
New open-source anti-ransomware tool

A group of developers has created an open-source anti-ransomware project, and its strategy is very interesting.

It is a honeypot: the tool creates a decoy folder full of documents and keeps watching it; when ransomware reaches that folder and starts touching the files, the tool detects the activity and is able to stop it. Note that the decoy only helps if the ransomware reaches it before your real data, so where the folder sits in the directory tree (and how its name sorts) matters.

For more information see http://www.security-projects.com/?Anti_Ransom
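To make the decoy-folder idea concrete, here is an added example of the detection logic in Python. It is not Anti Ransom's code and does not reproduce its implementation: the decoy file names, the polling approach, the function names and the simulated attack are all assumptions constructed for this example. It seeds a decoy directory, records a hash baseline, and reports any decoy that is modified, renamed or deleted, or any new file that appears (an encrypted copy or a ransom note).

```python
"""Decoy-folder (honeypot) ransomware detector.

Added example; this is not the Anti Ransom code. It seeds a decoy directory
with files that look like documents, records a SHA-256 baseline, and reports
any decoy file that is modified, renamed or deleted, or any new file that
appears (an encrypted copy or a ransom note). Polling, the file names and the
function names are assumptions made for this example.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Names that sort first in a directory listing, so a scanner that walks the
# tree in listing order touches the decoys before the real data.
DECOY_NAMES = ["00_Contracts_2016.docx", "00_Budget.xlsx", "00_Payroll.pdf"]


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seed_decoy(folder: Path, size: int = 4096) -> dict:
    """Create the decoy files and return {name: sha256} as the baseline."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in DECOY_NAMES:
        path = folder / name
        path.write_bytes(os.urandom(size))  # constructed filler bytes
        baseline[name] = _digest(path)
    return baseline


def check_decoy(folder: Path, baseline: dict) -> list:
    """Compare the folder with the baseline; return [(name, event), ...]."""
    events = []
    present = {p.name for p in folder.iterdir()} if folder.is_dir() else set()
    for name, digest in baseline.items():
        path = folder / name
        if not path.is_file():
            events.append((name, "missing"))      # deleted or renamed away
        elif _digest(path) != digest:
            events.append((name, "modified"))     # rewritten in place
    for name in sorted(present - set(baseline)):
        events.append((name, "unexpected"))       # e.g. file.docx.locked, ransom note
    return events


def watch(folder: Path, baseline: dict, interval: float = 1.0, on_hit=None) -> list:
    """Poll until the decoy is touched, call on_hit(events) and return them.

    Anti Ransom reacts by stopping the offending process; here on_hit is where
    that response (process kill, alert, share disconnect) would be wired in.
    """
    while True:
        events = check_decoy(folder, baseline)
        if events:
            if on_hit:
                on_hit(events)
            return events
        time.sleep(interval)


def simulate_ransomware(folder: Path) -> None:
    """Constructed stand-in for a Rakhni-style run: XOR-scramble the first
    decoy, rename it with a .locked suffix and drop a ransom note."""
    victim = folder / DECOY_NAMES[0]
    scrambled = bytes(b ^ 0x5A for b in victim.read_bytes())
    victim.write_bytes(scrambled)
    victim.rename(folder / (DECOY_NAMES[0] + ".locked"))
    (folder / "HOW_TO_DECRYPT.txt").write_text("send bitcoin to ...")


def demo() -> list:
    """Seed a temporary decoy, attack it, and return what the detector saw."""
    folder = Path(tempfile.mkdtemp()) / "decoy"
    baseline = seed_decoy(folder)
    assert check_decoy(folder, baseline) == []   # quiet before the attack
    simulate_ransomware(folder)
    return check_decoy(folder, baseline)


if __name__ == "__main__":
    for name, event in demo():
        print(f"{event:10s} {name}")
```

Running the script seeds a throwaway decoy folder, attacks it, and prints one "missing" line for the renamed decoy plus two "unexpected" lines for the .locked copy and the ransom note. In a real deployment you would call watch() against a decoy placed next to the data you care about and put the kill/alert logic in on_hit.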

Rakhni Decryptor

RakhniDecryptor is a Kaspersky tool that recovers files encrypted by Trojan-Ransom.Win32.Rakhni (the .oshit extension and others) and by a number of related families.

The tool works on files encrypted by the following malware families:

  • Trojan-Ransom.Win32.Rakhni
  • Trojan-Ransom.Win32.Agent.iih
  • Trojan-Ransom.Win32.Autoit
  • Trojan-Ransom.Win32.Aura
  • Trojan-Ransom.AndroidOS.Pletor
  • Trojan-Ransom.Win32.Rotor
  • Trojan-Ransom.Win32.Lamer
  • Trojan-Ransom.Win32.Cryptokluchen
  • Trojan-Ransom.Win32.Democry
  • Trojan-Ransom.Win32.Bitman version 3 and 4
  • Trojan-Ransom.Win32.Libra
  • Trojan-Ransom.MSIL.Lobzik
  • Trojan-Ransom.MSIL.Lortok
  • Trojan-Ransom.Win32.Chimera
  • Trojan-Ransom.Win32.CryFile
  • Trojan-Ransom.Win32.Nemchig
  • Trojan-Ransom.Win32.Mircop
  • Trojan-Ransom.Win32.Mor
  • Trojan-Ransom.Win32.Crusis

File types that RakhniDecryptor can decrypt

The malware encrypts each file and changes its extension. For example:

  • before: file.doc / after: file.doc.locked
  • before: 1.doc / after: 1.dochb15
  • before: 1.doc / after: 1.doc._17-05-2016-20-27-37_$seven_legion@india.com$.777

RakhniDecryptor can decrypt files whose names follow these templates:

Trojan-Ransom.Win32.Rakhni:
  • <file_name>.<original_extension>.<locked>
  • <file_name>.<original_extension>.<kraken>
  • <file_name>.<original_extension>.<darkness>
  • <file_name>.<original_extension>.<oshit>
  • <file_name>.<original_extension>.<nochance>
  • <file_name>.<original_extension>.<oplata@qq_com>
  • <file_name>.<original_extension>.<relock@qq_com>
  • <file_name>.<original_extension>.<crypto>
  • <file_name>.<original_extension>.<helpdecrypt@ukr.net>
  • <file_name>.<original_extension>.<pizda@qq_com>
  • <file_name>.<original_extension>.<dyatel@qq_com>
  • <file_name>.<original_extension>.<nalog@qq_com>
  • <file_name>.<original_extension>.<chifrator@gmail_com>
  • <file_name>.<original_extension>.<gruzin@qq_com>
  • <file_name>.<original_extension>.<troyancoder@gmail_com>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id373>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id371>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id372>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id374>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id375>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id376>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id392>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id357>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id356>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id358>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id359>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id360>
  • <file_name>.<original_extension>.<coderksu@gmail_com_id20>
Trojan-Ransom.Win32.Mor:
  • <file_name>.<original_extension>_crypt
Trojan-Ransom.Win32.Autoit:
  • <file_name>.<original_extension>.<_crypt@india.com_.random characters>
Trojan-Ransom.MSIL.Lortok:
  • <file_name>.<original_extension>.<cry>
  • <file_name>.<original_extension>.<AES256>
Trojan-Ransom.AndroidOS.Pletor:
  • <file_name>.<original_extension>.<enc>
Trojan-Ransom.Win32.Agent.iih:
  • <file_name>.<original_extension>+<hb15>
Trojan-Ransom.Win32.CryFile:
  • <file_name>.<original_extension>.<encrypted>
Trojan-Ransom.Win32.Democry:
  • <file_name>.<original_extension>+<._date-time_$email@domain$.777>
  • <file_name>.<original_extension>+<._date-time_$email@domain$.legion>
Trojan-Ransom.Win32.Bitman version 3:
  • <file_name>.<xxx>
  • <file_name>.<ttt>
  • <file_name>.<micro>
  • <file_name>.<mp3>
Trojan-Ransom.Win32.Bitman version 4:
  • <file_name>.<original_extension> (file name and extension are not changed)
Trojan-Ransom.Win32.Libra:
  • <file_name>.<encrypted>
  • <file_name>.<locked>
  • <file_name>.<SecureCrypted>
Trojan-Ransom.MSIL.Lobzik:
  • <file_name>.<fun>
  • <file_name>.<gws>
  • <file_name>.<btc>
  • <file_name>.<AFD>
  • <file_name>.<porno>
  • <file_name>.<pornoransom>
  • <file_name>.<epic>
  • <file_name>.<encrypted>
  • <file_name>.<J>
  • <file_name>.<payransom>
  • <file_name>.<paybtcs>
  • <file_name>.<paymds>
  • <file_name>.<paymrss>
  • <file_name>.<paymrts>
  • <file_name>.<paymst>
  • <file_name>.<paymts>
  • <file_name>.<gefickt>
  • <file_name>.<uk-dealer@sigaint.org>
Trojan-Ransom.Win32.Mircop:
  • <Lock>.<file_name>.<original_extension>
Trojan-Ransom.Win32.Crusis:
  • .ID<…>.<mail>@<server>.<domain>.xtbl
  • .ID<…>.<mail>@<server>.<domain>.CrySiS
  • .id-<…>.<mail>@<server>.<domain>.xtbl
  • .id-<…>.<mail>@<server>.<domain>.wallet
  • .id-<…>.<mail>@<server>.<domain>.dhrama
  • .<mail>@<server>.<domain>.wallet
  • .<mail>@<server>.<domain>.dhrama
Trojan-Ransom.Win32.Nemchig:
  • <file_name>.<original_extension>.<safefiles32@mail.ru>
Trojan-Ransom.Win32.Lamer:
  • <file_name>.<original_extension>.<bloked>
  • <file_name>.<original_extension>.<cripaaaa>
  • <file_name>.<original_extension>.<smit>
  • <file_name>.<original_extension>.<fajlovnet>
  • <file_name>.<original_extension>.<filesfucked>
  • <file_name>.<original_extension>.<criptx>
  • <file_name>.<original_extension>.<gopaymeb>
  • <file_name>.<original_extension>.<cripted>
  • <file_name>.<original_extension>.<bnmntftfmn>
  • <file_name>.<original_extension>.<criptiks>
  • <file_name>.<original_extension>.<cripttt>
  • <file_name>.<original_extension>.<hithere>
  • <file_name>.<original_extension>.<aga>
Trojan-Ransom.Win32.Cryptokluchen:
  • <file_name>.<original_extension>.<AMBA>
  • <file_name>.<original_extension>.<PLAGUE17>
  • <file_name>.<original_extension>.<ktldll>
Trojan-Ransom.Win32.Rotor:
  • <file_name>.<original_extension>.<.-.DIRECTORAT1C@GMAIL.COM.roto>
  • <file_name>.<original_extension>.<.-.CRYPTSb@GMAIL.COM.roto>
  • <file_name>.<original_extension>.<.-.DIRECTORAT1C8@GMAIL.COM.roto>
  • <file_name>.<original_extension>.<!______________DESKRYPTEDN81@GMAIL.COM.crypt>
  • <file_name>.<original_extension>.<!___prosschiff@gmail.com_.crypt>
  • <file_name>.<original_extension>.<!_______GASWAGEN123@GMAIL.COM____.crypt>
  • <file_name>.<original_extension>.<!_________pkigxdaq@bk.ru_______.crypt>
  • <file_name>.<original_extension>.<!____moskali1993@mail.ru___.crypt>
  • <file_name>.<original_extension>.<!==helpsend369@gmail.com==.crypt>
  • <file_name>.<original_extension>.<!-==kronstar21@gmail.com=–.crypt>
Trojan-Ransom.Win32.Chimera:
  • <file_name>.<original_extension>.<crypt>
  • <file_name>.<original_extension>.<4 random characters>

How to use the tool

To decrypt your files, follow these steps:

  1. Download RakhniDecryptor.zip and extract it with Windows or a utility such as 7-Zip.
  2. Run RakhniDecryptor.exe on the infected computer.
  3. In the Kaspersky RakhniDecryptor window, click "Change parameters".
  4. In the "Settings" window that opens, select the objects to scan (local drives, removable drives and network shares).
  5. Tick the "Delete crypted files after decryption" checkbox (this deletes the encrypted copies, e.g. the .locked, .kraken and .darkness files, once the originals have been restored). If you would rather verify that the decrypted files open correctly before anything is deleted, leave it unticked and clean up afterwards.
  6. Click OK.
  7. Click "Start scan" in the Kaspersky RakhniDecryptor window.
  8. Enter the path to one of the encrypted files, select the file you need to restore and click Open.
  9. The tool now starts recovering the password, which it then uses for all the files. Be aware that this step can take a long time; read the Warning dialog carefully.
  10. Wait until decryption finishes; do not shut down or restart the PC.

Important information

Trojan-Ransom.Win32.Rakhni creates the file exit.hhr.oshit, which contains the password for decrypting the files in encrypted form. If this file is still present on the infected computer, decryption with the RakhniDecryptor tool takes significantly less time. If exit.hhr.oshit was deleted, you can try to restore it using file-recovery tools and move it to the %APPDATA% folder; after that, run the tool once again. The exit.hhr.oshit file is usually located in the following folder:

  • Windows XP: C:\Documents and Settings\<username>\Application Data
  • Windows Vista/7/8/8.1/10 C:\Users\<username>\AppData\Roaming

The file can be encrypted with the _crypt extension more than once. For example, the file test.doc was encrypted twice. The first encryption layer will be decrypted to test.1.doc.layerDecryptedKLR. In the tool performance report, the line Decryption success: disk:\path\test.doc_crypt -> disk:\path\test.1.doc.layerDecryptedKLR will appear. You will need to decrypt this file using the tool once again. In case of successful decryption, the file will be saved under the original name test.doc.

If the file was encrypted with the _crypt extension, decryption may take a long time. For example, on an Intel Core i5-2400 the procedure may take up to 120 days.
Because this process can take so long, I recommend visiting the No More Ransom site, which offers a free decryption service.
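Before starting a run that may take days, it helps to know which family you are dealing with, how many files are affected and whether the exit.hhr.oshit key file survived. The following Python helper is an added example (not Kaspersky's tool or any of its code) that applies a handful of the naming templates listed above: it recognises the family from the file name, recovers the name the file should get back, counts stacked _crypt layers, and checks %APPDATA% for exit.hhr.oshit. The pattern table, the matching order, the function names and the layer counting are assumptions; the sample names in the usage are the examples given on this page.

```python
"""Triage helper for the RakhniDecryptor naming templates.

Added example, not part of Kaspersky's tool. Given an encrypted file name it
returns the family the name matches, the name the file should get back and
the number of stacked encryption layers; it can also walk a tree and check
whether Rakhni's exit.hhr.oshit key file is still in %APPDATA%. Only a
handful of the templates above are encoded, and the function names, the
matching order and the layer counting are assumptions.
"""
import os
import re
from pathlib import Path
from typing import Optional, Tuple

# Most specific patterns first, since several families share markers
# (".locked" is used by both Rakhni and Libra, ".mp3" by Bitman v3 and by
# every real MP3 file), so treat a hit as a hint, not proof.
TEMPLATES = [
    ("Trojan-Ransom.Win32.Democry",
     re.compile(r"^(?P<orig>.+\.[^.]+)\._\d{2}-\d{2}-\d{4}-\d{2}-\d{2}-\d{2}_"
                r"\$[^$]+\$\.(777|legion)$")),
    ("Trojan-Ransom.Win32.Mircop", re.compile(r"^Lock\.(?P<orig>.+\.[^.]+)$")),
    ("Trojan-Ransom.Win32.Agent.iih", re.compile(r"^(?P<orig>.+\.[^.]+)hb15$")),
    # Mor appends _crypt once per pass; lazy [^.]+? leaves every _crypt to the
    # layers group so a doubly encrypted file is counted as two layers.
    ("Trojan-Ransom.Win32.Mor",
     re.compile(r"^(?P<orig>.+\.[^.]+?)(?P<layers>(_crypt)+)$")),
    ("Trojan-Ransom.Win32.Rakhni",
     re.compile(r"^(?P<orig>.+\.[^.]+)\.(locked|kraken|darkness|oshit|nochance|crypto)$")),
    ("Trojan-Ransom.Win32.Lamer",
     re.compile(r"^(?P<orig>.+\.[^.]+)\.(bloked|cripted|criptiks|cripttt|hithere)$")),
    ("Trojan-Ransom.Win32.Bitman version 3",
     re.compile(r"^(?P<orig>.+)\.(xxx|ttt|micro|mp3)$")),
]


def identify(name: str) -> Optional[Tuple[str, str, int]]:
    """Return (family, original_name, layers) or None if no template matches."""
    for family, pattern in TEMPLATES:
        m = pattern.match(name)
        if m:
            layers = 1
            if "layers" in m.groupdict():
                layers = len(m.group("layers")) // len("_crypt")
            return family, m.group("orig"), layers
    return None


def inventory(root: Path) -> dict:
    """Walk root and group recognised files by family: {family: [(path, original)]}."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file():
            found = identify(path.name)
            if found:
                hits.setdefault(found[0], []).append((str(path), found[1]))
    return hits


def rakhni_key_file(appdata: Optional[str] = None) -> Optional[Path]:
    """Path of exit.hhr.oshit if it survived in %APPDATA% (or the given dir), else None."""
    base = Path(appdata if appdata is not None else os.environ.get("APPDATA", ""))
    candidate = base / "exit.hhr.oshit"
    return candidate if candidate.is_file() else None


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    key = rakhni_key_file()
    print("exit.hhr.oshit:", key or "not found (decryption will be slow)")
    for family, files in inventory(root).items():
        print(f"{family}: {len(files)} file(s), e.g. {files[0][0]} -> {files[0][1]}")
    for sample in ["file.doc.locked", "1.dochb15", "test.doc_crypt_crypt"]:
        print(sample, "->", identify(sample))
```

Run it with the root of the affected data as its only argument. A _crypt result with layers greater than 1 tells you in advance that the tool will have to be run that many times, as described above, and a missing exit.hhr.oshit means it is worth attempting file recovery before committing to the slow brute-force path.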