GetCrypt Ransomware Encrypts Files, Brute Forces Credentials
Here’s a new ransomware that not only encrypts files and programs on a computer, but attempts to brute force credentials as well.
GetCrypt, a new ransomware being installed through malvertising campaigns that redirect victims to the RIG exploit kit, encrypts all files on a computer and then demands a ransom to decrypt them. An interesting thing about this ransomware is that it also attempts to brute force credentials from the infected system.
Exploit kit researcher nao_sec discovered the ransomware being delivered to victims who had been redirected to a page hosting the RIG exploit kit. A BleepingComputer report says, “This ransomware was discovered by exploit kit researcher nao_sec who alerted BleepingComputer when they saw it being installed via the RIG exploit kit in Popcash malvertising campaigns. When a victim is redirected to a page hosting the exploit kit, malicious scripts will try to exploit vulnerabilities found on the computer.”
If an exploit succeeds, the GetCrypt ransomware is downloaded and installed on Windows.
Lawrence Abrams of BleepingComputer writes that nao_sec’s tweet was also seen by security researcher Vitali Kremez, who then analyzed the ransomware and found some interesting features.
The most notable of his observations is that the ransomware, once executed by the RIG exploit kit, checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian; if it is set to any of these languages, the ransomware terminates without encrypting the computer. If Windows is not set to any of the above-mentioned languages, it examines the CPUID of the computer and uses it to create a 4-character string, which is then used as the extension for encrypted files. Next it runs the command vssadmin.exe delete shadows /all /quiet to clear the Shadow Volume Copies, and then scans the whole system for files to encrypt.
The ransomware doesn’t target any particular kind of file; instead it encrypts all files, except those located in or under certain folders, namely :\$Recycle.Bin, :\ProgramData, :\Users\All Users, :\Program Files, :\Local Settings, :\Windows, :\Boot, :\System Volume Information and :\Recovery AppData.
GetCrypt reportedly uses the Salsa20 and RSA-4096 encryption algorithms to encrypt files and during encryption, uses the 4-character string it had created earlier as the extension. Simultaneously, it would also create a ransom note. The ransom note, named decrypt my files #.txt, is created in each folder that is encrypted and on the desktop too. It advises the victim to contact [email protected] for instructions regarding ransom payment. The ransomware also changes the desktop background to an image that contains a detailed message. The message says that the system has been infected and all files have been encrypted, and also gives instructions as to what needs to be done to get the files decrypted.
GetCrypt, like many other ransomware infections, also attempts to encrypt files on network shares during the encryption process, but in a rather different manner. The BleepingComputer report explains, “When encrypting, GetCrypt will utilize the WNetEnumResourceW function to enumerate a list of available network shares…If it cannot connect to a share, it will use an embedded list of usernames and passwords to bruteforce the credentials for shares and mount them using the WNetAddConnection2W function.”
“While encrypting unmapped network shares is not unusual, this is the first time we have seen a ransomware try to brute force shares so that they can connect to them from the infected computer,” the report further notes.
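Two of the behaviours described above, the shadow-copy deletion and the credential brute forcing against network shares, leave traces in ordinary Windows telemetry. The following is an added detection example written for this post, not code from BleepingComputer or from the malware analysis; it assumes process-creation events (Sysmon event ID 1) and failed network logons (Security event ID 4625, logon type 3) have been normalised into the simplified dicts shown, which are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified schema (hypothetical, not real logs):
# eid 1 = process creation, eid 4625 = failed logon (logon_type 3 = network).
SAMPLE_EVENTS = [
    {"eid": 1, "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"eid": 1, "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: must not trigger
    {"eid": 4625, "host": "FS01", "src": "WS01", "user": "admin", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src": "WS01", "user": "Administrator", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src": "WS01", "user": "backup", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src": "WS01", "user": "guest", "logon_type": 3},
    {"eid": 4625, "host": "FS01", "src": "WS02", "user": "alice", "logon_type": 3},  # one typo
]

# Matches the exact step the article describes, regardless of extra switches.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def find_shadow_deletion(events):
    """Hosts on which vssadmin was used to delete Shadow Volume Copies."""
    return sorted({e["host"] for e in events
                   if e.get("eid") == 1
                   and e["image"].lower().endswith("vssadmin.exe")
                   and SHADOW_DELETE.search(e["cmdline"])})


def find_share_bruteforce(events, threshold=3):
    """(source host, share server) pairs where one source failed network logons
    with at least `threshold` distinct usernames: a host cycling an embedded
    credential list against a share, as opposed to a user mistyping a password."""
    attempts = defaultdict(set)
    for e in events:
        if e.get("eid") == 4625 and e.get("logon_type") == 3:
            attempts[(e["src"], e["host"])].add(e["user"].lower())
    return sorted(k for k, users in attempts.items() if len(users) >= threshold)


def triage(events):
    """Hosts that both wiped shadow copies and sprayed credentials at shares,
    i.e. the combination of behaviours attributed to GetCrypt."""
    wipers = set(find_shadow_deletion(events))
    sprayers = {src for src, _ in find_share_bruteforce(events)}
    return sorted(wipers & sprayers)


if __name__ == "__main__":
    print("shadow deletion:", find_shadow_deletion(SAMPLE_EVENTS))
    print("share brute force:", find_share_bruteforce(SAMPLE_EVENTS))
    print("hosts matching both:", triage(SAMPLE_EVENTS))
```

The threshold is deliberately a parameter: a single failed logon from a workstation is routine, while several distinct usernames failing from the same host against the same server in quick succession is the pattern worth alerting on.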
Still, it’s possible to decrypt files on a system infected with GetCrypt: a decryptor has been released. The victim can use it to decrypt all encrypted files, but only if an original, unencrypted copy of one file encrypted during the infection is available. The decryptor is run on an encrypted file together with its original unencrypted version; from that pair it brute forces the decryption key and then decrypts all files.
That once again proves the need for keeping offline backups of files, something we’ve discussed in many of our posts. Backups can give you unencrypted versions of files, which could aid the decryption process if your system has been infected with the GetCrypt ransomware.