Our CSIRT team responded to a ransomware attack at a small company specialized in the production of chocolate machines. All their documentation (technical, commercial, administration, …) was ransomed, and they would go out of business if they could not recover their documentation soon. To prevent this, they paid the ransom and obtained a decryption tool and a key, but it malfunctioned. The files were still ransomed. At this point, our CSIRT was called in and successfully decrypted the ransomed documentation. It turned out that, due to some malfunction, the original ransomware did not encrypt the original files (just changed their extension and added ransomware metadata), while the decryptor then actually encrypted the files (and restored the original extension and removed the ransomware metadata).

After this success, research into the algorithms implemented in this ransomware strain started. It became clear that this sample contains inherent flaws in its cryptographic design. Although well-established cryptographic primitives are used (like AES), they are used in a flawed way and introduce vulnerabilities that when exploited, lead to the decryption of ransomed files without knowing the encryption password and/or key.

The vulnerabilities are caused by the combination of 1) the use of AES CTR (counter) mode, 2) partial encryption of ransomed files, and 3) reuse of encryption keys across same and different ransomed files.

These vulnerabilities enabled our CSIRT to develop decryptor scripts that can decrypt ransomed files in most cases. For example, the redundancy in ransomed ZIP files (like .docx, .xlsx, …) can be used to decrypt a collection of these files. The more ransomed ZIP files available, the better for this decryption method. We will cover different decryption methods during the presentation.

Finally, during this presentation, we will demo and share YARA rules to detect this ransomware and new variants (associated with Scarab/Spacecolon), together with our decryption scripts.