Victims of a ransomware strain that surfaced only weeks ago, and which purports to have been developed in India, can now recover their files with a free decryption tool instead of paying the bitcoin extortion fee.
RansomWarrior first surfaced in early August from developers believed to be working out of India. “Have a good day with the love from India” read an excerpt of the ransom note delivered to victims.
"RansomWarrior 1.0" ransomware sample: https://t.co/poY2h8cg1V
Encrypted files are named "Encrypted%# of file%.THBEC".
Seen w/ name "A Big Present.exe".
"we are a group of dedicated hackers from India"
"Have a good day with the love from India."
@BleepinComputer @demonslay335
— MalwareHunterTeam (@malwrhunterteam) August 8, 2018
The strain targets Windows users: an executable named ‘A Big Present.exe’ encrypts the victim's files and gives them a .THBEC extension when run. The ransom note then directs victims to a dark web address and demands payment in bitcoin.
“[They] can’t help you,” the attackers claimed of the police, suggesting victims have nothing to gain from reporting the attack.
Researchers at security firm Check Point took a deep dive into the malware code and were quickly able to recover the decryption keys from it. In what appears to be the work of amateur cybercriminals, the ransomware encrypts files with a stream cipher whose key is selected at random from a list of 1,000 keys hard-coded into the binary.
“Written in .NET, the executable itself isn’t obfuscated, packed, or otherwise protected, suggesting those behind it are relatively new to the game,” researchers revealed.
Because the index of the chosen key is saved locally on the victim's machine (so that the files can be decrypted once the ransom is paid), and because the full key list ships inside the binary, Check Point researchers were able to build a decryption tool for everyone infected by the strain.
The decryption tool is available from Check Point free of charge.
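The following Python model, written for this article and not taken from the malware or from Check Point's decryptor, shows why that key management is fatal. It assumes a 1,000-entry key table derived from SHA-256 of an index (the real binary hard-codes literal keys) and models the unspecified stream cipher as SHA-256 in counter mode; the index the malware leaves on disk is represented by a returned integer. It also goes one step beyond the article: with only 1,000 candidate keys, a decryptor does not even need the stored index if it knows a few bytes of a file's header.

```python
"""
Model of the RansomWarrior key-management flaw (illustrative, constructed).

Assumptions not taken from the article:
  - KEY_TABLE is derived from SHA-256(index) instead of pasted-in constants.
  - The stream cipher is SHA-256 in counter mode (the article only says
    "stream cipher").
The structural point is unchanged: every key the malware can use ships in
the binary, and the victim's machine records which one was picked.
"""
import hashlib
import secrets
from typing import Optional, Tuple

KEY_COUNT = 1000  # article: 1,000 hard-coded keys in the binary
HEADER_PNG = b"\x89PNG\r\n\x1a\n"  # constructed known-plaintext prefix

# Stand-in for the hard-coded key table (assumption: derived, not literal).
KEY_TABLE = [hashlib.sha256(b"hardcoded-key-%d" % i).digest() for i in range(KEY_COUNT)]


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: concatenated SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def ransomware_encrypt(plaintext: bytes) -> Tuple[bytes, int]:
    """What the malware does: pick a random table index, encrypt with that
    key, and keep the index on the victim's machine so the operators can
    decrypt after payment. The returned index stands in for that local file."""
    index = secrets.randbelow(KEY_COUNT)
    ciphertext = xor(plaintext, keystream(KEY_TABLE[index], len(plaintext)))
    return ciphertext, index


def decrypt_with_stored_index(ciphertext: bytes, stored_index: int) -> bytes:
    """What a free decryptor needs: the table (lifted from the binary) plus
    the index (read from the victim's disk). No attacker-held secret exists."""
    return xor(ciphertext, keystream(KEY_TABLE[stored_index], len(ciphertext)))


def recover_index_by_brute_force(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Generalisation beyond the article: 1,000 candidates is small enough to
    try every key against a known file header, so even a missing index file
    does not save the scheme. Returns the matching index or None."""
    probe = ciphertext[: len(known_prefix)]
    for index, key in enumerate(KEY_TABLE):
        if xor(probe, keystream(key, len(probe))) == known_prefix:
            return index
    return None


if __name__ == "__main__":
    # Constructed sample "file": PNG magic followed by dummy content.
    sample = HEADER_PNG + b"victim data " * 4
    ct, idx = ransomware_encrypt(sample)
    assert decrypt_with_stored_index(ct, idx) == sample
    assert recover_index_by_brute_force(ct, HEADER_PNG) == idx
    print("recovered key index", idx, "without the attackers' help")
```

A stream cipher is only as strong as the secrecy and uniqueness of its key; here neither holds, which is why a static analysis of the binary plus one integer from the victim's disk is enough to undo the encryption.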
Image credit: LIFARS archive.