
Check Point - “Offline” Ransomware Encrypts Your Data without C&C Communication


Softpedia.com reported on 5 November 2015 that researchers at the security firm Check Point Software Technologies have analyzed an "offline" ransomware family that does not need to contact a command-and-control (C&C) server in order to encrypt the files on an infected machine.

The ransomware has been active since at least June 2014, mainly targeting Russian users, and roughly a dozen variants have appeared since then.

Once a computer is infected, the threat encrypts files likely to be important to the user. It then changes the desktop background to a Russian-language message telling the victim that their files have been encrypted and asking them to send one of the files to a given email address within a week. Victims are told that the key and the decryption tool needed to recover their files cost between $300 and $380, depending on how quickly they pay.

The ransomware needs neither an Internet connection nor a working link to a C&C server in order to encrypt files. For defenders that matters: egress filtering, sinkholing or blocking of C&C domains, which can stop some families that must fetch key material from a server before they encrypt, does nothing against this one, so prevention has to happen on the host itself.

Check Point analyzed a sample from version CL 1.0.0.0 (the version string appears in the encrypted file names). The sample is wrapped in a packer written in Visual Basic. To unpack its payload, the ransomware relaunches its own process and uses section mapping to overwrite the process image four times. The payload that performs the actual encryption is most likely written in Delphi with some additional Pascal modules.

Beyond encrypting files the ransomware has little functionality. It generates an RSA public key locally, uses that key to encrypt the files, and stores the key in the metadata of every encrypted file. A victim who wants their data back contacts the operator at the email address embedded in each encrypted file name and attaches one of the encrypted files, whose metadata carries that key material.
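The key handling described above, modelled as an added example: this is not Check Point's analysis code and not the malware's real file format, which the article does not give. It shows the three properties that make the scheme work offline: the RSA key pair is generated locally with no network step, each file's bulk key is wrapped under the public half, and the public key is written into every file's header, which is exactly what an analyst can read back from an encrypted file and nothing more. The header layout and `MAGIC` tag are constructed for this demo, the per-file symmetric key wrapped by RSA is an assumption about how the "RSA key encrypts files" in practice, and the SHA-256 counter keystream is a toy stand-in for a real bulk cipher (it is not authenticated and is not for real use).

```python
import hashlib
import os
import secrets
import struct

MAGIC = b"OFFLINE-DEMO"  # constructed header tag for this model, not the real malware's format


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (used only to build the demo key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime with the top bit set so the product has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits: int = 512):
    """Generate an RSA key pair entirely on the local host: the step that needs no network.
    512 bits keeps the demo fast; it is far too small for real security."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || block counter) XORed onto the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_file_bytes(plaintext: bytes, pub) -> bytes:
    """Encrypt one file: fresh per-file key, wrapped under the local public key, public key in the header."""
    n, e = pub
    file_key = os.urandom(32)                               # 256-bit key, always smaller than the modulus
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)    # RSA-wrapped under the victim-local public key
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    w_bytes = wrapped.to_bytes(len(n_bytes), "big")
    header = MAGIC + struct.pack(">HI", len(n_bytes), e) + n_bytes + w_bytes
    return header + keystream_xor(file_key, plaintext)


def parse_header(blob: bytes):
    """What an analyst can read back from an encrypted file: public key and wrapped file key, no private key."""
    if not blob.startswith(MAGIC):
        return None
    off = len(MAGIC)
    n_len, e = struct.unpack(">HI", blob[off:off + 6])
    off += 6
    n = int.from_bytes(blob[off:off + n_len], "big")
    off += n_len
    wrapped = int.from_bytes(blob[off:off + n_len], "big")
    off += n_len
    return {"n": n, "e": e, "wrapped": wrapped, "body": blob[off:]}


def decrypt_file_bytes(blob: bytes, priv):
    """Recover the plaintext; only the private half of the key pair that made the file will do."""
    hdr = parse_header(blob)
    if hdr is None or hdr["n"] != priv[0]:
        return None  # wrong key pair: the modulus in the header does not match
    n, d = priv
    file_key = pow(hdr["wrapped"], d, n).to_bytes(32, "big")
    return keystream_xor(file_key, hdr["body"])


if __name__ == "__main__":
    pub, priv = gen_rsa_keypair()
    sample = b"constructed sample document contents, not a real victim file"
    blob = encrypt_file_bytes(sample, pub)
    hdr = parse_header(blob)
    print("modulus bits readable from header:", hdr["n"].bit_length())
    print("round trip with the matching private key:", decrypt_file_bytes(blob, priv) == sample)
```

The demo modulus is deliberately tiny, so the header of a demo file could be factored on a laptop; the "two years on a large cluster" figure in the article applies to the key size the real sample uses, which the article does not state. The practical point survives either way: everything the victim's disk holds is the public key and the wrapped file keys, and without the private half no amount of file-level inspection recovers the data.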

Check Point staff said the encryption cannot practically be brute-forced: the attempt would take around two years even with a large computer cluster, which most home users do not have access to.

The researchers say this is exactly the kind of case the FBI was referring to when it said that paying the ransom is sometimes the better option.

» SPAMfighter News - 11/10/2015
