- Jan 19, 2017
A look at Jaff Ransomware and the Kaspersky RakhniDecryptor tool.
Jaff was delivered through .WSF (Windows Script Files), which are treated as executable files and run through the wscript.exe utility. The dropper was double-zipped in an effort to bypass security checking and heuristics, and dressed up as an “invoice”.
Once the .wsf is executed it pulls down the payload and executes it. This took so long that I had actually wandered away from the keyboard; I gather a sleep function was employed, again to bypass security.
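The double-zipped script-host lure described above is something a mail gateway or analyst can check for mechanically. The following is an added example (not the author's code and not anything from the Jaff sample): it walks nested zip archives in memory, flags members with Windows Script Host extensions (including double extensions like invoice.pdf.wsf) and archives nested inside archives, and refuses to inflate oversized members. The sample attachments are constructed inline; the placeholder .wsf only echoes a string.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions handled by the Windows Script Host (wscript.exe / cscript.exe) or mshta.exe.
SCRIPT_HOST_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def zip_bytes(name: str, data: bytes) -> bytes:
    """Wrap a single member in an in-memory zip (used here only to build constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def scan_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Recursively walk nested zip archives; return (member, depth, reason) findings."""
    findings = []
    path = PurePosixPath(name)  # zip member names use forward slashes
    ext = path.suffix.lower()

    if ext in SCRIPT_HOST_EXTS:
        reason = f"script-host file {ext}"
        if len(path.suffixes) > 1:  # e.g. invoice.pdf.wsf
            reason += " with double extension"
        findings.append((name, depth, reason))

    # Check content, not just the extension, so a renamed archive is still expanded.
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= 1:
            findings.append((name, depth, "archive nested inside another archive"))
        if depth >= max_depth:
            findings.append((name, depth, "archive nesting limit reached, not expanded"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((info.filename, depth + 1, "member too large to inspect"))
                    continue
                findings.extend(scan_attachment(info.filename, zf.read(info), depth + 1, max_depth))
    return findings


def is_suspicious(name: str, data: bytes) -> bool:
    return bool(scan_attachment(name, data))


# Constructed samples: an "invoice" zipped twice around a harmless placeholder .wsf,
# a double-extension variant, and a benign zipped PDF for comparison.
PLACEHOLDER_WSF = b'<job><script language="JScript">WScript.Echo("constructed sample");</script></job>'
SAMPLE_LURE = zip_bytes("invoice_4417.zip", zip_bytes("invoice_4417.wsf", PLACEHOLDER_WSF))
SAMPLE_DOUBLE_EXT = zip_bytes("invoice.pdf.wsf", PLACEHOLDER_WSF)
SAMPLE_BENIGN = zip_bytes("report.pdf", b"%PDF-1.4 constructed sample")

if __name__ == "__main__":
    for finding in scan_attachment("invoice_4417.zip", SAMPLE_LURE):
        print(finding)
```

The depth cap and the per-member size limit matter in practice: an attachment scanner that inflates everything it meets is itself a denial-of-service target, and the nesting count is in any case a signal on its own, since legitimate invoices rarely arrive as a zip inside a zip.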
Eventually I came back to my now-infected Windows 7 box. YAAAY!
The encryption was effective against all of my test document and picture types. I also observed modification of my Firefox browser, resulting in security certificate warnings; it looked like a second certificate had been added.
The ransomware
The ransomware directs you to a deep web page accessed through Tor.
Once on the page you are directed to enter your decrypt ID. I didn’t try a bogus number at the time; I might go back and see if it takes just about anything. I entered my ID and was presented with the payment screen for a specific wallet.
The payment requested calculates to around $2,000.00 at today’s market value (June 2017).
A range of options for buying Bitcoin is presented, along with a wallet to send them to.
A senior researcher at Kaspersky found a vulnerability in the malware’s encryption process and was able to reverse engineer the key to decrypt it. The exact details of the vulnerability are not disclosed, for obvious reasons; I do, however, strongly believe I see how it was done, which makes me smile.
But as there are cases where malware has been improved by its author once vulnerabilities were identified, I will refrain from even hinting at it.
PLEASE DO NOT HIGHLIGHT THE FAULT IF YOU PICK IT UP DURING YOUR OWN ANALYSIS.
This did present an opportunity for me to test the tool’s effectiveness, which is something I’ve been keen to see.
The tool itself is well designed, clean and fast. It asks you to select some encrypted files and goes to work very quickly. If you have downloaded this tool in the past, make sure you have a newer version.
All up, the process took less than 15 minutes to decrypt.
Once the tool was finished I checked its effectiveness. It appears to have decrypted all files successfully, which is very impressive work and hands down beats paying the ransom. Keep in mind it comes with no guarantees and does not remove the infection or the browser hijacking, but it does let you get your data back.
Jaff uses a command and control server hidden behind Tor, so it’s likely the author will look to improve or close the vulnerability if they find it.
The Bitcoin wallet is likely part of a pool of wallets hardcoded within the malware. At the time of writing I have not confirmed this suspicion, however I may look to go trawling at a later point; it would make sense.
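Trawling a sample for a hardcoded wallet pool comes down to finding strings that are not just Base58-shaped but carry a valid Base58Check checksum, which filters out the many random-looking strings a binary contains. The following is an added example (not the author's code, and it contains nothing from the Jaff sample): it implements Base58Check encode/decode, validates version-0 (P2PKH, "1...") and version-5 (P2SH, "3...") addresses, and scans a constructed byte blob that embeds three valid addresses and one corrupted one. The blob and the hash160 values in it are made up for the demonstration.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # Every leading zero byte is carried as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def encode_address(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_address(text: str) -> bool:
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    # 1 version byte + 20-byte hash + 4-byte checksum; version 0 = P2PKH, 5 = P2SH.
    if len(raw) != 25 or raw[0] not in (0, 5):
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


# Base58 run of 26-35 characters starting with '1' or '3', not embedded in a longer run.
CANDIDATE_RE = re.compile(
    rb"(?<![1-9A-HJ-NP-Za-km-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![1-9A-HJ-NP-Za-km-z])"
)


def extract_addresses(blob: bytes) -> list:
    """Return the distinct checksum-valid addresses found in a binary blob, in order."""
    found = []
    for m in CANDIDATE_RE.finditer(blob):
        cand = m.group().decode("ascii")
        if is_valid_address(cand) and cand not in found:
            found.append(cand)
    return found


# Constructed sample data (hash160 values are arbitrary, not real wallets).
ADDR_ZERO = encode_address(0, bytes(20))            # all-zero hash: the familiar run of ones
ADDR_A = encode_address(0, bytes(range(20)))
ADDR_B = encode_address(5, bytes.fromhex("ab" * 20))
ADDR_BAD = ADDR_A[:-1] + ("2" if ADDR_A[-1] != "2" else "3")  # one character changed: checksum fails
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03" + b"\x00" * 12
    + b"wallets=" + ADDR_ZERO.encode() + b";" + ADDR_A.encode() + b";"
    + ADDR_B.encode() + b";" + ADDR_BAD.encode() + b"\x00"
    + b"decryptid=7f3a\x00" + b"\xcc" * 8
)

if __name__ == "__main__":
    for addr in extract_addresses(SAMPLE_BLOB):
        print(addr)
```

Run it over the unpacked payload rather than the packed dropper, since strings in a packed or encrypted section will not be visible; and a hit list that is long and fixed across samples is the signature of a hardcoded pool, while a wallet that changes per victim points to the C2 handing it out at runtime.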
Thank you
MBYX