Alkajak
Thread author
PandaLabs, Panda Security’s anti-malware lab, detected a new type of ransomware which they think could be reverse engineered to allow users to recover their files.
Named CryptoBit, this particular ransomware variant infects users via exploits. First infections appeared at the start of April, and security researchers claim the ransomware is somewhat strange in its mode of operation.
After infection, CryptoBit will first and foremost scan for files that have particular extensions. By default, it will look for 96 different file types, looking for regular data storage files, such as images, file archives, databases, and office documents.
CryptoBit uses AES+RSA encryption
Once CryptoBit identifies all valuable files, it will proceed to encrypt them using the AES algorithm, which uses one key for both encryption and decryption.
The AES encryption key is then encrypted itself with an RSA algorithm, which is a dual-key encryption model that uses a different key for encryption (public key) and decryption (private key). Researchers say the private key is most likely sent to a server under the ransomware author's control.
After the encryption process ends, CryptoBit will display a ransom note like the one below, telling the user his files were encrypted and that he must contact the ransomware's author via an email address or the Bitmessage network, using a special ID.
Compared to other ransomware families, CryptoBit is very greedy, asking for a whopping 2 Bitcoin (~$850). Most ransomware families these days only ask for 0.5 (~$215), maximum 1 Bitcoin (~$425).
CryptoBit may have a flaw
According to PandaLabs researchers, there might be a flaw in CryptoBit's armor.
"We notice[d] a specific detail: the absence of calls to the native libraries that encrypt files using the RSA algorithm," PandaLabs researchers say. "CryptoBit uses a series of statically compiled routines that allow you to operate with large numbers (“big numbers”), making it possible to reproduce the RSA encryption algorithm."
As it looks right now, it may be possible for security researchers to reverse engineer the ransomware's custom RSA encryption operations and recover the original AES encryption file.
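The AES+RSA scheme described above and the "big numbers" observation in the PandaLabs quote both come down to textbook RSA done with plain big-integer arithmetic, which this added example reproduces (it is not PandaLabs' code and nothing in it is taken from the CryptoBit sample): the public key wraps the file-encryption key, and only the holder of the private exponent d can unwrap it, which is why a victim cannot recover the key unless the private key is obtained or the custom routines turn out to be flawed. The AES key is a constructed stand-in, and the file encryption itself is left out.

```python
import random
from math import gcd

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, enough to generate RSA primes for this demo."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 512, e: int = 65537):
    """Textbook RSA from big-integer arithmetic only: returns (n, e), (n, d)."""
    def prime(b: int) -> int:  # odd candidate, top bit set, retry until prime
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def wrap_key(aes_key: bytes, pub) -> int:
    n, e = pub  # public key: the only RSA material the malware needs to carry
    m = int.from_bytes(aes_key, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)

def unwrap_key(wrapped: int, priv, key_len: int) -> bytes:
    n, d = priv  # d is held only by whoever has the private key
    return pow(wrapped, d, n).to_bytes(key_len, "big")

def roundtrip_ok(key_len: int = 32) -> bool:
    # Cross-check of the reimplementation: unwrap(wrap(k)) must return k.
    pub, priv = rsa_keygen()
    aes_key = bytes(range(key_len))  # constructed stand-in for a real AES key
    return unwrap_key(wrap_key(aes_key, pub), priv, key_len) == aes_key
```

When analysts rebuild a sample's custom routines this way, a round-trip check like `roundtrip_ok()` is the first thing to run against the recovered parameters; any mismatch points at the kind of implementation defect that can make key recovery possible.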
Users should not confuse CryptoBit with another ransomware family called CryptorBit, which was very active during 2014.