Ransomcrypt authors are not known to have a conscience, and until now have always left their victims with no way out, other than paying the extortion demand to decrypt their files. This seems to have changed somewhat with the arrival of Trojan.Ransomcrypt.G. While the authors of this malware are still total scammers, they seem to have some principles and offer to decrypt the victim’s files for free after a one month period, even if the ransom has not been paid. While this behavior does not exonerate the actions of the malware authors, it does leave some light at the end of the tunnel for any unfortunate victims of this scam.
Figure 1. “how to get data.txt” snippet from ransom file left behind by Trojan.Ransomcrypt.G
Trojan.Ransomcrypt.G was first reported by affected users in an online forum. It is a typical ransomcrypt Trojan that encrypts data files on the infected system. File extensions are checked against a long list stored in the Trojan binary file. Most common data file types are affected and you can see the full list here. Encrypted files are given an extra file extension, .OMG!, by the Trojan. For example, if the Trojan encrypted the file hello.doc, it would rename it hello.doc.OMG!.
Compromised users may notice a text file called “how to get data.txt” in directories containing encrypted files.
Figure 2. Directory containing compromised files
This file informs the user that they must send an email to the attacker and attach the text file along with some encrypted files. The attacker will reply with the decrypted files and instructions on how to obtain the unlocker tool that they can use to decrypt all of their data files.
Users may also notice an unusual string of characters at the end of the “how to get data.txt” file.
Figure 3. Binary string from ransom file
This string is actually a binary dump of an encrypted cryptographic key and infection timestamp information. This locking key is used to encrypt and decrypt files on the infected system. It is dynamically generated on the infected system using standard cryptographic Windows functions. Rather than sending this key in plaintext, the Trojan encrypts the locking key with a public cryptographic key (RSA) that is included in the configuration data in the Trojan binary data. The attacker knows the corresponding private key and so they can use it to decrypt the binary string in the text file, recover the locking key, and decrypt the encrypted files sent to them by the victim. The attacker can also recover the infection timestamp from the decrypted string and determine if the victim is eligible for the free unlocker tool.
Most ransomcrypt Trojans automate this type of key exchange with network communications between the victim’s system and a server controlled by the attacker. Trojan.Ransomcrypt.G uses a more basic approach that requires user interaction to perform the same operation.
Users should never pay any ransom to have their files decrypted. The latest Symantec technologies and Norton consumer and Symantec enterprise solutions protect against these kinds of attacks. You should always backup your files, that way you can restore them if necessary.
Symantec customers are protected from this Trojan with the following detections: