AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of CryptoWire, a ransomware strain that was prevalent in 2018.
CryptoWire is distributed mainly via phishing emails and is written in AutoIt script.
Main Features
The ransomware copies itself to the path “C:\Program Files\Common Files” and registers a scheduled task in the Task Scheduler to maintain persistence.
To widen the scope of file encryption, the malware enumerates the local system and the connected network environment, saves the results as domaincheck.txt on the desktop, and enumerates the accounts that have been created.
Additionally, the malware empties the recycle bin and deletes the volume shadow copy to prevent recovery.
Encrypted files take the form [Original file name].encrypted.[Original extension], and a message is displayed telling the victim that a decryption key must be purchased to decrypt the files.
Note that the ransomware itself contains the decryption key. Depending on the attack variant, the decryption key is either embedded in the AutoIt script, as shown in Figure 8, or sent to the threat actor’s server together with the system information of the infected host, as shown in Figure 9.
Not many ransomware strains expose their decryption keys; most force victims through an arduous decryption process. Users must therefore take caution when opening files from unknown sources to prevent ransomware infection. Additionally, users should scan suspicious files with anti-malware software and keep that software updated to the latest version.
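As an added defender-side example, not part of the ASEC write-up: a small Python triage that parses the [Original file name].encrypted.[Original extension] naming scheme and tags the behaviours described above (a scheduled task pointing under Common Files, shadow copy deletion, domaincheck.txt written to the desktop) in constructed endpoint events. The file-name scheme and the two paths come from the post; the event format and the schtasks/vssadmin/wmic command-line shapes are assumptions.

```python
import re

# Encrypted files are renamed "<original name>.encrypted.<original extension>" (from the write-up).
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.encrypted\.(?P<ext>[^.]+)$", re.IGNORECASE)
# Paths named in the write-up; the command-line shapes below are assumptions, not from the page.
COMMON_FILES = "c:\\program files\\common files\\"
DOMAINCHECK = "\\desktop\\domaincheck.txt"


def original_name(filename):
    """Recover the pre-encryption name from a CryptoWire-style file name, or None if no match."""
    m = ENCRYPTED_NAME.match(filename)
    return None if m is None else f"{m.group('stem')}.{m.group('ext')}"


def classify_event(event):
    """Map one constructed endpoint event (type, image, cmdline, target) to behaviour tags."""
    tags = []
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    target = event.get("target", "").lower()
    if event.get("type") == "process":
        # Persistence: scheduled task whose action points under Common Files (assumed schtasks form).
        if image.endswith("schtasks.exe") and "/create" in cmd and COMMON_FILES in cmd:
            tags.append("persistence:task_from_common_files")
        # Recovery inhibition: shadow copy deletion (assumed vssadmin/wmic forms).
        if (image.endswith("vssadmin.exe") and "delete shadows" in cmd) or (
            image.endswith("wmic.exe") and "shadowcopy delete" in cmd):
            tags.append("recovery_inhibit:shadow_copy_deletion")
    elif event.get("type") == "file":
        if target.endswith(DOMAINCHECK):
            tags.append("discovery:domaincheck_output_on_desktop")
        if original_name(target.rsplit("\\", 1)[-1]) is not None:
            tags.append("impact:encrypted_extension")
    return tags


def triage(events, threshold=2):
    """Return the distinct behaviours seen and whether enough co-occur to raise an alert."""
    seen = sorted({t for e in events for t in classify_event(e)})
    return {"tags": seen, "alert": len(seen) >= threshold}


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn Update /tr "C:\\Program Files\\Common Files\\sample.exe" /sc onlogon'},
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "file", "target": "C:\\Users\\user\\Desktop\\domaincheck.txt"},
    {"type": "file", "target": "C:\\Users\\user\\Documents\\report.encrypted.docx"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns all four tags with `alert` set; a single matching event alone stays below the default threshold so that one benign `schtasks` invocation does not page anyone.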
[File Detection]
– Trojan/Win.Kryptik.C5576563 (2024.01.20.00)
– Ransomware/Win.bcdedit.C5590639 (2024.02.20.00)
[Behavior Detection]
– Malware/MDP.Ransom.M1171
[IoC]
MD5
– cd4a0b371cd7dc9dab6b442b0583550c
– a410d4535409a379fbda5bb5c32f6c9c
C2
– hxxp://194.156.98[.]51/bot/log.php
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/63200/