Beware! A new .Net Ransomware is encrypting files with .Lime
Credit to Author: Bajrang Mane| Date: Tue, 06 Mar 2018 11:49:53 +0000
Cases of the “Lime ransomware” have been recently reported to Quick Heal Security Labs. Our research team has analyzed these cases deeply and found some useful information. This post shares this information to help users stay safe from ransomware attacks. ‘Lime’ is a newly discovered .net ransomware; it is also known as the ‘BigEyes’ ransomware. It uses two major ways to infect user’s systems, either spam emails or malicious downloads. Ransomware usually comes into the system without the user’s knowledge through online activities like software bundling, spam email attachments, infected links, malvertising, by visiting unknown sites, RDP (Remote desktop protocol) and exploit kits. Infection vector Fig 1 Lime Ransomware attack chain Technical analysis Encryption Process: in-depth description Lime is a ransomware that encrypts your files and demands Bitcoin as a ransom to get your files restored. Files are locked with the AES-256 encryption algorithm. The Lime ransomware encrypts your files and appends the “.Lime” extension. After encryption, the Lime ransomware drops a ransom note Fig 2. Fig 2 Ransom note The following e-mail address is used to contact the malware author to decrypt the encrypted files by paying them: “r3vo@protonmail-com” Key generation When Lime is first launched, it will call RandomString() function which will attempt to generate an AES key. It generates 50 bytes array from input string using a random index with the use of random() function to fetch one character and stores into output string as shown in Fig 3. Fig 3 Random Key Generation code It calculates md5 of generated output string using Computehash() and then it will copy the result into the result array. It will use this result array as an AES key to encrypt the files present on the system. Fig 4 AES Key Generation code It drops output string at path “C:Microsoft” by name “hash”. As we know that AES is symmetric algorithm so the key used for encryption and decryption will be the same. So, the malware author uses this hash file’s MD5 to decrypt the victim’s files when victim pays ransom amount to him. Lime ransomware encrypts files on specific folder paths using AES-256 in ECB mode to encrypt files. Paths are as per given below: My Music My Pictures My Videos Desktop UserProfile Components used in AES Different modes used in AES:- ECB, CBC, CFB, OFB, CTR. Key:- AES-128(16 Bytes), AES-192(24 Bytes), AES-256(32 Bytes) IV:- Initialization vector to use for encryption or decryption It encrypts files using AES-256 (32-byte key length) in ECB (Electronic Code Book) mode. In ECB mode, it doesn’t require IV (Initialization vector) for the encryption or decryption process. For all other modes, it uses IV (Initialization vector). IV is optional and when IV is not present then it will be given a default value of all zeroes. Modification in file extension List of extensions of files which get encrypted by Lime ransomware: .c, .cpp, .py, .ini, .hiv, .avi, .bmp, .log, .pdf, .zip, .bak, .rtf, .png, .wsf, .wsc, .ws, .vsw, .vst, .vss, .vsmac, .ros, .vbs, .vbe, .vb, .url, .tmp, .shs, .shb, .sct, .scr, .scf, .reg, .pst, .prg, .pif, .pcd, .ops, .mst, .msp, .msi, .msc, .mdz, .mdw, .mdt, .mde, .mdb, .mda, .maw, .mav, .mau, .mat, .mas, .mar, .maq, .mam, .mag, .maf, .mad, .lnk, .ksh, .jse, .js, .its, .isp, .ins, .inf, .hlp, .fxp, .exe, .csh, .crt, .cpl, .com, .cmd, .chm, .cer, .bat, .pdf, .pot, .xlt, .pps, .xlw, .dot, .rtf, .ppt, .xls, .doc, .xml, .htm, .html, .hta, .app, .asp The extension ‘.lime’ is placed as a secondary extension, without altering the original names and its extension. Example: Original file name : mydemo.cpp After encryption : mydemo.cpp.Lime And yes! Recovery of Encrypted File is possible We can decrypt all files which are encrypted by “Lime Ransomware”. The key is 32 bytes which is generated from MD5 of “hash” file which is dropped at “C:Microsoft” location of victim’s mchine. So, the key is different for different victim. To decrypt files, AES-256 is used in the ECB mode and key for that will be generated as given below, If MD5 of hash file is dropped on the victim’s machine: “05FF78F91FE2D008018A2F53792C0C28” Key generation from MD5 Take 15 bytes from MD5 + Take 16 bytes from MD5 + Append zero=32 bytes key Key =…
http://blogs.quickheal.com/feed/