Slashdot Mirror


Badly-Coded Ransomware Locks User Files and Throws Away Encryption Key (softpedia.com)

An anonymous reader writes: A new ransomware family was not tested by its developer and is encrypting user files and then throwing away the encryption key because of an error in its programming. The ransomware author wanted to cut down costs by using a static encryption key for all users, but the ransomware kept generating random keys which it did not store anywhere. The only way to recover files is if users had a previous backup. You can detect it by the ransom message, which always has the same ID: qDgx5Bs8H

19 of 128 comments

  1. Like the old viruses by Anonymous Coward · · Score: 5, Funny

    So it's like the old-fashioned viruses that actually cause damage to your system then.

    1. Re:Like the old viruses by davester666 · · Score: 2

      Yes. It's the "erase your files" kind of virus...

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Like the old viruses by Anonymous Coward · · Score: 2, Insightful

      Hell yes! Those were the good old days. Corrupt and destroy, for no reason other than sheer malice. Yeah!

  2. This would have never happened. by Anonymous Coward · · Score: 5, Funny

    If the author decided on an open source project, the community could have found and developed a fix during beta testing.

    1. Re:This would have never happened. by BarbaraHudson · · Score: 2

      Worse, they give the instructions on how to fix it. Here is their rationale:

      At BleepingComputer we never disclose bugs in a ransomware infection as that will just alert the developer and cause them to fix the weakness. In this particular case, though, we are going to tell the developer how to fix his mistake so that he doesn't continue to destroy his victim's data going forward. In our opinion, if a person becomes infected, we would rather they have a fighting chance of recovering their files rather than no chance at all.

      So now, instead of abandoning it because it's broken, he can fix it and continue on his merry way:

      The problem is that the AES key was not properly padded when it was converted into a Base64 string. When the PowerShell script tried to decode this string, it failed, and instead of the variable $RgDhcxSdghWd containing his decoded AES string, it now contained a NULL or empty value. If he had added one more = character to the string, it would have worked as intended and everyone would have had the same AES key.

      That's as stupid as pointing out to the guillotine operator who is about to behead you that the guillotine won't work because there's a knot in the rope.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
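The failure mode quoted above, as an added example that is not part of the thread or of the ransomware's own script: the original was PowerShell, but the mechanics are the same in any language, so this uses Python's standard library. The 32-byte key, its truncated Base64 form, and the "fall back to a fresh random key when the constant fails to decode" path are all constructed here to reproduce the behaviour the thread describes (a decode that silently yields an empty value, followed by per-victim random keys that are never stored); the hardened loader shows the check that would have stopped the script before it touched a file.

```python
import base64
import binascii
import hashlib
import secrets

# Constructed sample: a 32-byte (AES-256) key, Base64-encoded, then with its
# trailing '=' dropped. This stands in for the hard-coded key string discussed
# in the thread; it is not the ransomware's real key.
FIXED_KEY = bytes(range(32))
PADDED_B64 = base64.b64encode(FIXED_KEY).decode("ascii")  # 44 chars, ends in "="
UNPADDED_B64 = PADDED_B64.rstrip("=")                      # 43 chars: invalid Base64


def decode_silently(b64: str):
    """Mirror a script that swallows the decode error: on bad input the
    'decoded key' becomes None instead of an exception being raised."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def choose_key_broken(b64: str) -> bytes:
    """Hypothetical reconstruction of the bug's consequence: when the static
    key fails to decode, a fresh random key is generated and never written
    anywhere, so every victim is encrypted under an unrecoverable key."""
    key = decode_silently(b64)
    if not key:  # None or b"" both fall through here
        key = secrets.token_bytes(32)
    return key


def repair_padding(b64: str) -> str:
    """Restore the '=' characters Base64 requires: length must be a multiple of 4.
    For the constructed sample this appends exactly one '='."""
    return b64 + "=" * (-len(b64) % 4)


def load_key_checked(b64: str) -> bytes:
    """Hardened loader: decode strictly and refuse anything that is not a valid
    AES key length, so a bad constant fails loudly instead of silently."""
    try:
        key = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key is not valid Base64: {exc}") from exc
    if len(key) not in (16, 24, 32):
        raise ValueError(f"decoded key is {len(key)} bytes, not an AES key length")
    return key


def key_fingerprint(key: bytes) -> str:
    """Short SHA-256 prefix, used only to compare keys across runs."""
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    print("padded   :", PADDED_B64)
    print("unpadded :", UNPADDED_B64)
    print("silent decode of unpadded ->", decode_silently(UNPADDED_B64))
    # Two runs of the broken path give two different keys; the fixed path gives one.
    print("broken run 1:", key_fingerprint(choose_key_broken(UNPADDED_B64)))
    print("broken run 2:", key_fingerprint(choose_key_broken(UNPADDED_B64)))
    print("repaired    :", key_fingerprint(load_key_checked(repair_padding(UNPADDED_B64))))
```

The point for defenders and reviewers alike is the second function: a decode that quietly returns an empty value is exactly the kind of failure that should be asserted on, because anything downstream (here, file encryption) will happily proceed with whatever it is handed.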
    2. Re:This would have never happened. by Harlequin80 · · Score: 2

      No, this is the same as pointing out to the guillotine operator that the blade is going to hit the trigger of the big ass pile of TNT that is under the platform and it is going to kill him and everyone around him. And suggesting that perhaps you move it to the right a little.

    3. Re:This would have never happened. by KGIII · · Score: 2

      Alerting the guillotine operator that there's a knot in the rope might be a prudent thing to do, if the knot is located where your head will only be partially lopped off and mean you get a more painful death.

      --
      "So long and thanks for all the fish."
  3. What a role model by Opportunist · · Score: 4, Interesting

    I always thought we should lock up those bastards and throw away the key. Shall we take it as a recommendation how he wants to be treated when we catch him?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. DUMB by jez9999 · · Score: 4, Funny

    Disasters Usually Motivate Backups

  5. Re:Usually the case by NoZart · · Score: 2

    The malware producers release the keys mostly, because people that are infected hear about that and are more willing to pay up...

  6. Need for a Dedicated Download Computer by BoRegardless · · Score: 2

    Get a virtual machine up and running or an older MacBook off eBay and it does Internet and all downloads.

    Any crap needs to be isolated to the VM or email machine.

  7. Re:Usually the case by Sqr(twg) · · Score: 4, Interesting

    Nope, apparently they do give you the decryption key, once you pay. If word of mouth was that it doesn't help to pay, then a lot less people would pay the ransom.

    So this guy is destroying a very lucrative business model for some very evil people. It will probably not end well for him.

  8. Re:Developers... by meerling · · Score: 5, Informative

    For optimal software testing, you need several types of testers.
    The dev - Someone who knows how to code and what this software is supposed to do, and intimately.
    The hacker - Someone who knows how to code, and doesn't care what the software wants because dammit, he's going to make it dance a frigging jig for giggles.
    The user - Doesn't know coding, but knows the subject the software is based around because he's the one that uses it. He knows exactly what it needs to do and what he wants it to do and will gladly tell you how you are failing in that.
    The ignorant - Can't code, doesn't want to, isn't sure if this computer thing is actually filled with enslaved magic pixies. If there's anyone that will do something no intelligent rational person will ever think of, the ignorant is king. You'd be amazed how many show-stopper bugs have been found by them.

  9. Re:Usually the case by radarskiy · · Score: 4, Funny

    This is why we can't have nice hostages.

  10. Ummmm... about that linux "ransomware" by StevenMaurer · · Score: 4, Funny

    Now that we've decided to help bug-fix ransomware, anyone consider its usability?

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:"

    In other words, it probably goes something like this:

    % tar -xf "ransomware-dontrunme-whatareyouanidiot?.tar"
    % cd ransomware-dontrunme
    % ./configure > /dev/null 2>&1
    % make > /dev/null 2>&1
    % make install > /dev/null 2>&1
    % ./runransomware
    Error: Permission denied. Please run as root.
    % sudo ./runransomware
    Password:
    Segfault in libc.so. Please reinstall.

    Followed by much sighing, and trying to google what the problem is.

    See, this is the problem with the Linux desktop. Even installing malware is just too darned complicated.

  11. Re:Windows by Grishnakh · · Score: 3, Insightful

    And how exactly does someone get infected with this anyhow? According to your link: "The malware requires administrator privileges to run and, presumably, a sysadmin who would allow for such a program to run unbridled." There's no mention on that page, or the "Dr. Web" page it links to, of how anyone actually gets infected with this thing other than somehow getting themselves a copy and then intentionally running it as root. If there is an infection path it takes in the wild, these pages aren't specifying it.

    It's also mentioned that it works on systems running MySQL and Apache. Who runs Apache any more? Every serious Linux webserver is running Nginx now.

    Finally, you're comparing apples to oranges. The Windows malware is for desktop and/or server Windows. The Linux malware appears to only be targeted at webservers. I don't know about you, but I don't run a webserver; for my websites I just use simple shared hosting and let someone else worry about that stuff (if my web host gets infected, no big deal, I'll just reload from backups). I'm worried about my desktop (/laptop) PCs, but since I run Linux there, I don't have to worry about any *serious* malware threats. No one has yet proven that there is any *serious* malware threat for desktop Linux.

  12. Re:Windows by Grishnakh · · Score: 4, Informative

    A malware app that someone has to be dumb enough to manually install is one thing, getting infected with something because your web browser or your email program is vulnerable is another. Most of the Windows malware I've heard about doesn't require someone to manually install software, it's as easy as clicking on the wrong link in IE.

    Also, a lot of Windows malware seems to thrive because Windows is homogeneous. Remember that Lenovo malware that was (still is I think) baked into their laptops' BIOS, and would replace a critical Windows system DLL? That stuff only works because Windows is so uniform. If someone has Windows 8.1 installed, then you can count on that DLL being there, and you can count on being able to replace it with a modified DLL and have things work out the way you expect. This just isn't the case with Linux: every distro is different, files are in different places, files are not binary compatible (you can't just take libfoo.so.4.2.1.0 from Ubuntu and drop it into an Arch install and expect it to work), distros change versions every 6 months (so libfoo.so from Mint 17 is incompatible with libfoo.so from Mint 17.1), systems don't even use the same init system and low-level utils (Ubuntu and Mint still use upstart, Slackware still uses sysvinit), etc. Everything works fine because of package management and distros building everything all together at once, but malware expecting to monkey with the internals simply won't work because there's too many variables.

    Yes, if someone distributes some Linux dancing-monkey malware, there's nothing you can do to prevent people from being stupid and installing it, but I haven't heard about this attack vector being a serious problem on *Windows* for a long time. Even the Windows users aren't that naive any more; they've had this stuff drilled into their heads for years. They're getting infected in other ways.

  13. Re:Just asking...... by Anonymous Coward · · Score: 5, Insightful

    What the hell is wrong with people like you? It's not that the guy isn't a first class cunt, but what sort of poorly controlled emotion causes a person to warm to the idea of torture and death? I sometimes wonder whether some humans have a repressed bloodlust and they use righteous indignation as an excuse to bring it out.

    Sure, lock the guy up, seize everything, whatever, following due process. Be more civilised than he is, not less.

  14. Re:Just asking...... by Anonymous Coward · · Score: 2, Funny

    You're really one tough old guy, JustAnotherOldGuy.
    If you choked on your bagel tomorrow, I wouldn't give a shit