Slashdot Mirror


DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom (softpedia.com)

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.

49 comments

  1. Nice tool from Emsisoft by ITRambo · · Score: 5, Insightful

    Apparently, the bad-guy equivalent of script kiddies (or toddlers) put this ransomware out. No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours. A lot of people dodged a bullet here as Emsisoft puts out great software. Kudos to them for offering this tool.

    1. Re:Nice tool from Emsisoft by BLKMGK · · Score: 2

      Agree on both counts! Someone made errors and these guys were smart enough and thoughtful enough to break the crypto. Kudos!

      --
      Build it, Drive it, Improve it! Hybridz.org
    2. Re:Nice tool from Emsisoft by cfalcon · · Score: 2

      > No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours.

      No true encryption, eh?

      We have no reason to believe it's not real crypto. We have every reason to believe they screwed up their implementation.

      Do we need another word? I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show. But as reported it is accurate- you aren't even picking nits, you're asking for a much greater degree of insight than a headline can really provide.

    3. Re:Nice tool from Emsisoft by Darinbob · · Score: 1

      You can build the best tools in the world but it's pointless if the user doesn't know how to use them. Encryption is hard; you can just follow a quick README to slap some on. It's like using the handle of a hammer to pound in nails.

    4. Re:Nice tool from Emsisoft by mikael · · Score: 1

      There's probably a trade-off between encrypting as many files as possible before the user finds out (favoring simple methods or small block sizes), and encrypting individual files so hard that the user can't decrypt them in a reasonable time (favoring complex methods or large block sizes).

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re:Nice tool from Emsisoft by Anonymous Coward · · Score: 0

      There are relatively simple (or at least fast) known secure ways of quickly changing cipher output without having to rekey (e.g. https://en.wikipedia.org/wiki/... ). Additionally, AES has hardware acceleration on almost everything these days. Disk encryption can usually be done so fast that the IO of the disk is still the bottleneck.

      I forget exactly what properties you do want if you're trying to encrypt files for the ransomware type case, but it's safe to say the trade off was not around CPU related issues and was instead a trade off between how much time they were prepared to spend learning crypto and how likely they thought it was that anyone would bother to break it.

    6. Re:Nice tool from Emsisoft by uninformedLuddite · · Score: 1

      I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show.

      At least on TV you get to have a laugh as they use a 320p webcam to catch a reflection from 200 metres away giving them the key to crack the cookie thus saving the planet.

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    7. Re: Nice tool from Emsisoft by Anonymous Coward · · Score: 0

      *enhance*

    8. Re: Nice tool from Emsisoft by Anonymous Coward · · Score: 0

      Hide hardware encryption threads, ignore hardware encryption posts, do not reply to hardware encryption posters.

      Hardware encryption offers a spread anus. Hardware encryption offers weaknesses only understood by a team of software engineers, hardware engineers, physicists, and crystallographers.

      Software is understandable by anyone with an undergrad in many fields.

      Do not accelerate. Do not use. Do not trust.

  2. Re:Really? by Anonymous Coward · · Score: 2, Insightful

    It's the majority not using Linux who are keeping the Linux users safe by being the larger target.

  3. Random .PNG file? by CanEHdian · · Score: 3, Insightful

    Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
    1. Re: Random .PNG file? by Redmancometh · · Score: 1

      The key has to be derived out.

    2. Re: Random .PNG file? by kbg · · Score: 1

      And why does that need a random .png of the Internet?

    3. Re: Random .PNG file? by Anonymous Coward · · Score: 2, Insightful

      Which they could do from a .PNG file stored in the binary in advance.

    4. Re: Random .PNG file? by Anonymous Coward · · Score: 1

      I presume because you copy the random PNG onto the infected system (where it is encrypted by the malware) and voila, you have a known sample in enc/dec terms. Maybe there were technical reasons for not having the tool itself deploy the unsullied version.

    5. Re: Random .PNG file? by Anonymous Coward · · Score: 0

      Ok, but even so, why not /dev/urandom? Why a random PNG from the Internet?

    6. Re: Random .PNG file? by Anonymous Coward · · Score: 0

      Perhaps because the first 8 bytes of every PNG file is identical? That's all I can think of.

    7. Re: Random .PNG file? by AK+Marc · · Score: 1

      It doesn't. It just needs to be a file that's encrypted and one that's not. You could have the tool generate its own binary file with random contents, but that's not how the tool was made. The PNG doesn't need to be "on the Internet", it's just that when you have the infected system in Boston, and you are in Chicago, it's easier to have the Boston and Chicago systems access the same file from some public server, than to generate one locally and send it to the other system.

    8. Re: Random .PNG file? by Anonymous Coward · · Score: 0

      Which, if they want to be general - which they apparently do, would require them to keep a file of ANY format stored in the binary in advance.

      Something even you should understand is stupid.

      Providing an arbitrary non-encrypted file, of any format, to the program is much more general and flexible.

      Don't be the moron here.

    9. Re: Random .PNG file? by uninformedLuddite · · Score: 1

      That sounds like magic to me.

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    10. Re: Random .PNG file? by Redmancometh · · Score: 1

      There are a couple possibilities I can think of.
      A) Maybe there is a risk that the PNG you used would already be encrypted, so it says to use an external source.
      B) Malware tends to hook common system functions, such as those used to generate data for testing, and the malware author gives his solution just in case. This is particularly true with .net assemblies, as the entire set of addresses for the method table is readily available.
      C) Some combination of the 2.

  4. Re:Really? by gweihir · · Score: 2

    Does not help. Linux is making competent people a lot safer, but it will do nothing for incompetent ones, unless they are willing to pay for professional system administration. The difference is that even with professional system administration, Windows remains a problem, while Linux is not. But without it, they are both insecure.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Odd way to release a security tool by Anonymous Coward · · Score: 5, Interesting

    I wondered why the summary has links to articles on Softpedia and Bleeping Computer instead of linking directly to Emsisoft, whose employee wrote the decryption utility. But it seems Emsisoft has dropped the ball, as they have nothing on their home page or their blog or their changelog that mentions this tool. In fact I can't find any reference to this on their site at all, which makes me suspicious about downloading it.

    Both of the articles in the summary point to a link on emsi.at instead of emsisoft.com. Domain registration and name servers point to emsi.at being a legitimate host under the control of Emsisoft, but who knows? What a weird way to release a security tool, with zero announcements on your company website and the download hosted at a URL shortener.

    1. Re:Odd way to release a security tool by campuscodi · · Score: 1

      That's why Bitdefender has a huge market share and almost nobody heard of Emsisoft. It's called a marketing department. Remember when Bitdefender cracked Linux.Encoder.1 and provided a shield tool for CryptoWall 4.0? It was everywhere on the Internet.

    2. Re:Odd way to release a security tool by Anonymous Coward · · Score: 0

      I agree, its strange how there is nothing on Emsisoft's site, but if you look through BleepingComputer's articles on ransomware you see there is some sort of relationship between them and AV experts such as Fabian. As far as I am concerned, BleepingComputer has become the authority on crypto ransomware. If you look through their news, any new ransomware that comes out is typically reported by them first.

      What confuses me, though, is why softpedia is even mentioned at all considering they just regurgitated what was originally posted in BleepingComputer's article.

  6. Re:I am writing ransomware for Linux by mukinrestak · · Score: 2

    May I assume you are one of those folks that believe in the infallibility of Linux? There is already ransomware for Linux, although to the best of my knowledge most of it is in the form of a trojan, and not something that can run by itself or abuses privilege escalation. I use Linux for my daily driver, and thanks to Win 10's privacy shenanigans don't plan to ever go back, but that doesn't mean the shit's perfect. Hell, given the prevalence of linux in the web infrastructure, I could see linux ransomware having a serious boom soon. Corporations can pay a lot higher ransom than your average Joe. As for home linux ransomware, you can bet your sweet ass-meat that SteamOS will be a tempting target. Make individual customers pay up to get their machines working again, and then make Valve pay up to get you to release the rest that refused to pay in order to preserve their reputation.

  7. Because backups are important by Anonymous Coward · · Score: 0

    I don't see how people are still not making proper backups of their data to completely negate the effectiveness of ransomware.

    It just seems like it would be common sense to consistently back up data as a good practice.

    1. Re: Because backups are important by Anonymous Coward · · Score: 0

      We can only assume they are too cheap, lazy or distracted with other things to keep frequent backups. Sooner or later data will be lost and they will learn the hard way.

    2. Re: Because backups are important by Ungrounded+Lightning · · Score: 1

      We can only assume they are too cheap, lazy or distracted with other things to keep frequent backups.

      Or they think they ARE keeping backups, because they ARE - on a different part of the same disk, using automated processes provided and touted by the vendor - but the ransomware disables the tools and deletes the backups. Oops!

      There's a difference between "backups" and "adequate, off-machine, backups".

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  8. old news by Anonymous Coward · · Score: 0

    Is this old news day on /.? 3 articles in a row that have been reported elsewhere days ago.

    1. Re:old news by Anonymous Coward · · Score: 0

      You must be new here.

    2. Re:old news by Anonymous Coward · · Score: 0

      Ironically enough, they're sharing old news. We've had old news here since there was old news to have. This is not news.

  9. Source Code by Fnord666 · · Score: 1

    The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

    They distributed the source code with the ransomware? I'll bet that was handy when it came to reverse engineering it.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:Source Code by Ungrounded+Lightning · · Score: 1

      The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

      They distributed the source code with the ransomware?

      Or the strings in the source code ended up generating strings in the object code and something like the "strings" tool found them.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    2. Re:Source Code by Anonymous Coward · · Score: 0

      Really?

      It would probably have been better if the original source of the story was posted rather than Softpedia's bad replay.

      Bleeping clearly states:

      "Other sites have also been calling this ransomware DecryptorMax due to a hard coded string found inside the ransomware executable"
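The mechanism Ungrounded Lightning describes, a literal in the source surviving into the compiled executable where a `strings`-style scan finds it, is easy to reproduce. The following is an added example and not code from the page, from Emsisoft, or from the ransomware; `SAMPLE_BINARY` is a constructed byte blob standing in for a Windows executable, not the real sample. It scans for UTF-16LE runs as well as ASCII, because .NET and most other Windows binaries store their text that way and a plain ASCII scan would miss it.

```python
"""Pulling hard-coded identifiers out of a compiled executable the way the
'strings' tool does. Added example, not from the page: SAMPLE_BINARY is a
constructed byte blob standing in for a Windows executable, not the real
DecryptorMax sample. .NET and other Windows binaries mostly store text as
UTF-16LE, which a plain ASCII scan misses, so both encodings are scanned."""
import re


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE, ordered by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_run.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_run.finditer(blob)]
    return sorted(hits)


def grep_strings(blob: bytes, needle: str) -> list:
    """What `strings file.exe | grep needle` would show, with the encoding."""
    return [(enc, text) for _, enc, text in extract_strings(blob) if needle in text]


FILLER = bytes(range(1, 32))  # control bytes only: never part of a printable run

# Constructed stand-in for an executable: PE-style magic, "code" filler, and
# three places a project name typically leaks into the object code.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + FILLER * 4
    + b"DecryptorMax v1.0" + FILLER * 2                                   # ASCII literal
    + b"C:\\build\\DecryptorMax\\obj\\Release\\app.pdb" + FILLER * 2     # debug/build path
    + "Your files were encrypted by DecryptorMax".encode("utf-16-le")   # .NET-style string
    + FILLER * 3
)

if __name__ == "__main__":
    for enc, text in grep_strings(SAMPLE_BINARY, "DecryptorMax"):
        print(enc, text)
```

The build path is the one worth watching for in practice: a compiler embeds it for debugging, so it names the project directory even when the author never put the name in any user-visible string.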

  10. CryptInfinite method of infection .. by nickweller · · Score: 1

    How exactly does this ransomware get onto your computer?

    1. Re:CryptInfinite method of infection .. by Anonymous Coward · · Score: 1

      For my boss, it was via a resume.doc attachment. We have several jobs posted :-(

      This was the low point of 2015 for me (backups several months out of date), so I'm hoping this recovery tool works.

      (certainly not logging in so you can make fun of my 5 digit /. id ....)

  11. Looks to me like an oversight. by Ungrounded+Lightning · · Score: 1

    Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

    I'd guess:
      - The authors wrote the tool to use enough of the start of an encrypted/clear file pair to generate / sieve the key and deployed that.
      - Some user discovered, after the tool was deployed, that the invariant header of a .png file was long enough that any .png file could function as the "clear" for any encrypted .png (or at least that many unrelated pairs could do that.)

    I'd bet that, if the authors had thought there was a nearly-universally-present file type the ransomware would choose to encrypt, with a large enough header to pull off this trick, they'd have included a canned header and the option to use it in the tool.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
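The two threads above describe, between them, what a known-plaintext attack on a badly keyed file encryptor looks like: the Anonymous Coward's point that a cipher can produce a different output per file without rekeying (a counter-mode keystream under a per-file nonce), and Ungrounded Lightning's point that the invariant PNG header is long enough to serve as the "clear" half of any encrypted/clear pair. The block below is an added illustration and is not Emsisoft's decrypter or the real DecryptorMax/CryptInfinite cipher, whose internals the page does not describe. The hypothetical encryptor gets the per-file nonce right and gets the key wrong: it derives the key from a 16-bit seed (an assumption chosen so the search finishes in a second), and the 16 invariant header bytes of any PNG are enough known plaintext to pick out the one seed that reproduces the keystream. All inputs, including the PNG, are constructed inside the block.

```python
"""Known-plaintext key recovery against a toy file encryptor that uses a
low-entropy key, and why a PNG header is enough known plaintext to do it.

Added illustration, not Emsisoft's decrypter and not the real
DecryptorMax/CryptInfinite cipher. The hypothetical encryptor below gets one
thing right (a fresh per-file nonce, so each file gets a different keystream
without rekeying) and one thing wrong (its key is derived from a 16-bit seed,
small enough to enumerate in a second). All sample inputs are constructed here.
"""
import hashlib
import hmac
import os
import struct
import zlib

# The 8-byte PNG signature is followed by the IHDR chunk, whose length (13)
# and type fields are fixed too: the first 16 bytes of nearly every PNG.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_KNOWN_PREFIX = PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"

SEED_BITS = 16      # hypothetical weak seed space; kept tiny so the search is quick
NONCE_LEN = 8


def derive_key(seed: int) -> bytes:
    """Toy key derivation: every bit of the key comes from a small integer."""
    return hashlib.sha256(b"toy-kdf" + struct.pack(">I", seed)).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR).
    Changing the nonce changes the whole keystream; no rekeying needed."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(seed: int, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Ciphertext layout: nonce || plaintext XOR keystream(key, nonce)."""
    nonce = nonce or os.urandom(NONCE_LEN)
    return nonce + xor(plaintext, keystream(derive_key(seed), nonce, len(plaintext)))


def decrypt_file(seed: int, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(body, keystream(derive_key(seed), nonce, len(body)))


def candidate_seeds(blob: bytes, known_plaintext: bytes) -> list:
    """Brute force the seed. C XOR P gives the keystream bytes the true key
    must reproduce for this file's nonce; every seed that reproduces them is a
    candidate. More known bytes means fewer false positives."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    n = min(len(body), len(known_plaintext))
    target = xor(body[:n], known_plaintext[:n])
    return [s for s in range(1 << SEED_BITS)
            if keystream(derive_key(s), nonce, n) == target]


def recover_seed_from_png(blob: bytes) -> int:
    """The 'random PNG' route: only the 16 invariant header bytes are needed,
    so any PNG stands in for the victim's original."""
    seeds = candidate_seeds(blob, PNG_KNOWN_PREFIX)
    if len(seeds) != 1:
        raise ValueError("%d candidates; supply more known plaintext" % len(seeds))
    return seeds[0]


def make_png(width: int, height: int) -> bytes:
    """Minimal valid RGB PNG, constructed as sample input."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    secret_seed = 0xBEEF                       # the attacker never sees this
    victim_png = encrypt_file(secret_seed, make_png(4, 3))
    victim_doc = encrypt_file(secret_seed, b"quarterly numbers, do not share")
    seed = recover_seed_from_png(victim_png)   # key from the PNG alone
    print("seed 0x%04x ->" % seed, decrypt_file(seed, victim_doc))
```

Two things to take from it. The per-file nonce is not the weak point: the 16 keystream bytes recovered from the PNG only verify a key guess for that one file's nonce, and the other files fall because the guessed key is the same for all of them. And the "for best results compare an encrypted and decrypted file" advice in the summary is the false-positive budget at work: with one known byte, `candidate_seeds` returns a few hundred seeds; with sixteen it returns one. Against a key drawn from 128 random bits the same search never finishes, header or no header.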