DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.

I am writing ransomware for Linux

It will teach all you Linux using nerds a lesson.

Re:I am writing ransomware for Linux

This will only work if a novice Linux user doesn't encrypt during install. Good luck.

Re:I am writing ransomware for Linux

are you the cow troll

Re:I am writing ransomware for Linux

You have no idea what you're talking about

Re:I am writing ransomware for Linux

[mukinrestak]

May I assume you are one of those folks that believe in the infallibility of Linux? There is already ransomware for Linux, although to the best of my knowledge most of it is in the form of a trojan, and not something that can run by itself or abuses privilege escalation. I use Linux for my daily driver, and thanks to Win 10s privacy shenanigans don't plan to ever go back, but that doesn't mean the shit's perfect. Hell, given the prevalence of linux in the web infrastructure, I could see linux ransomware having a serious boom soon. Corporations can pay a lot higher ransom than your average Joe. As for home linux ransomware, you can bet your sweet ass-meat that SteamOS will be a tempting target. Make individual customers pay up to get their machines working again, and then make Valve pay up to get you to release the rest that refused to pay in order to preserve their reputation.

Re: I am writing ransomware for Linux

Agreed. Saying you're writing ransomware for Linux is like saying you're writing a good article for slashdot with a one-liner like "I am writing ransomware for Linux".

Nice tool from Emsisoft

[ITRambo]

Apparently, the bad-guy equivalent of script kiddies (or toddlers) put this ransomware out. No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours. A lot of people dodged a bullet here as Emsisoft puts out great software. Kudos to them for offering this tool

Re:Nice tool from Emsisoft

[BLKMGK]

Agree on both counts! Someone made errors and these guys were smart enough and thoughtful enough to break the crypto. Kudos!

Re:Nice tool from Emsisoft

[cfalcon]

> No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours.

No true encryption, eh?

We have no reason to believe it's not real crypto. We have every reason to believe they screwed up their implementation.

Do we need another word? I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show. But as reported it is accurate- you aren't even picking nits, you're asking for a much greater degree of insight than a headline can really provide.

Re:Nice tool from Emsisoft

[Darinbob]

You can build the best tools in the world but it's pointless if the user doesn't know how to use them. Encryption is hard, you can just follow a quick README to slap some on. It's like using the handle of a hammer to pound in nails.

Re:Nice tool from Emsisoft

[mikael]

There's probably a trade-off between encrypting as many files as possible before the user finds out (favoring simple methods or small block sizes), and encrypting individual files so hard that the user can't decrypt them in a reasonable time (favoring complex methods or large block sizes).

Re:Nice tool from Emsisoft

There are relatively simple (or at least fast) known secure ways of quickly changing cipher output without having to rekey (e.g https://en.wikipedia.org/wiki/... ). Additionally, AES has hardware acceleration on almost everything these days. Disk encryption can usually be done so fast that the IO of the disk is still the bottleneck.

I forget exactly what properties you do want if you're trying to encrypt files for the ransomware type case, but it's safe to say the trade off was not around CPU related issues and was instead a trade off between how much time they were prepared to spend learning crypto and how likely they thought it was that anyone would bother to break it.

Re:Nice tool from Emsisoft

[uninformedLuddite]

I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show.

At least on TV you get to have a laugh as they use a 320p webcam to catch a reflection from 200 metres away giving them the key to crack the cookie thus saving the planet.

Re: Nice tool from Emsisoft

*enhance*

Re: Nice tool from Emsisoft

Hide hardware encryption threads, ignore hardware encryption posts, no not reply to hardware encryption posters.

Hardware encryption offers a spread anus. Hardware encryption offers weaknesses only understood by a team of software engineers, hardware engineers, physiscists, and crystallographers.

Software is understandable by anyone with an undergrad in many fields.

Do not accelerate. Do not use. Do not trust.

Really?

Who the heck is getting infected with ransomware in 2015? Use Linux.

Re:Really?

It's the majority not using Linux who are keeping the Linux users safe by being the larger target.

Re:Really?

[gweihir]

Does not help. Linux is making competent people a lot saver, but it will do nothing for incompetent ones, unless they are willing to pay for professional system administration. The difference is that even with professional system administration, Windows remains a problem, while Linux is not. But without it, they are both insecure.

Random .PNG file?

[CanEHdian]

Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

Re: Random .PNG file?

[Redmancometh]

The key has to be derived out.

Re: Random .PNG file?

[kbg]

And why does that need a random .png of the Internet?

Re: Random .PNG file?

Which they could do from a .PNG file stored in the binary in advance.

Re: Random .PNG file?

I presume because you copy the random PNG onto the infected system (where it is encrypted by the malware) and voila, you have a known sample in enc/dec terms. Maybe there were technical reasons for not having the tool itself deploy the unsullied version.

Re: Random .PNG file?

Ok, but even so, why not /dev/urandom? Why a random PNG from the Internet?

Re: Random .PNG file?

Because you're a fucking moron, evidently.

Re: Random .PNG file?

Perhaps because the first 8 bytes of every PNG file is identical? That's all I can think of.

Re: Random .PNG file?

[AK+Marc]

It doesn't. It just needs to be a file that's encrypted and one that's not. You could have the tool generate it's own binary file with random contents, but that's not how the tool was made. The PNG doesn't need to be "on the Internet", it's just that when you have the infected system in Boston, and you are in Chicago, it's easier to have the Boston and Chicago systems access the same file from some public server, than to generate one locally and send it to the other system.

Re: Random .PNG file?

Which, if they want to be general - which they apparently do, would require them to keep a file of ANY format stored in the binary in advance.

Something even you should understand is stupid.

Providing an arbitrary non-encrypted file, of any format, to the program is much more general and flexible.

Don't be the moron here.

Re: Random .PNG file?

The great poet, Eminem, has thus spake: But when they move their lips, nothing comes out but a bunch of gibberish.

(Sans punctuation and capitalization, presumably.)

Re: Random .PNG file?

[uninformedLuddite]

That sounds like magic to me.

Re: Random .PNG file?

[Redmancometh]

There are a couple possibilities I can think of.
A) Maybe there is a risk that the PNG you used would already be encrypted, so it says to use an external source.
B) Malware tends to hook common system functions, such as those used to generate data for testing, and the malware author gives his solution just in case. This is particularly true with .net assemblies, as the entire set of addresses for the method table is readily available.
C) Some combination of the 2.

Odd way to release a security tool

I wondered why the summary has links to articles on Softpedia and Bleeping Computer instead of linking directly to Emsisoft, whose employee wrote the decryption utility. But it seems Emsisoft has dropped the ball, as they have nothing on their home page or their blog or their changelog that mentions this tool. In fact I can't find any reference to this on their site at all, which makes me suspicious about downloading it.

Both of the articles in the summary point to a link on emsi.at instead of emsisoft.com. Domain registration and name servers point to emsi.at being a legitimate host under the control of Emsisoft, but who knows? What a weird way to release a security tool, with zero announcements on your company website and the download hosted at a URL shortener.

Re:Odd way to release a security tool

[campuscodi]

That's why Bitdefender has a huge market share and almost nobody heard of Emsisoft. It's called a marketing department. Remember when Bitdefender cracked Linux.Encoder.1 and provided a shield tool for CryptoWall 4.0? It was everywhere on the Internet.

Re:Odd way to release a security tool

How is it odd? BleepingComputer has become the authority on crypto ransomware. Look through their news and archived news in their forums and you will see they typically break all news on new ransomware before anyone else.

What confuses me is why softpedia is even mentioned at all considering they just regurgitated what was originally posted in BleepingComputer's article on this.

Re:Odd way to release a security tool

How is it odd? If you look through BleepingComputer's articles on ransomware you see there is some sort of relationship between them and AV experts such as Fabian. As far as I am concerned, BleepingComputer has become the authority on crypto ransomware. If you look through their news, any new ransomware that comes out is typically reported by them first.

What confuses me,though, is why softpedia is even mentioned at all considering they just regurgitated what was [url=http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/]originally posted[/url] in BleepingComputer's article on this.

Re:Odd way to release a security tool

I agree, its strange how there is nothing on Emsisoft's site, but if you look through BleepingComputer's articles on ransomware you see there is some sort of relationship between them and AV experts such as Fabian. As far as I am concerned, BleepingComputer has become the authority on crypto ransomware. If you look through their news, any new ransomware that comes out is typically reported by them first.

What confuses me,though, is why softpedia is even mentioned at all considering they just regurgitated what was originally posted in BleepingComputer's article.

Because backups are important

I don't see how people are still not making proper backups of their data to completely negate the effectiveness of ransomware.

It just seems like it would be common sense to consistently backup data s a good practice.

Re: Because backups are important

We can only assume they are too cheap, lazy or distracted with other things to keep frequent backups. Sooner or later data will be lost and they will learn the hard way.

Re: Because backups are important

[Ungrounded+Lightning]

We can only assume they are too cheap, lazy or distracted with other things to keep frequent backups.

Or they think they ARE keeping backups, because they ARE - on a different part of the same disk, using automated processes provided and touted by the vendor - but the ransomware disables the tools and deletes the backups. Oops!

There's a difference between "backups" and "adequate, off-machine, backups".

Tech Surver

Please help my team at #Greythorn be statistically relevant by taking our five minute anonymous tech market survey: http://bit.ly/tech-ashina -- for every survey completed we will donate a $1 to the Apache Foundation #TheASF #ApacheBrooklyn

old news

Is this old news day on /.? 3 articles in a row that have been reported elsewhere days ago.

Re:old news

You must be new here.

Re:old news

Ironically enough, they're sharing old news. We've had old news here since there was old news to have. This is not news.

Source Code

[Fnord666]

The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

They distributed the source code with the ransomware? I'll bet that was handy when it came to reverse engineering it.

Re:Source Code

[Ungrounded+Lightning]

The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

They distributed the source code with the ransomware?

Or the strings in the source code ended up generating strings in the object code and something like the "strings" tool found them.

Re:Source Code

Really?

It would probably have been better if the original source of the story was posted rather than Softpedia's bad replay.

Bleeping clearly states:

"Other sites have also been calling this ransomware DecryptorMax due to a hard coded string found inside the ransomware executable"

CryptInfinite method of infection ..

[nickweller]

How exactly does this ransomware get onto your computer?

Re:CryptInfinite method of infection ..

For my boss, it was via a resume.doc attachment. We have several jobs posted :-(

This was the low point of 2015 for me (backups several months out of date), so I'm hoping this recovery tool works.

(certainly not logging in so you can make fun of my 5 digit /. id ....)

Looks to me like an oversight.

[Ungrounded+Lightning]

Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

I'd guess:
  - The authors wrote the tool to use enough of the start of an encrypted/clear file pair to generate / sieve the key and deployed that.
  - Some used discovered, after the tool was deployed, that the invariant header of a .png file was long enough that any .png file could function as the "clear" for any encrypted .png (or at least that many unrelated pairs could do that.)

I'd bet that, if the authors had thought there was a nearly-universally-present file type the ransomware would chose to encrypt, with a large enough header to pull off this trick, they'd have included a canned header and the option to use it in the tool.