Tuesday, 10 May 2016

On 01:50 by admin
A new ransomware called Enigma was discovered that targets Russian-speaking countries. Discovered in late April by Jakub Kroustek, a reverse engineer and malware analyst for AVG, the Enigma Ransomware encrypts your data using AES encryption and then demands 0.4291 BTC, or approximately $200 USD, to get your files back.

Besides targeting Russian-speaking countries, another interesting feature is that Enigma uses an HTML/JS based installer that contains an embedded ransomware executable. Some good news is that this ransomware does not appear to delete the Shadow Volume Copies, so a victim can use them to recover their files.

Javascript installer with an embedded executable
According to analysis done by MalwareHunterTeam and myself, the Enigma Ransomware is currently being distributed via HTML attachments that contain everything needed to create an executable, save it to the victim's hard drive, and then execute it. When the HTML attachment is opened it will launch the default browser and execute the embedded JavaScript.

This JavaScript will create a standalone JavaScript file called Свидетельство о регистрации частного предприятия.js, which loosely translates to The certificate of registration of private predpriyatiya.js.

When the JavaScript file is created, the HTML file will automatically pretend to download it and offer it as a file that the victim should execute. When this JS file is executed, it will create an executable called 3b788cd6389faa6a3d14c17153f5ce86.exe that is automatically launched and executed. This executable is created from an array of bytes stored in the JavaScript file.
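For triage of such a dropper, the useful check is whether a script carries a numeric byte array that decodes to a PE image alongside the script-host objects needed to write and launch it. The following analyzer is an added example (not code from the original post); the sample JS it scans is constructed, with a fake payload consisting only of an "MZ" header and padding, and it handles only the decimal array literals described above, not hex strings or fromCharCode encodings.

```python
import hashlib
import re

# Constructed sample in the shape of the dropper described above. The array is
# NOT a real executable, only a fake "MZ" header plus padding.
SAMPLE_JS = """
var fso = new ActiveXObject("Scripting.FileSystemObject");
var data = [77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255];
var shell = new WScript.Shell();
"""

# Script-host objects a JS dropper needs in order to write a file and run it.
SUSPICIOUS_APIS = ("ActiveXObject", "Scripting.FileSystemObject",
                   "WScript.Shell", "ADODB.Stream")

# A bracketed list of decimal integers separated by commas.
ARRAY_RE = re.compile(r"\[\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\]")


def extract_byte_arrays(js_text, min_len=8):
    """Return every numeric array literal whose values all fit in one byte."""
    found = []
    for m in ARRAY_RE.finditer(js_text):
        values = [int(v) for v in m.group(1).split(",")]
        if len(values) >= min_len and all(0 <= v <= 255 for v in values):
            found.append(bytes(values))
    return found


def analyze_dropper(js_text):
    """Flag script-host APIs and hash any embedded blob that looks like a PE."""
    apis = [a for a in SUSPICIOUS_APIS if a in js_text]
    payloads = []
    for blob in extract_byte_arrays(js_text):
        payloads.append({
            "size": len(blob),
            "is_pe": blob[:2] == b"MZ",  # DOS header magic of a PE file
            "md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    drops_exe = bool(apis) and any(p["is_pe"] for p in payloads)
    return {"apis": apis, "payloads": payloads, "drops_executable": drops_exe}


if __name__ == "__main__":
    print(analyze_dropper(SAMPLE_JS))
```

The hashes of an extracted blob can be compared against the sample's known indicators or submitted for scanning without ever running the script.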

Once executed, the executable will encrypt the data on the victim's computer and append the .enigma extension to them. For example, test.jpg would become test.jpg.enigma. 

When the encryption process is done, it will execute the %UserProfile%\Desktop\enigma.hta file to display the ransom note shown below. This ransom note contains information on what happened to the victim's files and a link to the TOR payment site. The text of this ransom note is:

Мы зашифровали важные файлы на вашем компьютере: документы, базы данных, фото, видео, ключи. 
Файлы зашифрованны алгоритмом AES 128(https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) с приватным ключем,который знаем только мы.
Зашифрованные файлы имеют расширение .ENIGMA . Расшифровать файлы без приватного ключа НЕВОЗМОЖНО.

Если хотите получить файлы обратно:

1)Установите Tor Browser https://www.torproject.org/
2)Найдите на рабочем столе ключ для доступа на сайт ENIGMA_(номер вашего ключа).RSA
3)Перейдите на сайт http://f6lohswy737xq34e.onion в тор-браузере и авторизуйтесь с помощью ENIGMA_(номер вашего ключа).RSA
4)Следуйте инструкциям на сайте и скачайте дешифратор

Если основной сайт будет недоступен попробуйте http://ohj63tmbsod42v3d.onion/ 

This loosely translates into English as:

We have encrypted the important files on your computer: documents, databases, photos, videos, keys.
The files are encrypted with the AES 128 algorithm (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) using a private key that only we know.
Encrypted files have the .ENIGMA extension. Decrypting the files without the private key is IMPOSSIBLE.

If you want to get your files back:

1) Install the Tor Browser https://www.torproject.org/
2) Find the key for accessing the site on your desktop: ENIGMA_(your key number).RSA
3) Go to the site http://f6lohswy737xq34e.onion in the Tor Browser and log in using ENIGMA_(your key number).RSA
4) Follow the instructions on the site and download the decryptor

If the main site is unavailable, try http://ohj63tmbsod42v3d.onion/

During the encryption process it will also create the following files, which are described below.

%Temp%\testttt.txt - A debug file used to determine if the file handle could be opened for the creation of the ransomware executable.

%AppData%\testStart.txt - Debug file indicating that the encryption started and was successful.

%UserProfile%\Desktop\allfilefinds.dat - Encrypted list of files that were encrypted.

%UserProfile%\Desktop\enigma.hta - Set as a Windows autorun entry so that the ransom note shown above is displayed automatically.

%UserProfile%\Desktop\ENIGMA_[id_number].RSA - The unique public key associated with the victim's computer. This is used to log in to the payment site.

%UserProfile%\Desktop\enigma_encr.txt - Text based ransom note.

%UserProfile%\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe - Ransomware executable.

Last, but not least, this ransomware does not delete the Shadow Volume Copies. So you can use these instructions to recover them for free. If you need help with this method, you can ask in the dedicated Enigma Ransomware Support and Help Topic.

The Enigma Ransomware Payment Site
When a user is infected and wishes to pay the ransom, they need to connect to a special TOR site created by the developers. The address of this TOR site is given in the ransom note, and the site requires you to upload the ENIGMA_[id_number].RSA file in order to log in.

When a user logs in they will be presented with the amount of bitcoins they must send as the ransom, as well as the bitcoin address the payment must be sent to. This payment site offers a victim the ability to decrypt one file for free to prove that the ransomware developers can do so. It also includes a support chat box that a victim can use to talk to the malware developers.

Once a payment has been made, a download link will be made available that can be used to download the decryptor.

Files associated with the Enigma Ransomware:

Registry keys associated with the Enigma Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgram 3b788cd6389faa6a3d14c17153f5ce86.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyProgramOk %UserProfile%\Desktop\enigma.hta
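The dropped files and the two Run values above are enough to triage a host from an inventory snapshot. The helper below is an added example (not the post's own tooling): it takes the Run values and a list of file paths collected from a machine, matches them against the artifacts listed in this post, and maps each .enigma file back to the original name to look for in the Shadow Volume Copies. The Run data and paths it is fed are constructed.

```python
from pathlib import PureWindowsPath

# Run values named in the post and the file name each one is expected to launch.
RUN_VALUES = {"myprogram": "3b788cd6389faa6a3d14c17153f5ce86.exe",
              "myprogramok": "enigma.hta"}
# Files the post lists as created during infection (matched by name only).
DROPPED_FILES = {"testttt.txt", "teststart.txt", "allfilefinds.dat",
                 "enigma.hta", "enigma_encr.txt",
                 "3b788cd6389faa6a3d14c17153f5ce86.exe"}
ENCRYPTED_EXT = ".enigma"

# Constructed inventory of a hypothetical host (user "alice").
SAMPLE_RUN = {"MyProgram": "3b788cd6389faa6a3d14c17153f5ce86.exe",
              "MyProgramOk": r"C:\Users\alice\Desktop\enigma.hta",
              "OneDrive": r"C:\Users\alice\AppData\Local\OneDrive.exe"}
SAMPLE_PATHS = [r"C:\Users\alice\Desktop\enigma.hta",
                r"C:\Users\alice\Desktop\allfilefinds.dat",
                r"C:\Users\alice\Desktop\ENIGMA_1234.RSA",
                r"C:\Users\alice\Documents\test.jpg.enigma",
                r"C:\Users\alice\Downloads\3b788cd6389faa6a3d14c17153f5ce86.exe",
                r"C:\Users\alice\Documents\notes.txt"]


def triage(run_entries, paths):
    """run_entries: {value name: data} from HKCU\\...\\CurrentVersion\\Run.
    paths: file paths seen on the host. Returns the matched persistence
    entries, dropped artifacts, the victim key file(s), the encrypted files and
    the original names to restore from Shadow Volume Copies."""
    persistence = {name: data for name, data in run_entries.items()
                   if name.lower() in RUN_VALUES
                   and PureWindowsPath(data).name.lower() == RUN_VALUES[name.lower()]}
    artifacts, keys, encrypted, originals = [], [], [], []
    for p in paths:
        low = PureWindowsPath(p).name.lower()
        if low in DROPPED_FILES:
            artifacts.append(p)
        elif low.startswith("enigma_") and low.endswith(".rsa"):
            keys.append(p)  # ENIGMA_[id_number].RSA identifies the victim
        elif low.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
            originals.append(p[:-len(ENCRYPTED_EXT)])  # test.jpg.enigma -> test.jpg
    return {"persistence": persistence, "artifacts": artifacts, "keys": keys,
            "encrypted": encrypted, "originals": originals,
            "infected": bool(persistence) or bool(encrypted)}


if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_PATHS))
```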

