Ransomware Sample

4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058

Unpacking code:

```python
import yara
from pefile import PE
from struct import unpack
from aplib import Decompress
from io import BytesIO
from sys import argv


def decrypt(key, data):
    """Custom RC4-like routine shared by the crypter and the Delphi payload.

    What survives of the routine in this listing: a 256-byte S-box is keyed
    with the usual swap loop, then for every input byte several extra S-box
    additions and swaps feed an index whose entry is XORed with the byte.
    The index expressions themselves are missing, so they are left as gaps.
    """
    sbox = list(range(256))
    # key schedule (indices lost from the listing):
    #   sbox[i], sbox[j] = sbox[j], sbox[i]
    ...
    o = b''
    for i in range(len(data)):
        # keystream step (indices lost from the listing):
        #   eb[..] = (eb[..] + eb[..]) % 256      several times, with swaps
        #   x1 = eb[..] ^ eb[..]
        #   x2 = x1 ^ data[i]
        #   eb[..] = x2
        #   o += bytes([x2])
        ...
    return o


def main():
    filepath = argv[1]
    readbin = open(filepath, 'rb').read()
    # The rule's strings section and most of its condition are missing from
    # this listing; only 'condition: filesize ...' is left of it.
    rule_source = (
        'rule sugar_RaaS_crypter '
        'condition: filesize '
    )
    rule = yara.compile(source=rule_source)
    matches = rule.match(data=readbin)
    if len(matches) > 0:
        # Locate the key and the encrypted blob inside the PE (pefile / unpack),
        # decrypt(key, blob), then aPLib-decompress the result (Decompress over
        # a BytesIO) to recover the Delphi payload. This part is missing here.
        ...


main()
```

The malware is written in Delphi, but the interesting part from a RE perspective was the reuse of the same routine from the crypter as part of the string decoding in the malware. This suggests the same developer wrote both, and that the crypter is probably part of the build process or a service the main actor offers to affiliates.

Because of the way Delphi lays out its strings, decoding them is a straightforward process using the same sort of code as the crypter: we just need to find each string and key pair. Constant strings carry a reference count of -1 (0xFFFFFFFF) followed by a 32-bit length and the bytes, and each key string is immediately followed by the encrypted blob it decodes.

```python
import struct
import sys

MARKER = b'\xff\xff\xff\xff'   # refcount -1: a compile-time constant Delphi string


def decode_data(key, data):
    """The crypter's RC4-like routine, decrypt() from the unpacking code above."""
    return decrypt(key, data)


if __name__ == "__main__":
    data = open(sys.argv[1], 'rb').read()
    curr = data.find(MARKER)
    while curr != -1:
        # key string: refcount, length, bytes
        (_, b) = struct.unpack_from('<II', data, curr)
        if b > 1000:                       # not a real string, skip this marker
            curr = data.find(MARKER, curr + 4)
            continue
        key = data[curr + 8:curr + 8 + b]
        # the encrypted blob is the next constant string
        curr = data.find(MARKER, curr + 8 + b)
        if curr == -1:
            break
        (_, b2) = struct.unpack_from('<II', data, curr)
        if b2 > 1000:
            curr = data.find(MARKER, curr + 4)
            continue
        blob = data[curr + 8:curr + 8 + b2]
        curr += 8 + b2
        try:
            print(decode_data(key, blob))
        except Exception:
            pass
        curr = data.find(MARKER, curr)
```

Decoded strings:

browser
Software\Microsoft\Windows\CurrentVersion\Run
notepad.exe
desktop
-c=show
-net=0
Process started.
1.
Network communication started
Work type -
Preconfig done:
Your support onion(TOR) url:
Your ID:
c:\
\cmd.txt
-data=
network
single
txt

The ransom note has some striking similarities to REvil's but also some differences and misspellings:

-= Welcome. =-
Whats HapPen?
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension csruj.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us.
To check the ability of returning files, You should go to our website.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
How to get access on website?
You have two ways:
1) Using a TOR browser!
a) Download and install TOR browser from this site:
b) Open our website:
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website:
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
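The Delphi constant-string walk described above, as an added example that is not the blog's script: it scans an image for the 0xFFFFFFFF refcount marker, pairs each string with the blob that follows it, and hands the pairs to whatever decoder the caller supplies. The decryption routine is not reproduced; the XOR used here is a labeled stand-in so the example runs on the constructed input. Two things go beyond the text: the scanner requires the NUL terminator Delphi appends to every string (so stray 0xFFFFFFFF words are rejected), and because it keys on the refcount word it works equally for the classic 8-byte header and the Delphi 2009+ header that prefixes a code page and element size.

```python
"""Scan a Delphi image for constant strings and pair them as (key, blob).

Added example (not the blog's code). The decryption routine is NOT
reproduced: a caller passes one in, and xor_stand_in is only a placeholder
so the example runs on the constructed sample image.
"""
import struct
from typing import Callable, Iterator, List, Tuple

MARKER = b"\xff\xff\xff\xff"   # refcount == -1: string lives in the binary, never freed
MAX_LEN = 1000                 # same sanity bound the blog's scanner uses


def delphi_string(payload: bytes) -> bytes:
    """Lay payload out as a classic Delphi long string: refcount, length, bytes, NUL."""
    return MARKER + struct.pack("<I", len(payload)) + payload + b"\x00"


def iter_strings(image: bytes, max_len: int = MAX_LEN) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, bytes) for every plausible constant string in image.

    A marker is accepted only if the length that follows is sane, the string
    fits in the image and the byte after it is the NUL Delphi always appends;
    anything else (a stray 0xFFFFFFFF in code or data) is skipped.
    """
    pos = image.find(MARKER)
    while pos != -1:
        nxt = pos + 4
        if pos + 8 <= len(image):
            length = struct.unpack_from("<I", image, pos + 4)[0]
            end = pos + 8 + length
            if 0 < length <= max_len and end < len(image) and image[end] == 0:
                yield pos, image[pos + 8:end]
                nxt = end + 1
        pos = image.find(MARKER, nxt)


def key_blob_pairs(image: bytes) -> List[Tuple[bytes, bytes]]:
    """Pair consecutive constant strings as (key, encrypted blob)."""
    found = [s for _, s in iter_strings(image)]
    return [(found[i], found[i + 1]) for i in range(0, len(found) - 1, 2)]


def decode_all(image: bytes, decode: Callable[[bytes, bytes], bytes]) -> List[bytes]:
    """Run decode(key, blob) over every pair; one bad pair must not abort the walk."""
    out = []
    for key, blob in key_blob_pairs(image):
        try:
            out.append(decode(key, blob))
        except Exception:
            continue
    return out


def xor_stand_in(key: bytes, blob: bytes) -> bytes:
    """Placeholder cipher for the demo; the real one is the crypter's RC4-like loop."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def build_sample_image() -> bytes:
    """Constructed input: two key/blob pairs around a stray marker with an absurd length."""
    k1, p1 = b"k3y1", b"notepad.exe"
    k2, p2 = b"abc", b"-net=0"
    stray = MARKER + struct.pack("<I", 0x7FFFFFFF)   # looks like a header, fails the sanity check
    return (b"MZ" + b"\x00" * 14
            + delphi_string(k1) + delphi_string(xor_stand_in(k1, p1))
            + b"\x90" * 5 + stray + b"\x90" * 3
            + delphi_string(k2) + delphi_string(xor_stand_in(k2, p2))
            + b"\x00" * 8)


if __name__ == "__main__":
    for s in decode_all(build_sample_image(), xor_stand_in):
        print(s)
```

To use it against a real sample, read the unpacked Delphi PE into `image` and pass the crypter's decryption routine in place of `xor_stand_in`; the pairing logic and the sanity checks do not change.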