CryptoWire with Decryption Key Included
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of CryptoWire, a ransomware that was once viral in 2018. 
Figure 1. CryptoWire GitHub

CryptoWire is mainly distributed via phishing emails and is written in AutoIt script.

Main Features

The ransomware copies itself to the path “C:\Program Files\Common Files” and registers a scheduled task in the Task Scheduler to maintain persistence.
Figure 2. Registering a task schedule 
Figure 3. Registered task schedule

The malware enumerates the local system and connected network environments to extend file encryption to them, saves the results as domaincheck.txt on the desktop, and also looks up the created account.
Figure 4. Part of the source code related to the expansion of encryption

Additionally, the malware empties the Recycle Bin and deletes the volume shadow copies to prevent recovery.
Figure 5. Preventing decryption

Encrypted files take the form [Original file name].encrypted.[Original extension], and the malware displays a message stating that a decryption key must be purchased to decrypt the files.
Figure 6. Encryption extension 
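A triage helper covering the three host artifacts described above (the Common Files persistence path, domaincheck.txt on the desktop, and the .encrypted. naming scheme), as an added example that is not part of the ASEC report. The scheduled-task and file listings are constructed sample data, and the executable name under Common Files is a placeholder because the report does not give the name of the copied file.

```python
import re
from pathlib import PureWindowsPath

# From the report: naming scheme, persistence copy location, and the survey output file.
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.encrypted\.(?P<ext>[^.]+)$", re.IGNORECASE)
COMMON_FILES = PureWindowsPath(r"C:\Program Files\Common Files")
SURVEY_FILE = "domaincheck.txt"

# Constructed sample data (not from the report). The executable name under Common Files
# is a placeholder; the report does not give the name of the copied file.
SAMPLE_TASKS = [
    {"name": "OneDrive Update", "execute": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"name": "SystemCheck", "execute": r"C:\Program Files\Common Files\PLACEHOLDER.exe"},
]
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\domaincheck.txt",
    r"C:\Users\alice\Documents\budget.encrypted.xlsx",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\FILESRV\share\report.encrypted.docx",
]

def original_name(file_name):
    """Map a CryptoWire-style name back to its pre-encryption name, or None if no match."""
    m = ENCRYPTED_NAME.match(file_name)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None

def suspicious_tasks(tasks):
    """Scheduled tasks whose action runs from under Common Files. Legitimate software
    also installs there, so treat a hit as something to review, not as proof."""
    return [t["name"] for t in tasks
            if PureWindowsPath(t["execute"]).is_relative_to(COMMON_FILES)]

def survey_outputs(file_paths):
    """domaincheck.txt files located in a Desktop folder (the network survey output)."""
    hits = []
    for p in file_paths:
        path = PureWindowsPath(p)
        if path.name.lower() == SURVEY_FILE and "desktop" in [x.lower() for x in path.parts]:
            hits.append(p)
    return hits

def triage(tasks, file_paths):
    """Run all three checks; 'encrypted' maps each hit to the name to restore after decryption."""
    encrypted = {p: original_name(PureWindowsPath(p).name) for p in file_paths}
    return {"tasks": suspicious_tasks(tasks),
            "survey": survey_outputs(file_paths),
            "encrypted": {p: n for p, n in encrypted.items() if n}}

if __name__ == "__main__":
    print(triage(SAMPLE_TASKS, SAMPLE_FILES))
```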
Figure 7. Ransom note

Note that the ransomware contains the decryption key. Depending on the type of attack, the decryption key is either included in the AutoIt script, as shown in Figure 8, or sent to the threat actor’s server along with the system information of the infected system, as shown in Figure 9.
Figure 8. Decryption key 
Figure 9. Source code related to the C2 server connection 
Figure 10. Decryption key transmitted to the C2 server 
Figure 11. When decryption is complete

Not many ransomware strains expose their decryption keys; most force users through an arduous decryption process. As such, users must take caution when opening files from unknown sources to prevent ransomware infection. Additionally, users must scan suspicious files using anti-malware software and keep the software updated to the latest version.

[File Detection]
– Trojan/Win.Kryptik.C5576563 (2024.01.20.00)
– Ransomware/Win.bcdedit.C5590639 (2024.02.20.00)

[Behavior Detection]
– Malware/MDP.Ransom.M1171