CryptoWire with Decryption Key Included

AhnLab SEcurity intelligence Center (ASEC) recently discovered that CryptoWire, a ransomware strain that spread widely in 2018, is being distributed again.

Figure 1. CryptoWire GitHub

CryptoWire is mainly distributed via phishing emails and is written in AutoIt script.

Main Features
The ransomware copies itself to the path “C:\Program Files\Common Files” and registers a scheduled task in the Task Scheduler to maintain persistence.

Figure 2. Registering a task schedule

Figure 3. Registered task schedule

The malware enumerates the local system and the connected network environment to extend the scope of file encryption, saves the results as domaincheck.txt on the desktop, and enumerates the accounts that have been created.

Figure 4. A partial source code related to the expansion of encryption

Additionally, the malware empties the Recycle Bin and deletes volume shadow copies to prevent recovery.

Figure 5. Preventing decryption

Encrypted files take the form [Original file name].encrypted.[Original extension], and the malware displays a message stating that a decryption key must be purchased to decrypt the files.

Figure 6. Encryption extension

Figure 7. Ransom note

Note that the ransomware contains the decryption key. Depending on the type of attack, the decryption key is either embedded in the AutoIt script, as shown in Figure 8, or sent to the threat actor’s server along with the infected system’s information, as shown in Figure 9.

Figure 8. Decryption key

Figure 9. Source code related to the C2 server connection

Figure 10. Decryption key transmitted to the C2 server

Figure 11. When decryption is complete

Few ransomware strains expose their decryption keys; most force victims through an arduous decryption process. Users must therefore be careful when opening files from unknown sources to prevent ransomware infection. In addition, suspicious files should be scanned with anti-malware software, and the software should be kept updated to the latest version.
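As an added example (not code from the ASEC post or from the malware), the following Python triage script applies the behaviours described above to constructed endpoint telemetry: the scheduled task pointing under Common Files, shadow copy deletion, the domaincheck.txt artifact on the desktop, and the /bot/log.php C2 path. The event format, command lines and file paths are assumptions; only the C2 path comes from the IoC list.

```python
import re

# Constructed sample events (process, file and network). Command lines are
# assumptions: the post shows task registration and shadow-copy deletion only
# as screenshots, and an AutoIt binary may use COM rather than schtasks.exe.
# The C2 path is the post's IoC, kept in its defanged form.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn Updater /tr "C:\Program Files\Common Files\svc.exe" /sc onlogon'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"type": "file", "image": r"C:\Program Files\Common Files\svc.exe",
     "path": r"C:\Users\victim\Desktop\domaincheck.txt"},
    {"type": "network", "image": r"C:\Program Files\Common Files\svc.exe",
     "url": "hxxp://194.156.98[.]51/bot/log.php"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]

COMMON_FILES = re.compile(r"\\program files\\common files\\", re.I)
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
DOMAINCHECK = re.compile(r"\\desktop\\domaincheck\.txt$", re.I)
C2_PATH = re.compile(r"/bot/log\.php$", re.I)

def triage(events):
    """Return (rule, evidence) pairs for events matching the behaviours the
    post describes; a host hitting several rules is a candidate for isolation."""
    findings = []
    for e in events:
        if e["type"] == "process":
            cmd = e["cmd"]
            # Persistence: scheduled task whose action lives under Common Files.
            if ("schtasks" in e["image"].lower() and "/create" in cmd.lower()
                    and COMMON_FILES.search(cmd)):
                findings.append(("scheduled_task_from_common_files", cmd))
            # Recovery inhibition: volume shadow copy deletion.
            elif SHADOW_DELETE.search(cmd):
                findings.append(("shadow_copy_deletion", cmd))
        elif e["type"] == "file" and DOMAINCHECK.search(e["path"]):
            # Network enumeration results written to the desktop.
            findings.append(("domaincheck_artifact", e["path"]))
        elif e["type"] == "network" and C2_PATH.search(e["url"]):
            # Key and system information sent to the C2 path from the IoC list.
            findings.append(("c2_beacon", e["url"]))
    return findings

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Each rule fires independently, so a benign scheduled task or an administrator's own vssadmin run produces a single low-confidence hit; the combination on one host is what matters.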

[File Detection]
– Trojan/Win.Kryptik.C5576563 (2024.01.20.00)
– Ransomware/Win.bcdedit.C5590639 (2024.02.20.00)

[Behavior Detection]
– Malware/MDP.Ransom.M1171

[IoC]
MD5
– cd4a0b371cd7dc9dab6b442b0583550c
– a410d4535409a379fbda5bb5c32f6c9c

C2
– hxxp://194.156.98[.]51/bot/log.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
