Friday, July 3, 2020

Ransomware masquerades as COVID-19 tracking app and ESET creates decryptor

The new ransomware, called CryCryptor, has been targeting Android device users in Canada. The malware has been spreading across two websites, pretending to be an official COVID-19 case tracking app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for victims.

CryCryptor appeared just a few days after the Canadian government officially announced its intention to support the development of a voluntary, nationwide tracking application called “COVID Alert”. The official app will be released for testing in the province of Ontario next month.

ESET informed the Canadian Cybersecurity Center of this threat as soon as it was identified.

One of the websites used to distribute the malicious app. The other site is identical in design and differs only in its domain name, covid19tracer.ca.

Once the user is a victim of CryCryptor, the ransomware encrypts the most common types of files on the device, but instead of locking the device it leaves a “readme” file containing the attacker's email address in each directory that holds encrypted files.

Fortunately, we were able to create a decryption tool for those who are victims of this ransomware.

After spotting a tweet that brought this ransomware onto our radar (the researcher who discovered it mistakenly classified the malware as a banking Trojan), we analyzed the application. We discovered a bug of the type “Improper Export of Android Application Components”, which MITRE catalogues as CWE-926.

Because of this flaw, any application installed on the affected device can start any exported service provided by the ransomware. This allowed us to create the decryption tool, an app that invokes the decryption functionality the ransomware's own creators built into it.

Encryption functionality
After launch, the ransomware requests permission to access the files on the device. Once it has that permission, it encrypts files with certain extensions, such as those shown in Figure 2.


File extensions encrypted by ransomware

Files selected by the threat are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created and the original is deleted. The encrypted file has the extension “.enc”; the algorithm also generates a salt for each encrypted file, stored with the extension “.enc.salt”, and an initialization vector, stored as “.enc.iv”.


Files after encryption

After encrypting the files, CryCryptor displays a message that says "Encrypted personal files, see readme_now.txt". The readme_now.txt file is placed in every directory that contains encrypted files.


File encryption notification (left) and file content readme_now.txt (right)

Decryption
The service responsible for decrypting files in CryCryptor has the encryption key stored in the app's shared preferences, which means it does not need to contact any C&C server to retrieve it. Importantly, the service is exported without restrictions in the Android manifest (CWE-926), which means it can be started by another application on the device.

With this in mind, we created a decryption application for those affected by CryCryptor ransomware on Android. Naturally, the decryption application only works on this version of the CryCryptor ransomware.
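The flaw that made the decryptor possible is a manifest-level one: a component reachable by any app on the device. The following added example (not ESET's decryptor and not CryCryptor's code) shows the check a reviewer would run over an AndroidManifest.xml to catch exactly this CWE-926 pattern, including the implicit export that an intent-filter implied on Android versions before 12. The manifest, package and component names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (placeholder names): an unguarded exported service,
# a permission-guarded one, a receiver exported via intent-filter, a private one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".DecryptService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.placeholder.INTERNAL"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".WorkerService" android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")  # attribute in the android: namespace

def is_exported(elem):
    """Explicit android:exported wins; without it, an intent-filter implied
    exported on Android versions before 12, where the attribute was optional."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def find_unguarded_exports(manifest_xml):
    """Return (tag, name) for each exported component lacking android:permission."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        if attr(elem, "permission"):
            continue  # guarded: callers must hold the declared permission
        if any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category")):
            continue  # launcher entry point, exported by design
        findings.append((elem.tag, attr(elem, "name")))
    return findings
```

Setting `android:exported="false"` on the decrypt service, or guarding it with a signature-level permission, is what removes the finding.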

A new family of ransomware
CryCryptor ransomware is based on open-source code published on GitHub. We found it there with a simple search based on the name of the application package and some strings that appeared to be unique.

The developers of the open-source ransomware, which they named CryDroid, must have known that the code would be used for malicious purposes. In an attempt to make the project look like research, they claim they uploaded the code to the VirusTotal service. Although it is not clear who uploaded the sample, the fact is that it appeared on VirusTotal the same day the code was published on GitHub.


Open source ransomware

Likewise, we dismiss the claim that the project is for research purposes: no responsible researcher would publicly release a tool that is this easy to use for malicious purposes.

We notified GitHub about the nature of this code.

ESET products protect against CryCryptor ransomware, detecting it as Trojan.Android/CryCryptor.A. In addition to using a quality mobile security solution, we recommend that Android users install applications only from trusted sources, such as the Google Play store.
