Main module is a batch file that executes the commands

Aug 2, 2014 07:33 GMT

Cybercriminals find simple ways to develop and maintain malware by leveraging open-source, legitimate tools to encrypt files on a victim’s computer and hold them hostage for a ransom.

Security researchers have found a new threat that relies on the open-source GnuPG program to encrypt data. The program is an implementation of the OpenPGP standard based on asymmetric cryptography, which uses a pair of keys (one public, one private) for encrypting and decrypting the data.

Identified by Symantec as Trojan.Ransomcrypt.L, the threat, after locking the files, shows a ransom message (currently in Russian) asking the victim to pay a fee in order to receive the private key that would decrypt the hostage items.

An interesting aspect is the simplicity of the malware: its main module is a batch file, which lets the threat actor easily update and maintain it.

A batch file is basically a script that runs multiple commands from the command line.

In order to encrypt the files, the batch file first downloads a 1024-bit RSA public key derived from a private key held by the cybercriminal. This key is imported into the GnuPG program and used to lock up files with the following extensions: XLS, XLSX, DOC, DOCX, PDF, JPG, CD, JPEG, 1CD, RAR, MDB and ZIP.

The information cannot be decrypted without the private key, which is always in the hands of the crook. As soon as the process is done, a ransom message pops up informing the victim that they have to pay at least €150 / $200 if they want to recover the data.
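As an added example (not part of the original article or of Symantec's analysis), the following Python triage helper recognises files encrypted with GnuPG by parsing the OpenPGP packet header that `gpg --encrypt` writes first and pulls out the 64-bit ID of the public key used, so a responder can list which files were locked and confirm they all point at one attacker-held key. The sample bytes and key ID below are constructed.

```python
"""Triage helper: spot OpenPGP-encrypted files and extract the recipient key ID.

Output of `gpg --encrypt` starts with a Public-Key Encrypted Session Key packet
(RFC 4880 tag 1) that carries the key ID of the public key used for encryption.
"""
import struct
from typing import Optional, Tuple

PK_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 3: "RSA-sign-only",
            16: "Elgamal", 17: "DSA", 18: "ECDH"}

def parse_packet_header(data: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (tag, body_offset, body_length) of the first OpenPGP packet, or None."""
    if len(data) < 2 or not data[0] & 0x80:   # bit 7 is always set in a packet header
        return None
    first = data[0]
    if first & 0x40:                           # new-format header: 6-bit tag, variable length
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224 and len(data) >= 3:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255 and len(data) >= 6:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        return None                            # partial body lengths are not used for PKESK
    tag, ltype = (first & 0x3C) >> 2, first & 0x03   # old-format header: 4-bit tag, 2-bit length type
    if ltype == 3:
        return None                            # indeterminate length
    nbytes = (1, 2, 4)[ltype]
    if len(data) < 1 + nbytes:
        return None
    return tag, 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")

def pgp_encrypted_info(data: bytes) -> Optional[dict]:
    """If `data` starts with a PKESK packet, return key ID, algorithm and RSA bit length."""
    hdr = parse_packet_header(data)
    if hdr is None or hdr[0] != 1:
        return None
    _, off, length = hdr
    body = data[off:off + length]
    if len(body) < 12 or body[0] != 3:         # version 3 is the only PKESK version in RFC 4880
        return None
    algo = body[9]
    info = {"key_id": body[1:9].hex().upper(), "algorithm": PK_ALGOS.get(algo, f"unknown({algo})")}
    if algo in (1, 2):                         # RSA: one MPI; its 2-byte prefix is the ciphertext bit length
        info["rsa_bits"] = struct.unpack(">H", body[10:12])[0]
    return info

# Constructed sample: old-format header 0x84 0x8C (tag 1, 140-byte body), version 3,
# a made-up key ID, RSA (algo 1), then a 1024-bit MPI of placeholder bytes.
SAMPLE = bytes([0x84, 0x8C, 0x03]) + bytes.fromhex("0123456789ABCDEF") + bytes([0x01, 0x04, 0x00]) + b"\xAA" * 128
NOT_PGP = b"PK\x03\x04" + b"\x00" * 20       # a ZIP local file header, for contrast
```

Walk a directory with `pgp_encrypted_info(open(path, "rb").read(256))` per file; files that return the same key ID were encrypted to the same public key, while ASCII-armoured output would need dearmouring first.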

In such cases, security experts generally do not recommend paying the ransom fee because there is no guarantee that the unlocking private key will be sent to the victim. The best practice to prevent the loss of files is to have a backup solution in place and restore the data from there.

According to the technical details provided by Symantec, Trojan.Ransomcrypt.L can also steal passwords from web browsers, which makes it even more of a risk, despite its simplicity.

More attempts to extort money from unsuspecting users by similar methods are to be expected.

More sophisticated ransomware uses complex methods for communicating with the command and control server, as well as for making sure that the private keys needed to decrypt the data are not available to the user unless the operators of the malware decide so.

However, simple methods such as this one used by Trojan.Ransomcrypt.L show that a cybercriminal does not require advanced programming skills to make a quick buck.