ElevenPaths discovers the Popcorn ransomware passwords: no need to infect other people to decrypt for free

Wednesday, December 14, 2016

MalwareHunterTeam has discovered a new and rather curious variant of ransomware. At ElevenPaths we have been able to download and analyze the newer, improved versions, which make several interesting mistakes, one of which reveals the decryption password. The sample draws attention because, in theory, it offers two ways to decrypt the files: either by paying, or by the victim infecting two or more other people who then pay the ransom.

The "easy" way and… the "nasty" way

Beyond what has already been reported about this new version, we focus on the most interesting aspects of its evolution that we at ElevenPaths have analyzed. The basic functionality is as usual: a large number of files are encrypted depending on their extension, and a ransom of 1 bitcoin is requested (above the average usually demanded). What this ransomware does for the first time is offer two ways to decrypt the content: the "normal" way, in which the ransom is paid, and the "nasty" way (as they call it), in which, if you send a link to the executable to two people and they get infected and pay, you are given a "free" code to decrypt your content. It is a "refer-a-friend" distribution plan in which the attacker "secures" two infections for the price of one, and a more effective means of dissemination, since the victims chosen by the infected user will always be more inclined to open a link that comes from an acquaintance. The other option is to pay (the alleged condition for the "discount"). It is also worth noting that the ransomware appeals to the victim's sympathy, claiming that the money will go to a good cause: alleviating the effects of the Syrian war. It is called "Popcorn" because the first version used the popcorn-time-free.net domain, although the latest versions no longer do.

Appealing to the sensitivity of the victim.
They also lie when they say that there is nothing to do and that only they can decrypt the data.

Technical aspects

How does this ransomware work at a technical level? It has been developed by an independent group without following the patterns of the "known" families and, therefore, it is not very mature yet. Apart from the versions analyzed by MalwareHunterTeam, at ElevenPaths we have had access to the new samples. These are some interesting aspects we have noticed.

The program is written in C# and needs .NET 4 to run. The executable is created "on the fly" for each infected user, with a unique ID code inserted for each victim. Interestingly, all variables are hard-coded ("embedded") in the executable, which is generated on the server side. In addition, it does not follow the usual pattern of professional ransomware, in which each file is encrypted with a different symmetric key and that key is then encrypted with asymmetric cryptography. On the contrary, all files are encrypted with the same symmetric key. From here, knowing the password is a matter of analyzing the code of the executable.

The password

If we disassemble the code with, for example, ILSpy, we can see the line containing the password in base64. A quick decode lets us recover the password and the data. We have not created a specific tool for this, as the attacker is very likely to change strategy quickly and, for now, this malware does not seem very advanced or widespread (if someone is infected, please contact us). In fact, just a day earlier, the password in its first versions was always "123456".

As mentioned, the password is supposedly embedded (along with all the other variables) by the server at the time the executable is created. From the analysis we have conducted, it turns out to be an MD5 hash; we do not yet know what input it corresponds to. In the code, the MD5 hash is encoded three times over with base64.

Part of the code where the password appears, and how to decode it from base64.

The result of the decoding is the password that can be entered in the corresponding dialog to decrypt the data without having to pay at all.
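The decoding step described above, as an added example (not the article's or the malware's code): the embedded string is peeled layer by layer until either a 32-character hex digest (the MD5 format the article reports) appears or the text stops being valid base64 (which is what happens with a plain password such as "123456"). The sample password and its triple encoding are constructed here for illustration; they are not values taken from a real sample.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: the MD5 hex digest of an arbitrary string, standing in for
# the hash the article found; it is NOT a real Popcorn password.
SAMPLE_PASSWORD = hashlib.md5(b"constructed-sample").hexdigest()

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def encode_layers(text: str, layers: int = 3) -> str:
    """Base64-encode `text` `layers` times, mimicking the triple encoding in the binary."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


# Constructed stand-in for the string that would be lifted out of the executable with ILSpy.
SAMPLE_EMBEDDED = encode_layers(SAMPLE_PASSWORD, 3)


def peel_base64(embedded: str, max_layers: int = 8) -> tuple[str, int]:
    """Strip base64 layers until the plaintext looks like an MD5 hex digest or is no
    longer decodable as base64/ASCII. Returns (password, layers_removed)."""
    current = embedded
    for layer in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            # Not base64 any more: what we have is the innermost plaintext.
            return current, layer
        if MD5_HEX.match(decoded):
            # Reached the hash-shaped password the article describes.
            return decoded, layer + 1
        current = decoded
    return current, max_layers


if __name__ == "__main__":
    password, layers = peel_base64(SAMPLE_EMBEDDED)
    print(f"recovered {password!r} after removing {layers} base64 layer(s)")
    print(peel_base64(encode_layers("123456", 3)))   # first-version style password
```

The stop condition matters: a 32-character hex string happens to be a multiple of four characters drawn from the base64 alphabet, so blindly decoding "until it fails" would turn the hash into garbage; checking the digest shape first avoids that.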

The rest of the code is sometimes messy, although they seem to be working day by day to improve it. For example, the salt in the cryptographic function is not random. In any other circumstance this would allow a precomputed dictionary attack; here it has little real effect (the password is not in any dictionary, it is a hash), but it gives an idea of the little cryptographic value this ransomware has.

A not very useful salt (12345678), although it is not very important here.
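To make the salt argument concrete, here is an added example (not code from the article or from the malware) of why a constant salt normally matters and why it does not here. The article does not name the key-derivation function, so a PBKDF2-HMAC-SHA1 derivation is assumed purely for illustration, and the four-word list is constructed. A table derived once with the fixed salt "12345678" immediately identifies a dictionary password such as the early "123456", but cannot help against an MD5 hex digest, and is useless against the same "123456" as soon as the salt is random.

```python
import hashlib
import secrets

FIXED_SALT = b"12345678"          # the constant salt observed in the sample
ITERATIONS = 1000                 # assumed; the real iteration count is not given


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Assumed PBKDF2-style derivation; stands in for the binary's own KDF."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def precompute_table(candidates, salt: bytes) -> dict:
    """Derive every candidate once under a known salt; only possible when the salt is fixed."""
    return {derive_key(word, salt): word for word in candidates}


def recover_from_table(table: dict, key: bytes):
    """Map a derived key back to the password, or None when it was never in the table."""
    return table.get(key)


WORDLIST = ["password", "123456", "qwerty", "letmein"]   # constructed mini-dictionary
TABLE = precompute_table(WORDLIST, FIXED_SALT)


def demo():
    # 1. First-version password "123456" under the fixed salt: the table hits.
    hit = recover_from_table(TABLE, derive_key("123456", FIXED_SALT))

    # 2. Later versions use an MD5 hex digest as the password: not in any wordlist,
    #    so the fixed salt buys an attacker nothing, as the article notes.
    md5_password = hashlib.md5(b"constructed-input").hexdigest()
    miss_hash = recover_from_table(TABLE, derive_key(md5_password, FIXED_SALT))

    # 3. The same weak password under a per-run random salt: the precomputed table
    #    no longer matches, which is the whole point of salting.
    random_salt = secrets.token_bytes(8)
    miss_random = recover_from_table(TABLE, derive_key("123456", random_salt))

    return hit, miss_hash, miss_random


if __name__ == "__main__":
    print(demo())   # ('123456', None, None)
```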

HTML code

The HTML code displayed to the victim is a very important part of this malware. It too is embedded in the code, base64-encoded. In it we can see that a check is made through the Blockchain.info API (misused: the wallet address is enclosed in quotation marks) to learn whether the payment has been made and confirmed in the blockchain. The amount is expressed in satoshis, a fraction of a bitcoin.

They misuse the API of Blockchain.info, although later they correct it

If so, some URLs hidden in the JavaScript are displayed, which are supposed to give access to the decryption code and are hosted on the Tor network. This "protection" (a "hide" CSS class) is ridiculous. When we access the URLs, the truth is that we cannot see any decryption code (we assume because they are still at the trial stage).

They are supposed to provide you with the decryption code when you pay and visit those URLs, but it does not look like it.

Refer-a-friend plan

What stands out the most is the "nasty way" to decrypt the files. Allegedly, if you send the executable link to two acquaintances and they pay, you will be given the unlock code. It is a very clever way to spread fast, but we think it is not true. The code contains no instructions to verify automatically that this happens. Unless all the intelligence runs on the server side (which we doubt), we cannot guarantee (nor have we technically proven) that it works this way and, therefore, it is more likely to be a hoax to spread more malware. In fact, the generated executables do not contain information about who recommended them, only the fact that they were created under a URL that does indeed contain the ID of the initial victim. But looking at the system as a whole, its poor programming, unfulfilled promises, threatening countdowns that in the end do not erase a thing, the unstable infrastructure and its "craftsmanship" in general, Occam's razor leads us to think that everything is false and that there is no mechanism to control this.

Remember that we have a tool that offers an approximation of proactive protection against ransomware, which you can (soon) download from our laboratory.

Sergio de los Santos

Latch Plugins Contest 2016 is over

Monday, December 12, 2016

Today, Monday, December 12 at 1 pm (CET), was the deadline for the submission of plugin applications to the Latch Plugins Contest, the Latch contest that looks for innovative and handy plugins for the Latch service. Any project submitted after this deadline will be invalid and will not enter the contest.

Now it is the turn of our jury, a top-level jury, composed of Chema Alonso, CEO CDO; José Palazón, CTO CDO; Pedro Pablo Pérez, VP Global Security; Alberto Sempere, Security Global Product Director, and Olvido Nicolás, CMO Global Security.

As you know, the jury of ElevenPaths will acknowledge:
  • Creativity, we are sure that you are inventive! 
  • Utility of the solution, simplicity and usability are very important. 
  • Effort, which is always rewarded. 
  • Thoroughness of the solution, the more complete the better. 
  • Clarity of documentation. 
  • Compliance with the submission date of the candidature.
After the deliberation phase, you will know if you have won one of our juicy prizes: up to $5,000 (in bitcoins).

Stay tuned! Winners will be notified by email during the 14 days following the closing date of the contest. You will then have 10 days to accept the prize.

Follow all the details in our blog and in the #LatchPluginsContest hashtag.

You can still win 5000 dollars. Send your Latch plugins over!

Friday, December 2, 2016

Remember that on Monday, December 12 at 1pm (CET), the deadline for the submission of applications for our Latch plugins competition ends. You’ve had almost two months to think of a breakthrough idea and to develop it, but don’t worry; you still have a few more days to round it off.

However, if you still don’t know what you want to do, you still have time to register and, to help you, we will give you some ideas.

How about this Latch integration for the protection of payments, developed by our colleagues in Equinox (in just 23.5 hours!)? A great project that combines creativity, security and utility!
The idea is to be able to issue a token that gives access to a service or device. This token is printed on paper (which I have) and is only valid when the token Issuer authorizes its use from the Latch application (second authorization factor).

Or how about the integration of ElevenPaths' Latch+AntiRansomware in the AntiRansomWare tool? It is the winning combination to address a problem as worrying and common nowadays as ransomware. It is a tool that adds an authorization layer on Windows systems for "protected" folders, on top of the operating system's existing permissions, so that any write or delete operation on the files is denied. The authorization in this case rests on Latch instances for each folder, and files in those folders cannot be modified or deleted if the associated Latch is closed.

Aren’t you inspired yet? How about you try the new Latch Cloud TOTP functionality? This functionality allows you to use Latch as an application to generate TOTPs that you can easily use with websites like Facebook, Dropbox or Google.

Get involved and enter the competition! Register in the Latch Plugins Contest. A prize of up to $5,000 is waiting for you.

May luck be with you!