Michal Nawrocik
  1. Michal Nawrocik

    ransomware from 2016, probably a variant of CerberTear

    Thank you very much, I will contact Michael Gillespie. I have noticed that as well, that the criminals ask to send bitcoin but the bitcoin address is the same for all victims and no contact info is included. So they wouldn't know who paid them and should receive the decryptor anyway.
  2. A friend of mine asked me to try to decrypt their files which were encrypted with some kind of ransomware. They say the infection took place in 2016 or at the beginning of 2017. The newest encrypted file is dated 30.08.2016. Unfortunately, my friend is not very tech-savvy so they deleted the virus itself, leaving only the encrypted files and the ransom note. I'm also not much into ransomware, I'm a programmer. I ran undelete on the disk I got from my friend and found no recoverable executable files. Then I used the online identification tool with the following result: https://id-ransomware.malwarehunterteam.com/identify.php?case=6a2aa256aee1d973b13b3bdd1725def73d88b997

     Then I clicked the link to read more on the 1st result found: As you can see, it says this ransomware, called CerberTear, is a fake Cerber, actually a variation of HiddenTear. I tried several HiddenTear decryptors I found on the internet; none of them seemed to work and I guess they couldn't, I'll explain this below. I also tried decryptors for other malware types suggested by id-ransomware, obviously to no avail.

     The thing is: I don't see a decryptor for CerberTear specifically, only for HiddenTear, and CerberTear is actually quite different from the original HiddenTear. HiddenTear encrypts the whole file content, and the files I am trying to decrypt have the first 127 bytes unencrypted, then n times 8 bytes encrypted, then the remainder unencrypted. I analyzed the source code of hidden-tear-bruteforcer https://github.com/Demonslay335/hidden-tear-bruteforcer and I found it tries to decrypt the very beginning of the file, for all supported variants of HiddenTear. This can't work for me as the beginning of the file is not encrypted in my case. I didn't find the CerberTear malware itself available online in a brief search; maybe I would need to search some more or contact the people who posted links to virustotal (it's not only the tweet above).

     I'm kinda familiar with unpacking and deobfuscating, so having this malware executable would help my attempts to decrypt the files. HiddenTear is written in C#, which I use for writing code on a daily basis. I got some samples of big encrypted files together with their unencrypted versions. With some effort, I could also obtain a pair of small files, encrypted + unencrypted. Didn't do this yet as first I'd like to get some more light shed on this exact kind of malware.

     In case you cannot provide me with a working decryptor or the malware executable for me to analyze, maybe you know the answers to the questions below. I've seen that some variants of HiddenTear use a secure method of generating random numbers instead of the one seeded with the current time. What about CerberTear? If it uses the secure generator, then I guess the case is closed, no more questions, no chance to get the files back. What is the password length? What characters can the password contain? What encryption algorithm is used? With what parameters? I guess it's not AES as in the original HiddenTear, since AES has a block size of 16 bytes and some of the files encrypted with CerberTear have i.e. 40 bytes encrypted, and that's why I presume the block size is 8 bytes and not 16. How is the key derived from the password (if it's done for the algorithm used in this case)? In the original HiddenTear it was SHA256, but I guess it might not be the case here. I understand that there may be different variants of CerberTear, which makes it more difficult to decrypt the files without knowing the exact variant. If I succeed in writing the decryptor, I will make the source code available to the public (even though not many people could still benefit from a decryptor for such an old ransomware). Thanks in advance for any help provided.
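Given the layout described in the post (127 plain bytes, then n×8 encrypted bytes, then the remainder untouched) and an encrypted/unencrypted file pair like the ones the poster has, one way to confirm that layout on a sample and harvest the known-plaintext blocks needed to test candidate keys offline. This is an added example, not code from the thread; the header length and block size come from the post, while the sample bytes and the XOR stand-in for the cipher are constructed.

```python
"""Confirm the CerberTear-style file layout from a plaintext/ciphertext pair and
extract (plaintext block, ciphertext block) pairs for offline key testing."""
from dataclasses import dataclass

HEADER_LEN = 127  # unencrypted prefix length reported in the post
BLOCK_LEN = 8     # block size the post infers from 40-byte encrypted spans


@dataclass
class Layout:
    header_intact: bool  # bytes [0, 127) unchanged
    n_blocks: int        # number of 8-byte blocks that were modified
    tail_intact: bool    # modified blocks form one run and nothing after it changed
    tail_len: int        # bytes left unencrypted after the last block


def analyse_layout(plain: bytes, enc: bytes) -> Layout:
    """Compare block by block after the header (a whole 8-byte block matching
    by chance is negligible, unlike a single byte) and count the modified run."""
    if len(plain) != len(enc):
        raise ValueError("sizes differ: not an in-place variant, diff unreliable")
    header_intact = plain[:HEADER_LEN] == enc[:HEADER_LEN]
    changed = [i for i, off in enumerate(range(HEADER_LEN, len(plain), BLOCK_LEN))
               if plain[off:off + BLOCK_LEN] != enc[off:off + BLOCK_LEN]]
    if not changed:
        return Layout(header_intact, 0, True, len(plain) - HEADER_LEN)
    n_blocks = changed[-1] + 1                      # run is expected to start at block 0
    end = HEADER_LEN + n_blocks * BLOCK_LEN
    contiguous = changed == list(range(n_blocks)) and end <= len(plain)
    return Layout(header_intact, n_blocks, contiguous, max(0, len(plain) - end))


def known_pairs(plain: bytes, enc: bytes) -> list[tuple[bytes, bytes]]:
    """(plaintext block, ciphertext block) pairs, only if the layout holds."""
    lay = analyse_layout(plain, enc)
    if not (lay.header_intact and lay.tail_intact):
        raise ValueError("file does not match the assumed 127 + n*8 layout")
    return [(plain[o:o + BLOCK_LEN], enc[o:o + BLOCK_LEN])
            for o in range(HEADER_LEN, HEADER_LEN + lay.n_blocks * BLOCK_LEN, BLOCK_LEN)]


# Constructed sample pair: 512 bytes, with 40 bytes (5 blocks) after the header
# replaced by a stand-in transformation (XOR with a constant, NOT the real cipher).
SAMPLE_PLAIN = bytes(range(256)) * 2
_buf = bytearray(SAMPLE_PLAIN)
for _o in range(HEADER_LEN, HEADER_LEN + 5 * BLOCK_LEN):
    _buf[_o] ^= 0xA5
SAMPLE_ENC = bytes(_buf)

if __name__ == "__main__":
    print(analyse_layout(SAMPLE_PLAIN, SAMPLE_ENC))
    print(len(known_pairs(SAMPLE_PLAIN, SAMPLE_ENC)), "known-plaintext blocks")
```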