willaien, posted February 7, 2017:
So, a small business I work for was hit with a variant of FenixLocker. RDP was brute-forced and the attacker copied a payload "svchost.exe" to a folder, executed it and left. It found our fileshares and went to town. As soon as we realized the culprit, we shut down the server in question and are in the process of rebuilding it. RDP has been disabled and we're working on scanning the network. Don't really need help there, more interested in the encrypted files at this point. So, here's the thing: we don't want to pay the ransom, so I've been doing some research. It appears that this variant isn't capable of being decrypted with the decryption tool provided. Observed differences:
1) Appended email address is [email protected] instead of [email protected]
2) Help to decrypt.txt email address changed.
Aside from that, the "observable" behavior is the same as reported for FenixLocker. I can provide sample encrypted files and the executable upon request.
willaien, posted February 8, 2017:
The password for the zip file is "DoNotExecute". The RFC1053.txt is, as far as I know, the actual RFC1053.
Attachments: svchost.zip, [email protected]!!
willaien, posted February 8, 2017:
Also, small file with known plaintext. I see something that looks like a signature at the end of each file. A sequence at the bottom of each file that's exactly the same. Also, IV is reused for each file - the same file was hit more than once and ciphertext is exactly the same. Whatever encryption is being used appears to be in block chaining mode, though. (Otherwise I'd use a two-pad attack and be done with it)
Attachments: robots.txt, [email protected]!!
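The three observations in the post above (a fixed trailer on every encrypted file, byte-identical ciphertext when the same file was hit twice, and chaining rather than a reused keystream) can be checked mechanically over a set of samples rather than by eye. The Python below is an added example written for this page; it is not code from the thread, from Emsisoft or from any decryption tool. The trailer bytes, the sample plaintexts and the two toy "encrypt" routines that generate the sample ciphertexts are constructed here purely to exercise the checks and stand in for real samples read from disk.

```python
"""Triage checks for a batch of ransomware-encrypted files (added example).

Makes three observations from the thread testable on real samples:
  1. a fixed trailer ("signature") shared by every encrypted file,
  2. identical ciphertext when the same plaintext was encrypted twice (IV reuse),
  3. whether plaintext XOR ciphertext is the same across files, which is the
     signature of a stream cipher / CTR mode with a reused keystream (files are
     then recoverable from one known plaintext) as opposed to a chained block
     mode, where IV reuse only reveals that two files were identical.
All sample data below is constructed for the example, not taken from the incident.
"""
import hashlib
from collections import defaultdict


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def common_suffix(blobs):
    """Longest byte string that every blob ends with (the shared trailer)."""
    if not blobs:
        return b""
    n, shortest = 0, min(len(b) for b in blobs)
    while n < shortest and len({b[-1 - n] for b in blobs}) == 1:
        n += 1
    return blobs[0][len(blobs[0]) - n:] if n else b""


def strip_trailer(blob, trailer):
    return blob[:len(blob) - len(trailer)] if trailer and blob.endswith(trailer) else blob


def group_identical(named_blobs):
    """SHA-256 -> names, for every group of 2+ byte-identical ciphertext bodies."""
    groups = defaultdict(list)
    for name, blob in named_blobs.items():
        groups[hashlib.sha256(blob).hexdigest()].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def keystream_reuse(p1, c1, p2, c2):
    """True if p XOR c agrees for both known-plaintext pairs over their common prefix.

    Under a stream cipher with a reused key/IV, p XOR c is the keystream and is the
    same for every file; under CBC-style chaining it is not, even with IV reuse.
    """
    n = min(len(p1), len(c1), len(p2), len(c2))
    return xor_bytes(p1[:n], c1[:n]) == xor_bytes(p2[:n], c2[:n])


def triage(files, known_plaintexts):
    """files: name -> ciphertext bytes; known_plaintexts: name -> plaintext for 2+ of them."""
    trailer = common_suffix(list(files.values()))
    bodies = {n: strip_trailer(b, trailer) for n, b in files.items()}
    report = {"trailer": trailer, "identical_groups": group_identical(bodies),
              "keystream_reuse": None}
    known = [n for n in known_plaintexts if n in bodies]
    if len(known) >= 2:
        a, b = known[:2]
        report["keystream_reuse"] = keystream_reuse(
            known_plaintexts[a], bodies[a], known_plaintexts[b], bodies[b])
    return report


# ---- constructed sample data (stand-ins for real encrypted samples) ----------
TRAILER = b"\x00\x00EXAMPLE-TRAILER\xff"
KEYSTREAM = hashlib.sha256(b"constructed keystream").digest() * 8
ROBOTS = b"User-agent: *\nDisallow: /admin/\nDisallow: /tmp/\n"
DOC = b"Quarterly figures, draft 3. Do not distribute outside finance.\n"


def fake_stream_encrypt(pt):
    """Stream-cipher-like data generator: every file gets the same keystream."""
    return xor_bytes(pt, KEYSTREAM[:len(pt)]) + TRAILER


def fake_chained_encrypt(pt, iv=b"\x00" * 16):
    """CBC-like data generator built on SHA-256 (not a real or invertible cipher;
    it only produces chained output under a fixed IV to exercise the checks)."""
    out, prev = [], iv
    for i in range(0, len(pt), 16):
        prev = hashlib.sha256(prev + pt[i:i + 16].ljust(16, b"\x10")).digest()[:16]
        out.append(prev)
    return b"".join(out) + TRAILER


STREAM_FILES = {"robots.txt": fake_stream_encrypt(ROBOTS),
                "robots_copy.txt": fake_stream_encrypt(ROBOTS),
                "doc.txt": fake_stream_encrypt(DOC)}
CHAINED_FILES = {"robots.txt": fake_chained_encrypt(ROBOTS),
                 "robots_copy.txt": fake_chained_encrypt(ROBOTS),
                 "doc.txt": fake_chained_encrypt(DOC)}
KNOWN = {"robots.txt": ROBOTS, "doc.txt": DOC}

if __name__ == "__main__":
    for label, files in (("stream-like", STREAM_FILES), ("chained", CHAINED_FILES)):
        r = triage(files, KNOWN)
        print(f"{label}: trailer={len(r['trailer'])}B "
              f"identical={list(r['identical_groups'].values())} "
              f"keystream_reuse={r['keystream_reuse']}")
```

For real samples, read each encrypted file into the `files` dict and supply at least two known plaintexts (the poster had robots.txt and the RFC text). A `keystream_reuse` of True would mean every file of up to the known length is recoverable by XOR alone; False, with identical groups still present, is exactly the "IV reused but block chaining" picture the poster describes, where the known plaintext buys nothing.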
Sarah W, posted February 8, 2017:
Hi willaien, We will look into the malware file you provided and update you when we have something. Regards, Sarah
Fabian Wosar, posted February 9, 2017:
It is FenixLocker. They switched to TEA and generate the key in a secure way now. Given that the RSA key they used to encrypt the generated keys is large enough to make brute force impractical, there is unfortunately nothing we can do in your case.
willaien, posted February 9, 2017:
That, unfortunately, jives with my own findings. It's frustrating, but what I expected. Thanks for your time.