willaien

FenixLocker variant


So, a small business I work for was hit with a variant of FenixLocker. RDP was bruteforced and the attacker copied a payload "svchost.exe" to a folder, executed it and left. It found our fileshares and went to town. As soon as we realized the culprit, we shut down the server in question and are in the process of rebuilding it. RDP has been disabled and we're working on scanning the network. Don't really need help there, more interested in the encrypted files at this point.

So, here's the thing: we don't want to pay the ransom, so I've been doing some research. It appears that this variant isn't capable of being decrypted with the decryption tool provided. Observed differences:

1) Appended email address is [email protected] instead of [email protected]

2) Help to decrypt.txt email address changed.

Aside from that, the "observable" behavior is the same as reported for FenixLocker.


I can provide sample encrypted files and the executable upon request.


Also, small file with known plaintext. I see something that looks like a signature at the end of each file. A sequence at the bottom of each file that's exactly the same. Also, IV is reused for each file - the same file was hit more than once and ciphertext is exactly the same. Whatever encryption is being used appears to be in block chaining mode, though. (Otherwise I'd use a two-pad attack and be done with it)

robots.txt

[email protected]!!


It is FenixLocker. They switched to TEA and generate the key in a secure way now. Given that the RSA key they used to encrypt the generated keys is large enough to make brute force impractical, there is unfortunately nothing we can do in your case.

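The two crypto points raised in this thread (a reused IV under a block-chaining mode in the second post, and the switch to TEA with a securely generated key in the reply) can be made concrete with a small worked example. The code below is an added illustration, not code from the thread, from the decryption tool, or from the ransomware itself; the key, IV, file contents and function names are all constructed for the demonstration. It implements TEA in CBC mode with a fixed IV and shows what the reused IV actually leaks to a responder comparing encrypted files: re-encrypting the same file yields byte-identical output, two files that share a prefix share the same leading ciphertext blocks, and that is all, because chaining means the ciphertext XOR does not collapse to the plaintext XOR the way a two-time pad would.

```python
# Added example (not from the forum thread): TEA in CBC mode with a fixed IV,
# used to show what IV reuse does and does not reveal about encrypted files.
# Key, IV and the two "robots.txt"-style plaintexts below are constructed.
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA's golden-ratio constant
ROUNDS = 32          # standard TEA round count (64 Feistel rounds as 32 cycles)
BLOCK = 8            # TEA operates on 64-bit blocks


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block with TEA under a 16-byte key."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt_block: run the rounds backwards."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack(">2I", v0, v1)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a multiple of the 8-byte block size."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first one) before going through the block cipher."""
    data = pad(plaintext)
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = tea_encrypt_block(xor_bytes(data[i:i + BLOCK], prev), key)
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor_bytes(tea_decrypt_block(block, key), prev)
        prev = block
    return unpad(bytes(out))


def is_deterministic(key: bytes, iv: bytes, data: bytes) -> bool:
    """With a fixed key and IV, encrypting the same file twice gives the same
    bytes; this is the 'same file hit twice, identical ciphertext' observation."""
    return cbc_encrypt(key, iv, data) == cbc_encrypt(key, iv, data)


def common_block_prefix(c1: bytes, c2: bytes) -> int:
    """Number of leading ciphertext blocks two files share. Under CBC with a
    reused IV this equals the number of leading plaintext blocks they share,
    which is the only thing the reuse leaks."""
    n = min(len(c1), len(c2)) // BLOCK
    for i in range(n):
        if c1[i * BLOCK:(i + 1) * BLOCK] != c2[i * BLOCK:(i + 1) * BLOCK]:
            return i
    return n


def xor_trick_recovers_plaintext(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """A stream cipher with a reused keystream satisfies c1 ^ c2 == p1 ^ p2.
    Chaining breaks that relation as soon as the plaintexts diverge."""
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


# Constructed sample material (not the victim's key or files).
KEY = bytes(range(16))
IV = bytes(BLOCK)                                   # the reused, fixed IV
P1 = b"User-agent: *\r\nDisallow: /admin/\r\n"      # known-plaintext file
P2 = b"User-agent: *\r\nDisallow: /\r\n"            # shares three blocks with P1

if __name__ == "__main__":
    c1, c2 = cbc_encrypt(KEY, IV, P1), cbc_encrypt(KEY, IV, P2)
    print("round trip ok:", cbc_decrypt(KEY, IV, c1) == P1)
    print("same file -> same ciphertext:", is_deterministic(KEY, IV, P1))
    print("shared leading blocks:", common_block_prefix(c1, c2))
    print("XOR trick works under CBC:", xor_trick_recovers_plaintext(KEY, IV, P1, P2))
```

Running it confirms what the thread concludes: the reused IV makes the scheme deterministic and leaks prefix equality between files, which is useful for triage (spotting which encrypted files were identical or shared headers) but not for recovery. Recovering content would need the per-victim TEA key, and that key is what the RSA layer protects.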
