Michal Nawrocik

ransomware from 2016, probably a variant of CerberTear


A friend of mine asked me to try to decrypt their files which were encrypted with some kind of ransomware.

They say the infection took place in 2016 or at the beginning of 2017. The newest encrypted file is dated 30.08.2016.

Unfortunately, my friend is not very tech-savvy so they deleted the virus itself leaving only the encrypted files and the ransom note.

I'm also not much into ransomware; I'm a programmer.

I ran undelete on the disk I got from my friend and found no recoverable executable files.

Then I used the online identification tool with the following result:

https://id-ransomware.malwarehunterteam.com/identify.php?case=6a2aa256aee1d973b13b3bdd1725def73d88b997

Then I clicked the link to read more on the 1st result found:

As you can see, it says this ransomware, called CerberTear, is a fake Cerber, actually a variation of HiddenTear.

I tried several HiddenTear decryptors I found on the internet; none of them seemed to work, and I guess they couldn't. I'll explain this below.

I also tried decryptors for other malware types suggested by id-ransomware, obviously to no avail.

The thing is: I don't see a decryptor for CerberTear specifically, only for HiddenTear, and CerberTear is actually quite different from the original HiddenTear.

HiddenTear encrypts the whole file content, whereas the files I am trying to decrypt have the first 127 bytes unencrypted, then n times 8 bytes encrypted, then the remainder unencrypted.

I analyzed the source code of hidden-tear-bruteforcer https://github.com/Demonslay335/hidden-tear-bruteforcer and I found it tries to decrypt the very beginning of the file, for all supported variants of HiddenTear. This can't work for me as the beginning of the file is not encrypted in my case.

 

I didn't find the CerberTear malware itself available online in a brief search, maybe I would need to search some more or contact the people who posted links to virustotal (it's not only the tweet above).

I'm kinda familiar with unpacking and deobfuscating so having this malware executable would help my attempts to decrypt the files.

HiddenTear is written in C#, which I use for writing code on a daily basis.

I got some samples of big encrypted files together with their unencrypted versions.

With some effort, I could also obtain a pair of small files, encrypted + unencrypted. I haven't done this yet, as first I'd like to get some more light shed on this exact kind of malware.

 

In case you cannot provide me with a working decryptor or the malware executable for me to analyze, maybe you know the answers to the questions below.

I've seen that some variants of HiddenTear use a secure method of generating random numbers instead of the one seeded with the current time. What about CerberTear? If it uses the secure generator, then I guess the case is closed: no more questions, no chance to get the files back.

What is the password length? What characters can the password contain?

What encryption algorithm is used? With what parameters? I guess it's not AES as in the original HiddenTear, since AES has a block size of 16 bytes and some of the files encrypted with CerberTear have e.g. 40 bytes encrypted, and that's why I presume the block size is 8 bytes and not 16.

How is the key derived from the password (if it's done for the algorithm used in this case)? In original HiddenTear it was SHA256 but I guess it might not be the case here.

I understand that there may be different variants of CerberTear which makes it more difficult to decrypt the files without knowing the exact variant.

If I succeed in writing the decryptor, I will make the source code available to the public (even though not many people could still benefit from a decryptor for such an old ransomware).

 

Thanks in advance for any help provided.

 

 

 

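The layout described in the post above (clear prefix, n×8 encrypted bytes, clear remainder) is exactly what a known-plaintext pair lets you measure before guessing at a cipher. The script below is an added example and is not code from the original post, from HiddenTear or from any decryptor. It takes an original file and its encrypted copy, finds the region that actually changed, and reports which block sizes (8 or 16) divide it, intersected across several pairs so one file cannot mislead. The sample pairs are constructed inline with a constant XOR standing in for the unknown cipher; that XOR is a placeholder for the demonstration, not a claim about what CerberTear does. The only assumption is a block cipher in a block-aligned mode (CBC/ECB); a stream or counter mode would not produce 8-byte multiples.

```python
"""
Known-plaintext layout check for a partially encrypted file.

Given an original file and its encrypted copy, locate the region that was
actually encrypted, measure it, and work out which block sizes (8 or 16)
are consistent with it.  Assumes a block cipher in a block-aligned mode.
"""

BLOCK_SIZES = (8, 16)  # 8: DES/3DES/Blowfish class, 16: AES class


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes that are identical in both files."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def common_suffix_len(a: bytes, b: bytes, limit: int) -> int:
    """Number of trailing identical bytes, capped so it cannot overlap the prefix."""
    n = min(len(a), len(b), limit)
    for i in range(1, n + 1):
        if a[-i] != b[-i]:
            return i - 1
    return n


def analyze_pair(plain: bytes, enc: bytes) -> dict:
    """Measure the changed region of one (plaintext, ciphertext) pair."""
    prefix = common_prefix_len(plain, enc)
    suffix = common_suffix_len(plain, enc, min(len(plain), len(enc)) - prefix)
    enc_len = len(enc) - prefix - suffix        # ciphertext bytes that differ
    plain_len = len(plain) - prefix - suffix    # plaintext bytes they replace
    return {
        "prefix_clear": prefix,
        "encrypted_len": enc_len,
        "plaintext_covered": plain_len,
        "padding_bytes": enc_len - plain_len,   # > 0 means the cipher appended padding
        "suffix_clear": suffix,
        "block_size_candidates": [b for b in BLOCK_SIZES if enc_len and enc_len % b == 0],
    }


def summarize(pairs) -> dict:
    """Intersect the per-pair findings: a block size must fit every file."""
    results = [analyze_pair(p, e) for p, e in pairs]
    candidates = set(BLOCK_SIZES)
    for r in results:
        candidates &= set(r["block_size_candidates"])
    return {
        "prefix_values": sorted({r["prefix_clear"] for r in results}),
        "block_size_candidates": sorted(candidates),
        "any_padding": any(r["padding_bytes"] > 0 for r in results),
    }


def make_constructed_pair(total: int, start: int, length: int, pad: int = 0):
    """Build a synthetic (plaintext, 'ciphertext') pair for demonstration.

    The 'encryption' is a constant XOR, chosen because it guarantees every
    byte in the region changes.  It is a stand-in for an unknown cipher and
    says nothing about what the real malware does.
    """
    plain = bytes((i * 7 + 3) & 0xFF for i in range(total))
    region = bytes(b ^ 0xA5 for b in plain[start:start + length])
    padding = bytes(range(0x10, 0x10 + pad))    # fake trailing padding bytes
    return plain, plain[:start] + region + padding + plain[start + length:]


if __name__ == "__main__":
    pairs = [
        make_constructed_pair(200, 127, 40),      # 40 bytes changed: rules out 16
        make_constructed_pair(300, 127, 64),      # 64 bytes: fits both 8 and 16
        make_constructed_pair(200, 127, 40, 8),   # 48 bytes incl. 8 bytes of padding
    ]
    for p, e in pairs:
        print(analyze_pair(p, e))
    print(summarize(pairs))
```

With real files, a boundary byte of ciphertext coincidentally equal to the plaintext byte (a 1-in-256 chance at each end) shrinks the measured region by one and shows up as a pair whose length is not a multiple of 8; drop such an outlier rather than letting it empty the intersection. A non-zero `padding_bytes` is itself a clue, since a cipher that appends padding changes the file length, while an in-place overwrite does not.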

Karsten Hahn is a malware analyst from GData, so they may have a decrypter for it already; however, a few years ago GData stopped decrypting ransomware for free unless you are a current customer with a license for their business anti-virus software. I am not certain if their decryption policy has changed since then.

I'll ask and see if anyone on our team knows of an already-existing decryption tool.


One of our malware analysts took a look at the copy of CerberTear that was mentioned in the Twitter post you linked to. He said it looks easily decryptable, however the only details he gave me were that the ransomware didn't transmit decryption keys back to whoever made it, so if someone were to pay the ransom they wouldn't get a working decrypter back from the criminals who made/distributed this ransomware (if the criminals responded to the victim at all).

Michael Gillespie will also have access to the copy of the ransomware mentioned in the Twitter post, so he should have no trouble figuring out the encryption method. ;)


Thank you very much, I will contact Michael Gillespie.
I have noticed that as well: the criminals ask to send bitcoin, but the bitcoin address is the same for all victims and no contact info is included. So they wouldn't know who paid them and who should receive the decryptor anyway.

18 hours ago, Michal Nawrocik said:

... So they wouldn't know who paid them and should receive the decryptor anyway.

In this case there probably wouldn't be a decrypter (at least not a working one). Without knowing the private key, they wouldn't be able to send a decrypter capable of decrypting the files.


It's been a while, but I still haven't gotten these files decrypted. GData Business subscription does not include help with file decryption anymore, at least from what I've been told by their support. Michael Gillespie helped me a lot and gave me some possible salt values for decryption, but he didn't have a sample of this exact variant of CerberTear (with 8-byte block size, so perhaps using 3DES), so the results were uncertain and in the end I failed to decrypt the files anyway. Karsten Hahn couldn't help me get it done either. I guess not much hope is left.

Quote

One of our malware analysts took a look at the copy of CerberTear that was mentioned in the Twitter post you linked to.

But what if it's a slightly different variant which uses another encryption algorithm and more importantly another value for salt in the encryption process? Would your malware analyst know the different salt value? Would I get help with this, free or in paid support (or support included with subscription of your software)?

7 hours ago, Michal Nawrocik said:

But what if it's a slightly different variant which uses another encryption algorithm

CerberTear Ransomware 

In my description there are several different variants for this Ransomware.
November 2016 / December 2016 / February 2017
https://www.virustotal.com/gui/file/a098c20dd46c6afa031bb653cd6d6eede4260a5a6244cf8c1dffcb4d8565b404/detection 
https://www.virustotal.com/gui/file/8a8823bb395a14da869c4720edf60d77870774f236792ee8ea7d73503d003e74/detection 
https://www.virustotal.com/gui/file/12437a49d298941af8d087a1ff478a68ab4c312654153e17d598ff1c87be6b3d/detection 

8 hours ago, Michal Nawrocik said:

Would your malware analyst know the different salt value?

Analysts would only know the salt value if they were able to analyze a copy of the ransomware.

 

8 hours ago, Michal Nawrocik said:

Would I get help with this, free or in paid support (or support included with subscription of your software)?

We don't offer paid ransomware recovery services. Anything we're capable of doing, we currently do for free.

On 6/30/2019 at 10:38 PM, Amigo-A said:

Thank you, but I'm afraid these are just checksums, which don't say whether any of these variants uses 8-byte block size encryption. Is there such a variant among them?

On 6/30/2019 at 11:55 PM, GT500 said:

Analysts would only know the salt value if they were able to analyze a copy of the ransomware.

 

We don't offer paid ransomware recovery services. Anything we're capable of doing, we currently do for free.

It's good to know and very nice of you that you don't charge for it.

I won't be able to retrieve the copy of that malware. It seems like the encrypting executable removed itself when the encryption was finished (which HiddenTear variants often do). And the file recovery software I consider very decent failed to find a suitable recoverable executable file.

Do I get it right that I should provide you with a copy of the ransomware? And if not, could your analyst check if they have records of CerberTear variants using 8-byte block size encryption? I hope they index such information and wouldn't have to analyze all of the samples now to check it. And even if they have a lot of such variants, I guess I could check all their salts (and perhaps other parameters, if they differ from standard CerberTear). I guess there were never so many of these variants in existence to make checking their parameters programmatically against a single encrypted file difficult.

55 minutes ago, Michal Nawrocik said:

It seems like the encrypting executable removed itself when the encryption was finished (which HiddenTear variants often do).

That's fairly common for ransomware in general. There are a few exceptions, however most will delete their files after encryption has finished.

 

56 minutes ago, Michal Nawrocik said:

Do I get it right that I should provide you with the copy of the ransomware?

Yes, we would need a copy of the ransomware that encrypted the files in order to assist.

 

59 minutes ago, Michal Nawrocik said:

I guess there were never so many of these variants in existence to make checking their parameters programmatically against a single encrypted file difficult.

I would believe that HiddenTear was in distribution for several years. As far as I am aware there are a lot of variants of it, and some may be from third parties. Checking them all would be extremely time consuming, and there's no guarantee that we have a copy of the variant that encrypted your files.
