
ONE RANSOMWARE, TWO FAMILIES

Every organization, corporate or otherwise, invests a large share of its revenue in protecting its network infrastructure from cyber attacks. Though cyber criminals sometimes pick strategic targets, they may attack any organization indiscriminately. For an organization that has been attacked, it becomes very difficult to recover the data, and the revenue, lost while recovering from the attack.

The most damaging tool in a cyber criminal's kit is infecting the victim's computer with ransomware. The simple reason is the strong encryption it applies, which is almost impossible to undo without the key. Only some security experts with deep experience and exceptional knowledge are able to do so.

Ransomware operators generally encrypt the victim's files with a single encryption algorithm. The situation gets worse as more encryption algorithms are layered on top of each other, and it is at its worst when two ransomware families encrypt your files at the same time.

Exactly this worst case has been analyzed by security experts from Tencent Security Intelligence. They found a group named LaoXinWon in China targeting servers with weak administrator passwords. The researchers identified two ransomware families operating under this name: the first is LaoXinWon itself, the other is the Scarab ransomware. Both use repeated, layered encryption to make the encrypted content harder to decrypt. Let's have a look at how they actually work.

ANALYZING THE RANSOMWARE

After successfully exploiting the weak password and gaining access to the target server, the group delivers 5 different modules to the victim's system. These are:

  • CleanExit.exe
  • Lao.exe
  • LaoXinwon.exe
  • NetworkShare_pre2.exe
  • Proc.exe

Lao.exe is the ransomware written in C#. After entering the victim's system, it first enumerates the files to be encrypted starting from the root, excluding some file types that are not in the system data format. The selected files are then encrypted with the AES algorithm, a symmetric cipher, which means the encryption and decryption keys are the same. This key is generated randomly and with high strength, which makes it very difficult to predict. Then comes the repeated encryption mentioned above: the AES key is itself encrypted with the RSA algorithm. RSA is asymmetric cryptography, meaning a pair of keys that are entirely different from each other is used for encryption and decryption.

An RSA-2048 public key is hard coded in the ransomware, and after the AES key has been encrypted with it, the encrypted AES key is appended to the end of the file. Don't be confused by this public key: it cannot be used to decrypt the content, since only the matching RSA private key can recover the AES key. Thus, by combining RSA and AES for encryption, the content becomes very difficult to decrypt.

After encryption, the .aes extension is added to the encrypted files, and a letter explaining how to get the content decrypted, giving LaoXinWon@protonmail.com as the contact address, is attached with them.

Then comes the second ransomware family, the Scarab ransomware, which appears as LaoXinWon.exe among the 5 modules. This ransomware is written in Delphi and uses the same RSA+AES combination to make decryption difficult. After encrypting the files, it adds the .lampar extension to them and attaches a letter with the same information as the C# ransomware described above.
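As an added triage example (not code from the article or from the Tencent researchers), the following Python walks a directory for files carrying the two extensions named above and checks whether their body and their trailing 256 bytes (where an RSA-2048-wrapped AES key would sit; that exact on-disk layout is an assumption) look like ciphertext. The sample files it builds are constructed random data, not real victim files.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

FAMILY_BY_EXTENSION = {".aes": "Lao.exe", ".lampar": "LaoXinWon.exe (Scarab)"}  # from the article
# One RSA-2048 ciphertext block is 256 bytes; that the wrapped AES key sits at the end of
# the file as a raw block of exactly this size is an assumption, not stated by the article.
RSA2048_BLOCK_LEN = 256
# Bits per byte: ciphertext is near 8.0, text near 4-5. Compressed formats are also high
# entropy, so the extension gate below is required as well as the entropy check.
HIGH_ENTROPY = 6.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_file(path: Path) -> dict:
    """Classify one file by extension plus entropy of its body and its 256-byte trailer."""
    data = path.read_bytes()
    trailer = data[-RSA2048_BLOCK_LEN:] if len(data) > RSA2048_BLOCK_LEN else b""
    body = data[:-RSA2048_BLOCK_LEN] if trailer else data
    family = FAMILY_BY_EXTENSION.get(path.suffix.lower())
    body_h, trailer_h = shannon_entropy(body), shannon_entropy(trailer)
    return {
        "path": str(path), "family": family,
        "body_entropy": round(body_h, 2), "trailer_entropy": round(trailer_h, 2),
        # flag only when the extension AND the content both match the described scheme
        "suspect": family is not None and body_h >= HIGH_ENTROPY and trailer_h >= HIGH_ENTROPY,
    }

def scan_directory(root: Path) -> dict:
    """Walk root and list suspect files with a per-family count."""
    summary = {"suspect_files": [], "per_family": Counter()}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result = triage_file(path)
        if result["suspect"]:
            summary["suspect_files"].append(result["path"])
            summary["per_family"][result["family"]] += 1
    return summary

def build_sample_dir() -> Path:
    """Constructed sample tree (random bytes, not real victim data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="laoxinwon_triage_"))
    # ciphertext-like body plus a random 256-byte trailer standing in for the wrapped key
    (root / "report.docx.aes").write_bytes(os.urandom(2048) + os.urandom(RSA2048_BLOCK_LEN))
    (root / "budget.xlsx.lampar").write_bytes(os.urandom(4096) + os.urandom(RSA2048_BLOCK_LEN))
    # renamed plaintext: the extension matches but the entropy does not, so it is not flagged
    (root / "notes.txt.aes").write_bytes(b"plain text, not encrypted\n" * 40)
    (root / "readme.txt").write_bytes(b"untouched file\n" * 40)
    return root
```

Running `scan_directory(build_sample_dir())` flags the two random-content files, one per family, and leaves the renamed plaintext and the untouched file alone.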

Finally, after the files are encrypted, NetworkShare_pre2.exe and Proc.exe are used to scan the LAN, deliver the ransomware to other systems on the network and monitor the process.

Lastly, CleanExit.exe is used to clear all traces and logs from the compromised system, making the attackers harder to identify.

CONCLUSION

We see how cyber criminals keep devising new techniques to compromise systems and gain as many privileges as they can. It is better to take the precautions below to protect our systems from these kinds of attack:

  • Use complex passwords comprising lower-case letters, capital letters, numbers and special characters.
  • Use multi-factor authentication for your logins.
  • Use strong firewall rules for your network.
  • Disable automatic running of JavaScript in your browser.