Kaspersky Lab has released a decryption tool for Polyglot ransomware that disguises itself as CTB-Locker.
The Polyglot Trojan has been propagating via spam emails containing a malicious attachment packed in a RAR-archive. During the encryption process, the Trojan does not change the names of the files on an infected machine but it instead blocks access to them. After the encryption is completed, the desktop wallpaper on a victim’s screen is replaced with the ransom demand. Fraudsters request their ransom in bitcoins and, if the payment does not happen in time, the Trojan will delete itself from the infected device leaving all files encrypted.
This new ransomware looks similar to the infamous CTB-Locker ransomware, however after proper analysis, Kaspersky Lab experts haven’t found any similarities between their malware codes. The Polyglot ransomware mimics CTB-Locker in nearly every way. It has an almost identical graphics interface, a similar sequence of actions are required to obtain the decryption key, and the payment page, desktop Wallpaper etc. all look the same. The creators of Polyglot apparently thought that by mimicking CTB-Locker they could trick users, and make them think they are suffering from serious malware, leaving them with no option other than to pay the criminals.
Kaspersky Lab experts have carefully examined the Polyglot encryption mechanism and found that unlike CTB-Locker it uses a weak encryption key generator. A brute-force search through the whole set of possible Polyglot decryption key variants can be performed in less than a minute on a standard PC. Discovering this weakness has allowed Kaspersky Lab experts to develop a tool that can help to unlock user data.
“This case teaches us to never give up: ransomware has become a serious problem for all users, but sometimes a solution can be found. In this case the malware authors made an implementation mistake, making it possible to break the encryption. However, users should not rely only on luck when it comes to ransomware. This case is the exception rather than the rule, therefore we recommend all users to protect their devices proactively by using a reliable security solution and making sure all anti-encryption technologies are switched on,” said Anton Ivanov, Senior Malware Analyst at Kaspersky Lab.
Kaspersky Lab detects this ransomware as Trojan-Ransom.Win32.Polyglot and PDM:Trojan.Win32.Generic. Check the detailed blogpost on Securelist to find more about the technical specifications of this Trojan.
More decryption tools are available on the No More Ransom website. The “No More Ransom” project is a joint initiative between Kaspersky Lab, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and Intel Security. Its major goal is to help the victims of ransomware retrieve their encrypted data without having to pay the criminals.