TG Soft Software House - Vir.IT eXplorer: AntiVirus, AntiSpyware and AntiMalware



27/06/2017 10:20:46 - CryptoBubble a new ransomware made in Italy!




TG Soft's Anti-Malware Research Centre (C.R.A.M.) identified a new ransomware, called CryptoBubble, during the night of 26 June. This ransomware may have been made in Italy.

CONTENTS

==> How CryptoBubble spreads
 
==> How to protect yourself from CryptoBubble

==> What to do to mitigate the damage from CryptoBubble

==> Can I restore the encrypted files

==> Conclusions



How CryptoBubble spreads


CryptoBubble is a ransomware written in C# (MSIL). The name of its main class is "preventivo.pdf" ("preventivo" is Italian for "quotation"), which suggests it was made in Italy.
The analysed CryptoBubble sample:
  • name: preventivo.pdf.exe
  • size: 473,600 bytes
  • MD5: 390684C72E22BDE7DFDDCE234F1EFFAA

On execution the ransomware generates a random 8-byte key.
It then enumerates the following directories (.NET special folders):
  • MyPictures
  • Personal
  • MyVideos
  • MyMusic
  • DesktopDirectory

In the MyPictures folder it encrypts files with the following extensions:
png, jpeg, jpg, 3gp, bmp, tiff, mp4, mov, mpeg, avi


In the Personal folder it encrypts files with the following extensions:
zip, doc, docx, docm, pdf, xls, xlsm, xlsx, mdb, accdb, accdt, dwg, cdr, rar, odt, ods, odg, odp, odb, odf, otg, otp, ott, csv, txt, png, jpeg, jpg, 3gp, bmp, tiff, mp4, mov, mpeg, avi


In the MyVideos folder it encrypts files with the following extensions:
mp3, ac3, DivX, mpg, mpeg, mp4, mov, ogv, ogg, avi


In the MyMusic folder it encrypts files with the following extensions:
mp3, ac3, mid, wav, mp4, mov, mpeg


In the DesktopDirectory folder it encrypts files with the following extensions:
mp3, docx, zip, doc, docx, docm, pdf, xls, xlsm, xlsx, mdb, accdb, accdt, dwg, cdr, rar, odt, ods, odg, odp, odb, odf, otg, otp, ott, csv, txt, png, jpeg, jpg, 3gp, bmp, tiff, mp4, mov, mpeg, avi

For each document it creates a new file with the original name plus the extension .bubble.
CryptoBubble encrypts the document file with the DES algorithm, using the secret key, with the 8 random bytes as the IV.

It then deletes the original document file, but first overwrites its first 50 lines with:
bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble...
bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble...
bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble...
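The file-system artifacts described above (the added ".bubble" file, the "bubble bobble..." filler written over the original, and the targeted extension lists) can be checked for on a suspect machine or a mounted disk image. The following triage script is an added example, not TG Soft's code and not part of the original article; the directory tree and file contents it builds are constructed for the demonstration, and the extension set is the union of the per-folder lists given above.

```python
import os
import tempfile
from pathlib import Path

# Filler CryptoBubble writes over the first lines of an original before deleting it
BUBBLE_MARKER = b"bubble bobble..."
ENCRYPTED_SUFFIX = ".bubble"

# Union of the per-folder extension lists in the write-up (lower-cased)
TARGETED_EXTENSIONS = {
    "png", "jpeg", "jpg", "3gp", "bmp", "tiff", "mp4", "mov", "mpeg", "avi",
    "zip", "doc", "docx", "docm", "pdf", "xls", "xlsm", "xlsx", "mdb", "accdb",
    "accdt", "dwg", "cdr", "rar", "odt", "ods", "odg", "odp", "odb", "odf",
    "otg", "otp", "ott", "csv", "txt", "mp3", "ac3", "divx", "mpg", "ogv",
    "ogg", "mid", "wav",
}


def has_overwrite_marker(path: Path) -> bool:
    """True if the file starts with the "bubble bobble..." filler."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.lstrip().startswith(BUBBLE_MARKER)


def original_name(encrypted: Path) -> str:
    """Name of the document a .bubble file was created from (to pick the backup copy)."""
    return encrypted.name[: -len(ENCRYPTED_SUFFIX)]


def triage(root: Path) -> dict:
    """Walk root and bucket files into encrypted / overwritten / at_risk."""
    result = {"encrypted": [], "overwritten": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext == ENCRYPTED_SUFFIX:
                result["encrypted"].append(path)
            elif has_overwrite_marker(path):
                result["overwritten"].append(path)
            elif ext.lstrip(".") in TARGETED_EXTENSIONS:
                result["at_risk"].append(path)
    return result


def build_sample_tree(base: Path) -> None:
    """Constructed sample: a Documents folder where the attack was stopped part-way."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.bubble").write_bytes(b"\x8a\x13\x4f\x00\xd1")  # stand-in ciphertext
    (docs / "report.docx").write_bytes(BUBBLE_MARKER * 3 + b"\r\n")    # overwritten original
    (docs / "notes.txt").write_text("still intact")                    # targeted, untouched
    (docs / "app.log").write_text("not in any targeted list")          # ignored


def demo() -> dict:
    """Run the triage over the constructed tree and return plain file names."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        found = triage(base)
    return {
        "encrypted": sorted(p.name for p in found["encrypted"]),
        "restore_from_backup": sorted(original_name(p) for p in found["encrypted"]),
        "overwritten": sorted(p.name for p in found["overwritten"]),
        "at_risk": sorted(p.name for p in found["at_risk"]),
    }


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Point `triage()` at the special folders named above (or at a mounted image) to get the list of documents to restore from backup; an original that still carries the filler marker is one the malware overwrote but had not yet deleted when it was stopped.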



It collects the following information:
  • Operating system
  • Platform
  • Operating system version
  • Machine name
  • User name
  • whether the OS is 64-bit
It then sends an e-mail from bubble.lck@gmail.com to bubble_lck@hmamail.com containing:
  • the secret key
  • the information about the operating system and the user
If the ransomware fails to send the e-mail, it saves the secret key in the registry:
HKEY_CURRENT_USER\WinNT
[SerialNumber] = secret key


It then shows the following message box:
Hello, I am Bob, do you remember the game? Unfortunately, the world has changed and I have changed too: once spit bubbles, today i encode your file! :)
Well, if you want to recover your files, please contact us at 'br5wf@notsharingmy.info' and we will find a solution and will promptly send you the unlock key to retrieve all your files... Good Lucky



It adds the following registry value to run at startup:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[preventivo.pdf] = %path%\preventivo.pdf.exe
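The two registry locations above (the Run value for persistence and the HKCU\WinNT\SerialNumber value holding the key when the e-mail fails) are worth checking during incident response, both on the live machine and in an exported hive. The script below is an added example and not TG Soft's code: it parses "reg export"-style text for those two artifacts, and on Windows reads the same keys from the live registry. The sample export text, the file paths in it and the key value are constructed placeholders.

```python
import re
import sys
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KEY_STORE = r"HKEY_CURRENT_USER\WinNT"

# Constructed 'reg export' text; the paths and the key value are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"preventivo.pdf"="C:\\Users\\user\\Downloads\\preventivo.pdf.exe"

[HKEY_CURRENT_USER\WinNT]
"SerialNumber"="PLACEHOLDER-SECRET-KEY"
'''

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: data}}.

    Only the "name"="data" string form (and the @ default value) is decoded;
    other value types (dword:, hex:) are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg backslash escaping
        keys[current][name] = data
    return keys


def find_cryptobubble_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (kind, location, data) for the two registry artifacts in the write-up."""
    hits: List[Tuple[str, str, str]] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "preventivo.pdf" or data.lower().endswith("preventivo.pdf.exe"):
            hits.append(("persistence", RUN_KEY + "\\" + name, data))
    for name, data in keys.get(KEY_STORE, {}).items():
        if name.lower() == "serialnumber":
            # Written only when the e-mail with the key failed; preserve it as evidence.
            hits.append(("stored_secret_key", KEY_STORE + "\\" + name, data))
    return hits


def read_live_hkcu() -> Dict[str, Dict[str, str]]:
    """On Windows, read the same two keys from the live registry; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    out: Dict[str, Dict[str, str]] = {}
    for full in (RUN_KEY, KEY_STORE):
        sub = full.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as k:
                values: Dict[str, str] = {}
                i = 0
                while True:
                    try:
                        name, data, _typ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
                out[full] = values
        except OSError:
            continue  # key absent: nothing to report for it
    return out


if __name__ == "__main__":
    source = read_live_hkcu() if sys.platform == "win32" else parse_reg_export(SAMPLE_EXPORT)
    for kind, where, data in find_cryptobubble_indicators(source):
        print(f"{kind:18} {where} = {data}")
```

On a non-Windows analysis box the script runs against the constructed export; on the affected machine it reads the live HKCU hive of the logged-on user, which is where both values are written.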
       



How to protect yourself from CryptoBubble

Vir.IT eXplorer Pro already blocks the crypto-malware CryptoBubble at an early stage.
As already reported, Vir.IT eXplorer Pro's Anti-Ransomware technology, when properly installed, configured, updated and used, has held up very well to these attacks, saving up to 99.63% of the files from encryption and, thanks to the integrated backup technologies, allowing the recovery of up to 100% of the files encrypted in the initial phase of the attack.
 


What to do to mitigate the damage from CryptoBubble

When the alert screen shown here appears, it means that Vir.IT eXplorer Pro's integrated Anti-CryptoMalware protection is acting. Do not panic, do NOT close the window, and perform the steps it indicates:

  1. Make sure that Vir.IT eXplorer Pro is UP-TO-DATE;
  2. UNPLUG THE ETHERNET and/or EVERY NETWORK CABLE: this physically isolates the computer from the network, containing the attack to a single machine;
  3. PERFORM A FULL SCAN using Vir.IT eXplorer Pro;
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER, to avoid further encryption, as stated before.

In case of a cryptomalware attack, get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an e-mail to assistenza@viritpro.com, or call +39 049 631748 or +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
Screenshot: the Anti-CryptoMalware protection integrated in Vir.IT eXplorer PRO
 
99.63%

Average expected percentage of files protected from encryption thanks to Vir.IT eXplorer PRO's Anti-CryptoMalware protection ==> Check the information


Can I restore the encrypted files


With the Anti-CryptoMalware protection integrated in Vir.IT, the number of files encrypted by Anubis will be at most a few dozen.
The files "sacrificed" during mitigation must be replaced from a backup copy; currently there are no tools for recovering .bubble files.
In the cases analysed by TG Soft's C.R.A.M., it was possible to recover files by using the shadow copies from the days preceding the attack.



Final thoughts:

If you opened an infected attachment and the encryption has started, there are two possible situations:

  1. You have Vir.IT eXplorer Pro installed, correctly configured, up to date and running on your PC: in this case, follow the instructions on the alert message and you will save AT LEAST 99.63% of your data;

  2. You have an antivirus that DOES NOT DETECT, signal and halt the ongoing encryption: in this case you can still

    • UNPLUG EVERY NETWORK CABLE

    • LEAVE YOUR COMPUTER TURNED OFF: every time the computer is rebooted while the malware is still active, a new encryption key is used and the amount of money demanded as ransom increases (note that paying the ransom does not guarantee decryption and is therefore highly not recommended)

Either way, remain calm and do not panic.



 


Author: Gianfranco Tonello
Anti-Malware Research Centre (C.R.A.M.) of TG Soft






Any information published on our website may be used and reposted on other websites, blogs, forums, Facebook and/or in any other form, on paper or electronically, as long as the source is always cited explicitly: "Fonte: C.R.A.M. by TG Soft www.tgsoft.it"

TG Soft S.a.s. - via Pitagora 11/B, 35030 Rubàno (PD), ITALY - C.F. e P.IVA 03296130283