27/06/2017
10:20

CryptoBubble: a new ransomware made in Italy!


A new ransomware that encrypts document files and appends the extension .bubble is spreading at this moment.



TG Soft's Anti-Malware Research Centre (C.R.A.M.) identified a new ransomware, called CryptoBubble, on the night of 26 June. The ransomware may have been made in Italy.

CONTENTS

==> How CryptoBubble spreads
 
==> How to protect yourself from CryptoBubble

==> What to do to mitigate the damage from CryptoBubble

==> Can I restore the encrypted files

==> Conclusions



How CryptoBubble spreads


CryptoBubble is a ransomware written in C# (MSIL). The name of its main class is "preventivo.pdf" ("preventivo" is Italian for a price quote), which suggests it was made in Italy.
The CryptoBubble sample analysed:
  • name: preventivo.pdf.exe
  • size: 473,600 bytes
  • MD5: 390684C72E22BDE7DFDDCE234F1EFFAA

On execution, the ransomware generates a random 8-byte key.
It then enumerates the following directories (.NET special folders):
  • MyPictures
  • Personal
  • MyVideos
  • MyMusic
  • DesktopDirectory

In the MyPictures folder it encrypts files with the following extensions:
png, jpeg, jpg, 3gp, bmp, tiff, mp4, mov, mpeg, avi


In the Personal folder (My Documents) it encrypts files with the following extensions:
zip, doc, docx, docm, pdf, xls, xlsm, xlsx, mdb, accdb, accdt, dwg, cdr, rar, odt, ods, odg, odp, odb, odf, otg, otp, ott, csv, txt, png, jpeg, jpg, 3gp, bmp, tiff, mp4, mov, mpeg, avi


In the MyVideos folder it encrypts files with the following extensions:
mp3, ac3, DivX, mpg, mpeg, mp4, mov, ogv, ogg, avi


In the MyMusic folder it encrypts files with the following extensions:
mp3, ac3, mid, wav, mp4, mov, mpeg


In the DesktopDirectory folder it encrypts files with the following extensions (the list in the sample repeats docx):
mp3, docx, zip, doc, docx, docm, pdf, xls, xlsm, xlsx, mdb, accdb, accdt, dwg, cdr, rar, odt, ods, odg, odp, odb, odf, otg, otp, ott, csv, txt, png, jpeg, jpg, 3gp, bmp, tiff, mp4, mov, mpeg, avi

It creates a new file with the original document name plus the extension .bubble.
CryptoBubble encrypts the document with DES, using the same 8 random bytes as both the secret key and the IV. Note that a DES key is only 56 bits long and that the key leaves the machine in the clear (see below), so the strength of the scheme rests entirely on the victim not obtaining those 8 bytes.

It then deletes the original document, but first overwrites its first 50 lines with:
bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble...
bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble...
bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble... bubble bobble...



It collects the following information:
  • Operating system
  • Platform
  • Operating system version
  • Machine name
  • User name
  • whether the OS is 64-bit
It then sends an email from bubble.lck@gmail.com to bubble_lck@hmamail.com containing:
  • the secret key
  • the operating system and user information above
If the ransomware fails to send the email, it stores the secret key in the registry:
HKEY_CURRENT_USER\WinNT
[SerialNumber] = secret key
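As an added example (not TG Soft's code and not taken from the sample), the following PowerShell shows how a .bubble file can be decrypted once the 8-byte key is known, for instance read from the HKCU\WinNT\SerialNumber value on a machine where the email failed. It uses the .NET DESCryptoServiceProvider class that a C# program would use. CBC mode and PKCS7 padding are assumptions (they are the .NET defaults; the page states only that DES is used with the same 8 bytes as key and IV), and the page does not say in which encoding the key is written to the registry, so the function takes the raw bytes. The demonstration at the end constructs its own sample file and key; neither comes from a real case.

```powershell
# Added example (not TG Soft's or the sample's code): recover a .bubble file
# when the 8-byte DES key is known. Assumed: CBC mode and PKCS7 padding (the
# .NET DESCryptoServiceProvider defaults; the page says only "DES" with the
# same 8 bytes as key and IV). The registry encoding of the key is not stated
# on the page, so the key is passed in as raw bytes.
function Restore-BubbleFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # the *.bubble file
        [Parameter(Mandatory = $true)][byte[]]$Key,    # the 8 random bytes (key == IV)
        [string]$OutPath                               # default: Path without ".bubble"
    )
    if ($Key.Length -ne 8) { throw "DES key must be exactly 8 bytes, got $($Key.Length)" }
    if (-not $OutPath) {
        if ($Path -notlike '*.bubble') { throw "Expected a .bubble file: $Path" }
        $OutPath = $Path.Substring(0, $Path.Length - '.bubble'.Length)
    }
    $des = New-Object System.Security.Cryptography.DESCryptoServiceProvider
    $des.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $des.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    # The Key setter throws for the 16 weak/semi-weak DES keys; a randomly
    # generated key practically never is one.
    $des.Key = $Key
    $des.IV  = $Key                                    # key reused as IV, as described above
    try {
        $cipher = [System.IO.File]::ReadAllBytes($Path)
        if ($cipher.Length % 8 -ne 0) { throw "Ciphertext length is not a multiple of the DES block size" }
        $plain = $des.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.IO.File]::WriteAllBytes($OutPath, $plain)
        return $OutPath
    } finally {
        $des.Clear()
    }
}

# Constructed demonstration: encrypt a throwaway file in %TEMP% with the same
# parameters to stand in for a .bubble file, delete the original as the sample
# does, then restore it. The key bytes are arbitrary, not from a real case.
$key    = [byte[]](0x13, 0x57, 0x9B, 0xDF, 0x02, 0x46, 0x8A, 0xCE)
$sample = Join-Path $env:TEMP 'preventivo.docx'
$bubble = "$sample.bubble"
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::UTF8.GetBytes('constructed sample document'))

$enc = New-Object System.Security.Cryptography.DESCryptoServiceProvider
$enc.Key = $key; $enc.IV = $key                        # CBC/PKCS7 are the defaults
$plainBytes = [System.IO.File]::ReadAllBytes($sample)
[System.IO.File]::WriteAllBytes($bubble, $enc.CreateEncryptor().TransformFinalBlock($plainBytes, 0, $plainBytes.Length))
$enc.Clear()
Remove-Item -LiteralPath $sample                       # only the .bubble copy remains

$restored = Restore-BubbleFile -Path $bubble -Key $key
[System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes($restored))
```

Running the script writes preventivo.docx back next to the .bubble copy in %TEMP% and prints the recovered text. If a real sample used a different mode or padding, TransformFinalBlock fails with a padding error or returns garbage, which is the check to apply before trusting a recovered key.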


It then shows the following message box:
Hello, I am Bob, do you remember the game? Unfortunately, the world has changed and I have changed too: once spit bubbles, today i encode your file! :)
Well, if you want to recover your files, please contact us at 'br5wf@notsharingmy.info' and we will find a solution and will promptly send you the unlock key to retrieve all your files... Good Lucky        



It adds the following registry value so that it runs at startup:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[preventivo.pdf] = %path%\preventivo.pdf.exe
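The indicators listed in this analysis (the Run value, the fallback SerialNumber registry value, the sample's MD5 and the .bubble extension in the five special folders) can be checked on a suspect host. The following PowerShell triage function is an added example, not TG Soft's code; it uses only indicators stated on this page. Searching the folders recursively is a choice of the script, not a statement about how the sample enumerates them.

```powershell
# Added example (not TG Soft's code): triage a host for the CryptoBubble
# indicators listed in the analysis above. Run it in the affected user's own
# session, since the sample writes under HKCU.
$KnownSampleMd5 = '390684C72E22BDE7DFDDCE234F1EFFAA'   # MD5 of the analysed sample

function Get-CryptoBubbleIndicators {
    $found = [ordered]@{}

    # 1. Persistence: Run value named "preventivo.pdf" pointing at preventivo.pdf.exe
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['preventivo.pdf']) {
        $target = $run.'preventivo.pdf'
        $found['RunValue'] = $target
        $exe = $target.Trim('"')                        # Run values are often quoted
        if (Test-Path -LiteralPath $exe) {
            $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
            $found['RunTargetMd5']     = $md5
            $found['IsAnalysedSample'] = ($md5 -eq $KnownSampleMd5)
        }
    }

    # 2. Fallback key storage, written when the email exfiltration failed
    $winnt = Get-ItemProperty -Path 'HKCU:\WinNT' -Name SerialNumber -ErrorAction SilentlyContinue
    if ($winnt) { $found['SerialNumber'] = $winnt.SerialNumber }

    # 3. Encrypted files in the five special folders the sample enumerates
    #    ("Personal" is the .NET name for My Documents). Recursing into
    #    subfolders is this script's choice, not a claim about the sample.
    $folders = 'MyPictures', 'Personal', 'MyVideos', 'MyMusic', 'DesktopDirectory' |
        ForEach-Object { [Environment]::GetFolderPath([System.Environment+SpecialFolder]$_) } |
        Where-Object { $_ }                             # skip folders that are not defined
    $bubbles = @(Get-ChildItem -Path $folders -Filter '*.bubble' -Recurse -File -ErrorAction SilentlyContinue)
    $found['BubbleFileCount'] = $bubbles.Count
    $found['BubbleFiles']     = $bubbles.FullName

    [pscustomobject]$found
}

Get-CryptoBubbleIndicators | Format-List
```

A non-empty SerialNumber value together with .bubble files is the case worth preserving before any cleanup: it means the email failed and the key used on that machine is still on the machine.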
       



How to protect yourself from CryptoBubble

Vir.IT eXplorer Pro is already able to block the crypto-malware CryptoBubble at an early stage.
As already reported, Vir.IT eXplorer Pro's Anti-Ransomware technology, when properly installed, configured, updated and used, has held up very well to these attacks, protecting up to 99.63% of files from encryption and allowing recovery of up to 100% of the files encrypted in the initial phase of the attack thanks to the integrated backup technologies.
 


What to do to mitigate the damage from CryptoBubble

When the alert screen shown below appears, it means that Vir.IT eXplorer Pro's integrated Anti-CryptoMalware protection is acting; so, without giving in to panic, do NOT close the window and perform the steps indicated:

  1. Make sure that Vir.IT eXplorer Pro is UP-TO-DATE;
  2. UNPLUG THE ETHERNET and/or EVERY NETWORK CABLE: this physically isolates the computer from the network, containing the attack to a single machine;
  3. PERFORM A FULL SCAN using Vir.IT eXplorer Pro;
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER, in order to avoid further encryption, as stated above.

    In case of a crypto-malware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
Screenshot: Anti-CryptoMalware protection integrated in Vir.IT eXplorer PRO

99.63%: average expected percentage of files protected from encryption thanks to Vir.IT eXplorer PRO's Anti-CryptoMalware protection


Can I restore the encrypted files


With the Anti-CryptoMalware protection integrated in Vir.IT eXplorer Pro, the number of files encrypted by CryptoBubble will be at most a few dozen.
The files "sacrificed" during mitigation must be replaced from a backup copy; at present there are no tools for recovering .bubble files. Note, however, that if the sample failed to send its email, the DES key it used is stored under HKCU\WinNT in the SerialNumber value (see above), and a file encrypted with a known DES key and IV can be decrypted.
In the cases analysed by TG Soft's C.R.A.M., it was possible to recover files from the shadow copies of the days preceding the attack.




Conclusions

If you opened an infected attachment and the encryption has started, there are two cases:

  1. you have Vir.IT eXplorer Pro installed, correctly set up, up-to-date and running on your PC: in this case, follow the instructions on the alert message and you will manage to save AT LEAST 99.63% of your data;

  2. you have an antivirus that DOES NOT DETECT, signal and halt the ongoing encryption: in this case you can still

    • UNPLUG EVERY NETWORK CABLE

    • LEAVE YOUR COMPUTER TURNED OFF: every time the computer is rebooted while the malware is still active, a new encryption key is used and the amount of money demanded as ransom increases (note that paying the ransom does not guarantee decryption and is therefore highly inadvisable)

Either way, remain calm and do not panic.



 


Author: Gianfranco Tonello
Anti-Malware Research Centre (C.R.A.M.) of TG Soft





Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always explicitly cited as "Source: CRAM by TG Soft www.tgsoft.it", with a clickable link to the original information and/or web page from which the text, ideas and/or images were taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement is appreciated: "Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]"
