TG Soft's C.R.A.M. has identified a new cryptomalware "e;Anubis""e;. This new crypto-malware, when is executed, encrypts all files in the computer and rename them by adding the .coded extension. To descryt file, it is needed to send an email to get the key and the program to decode the files.		INDEX ==> Anubis how it manifests...   ==> The ransom demandend by Anubis ==> How to protect yourself from Anubis ==> What to do to mitigate the damage from Anubis ==> Can I restore the encrypted files ? ==> Final thoughts

HydraCrypt how it manifests...

Trojan.Win32.HydraCrypt is downloaded and run on your PC via a malware belonging to the family Trojan.Win32.Sathurbot. Il Trojan.Win32.Sathurbot is loaded when the computer starts by grabbing the Windows shell, and more precisely using the registry key: [HKEY_CLASSES_ROOT\Drive\ShellEx\FolderExtensions\{stringCLSID}] where {stringaCLSID} match to the key: [HKEY_CURRENT_USER\Software\Classes\CLSID\{stringCLSID}] in its interior it contains the key "InprocServer32" where is written the path of the Trojan.Win32.Sathurbot %allusersprofile%\{random_stringCLSID}\<randomname>.dll   The Trojan.Win32.Sathurbot performs tasks downloader, by downloading other malware and allowing their execution in stealth mode (invisible / hidden). Usually the infection is carried from some vulnerabilities in Java, Flash Player e/o Adobe Reader that is activated when browsing the compromised websites. The Trojan.Win32.HydraCrypt  looks like a .dll file. and it is copied into a subfolder of the user's temporary folder %TEMP%\{randomstring}\ and from here it is put into effect by using the Windows rundll32.exe module, followed by the "Working" parameter. Some details regarding the samples collected from C.R.A.M .: FILE NAME: 13BO.tmp.dll SIZE: 319488 byte MD5: 9330242B1AB1BF2EB14142D1793BBA59 FILE NAME: api-ms-win-system-crypt32-l1-1-0.dll SIZE: 215040 byte MD5: 61A8470C8E299A036DFAE93BBF7788FD FILE NAME: api-ms-win-system-msvcp60-l1-1-0.dll SIZE: 215040 byte MD5: 29C97C6F6AAEF25690D78285EE41727A FILE NAME: api-ms-win-system-WMVCORE-l1-1-0.dll SIZE: 270336 byte MD5: F782229CFE781A1184289F9A600E007A As you can see, some samples collected have very similar names to legitimate windows DLLs. Logically, we should remember that the windows legitimate files are not found in the user's temporary folder but inside % systemroot% \ system32

HydraCrypt encrypts files with extensions such as those shown in the table below, and rename them by adding to the original name .crypt extension.

.3dm, .3ds, .7z, .accdb, .aes, .ai, .apk, .app, .arc, .asc, .asm, .asp, .aspx, .bat, .brd, .bz2, .c, .cer, .cfg, .cfm, .cgi, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .css, .csv, .cue, .db, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dtd, .dwg, .dxf, .eml, .eps, .fdb, .fla, .frm, .gadget, .gbk, .gbr, .ged, .gpg, .gpx, .gz, .h, .htm, .html, .hwp, .ibd, .ibooks, .indd, .jar, .java, .jks, .js, .jsp, .key, .kml, .kmz, .lay, .lay6, .ldf, .lua, .m, .max, .mdb, .mdf, .mfd, .mml, .ms11, .msi, .myd, .myi, .nef, .note, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .p12, .pages, .paq, .pas, .pct, .pdb, .pdf, .pem, .php, .pif, .pl, .plugin, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .priv, .private, .ps, .psd, .py, .qcow2, .rar, .raw, .rss, .rtf, .sch, .sdf, .sh, .sitx, .sldx, .slk, .sln, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tex, .tgz, .tlb, .txt, .uop, .uot, .vb, .vbs, .vcf, .vcxproj, .vdi, .vmdk, .vmx, .wks, .wpd, .wps, .wsf, .xcodeproj, .xhtml, .xlc, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx, , .3g2, .3gp, .aif, .asf, .asx, .avi, .bmp, .dds, .flv, .gif, .iff, .jpg, .m3u, .m4a, .m4v, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpg, .png, .pspimage, .ra, .rm, .srt, .tga, .thm, .tif, .tiff, .tmp, .vob, .wav, .wma, .wmv, .yuv

The ransom demandend by HydraCrypt

Files that are encrypted by HydraCrypt to be decrypted require the payment of a ransom of US $ 500 in BitCoin.

HydraCrypt, at the end of encryption, generates in the folders affected by his actions 3 file with instructions for the payment of redemption:

• de_crypt_readme.bmp
• de_crypt_readme.html
• de_crypt_readme.txt

The files containing the informations for the payment of the ransom and the same page where you enter your payment details are very similar to those associated with the TeslaCrypt 4.0.

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://klgpcoXXXjzpca4z.onion.to Your personal id 9AXXFB768741 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: http://klgpcoXXXjzpca4z.onion 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://klgpcoXXXjzpca4z.onion.to Your personal page Tor-Browser http://klgpcoXXXjzpca4z.onion Your personal id 9AXXFB768741

How to protect yourself from HydraCrypt

As of the 8.1.45  version(update  April 5, 2016) was adjusted heuristic behavioral automaton built in Vir.IT eXplorer PRO, making it able to block the attack early on also HydraCrypt.

As already reported, the Vir.IT eXplorer PRO's Anti-CryptoMalware technology when properly installed, configured, updated and used, has held up very well to these attacks managing to save the encryption up to 99.63% of the files and allowing the recovery of encrypted files in the initial phase of the attack up to 100% thanks to the integrated BackUp technologies:

• BackUp-On-The-Fly;
• Vir.IT Backup.

Assuming the correct:

• INSTALLATION;
• UPDATE of both the signatures and the engine;
• CONFIGURATION in particular of the resident shield Vir.IT Security Monitor with the "Anti-Crypto Malware Protection" flagged from the options window in real time, as well as Vir.IT BackUp activated, an advanced backup that allows you to have a copy of your work files preserved from encryption from which to proceed to recovery.

Remembering that the TeslaCrypt at every perform of the malware uses a different encryption key. This means that each time you reboot the computer with the active malware, at restart this will encrypt files with a different key from the previous. For example, if an infected computer was performed CryptoMalware and were later carried out two restarts, the files will be encrypted with three different keys.

Back to top

What to do to mitigate the damage from HydraCrypt

Quando compare la videata di Alert qui a fianco significa che la protezione Anti-CryptoMalware integrata in Vir.IT eXplorer PRO sta agendo e quindi, evitando di farsi prendere dal "panico" NON chiudere la finestra ed eseguire le operazioni che vengono indicate:

Make sure that Vir.IT eXplorer PRO is UP-TO-DATE; UNPLUG ETHERNET and/or EVERY NETWORK CABLE - by doing this, the computer will be phisically isolated from the network, thus containing the attack inside just one machine. PERFORM a FULL SCAN using Vir.IT eXplorer PRO. DO NOT REBOOT OR TURN OFF THE COMPUTER in order to avoid further encryption, as stated before. In case of cryptomalware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.

Click to enlarge   99,63%* Average percentage Expectation of protected files from encryption thanks to Vir.IT eXplore PRO's Anti-CryptoMalware protection ==> Check the information

Can I restore the encrypted files?

With the Anti-Crypto Malware protection integrated in VirIT, the number of encrypted files by HydraCrypt will be at most a few dozen.
The "sacrificed" files during the mitigation must be replaced with a backup copy, currently there aren't tools for recovering files .crypt.
In the analyzed cases by the TG Soft's C.R.A.M., it was possible to recover files by using the shadow copies of the days preceding the attack.

Final thoughts

If you opened an infected attachment and has been started the encryption, you could:

1. you have Vir.IT eXplorer PRO installed, correctly set up, up-to-date and running on your pc - in this case, you must follow the instructions on the Alert message and you will manage to save AT LEAST 99.63% of your data;
2. you have a AntiVirus software that DOESN'T DETECT, signal and halt the ongoing encryption - in this case you still could do
   
   • UNPLUG EVERY NETWORK CABLE
   • LEAVE YOUR COMPUTER TURNED OFF - every time the computer is rebooted and the malware is still active, a new encryption key will be used and the amount of money demanded as ransom will increase (note that paying the ransom does not guarantee the decryption and is therefore highlynot recommended)

Either way, remain calm and do not panic.


TG Soft
Anti-Malware Research Center