06/04/2016
15:10

New crypto malware spreading: caution with HydraCrypt!


This new cryptomalware is downloaded and executed by a Trojan downloader; it encrypts the victim's files and renames them with the .crypt extension.



TG Soft's C.R.A.M. (Anti-Malware Research Center) has identified a new cryptomalware, "HydraCrypt".

When executed, this crypto-malware encrypts the files on the computer and renames them by appending the .crypt extension.

To decrypt the files, the victim is directed to a Tor page and asked to pay a ransom in Bitcoin in exchange for the private key and the decryption program.
 

INDEX

==> How HydraCrypt manifests itself...

==> The ransom demanded by HydraCrypt

==> How to protect yourself from HydraCrypt

==> What to do to mitigate the damage from HydraCrypt

==> Can I restore the encrypted files?

==> Final thoughts

 


How HydraCrypt manifests itself...

Trojan.Win32.HydraCrypt is downloaded and run on the PC by a malware of the Trojan.Win32.Sathurbot family.
Trojan.Win32.Sathurbot is loaded when the computer starts by hooking the Windows shell (Explorer): it registers itself as a shell extension through the registry key:

[HKEY_CLASSES_ROOT\Drive\ShellEx\FolderExtensions\{stringCLSID}]

where {stringCLSID} corresponds to the key:

[HKEY_CURRENT_USER\Software\Classes\CLSID\{stringCLSID}]

which contains the subkey "InprocServer32", whose default value holds the path of the Trojan.Win32.Sathurbot DLL:

%allusersprofile%\{random_stringCLSID}\<randomname>.dll
 
Trojan.Win32.Sathurbot acts as a downloader: it fetches other malware and runs it silently (hidden from the user).
The infection usually arrives through vulnerabilities in Java, Flash Player and/or Adobe Reader, exploited while browsing compromised websites.
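The persistence chain above (a CLSID under HKCR\Drive\ShellEx\FolderExtensions whose InprocServer32 points at a DLL in a GUID-named folder under %ALLUSERSPROFILE%) can be checked on a suspect machine. The script below is an added example, not code from TG Soft or from the advisory; the "suspicious" heuristics (per-user CLSID registration, DLL under %ALLUSERSPROFILE%, GUID-named parent folder) are this example's assumptions and flag handlers for manual review, not a verdict.

```powershell
# Added example (not TG Soft's code): enumerate Explorer's Drive folder
# extension handlers and resolve each CLSID to its InprocServer32 DLL.
# HKEY_CLASSES_ROOT is a merged view of HKLM and HKCU Software\Classes, so a
# CLSID registered only under HKCU\Software\Classes\CLSID is enough for
# Explorer to load the DLL at logon, which is the pattern described above.

$FolderExtKey = 'Registry::HKEY_CLASSES_ROOT\Drive\ShellEx\FolderExtensions'

function Get-FolderExtensionHandlers {
    if (-not (Test-Path -LiteralPath $FolderExtKey)) { return @() }
    Get-ChildItem -LiteralPath $FolderExtKey | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = $null; $hive = $null
        # Look in the per-user hive first (where Sathurbot registers itself),
        # then fall back to the machine-wide hive.
        foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
            $server = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path -LiteralPath $server) {
                $dll  = (Get-ItemProperty -LiteralPath $server).'(default)'
                $hive = $root.Substring(0, 4)   # 'HKCU' or 'HKLM'
                break
            }
        }
        [pscustomobject]@{
            CLSID = $clsid
            Hive  = $hive
            DLL   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        }
    }
}

function Test-SuspiciousHandler {
    param([Parameter(Mandatory)] $Handler)
    # Heuristics (assumptions of this example): legitimate shell extensions are
    # normally machine-wide and live under Program Files or System32. A handler
    # resolved from HKCU, stored under %ALLUSERSPROFILE% (C:\ProgramData), or
    # sitting in a {GUID}-named folder matches the Sathurbot description.
    if (-not $Handler.DLL) { return $false }
    $allUsers = [Environment]::ExpandEnvironmentVariables('%ALLUSERSPROFILE%')
    $underAllUsers = $Handler.DLL.StartsWith($allUsers, [StringComparison]::OrdinalIgnoreCase)
    $guidFolder    = $Handler.DLL -match '\\\{[0-9A-Fa-f\-]{36}\}\\[^\\]+\.dll$'
    return ($Handler.Hive -eq 'HKCU') -or $underAllUsers -or $guidFolder
}

foreach ($h in Get-FolderExtensionHandlers) {
    $flag = if (Test-SuspiciousHandler -Handler $h) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1} [{2}] -> {3}' -f $flag, $h.CLSID, $h.Hive, $h.DLL
}
```

Run it in the context of the user whose profile is suspected, since the CLSID lives in that user's HKCU hive; a machine-wide sweep would have to load each user's NTUSER.DAT.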

Trojan.Win32.HydraCrypt comes as a .dll file. It is copied into a subfolder of the user's temporary folder, %TEMP%\{randomstring}\, and launched from there through the Windows rundll32.exe module, which is invoked with the DLL path followed by the "Working" export (rundll32.exe <path>\<name>.dll,Working). Some details of the samples collected by C.R.A.M.:
  • FILE NAME: 13BO.tmp.dll - SIZE: 319488 bytes - MD5: 9330242B1AB1BF2EB14142D1793BBA59
  • FILE NAME: api-ms-win-system-crypt32-l1-1-0.dll - SIZE: 215040 bytes - MD5: 61A8470C8E299A036DFAE93BBF7788FD
  • FILE NAME: api-ms-win-system-msvcp60-l1-1-0.dll - SIZE: 215040 bytes - MD5: 29C97C6F6AAEF25690D78285EE41727A
  • FILE NAME: api-ms-win-system-WMVCORE-l1-1-0.dll - SIZE: 270336 bytes - MD5: F782229CFE781A1184289F9A600E007A
As you can see, some of the collected samples have names very similar to those of legitimate Windows DLLs (the api-ms-win-* API-set libraries). Bear in mind that the legitimate Windows files are never found in the user's temporary folder, but in %SystemRoot%\System32.
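The sample traits above (a DLL dropped under a %TEMP% subfolder, an api-ms-win-* name outside the system directories, one of the four reported MD5 hashes, and a rundll32.exe process started with the "Working" export) translate directly into a hunting script. The following is an added example, not part of the advisory or TG Soft's tooling; the set of temp folders swept and the list of "legitimate" directories are assumptions of this example, while the four hashes are the ones reported above.

```powershell
# Added example (not TG Soft's code): hunt for the dropped HydraCrypt DLL and
# for its rundll32 launcher using the indicators listed in the advisory.

$KnownMd5 = @(
    '9330242B1AB1BF2EB14142D1793BBA59',  # 13BO.tmp.dll
    '61A8470C8E299A036DFAE93BBF7788FD',  # api-ms-win-system-crypt32-l1-1-0.dll
    '29C97C6F6AAEF25690D78285EE41727A',  # api-ms-win-system-msvcp60-l1-1-0.dll
    'F782229CFE781A1184289F9A600E007A'   # api-ms-win-system-WMVCORE-l1-1-0.dll
)

# Directories where a genuine api-ms-win-* DLL may legitimately live (assumption).
$LegitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

# Temp locations to sweep (assumption): the current user's %TEMP%, every
# profile's local temp (other users' folders need an elevated prompt) and the
# system temp folder.
$TempRoots = @($env:TEMP, "$env:SystemDrive\Users\*\AppData\Local\Temp", "$env:SystemRoot\Temp")

function Test-InLegitDir {
    param([Parameter(Mandatory)] [string] $Directory)
    foreach ($d in $LegitDirs) {
        if ($Directory.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-HydraCryptDlls {
    param([string[]] $Roots = $TempRoots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $md5  = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            $reasons = @()
            if ($md5 -and ($KnownMd5 -contains $md5)) {
                $reasons += 'MD5 matches a reported HydraCrypt sample'
            }
            if ($file.Name -like 'api-ms-win-*' -and -not (Test-InLegitDir -Directory $file.DirectoryName)) {
                $reasons += 'API-set DLL name outside System32/SysWOW64/WinSxS'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Path = $file.FullName; MD5 = $md5; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

# The payload is started as: rundll32.exe <path>\<name>.dll,Working
function Find-WorkingRundll32 {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -match ',\s*Working\b' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

Find-HydraCryptDlls   | Format-Table -AutoSize
Find-WorkingRundll32  | Format-Table -AutoSize
```

The MD5 match only catches the exact samples reported here; the name-outside-System32 and the rundll32 ",Working" checks are the ones that survive a recompiled payload, so treat a hit on either as worth a look even when the hash is new.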


HydraCrypt encrypts files with the extensions listed below and renames them by appending the .crypt extension to the original name.

.3dm, .3ds, .7z, .accdb, .aes, .ai, .apk, .app, .arc, .asc, .asm, .asp, .aspx, .bat, .brd, .bz2, .c, .cer, .cfg, .cfm, .cgi, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .css, .csv, .cue, .db, .dbf, .dch, .dcu, .dif, .dip, .djv, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dtd, .dwg, .dxf, .eml, .eps, .fdb, .fla, .frm, .gadget, .gbk, .gbr, .ged, .gpg, .gpx, .gz, .h, .htm, .html, .hwp, .ibd, .ibooks, .indd, .jar, .java, .jks, .js, .jsp, .key, .kml, .kmz, .lay, .lay6, .ldf, .lua, .m, .max, .mdb, .mdf, .mfd, .mml, .ms11, .msi, .myd, .myi, .nef, .note, .obj, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .p12, .pages, .paq, .pas, .pct, .pdb, .pdf, .pem, .php, .pif, .pl, .plugin, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .priv, .private, .ps, .psd, .py, .qcow2, .rar, .raw, .rss, .rtf, .sch, .sdf, .sh, .sitx, .sldx, .slk, .sln, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tex, .tgz, .tlb, .txt, .uop, .uot, .vb, .vbs, .vcf, .vcxproj, .vdi, .vmdk, .vmx, .wks, .wpd, .wps, .wsf, .xcodeproj, .xhtml, .xlc, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .zipx, .3g2, .3gp, .aif, .asf, .asx, .avi, .bmp, .dds, .flv, .gif, .iff, .jpg, .m3u, .m4a, .m4v, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpg, .png, .pspimage, .ra, .rm, .srt, .tga, .thm, .tif, .tiff, .tmp, .vob, .wav, .wma, .wmv, .yuv


The ransom demanded by HydraCrypt

To decrypt the files encrypted by HydraCrypt, the attackers demand a ransom of US $500 in Bitcoin.

At the end of the encryption, HydraCrypt drops three files with payment instructions in every folder it has touched:
  • de_crypt_readme.bmp
  • de_crypt_readme.html
  • de_crypt_readme.txt
The files containing the payment instructions, as well as the page where the victim enters the payment details, are very similar to those used by TeslaCrypt 4.0. The text of the note follows (Tor addresses and personal ID partially redacted):


NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1 - http://klgpcoXXXjzpca4z.onion.to

Your personal id 9AXXFB768741
If for some reasons the addresses are not available, follow these steps:

1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: http://klgpcoXXXjzpca4z.onion
4 - Follow the instructions on the site IMPORTANT INFORMATION

Your personal pages http://klgpcoXXXjzpca4z.onion.to
Your personal page Tor-Browser http://klgpcoXXXjzpca4z.onion
Your personal id 9AXXFB768741





How to protect yourself from HydraCrypt

As of version 8.1.45 (update of April 5, 2016) the heuristic behavioural engine built into Vir.IT eXplorer PRO has been tuned so that it can block the attack at an early stage for HydraCrypt as well.

As already reported, the Anti-CryptoMalware technology of Vir.IT eXplorer PRO, when properly installed, configured, updated and used, has held up very well against these attacks, keeping up to 99.63% of files safe from encryption and allowing recovery of the files encrypted in the initial phase of the attack, up to 100%, thanks to the integrated backup technologies:
  • BackUp-On-The-Fly;
  • Vir.IT BackUp.

This assumes correct:

  • INSTALLATION;
  • UPDATING of both the signatures and the engine;
  • CONFIGURATION, in particular of the resident shield Vir.IT Security Monitor with the "Anti-CryptoMalware Protection" option enabled in the real-time options window, and with Vir.IT BackUp activated, an advanced backup that keeps a copy of your work files safe from encryption, from which recovery can proceed.

Keep in mind that TeslaCrypt, whose ransom note HydraCrypt closely imitates, uses a different encryption key on every run of the malware. This means that each time the computer is rebooted with the malware still active, the files encrypted after the restart are encrypted with a key different from the previous one. For example, if the cryptomalware ran on an infected computer and the machine was then restarted twice, the files will have been encrypted with three different keys.


What to do to mitigate the damage from HydraCrypt

When the Alert window shown here appears, it means that the Anti-CryptoMalware protection integrated in Vir.IT eXplorer PRO is acting. Therefore, without giving in to "panic", DO NOT close the window and carry out the operations indicated:

  1. Make sure that Vir.IT eXplorer PRO is UP-TO-DATE;
  2. UNPLUG THE ETHERNET and/or EVERY NETWORK CABLE: this physically isolates the computer from the network, confining the attack to a single machine.
  3. PERFORM a FULL SCAN using Vir.IT eXplorer PRO.
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER, to avoid further encryption with a new key, as explained above.
  5. In case of a cryptomalware attack, get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible: write to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
[Screenshot: Vir.IT eXplorer PRO's integrated Anti-CryptoMalware protection alert]

99.63%*: average expected percentage of files protected from encryption thanks to Vir.IT eXplorer PRO's Anti-CryptoMalware protection.


Can I restore the encrypted files?

With the Anti-CryptoMalware protection integrated in Vir.IT eXplorer PRO, the number of files encrypted by HydraCrypt will be at most a few dozen.
The files "sacrificed" during the mitigation must be replaced from a backup copy: at present there are no tools that can recover .crypt files.
In the cases analysed by TG Soft's C.R.A.M., it was possible to recover files by using the shadow copies (Volume Shadow Copies) from the days preceding the attack.
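The shadow-copy recovery mentioned above can be done from an elevated PowerShell prompt without third-party tools: list the snapshots of the system volume, pick the newest one taken before the attack, expose it through a directory symlink and copy the needed folder out to a separate location. This is an added example, not a procedure from TG Soft or the advisory; the attack time, the link path, the folder restored and the destination are assumptions for illustration, and it must be run as administrator.

```powershell
# Added example (not TG Soft's code): restore a folder from a Volume Shadow
# Copy taken before the HydraCrypt attack. Run from an elevated prompt.

function Get-ShadowCopiesBefore {
    param([Parameter(Mandatory)] [datetime] $AttackTime, [string] $DriveLetter = 'C:')
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
    # \\?\Volume{GUID}\ form, which lets us match snapshots to a drive letter.
    $volumeId = (Get-CimInstance -ClassName Win32_Volume |
                 Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $AttackTime } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Mount-ShadowCopy {
    param([Parameter(Mandatory)] $Shadow, [string] $LinkPath = "$env:SystemDrive\shadow_restore")
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # Directory symlink to the shadow device object; the trailing backslash is required.
    cmd /c mklink /d "$LinkPath" "$($Shadow.DeviceObject)\" | Out-Null
    if (-not (Test-Path -LiteralPath $LinkPath)) { throw 'mklink failed; is the prompt elevated?' }
    return $LinkPath
}

function Restore-FolderFromShadow {
    param(
        [Parameter(Mandatory)] [string] $LinkPath,
        [Parameter(Mandatory)] [string] $RelativePath,   # e.g. 'Users\alice\Documents'
        [Parameter(Mandatory)] [string] $Destination     # a separate location, never the original path
    )
    $source = Join-Path $LinkPath $RelativePath
    # A snapshot taken before the attack holds clean files; the filter below is
    # a safety net in case the chosen snapshot overlaps the encryption run.
    $files = Get-ChildItem -LiteralPath $source -Recurse -File |
             Where-Object { $_.Extension -ne '.crypt' -and $_.Name -notlike 'de_crypt_readme.*' }
    $copied = 0
    foreach ($f in $files) {
        $relative = $f.FullName.Substring($source.Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $target
        $copied++
    }
    return $copied
}

# Usage with assumed values: newest snapshot before the attack, one user's Documents.
$attackTime = Get-Date '2016-04-05 09:00'
$candidates = Get-ShadowCopiesBefore -AttackTime $attackTime
$candidates | Format-Table -AutoSize
if ($candidates) {
    $link = Mount-ShadowCopy -Shadow ($candidates | Select-Object -First 1)
    try {
        $n = Restore-FolderFromShadow -LinkPath $link -RelativePath 'Users\alice\Documents' -Destination 'D:\restored\Documents'
        "Restored $n files"
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, not the snapshot
    }
}
```

Check the InstallDate column before mounting: if the newest pre-attack snapshot is old, the files it holds are the ones that will be restored, so it may be worth restoring from two snapshots into two destinations and comparing. Do this only after the malware has been stopped, since an active cryptomalware can still delete shadow copies.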


Final thoughts

If you have opened an infected attachment or visited a compromised website and the encryption has started, there are two cases:
  1. you have Vir.IT eXplorer PRO installed, correctly set up, up-to-date and running on your PC: in this case, follow the instructions in the Alert message and you will manage to save AT LEAST 99.63% of your data;
  2. you have an antivirus that DOES NOT DETECT, signal and halt the ongoing encryption: in this case you can still
    • UNPLUG EVERY NETWORK CABLE
    • TURN THE COMPUTER OFF AND LEAVE IT OFF: every time the computer is rebooted with the malware still active, a new encryption key is used and the amount demanded as ransom increases (note that paying the ransom does not guarantee decryption and is therefore strongly discouraged)
Either way, remain calm and do not panic.


TG Soft
Anti-Malware Research Center
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
