Decryption keys Archives – Gridinsoft Blog

Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Donex, DarkRace, fake LockBit 3.0 and Muse Ransomware Decryptor Released
https://gridinsoft.com/blogs/donex-ransomware-decryptor-released/
Mon, 08 Jul 2024 19:00:41 +0000

The post Donex, DarkRace, fake LockBit 3.0 and Muse Ransomware Decryptor Released appeared first on Gridinsoft Blog.
A decryptor for Donex ransomware, also known as Muse, DarkRace and (fake) LockBit 3.0, has been released by Avast specialists. They had known about a flaw in its cipher for almost half a year and used it to help victims privately; now they are making the decryptor tool available to everyone. This is yet another ransomware family that has become decryptable since the beginning of 2024.

Donex a.k.a Muse/DarkRace/LockBit 3.0 Decryptor Released

On July 8, 2024, researchers from Avast Decoded published a decryptor tool for DoNex ransomware. This malware family has been active since April 2022, originally under the name “Muse ransomware”. In November of the same year, its operators started mimicking the LockBit 3.0 ransomware, following the leak of that infamous malware’s builder tool. About half a year later, the threat actor opted for the name DarkRace, which changed once again in March 2024 to Donex ransomware. That March rebranding appears to be the last in the group’s existence, as no new samples have appeared since May of that year. And now, all its victims can get their files back without paying a penny.

For almost half a year, since March 2024, Avast had the decryptor on hand and used it without public disclosure. This saved quite a few companies that fell victim to the malware from paying, while the hackers had no clue that something was going on. Now, a few months past the last sign of Donex ransomware activity, they decided to make the decryptor public. A working decryption solution is possible only because of a flaw in the ransomware’s encryption mechanism.

Why didn’t they make it public as soon as they discovered the flaw? That would have told the hackers exactly where the vulnerability was, leading to it being patched, which would have rendered the decryptor useless. What the cybercriminals saw instead was a slow but steady decrease in the number of victims who paid the ransom. Even though this may be a clue in itself, it gives no hint of where exactly the issue is.

How do I use the decryptor?

The program that the researchers released has a friendly interface that is not hard to deal with even for an ordinary user. After downloading it from the developers’ website, one sees an interface with a detailed description of each step. The only requirement is a so-called file pair: an encrypted file together with its original, unencrypted copy. The tool uses this pair to derive the decryption key.

Avast decryptor for Donex

Once the key has been recovered, the program automatically proceeds with the rest of the files. The time this takes depends on the number of files and, obviously, on the system’s computing power. Unfortunately, there is no mass-decryption mode that would lift the encryption from an entire network, for example. It is still better than nothing, especially considering that the criminals are no longer active and will likely ignore even genuine contact attempts for payment or negotiation.


The decryptor for one more ransomware family is yet another reason to repeat the advice: never pay the hackers. Sooner or later, a solution will appear that gets your files back. Until then, keep your infrastructure protected and always have a backup stored in a reliable place.

Tortilla (Babuk) Ransomware Decryptor Available
https://gridinsoft.com/blogs/tortilla-ransomware-decryptor-available/
Tue, 09 Jan 2024 12:09:30 +0000
On January 9, 2024, Avast and Cisco Talos announced the release of a free decryptor for one of the Babuk ransomware variants – Tortilla. Analysts say that all victims of this threat actor can use the decryptor to get their files back. That is the second ransomware strain to get a decryptor in 2024 – what a start to the year!

Tortilla Ransomware Decryptor Is Available

On January 9, a free decryptor for the Babuk ransomware variant used by the Tortilla gang was released. It is the result of a collaboration between Cisco Talos, Avast and the Dutch Police. Police operations related to the detainment of key Tortilla group members helped recover the original decryptor, which was then used to obtain the decryption key. Cisco shared this key with Avast Threat Labs, whose Babuk decryptor is now capable of decrypting Tortilla ransomware, too.

After receiving the key, Avast analysts discovered that its format is in fact the same as in the original Babuk strain. This simplified the integration of the new variant into the existing decryptor. Because a single private key was used for all victims, all of them can get their files back. The updated decryptor is now available on the developer’s site.

What is Tortilla Ransomware?

Tortilla is a Babuk ransomware variant that emerged in October 2021, a month after the original malware shut down in September 2021, which possibly makes it one of the earliest offshoots. Unlike other Babuk-like ransomware samples, Tortilla almost exactly repeats the original, which led analysts to believe it was simply a continuation of the old group. However, the payload names, from which the group got its name, pointed at a different actor running the campaign.

Tortilla Ransomware note
Ransom note created by Tortilla Ransomware

Babuk itself was a prolific ransomware strain, used by the eponymous threat actor in attacks on corporations. It emerged in November 2020 as Vasa Locker and breached over a dozen companies. Everything was ruined by a single post on a Darknet forum in September 2021, when one of the key members leaked the admin panel key and the source code. This made the gang cease further operations. The end? Not quite: Babuk code keeps resurfacing in other ransomware samples, such as ESXiArgs and Rorschach.

Babuk ransomware shutdown
Forum message that heralded the shutdown of Babuk

Can Other Ransomware Samples Get the Decryptor?

As recent events show, this can happen to any ransomware group, active or defunct. Even prolific groups such as LockBit and BlackBasta are not invulnerable – some of their past samples used flawed encryption, and analysts managed to create a decryptor. For defunct groups, especially ones whose members have been apprehended, the chance of a decryptor appearing is even higher. This once again explains the advice to avoid paying the ransom: a free decryptor is more likely to appear than you’d think.

Still, the best course of action is to avoid ransomware attacks altogether. Robust cybersecurity within the perimeter, employee training, vulnerability patching – these steps are much easier and cheaper than dealing with the consequences of a ransomware attack.


Black Basta Ransomware Free Decryptor Available
https://gridinsoft.com/blogs/black-basta-ransomware-free-decryptor-available/
Wed, 03 Jan 2024 13:12:50 +0000
SRLabs researchers published a free decryptor for BlackBasta ransomware. They discovered a vulnerability in the way the malware handles the encryption process and found a way to recover the encryption key and get the files back. The decryptor is called Black Basta Buster and is available for free on the developers’ GitHub page.

Black Basta Decryptor Available to Public

Two days late, SRLabs delivered an amazing New Year gift to quite a few companies attacked by Black Basta ransomware. On January 2, 2024, the analysts published a utility called Black Basta Buster on their GitHub, with an explanation of how it works. There are limitations, however: decryption is not guaranteed; not all files can be decrypted; and not all versions of the ransomware are supported.

So, to the details. As SRLabs says in the utility’s description, the tool relies on an error in the XOR key advancement, which causes the same 64-bit key to be applied to the entire file. By analyzing the encrypted file, particularly the sections that were filled with zeros in the original (XORing zeros with the key yields the key itself), it is possible to recover the key and then use it to decrypt the file. The procedure has to be repeated for every file.

Vulnerable Black Basta encryption
The part of the file encrypted with a vulnerable, “repeated” key

As mentioned, the decryption has its limitations and “recommended circumstances”. The key advancement error does not occur in the first 5000 bytes of the encrypted file, meaning that files smaller than that are out of the tool’s reach. The developers additionally note that peak efficiency is reached when working with virtual machine disk files. Due to the specific way the ransomware operates, VM files are much more likely to have been encrypted with the aforementioned bug in effect.

Another limitation is the attack date. Black Basta reportedly used the flawed encryptor from November 2022 up until December 2023. Most likely, the gang will fix the issue and the decryptor will not work for further attacks.
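The following Python script is an added illustration of the recovery idea described above (the stuck 64-bit XOR key and the 5000-byte head that is not affected); it is not SRLabs’ tool and not the ransomware’s code. It assumes a simplified model in which the head is encrypted with a properly advancing, unknown keystream and everything after it with one repeated 8-byte key, and it constructs its own sparse sample file.

```python
import random
from collections import Counter
from typing import Optional

# Simplified model of the flaw the post describes: after the first HEAD bytes
# the XOR key stops advancing, so a single 64-bit key block is applied
# unchanged to the rest of the file. The head region is modelled as a
# properly advancing (unknown) keystream and is therefore not recoverable here.
HEAD = 5000   # size of the region the post says is unaffected by the bug
BLOCK = 8     # one 64-bit key block


def flawed_encrypt(plaintext: bytes, key: bytes, head_stream: bytes) -> bytes:
    """Constructed stand-in for the buggy encryptor (not the real malware code)."""
    assert len(key) == BLOCK and len(head_stream) >= min(HEAD, len(plaintext))
    head = bytes(p ^ k for p, k in zip(plaintext[:HEAD], head_stream))
    tail = bytes(p ^ key[i % BLOCK] for i, p in enumerate(plaintext[HEAD:]))
    return head + tail


def recover_stuck_key(ciphertext: bytes) -> Optional[bytes]:
    """Recover the repeated key block from the tail of an encrypted file.

    A zero-filled plaintext block XORed with the key is the key itself, so in a
    file with zero runs (sparse VM disks are the best case, as the post notes)
    the most frequent aligned 8-byte block of the tail is the key candidate.
    """
    tail = ciphertext[HEAD:]
    if len(tail) < BLOCK:
        return None  # file too small: no flawed region to analyse
    blocks = [tail[i:i + BLOCK] for i in range(0, len(tail) - BLOCK + 1, BLOCK)]
    candidate, count = Counter(blocks).most_common(1)[0]
    if count < 2:
        return None  # no repeated block, so no zero run to lean on
    return candidate


def decrypt_tail(ciphertext: bytes, key: bytes) -> bytes:
    """Undo the stuck-key XOR on everything past HEAD; the head is left as-is."""
    tail = bytes(c ^ key[i % BLOCK] for i, c in enumerate(ciphertext[HEAD:]))
    return ciphertext[:HEAD] + tail


def demo() -> tuple:
    """Encrypt a constructed sparse file, recover the key, decrypt the tail."""
    rng = random.Random(1)
    data = bytes(rng.getrandbits(8) for _ in range(6000))
    # Constructed sample: random content with two zero-filled regions, one of
    # them (1024 bytes at offset 7000) inside the stuck-key tail.
    plaintext = data[:2000] + bytes(3000) + data[2000:4000] + bytes(1024) + data[4000:]
    key = bytes.fromhex("0123456789abcdef")  # constructed key
    head_stream = bytes(rng.getrandbits(8) for _ in range(HEAD))
    ciphertext = flawed_encrypt(plaintext, key, head_stream)
    recovered = recover_stuck_key(ciphertext)
    tail_ok = recovered is not None and decrypt_tail(ciphertext, recovered)[HEAD:] == plaintext[HEAD:]
    return key, recovered, tail_ok


if __name__ == "__main__":
    k, r, ok = demo()
    print("recovered key:", r.hex() if r else None, "tail decrypted:", ok)
```

Files shorter than HEAD yield no candidate, mirroring the size limitation of the real tool.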

Is that the end for Black Basta?

Most likely, it is not. The infamous gang that emerged in spring 2022 is rumored to be a descendant of Conti ransomware, an infamous threat actor that ceased its activity a month before Black Basta appeared. Its hackers are therefore experienced enough to find and fix the flaw in a matter of days. The ransoms paid since November 2022 make it easy for them to absorb the loss of some potential revenue.

Attacks month-to-month

There have been quite a few cases in which researchers developed a decryptor for a still-active ransomware family. LockBit is among the most famous, though there were also tools for Akira and BlackByte ransomware. Since two of the three are still operating, such a setback is evidently no more than a minor inconvenience for them.

How to protect against ransomware attacks?

Ransomware has become a major threat to both home users and corporations over the last 7 years. Moreover, the evolution of its practices and tactics makes building comprehensive protection a long and difficult process. Still, several measures will make a ransomware attack much less likely.

Be careful with email messages. Email spam is a primary distribution vector for many malware types, not only ransomware. By checking the sender and the attached file or link, you can avoid getting infected.

Install the latest software and firmware updates. Vulnerability exploitation is the hackers’ bread and butter when it comes to lateral movement and payload deployment. Most exploitation happens after a vulnerability becomes public and a patch is available – so do not hesitate to update the programs you use.

Avoid using cracked software. Cracks are an ideal breeding ground for all kinds of malware because they necessarily tamper with the program’s code. This distribution method has existed for decades and plagues home users and corporate workstations alike.

Use reliable anti-malware software. Anti-malware software ensures that malware will not slip in through a vector you are not aware of. A well-designed security solution will detect and remove even the newest malware with heuristic and AI detection systems. GridinSoft Anti-Malware is a program that offers such functionality – give it a try.


Unit221b Secretly Helped Victims of Zeppelin Ransomware for 2 Years
https://gridinsoft.com/blogs/zeppelin-ransomware-cipher-hacked-unit221b/
Mon, 21 Nov 2022 19:51:11 +0000
Security professionals at Unit221b found vulnerabilities in the Zeppelin ransomware encryption mechanism. Experts managed to use them to create a working decryptor that they have been using since 2020 to help victim companies recover files without paying the attackers a penny. The work was carried out covertly so hackers would not find out about vulnerabilities in their ransomware.

Unit221b succeeded at hacking Zeppelin after seeing ransomware operators targeting charities, nonprofits and even hospices. Malware analysis from Blackberry Cylance helped the company discover vulnerabilities in the ransomware.

What is Zeppelin ransomware?

Zeppelin is a ransomware gang that started its activity around the spring of 2019, under the name Vega/VegaLocker. Their malware has also gone by the names Jamper, Storm and Buran, though some analysts consider those spin-offs rather than renamed copies. Unlike a great number of other ransomware groups, they first aimed at ex-USSR countries. Since the beginning of 2022, they have drastically changed their approach and now avoid Russian-speaking countries. Like most other groups, Zeppelin uses the ransomware-as-a-service model, so its developers do not take part in distribution. Instead, they offer their “product” to hackers on various Darknet marketplaces, receiving an initial payment and a cut of each ransom. The main distribution methods the threat actors chose, and still use, are malvertising and watering hole attacks.

Zeppelin ransomware note
Zeppelin ransom note, that appears after the encryption is over

Aiming generally at organizations, Zeppelin never followed the so-called “blacklist” of possible targets. That list is an agreed selection of sectors that should not be attacked – governmental and non-profit organizations, hospitals, humanitarian organizations and educational infrastructure. The group freely attacked any kind of company, asking for separate ransoms for data decryption and for not publishing the stolen information. This practice, called “double extortion”, can sometimes multiply the ransom amount.

Zeppelin ransomware cipher hacked by Unit221b

The researchers noticed that Zeppelin uses an ephemeral 512-bit RSA key to encrypt the AES key, which actually ciphers the files. The AES key was stored in the footer of each encrypted file. Hence, if someone could crack the RSA-512 key, they would be able to decrypt the files without paying the attackers.

Zeppelin ransomware encryption mechanism
Zeppelin encryption mechanism and its flaws

Specialists also found that the public key remained in the attacked system’s registry for about 5 minutes after the encryption was completed. The key could be extracted in three ways: by carving the registry data from the raw file system, from a registry.exe memory dump, or directly from the NTUSER.Dat file in the “/User/[username]/” directory. The resulting data was obfuscated using RC4. Once the experts had figured out this encryption layer, they had to overcome the last obstacle – the encryption layer using RSA-2048.

Obfuscated key
Obfuscated decryption key as a plain text

To overcome this hurdle, Unit221b used a total of 800 CPUs across 20 servers, each handling a small portion of the key. Six hours later, the key was cracked, and the analysts succeeded in extracting the key from the file footer. Unit221b founder Lance James said in an interview that the company decided to make the details public because the number of Zeppelin ransomware victims has dropped significantly in recent months. Lance said the decryption tool should work even with the latest versions of Zeppelin. It will also be available to all victims who submit a request.

What then?

Zeppelin has definitely lost its image, but that is unlikely to create many problems for them. Last month, their activity plummeted to zero. The latest submissions related to this group’s attacks appeared at the end of October. They likely have an ancestor – Vice Society ransomware, which successfully attacks companies almost daily. Overall, this is not the first time a ransomware cipher has been broken. Multiple vulnerabilities within HiddenTear ransomware allowed analysts to break its cipher easily. Some encryption cases were solved by hacking into the ransomware gang’s infrastructure or by capturing the threat actors. But such cases remain statistical outliers. Ransomware was and remains one of the most dangerous malware types, an attack from which may cost not only thousands of dollars but also one’s reputation.

Decryption keys for Maze, Egregor and Sekhmet ransomware were posted on the Bleeping Computer forum
https://gridinsoft.com/blogs/decryption-keys-for-maze-egregor-and-sekhmet-ransomware/
Thu, 10 Feb 2022 15:22:07 +0000
The Bleeping Computer forum published master keys for decrypting data affected by Maze, Egregor and Sekhmet ransomware attacks. Apparently, the keys were “leaked” by one of the developers of the malware.

Journalists recall that the Maze ransomware has been active since May 2019 and quickly gained wide notoriety, as its operators were the first to come up with the “double extortion” tactic. The hackers began not only to encrypt their victims’ data but also to publish files stolen from the attacked companies if they refused to pay. Maze operators set up a dedicated website for these leaks, and other groups soon followed their example, including Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker.

When Maze announced its closure in October 2020, the Egregor ransomware entered the scene, which was basically just a rebrand of Maze. However, it did not last long, as soon the Ukrainian authorities arrested some of the criminals associated with it.

The Sekhmet ransomware stands a little apart on this list, as it appeared in March 2020, when Maze was still active.

Bleeping Computer writes that the master keys were posted on the forum by a user named Topleak, who claims to have had a hand in the development of all three malware. At the same time, the hacker writes that this is a “planned leak” that has nothing to do with the recent law enforcement operations that led to the seizure of servers and the arrests of “partners” of various extortion groups.

Maze Egregor Sekhmet

Topleak also emphasized that none of the members of his hacking group will return to ransomware development in the future, and that they have destroyed all of their source code.

The message is accompanied by a 7zip file with four archives, which contain the decryption keys for Maze, Egregor and Sekhmet, as well as the source code of the M0yv malware, which the hacker called a bonus.

The keys provided by Topleak have already been checked by information security experts Michael Gillespie and Fabian Wosar of Emsisoft, who confirmed that they can indeed be used to decrypt files.

Emsisoft has already released its own free decryption tool that allows victims of Maze, Egregor and Sekhmet (who have been storing the affected files all this time) to recover their data. In order to use this utility, victims will need a ransom note created during the attack, as it contains the encrypted key needed to “rescue” the files.

Maze Egregor Sekhmet
Maze extortion note example

Let me remind you that we wrote about the free decryptor for BlackByte ransomware that was published, and about experts linking BlackCat (ALPHV) ransomware to the BlackMatter and DarkSide groups.
