Free decryption: the developers of the QazLocker ransomware were left empty-handed

Lord777

Specialists from Acronis cracked the encryption algorithm and shared the ready-made solution with the world.

In the cybercrime world, a new version of ransomware called QazLocker is gaining momentum. It is used in a variety of attacks to target companies in different business sectors from different countries. However, there is something interesting about how this malware works.

Acronis conducted a detailed analysis of this threat and identified serious vulnerabilities in its file encryption algorithms. These errors make it possible to recover encrypted data without paying a ransom to the cybercriminals.

Unlike the well-known hacker groups that specialize in ransomware, the creators of QazLocker appear to have a low level of technical skill. To gather intelligence and move laterally through the victim's local network, they use well-known hacking tools such as Mimikatz, the NirSoft utilities, and Advanced Port Scanner.

The encryptor itself is written in AutoIt and packed with the standard UPX packer. The program recursively traverses all drives in the system and encrypts the files it finds using AES in CBC mode with an all-zero initialization vector.

However, when generating the AES key, QazLocker developers made a number of serious mistakes. First, the victim's LOCK-ID is calculated by concatenating the MAC address of the network adapter and the month number in hexadecimal. Secondly, based on the last 5 bytes of this identifier, an RC4 encryption key is generated, which in turn is used to "protect" the seed of the AES key.

The approach taken by the attackers makes it easy to recover the encryption keys and decrypt the files of affected companies. To do this, one only needs the MAC address of the victim's device and the month in which the attack occurred.
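The two paragraphs above describe the key derivation only in outline; the following is an added model of it, written for this post and not QazLocker's code or Acronis's decryptor. The formatting of the MAC in the LOCK-ID, the "last 5 bytes" being the trailing five characters of that string, and the protected seed being a plain RC4 wrap stored where the victim can read it are assumptions not stated in the article.

```python
# Model of the QazLocker key-derivation weakness described above (constructed
# example; neither QazLocker's code nor Acronis's decryptor). Assumptions not
# stated on the page: MAC written as 12 lower-case hex chars without separators,
# month appended as two hex digits, RC4 key = last 5 chars of that string, and
# the "protected" seed is RC4(seed) stored where the victim can read it.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lock_id(mac: str, month: int) -> str:
    """LOCK-ID = adapter MAC (hex, separators removed) + month number in hex."""
    return mac.replace(":", "").replace("-", "").lower() + f"{month:02x}"


def rc4_key_from_lock_id(lid: str) -> bytes:
    """The RC4 key is taken from the last 5 bytes of the identifier."""
    return lid[-5:].encode()


def protect_seed(seed: bytes, mac: str, month: int) -> bytes:
    """Encryptor side (modelled): wrap the AES seed with the derived RC4 key."""
    return rc4(rc4_key_from_lock_id(lock_id(mac, month)), seed)


def recover_seed(protected: bytes, mac: str, month: int) -> bytes:
    """Victim side: MAC and attack month are known, so the key and seed are too."""
    return rc4(rc4_key_from_lock_id(lock_id(mac, month)), protected)


def candidate_key_space() -> int:
    """Under the assumptions above the 5-byte RC4 key is 3 hex digits of the MAC
    plus a 2-digit hex month (01..0c): only 16**3 * 12 distinct keys exist, so
    the wrapping adds about 15.6 bits of protection to a 256-bit AES seed."""
    return 16 ** 3 * 12


if __name__ == "__main__":
    mac, month = "00:1A:2B:3C:4D:5E", 3            # constructed sample victim
    seed = bytes(range(32))                          # constructed sample AES seed
    blob = protect_seed(seed, mac, month)
    print(lock_id(mac, month), rc4_key_from_lock_id(lock_id(mac, month)),
          recover_seed(blob, mac, month) == seed, candidate_key_space())
```

The point of the model is the last function: even without the MAC, a wrapper keyed from 5 hex characters of a mostly predictable string leaves only 49,152 candidate keys, which is why the derivation, not AES itself, is the weakness.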

Acronis specialists have already developed a decryptor in the form of a Python script that lets QazLocker victims recover their files on their own, without giving in to the extortionists' demands.

Unfortunately, most other ransomware families still pose a serious threat to businesses. Their authors carefully obfuscate their code, use strong cryptographic primitives without such weaknesses, and regularly modify their algorithms. In those cases, recovering encrypted data is extremely difficult or practically impossible.