
posted by cmn32480 on Monday July 25 2016, @01:27PM
from the we-should-flog-the-virus-writers dept.

Original URL: http://www.itworld.com/article/3099084/researchers-release-free-decryption-tools-for-powerware-and-bart-ransomware.html#tk.rss_news

Security researchers have released tools this week that could help users recover files encrypted by two relatively new ransomware threats: Bart and PowerWare.

PowerWare, also known as PoshCoder, was first spotted in March, when it was used in attacks against healthcare organizations. It stood out because it was implemented in Windows PowerShell, a scripting environment designed for automating system and application administration tasks.

Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.

This is not the first time the PowerWare/PoshCoder creators have imitated well-designed ransomware threats, probably in an attempt to convince users that there's no point in trying to recover their files without paying. In the past, they've used the CryptoWall and TeslaCrypt ransom notes.

Luckily, PowerWare is nowhere near as strong as the ransomware programs it impersonates. It uses the AES-128 encryption algorithm, but with a hard-coded key, which allowed the Palo Alto researchers to create a decryption tool that should work at least for this latest variant.

Also this week, researchers from antivirus firm AVG managed to crack another ransomware program called Bart that first appeared in June. This threat is notable because it locks files inside password-protected ZIP archives instead of using sophisticated encryption algorithms.

Bart infections are easy to identify because the affected files have the extension .bart.zip appended to their original name and extension; for example, document.docx becomes document.docx.bart.zip.

Bart's ZIP-based encryption uses a very long and complex password, but the AVG researchers have figured out a way to guess the key using brute-force methods. Their Bart decryption tool requires the user to have at least one unaffected copy of a file that has been encrypted.

-- submitted from IRC

  • (Score: 3, Informative) by Capt. Obvious on Monday July 25 2016, @04:05PM

    by Capt. Obvious (6089) on Monday July 25 2016, @04:05PM (#379871)

    Keep in mind that they have the unencrypted zip (since they can zip the plain version of a file), and the encrypted version of same. So they are pulling the key. They could be bruteforcing it, but I think it's a known vulnerability in the zip encryption that you can determine the key from the plain version. Not that that is usually considered a vulnerability, because if you have the plain version, the only thing that gets you is the key - which is only valuable if it's being reused everywhere. And in this case, it definitely is being reused everywhere.

  • (Score: 1, Informative) by Anonymous Coward on Monday July 25 2016, @05:47PM

    by Anonymous Coward on Monday July 25 2016, @05:47PM (#379935)

    There are four different methods to encrypt a zip file. Only the first two are widely used because they are the oldest, license free, have multiple FLOSS implementations, and are completely backwards compatible with any reader (in that they may not be able to decrypt but at least recognize it is a zip file using unsupported methods).

    The first two are called traditional and "simple password" and are slightly different versions but use the same encryption algorithm with multiple weaknesses: (1) it is password based and can be bruted that way, (2) it uses three related 32-bit keys and can be bruted that way, (3) multiple known-plaintext attacks exist, and (4) the technique itself is fundamentally broken due to advances in cryptanalysis even with unknown plaintext. Not to mention the metadata leaks involved.

    There are two other techniques that somewhat overlap. The main difference is where they get the keying material. They can use either passwords (brute-able) or certificates. Beyond that, they encrypt the data with the same sets of cipher-key length pairs, namely RC2 up to 128-bit (broken), RC4 up to 128-bit (broken), DES (laughably broken), 3DES 168-bit (broken), or AES 128- or 256-bit. Of those only the last one is secure, but beyond WinZip and PKZIP, not widely supported and only then since 2012 or so.

    • (Score: 0) by Anonymous Coward on Monday July 25 2016, @06:07PM

      by Anonymous Coward on Monday July 25 2016, @06:07PM (#379951)

      D'oh "license free" was supposed to be "licensing cost free," as you have to get a special license, and usually pay for it, in order to implement that part of the specification.
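The summary says Bart stores victims' files in password-protected ZIP archives under a .bart.zip name, and the comment above distinguishes the traditional ZipCrypto scheme from the newer PKWARE "strong encryption" and WinZip AES schemes. This added triage helper (not part of the article, the AVG tool, or the comments) walks a ZIP image's local file headers and reports which scheme each entry uses, so a responder can confirm that a suspect archive really is a ZipCrypto container rather than one of the AES variants. It relies only on the ZIP format's general-purpose flag bits 0, 3 and 6, compression method 99 and extra field 0x9901; the sample archives are constructed in the code and contain no real ciphertext.

```python
import struct, zlib

LOCAL_SIG = 0x04034b50
FLAG_ENCRYPTED, FLAG_DESCRIPTOR, FLAG_STRONG = 0x0001, 0x0008, 0x0040  # general-purpose bits 0, 3, 6
METHOD_AES = 99  # WinZip AE-x: AES key size is carried in extra field 0x9901

def iter_local_entries(data):
    """Walk the local file headers of a ZIP image, yielding (name, flags, method, extra_field_ids)."""
    off = 0
    while off + 30 <= len(data):
        sig, _, flags, method, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<IHHHHHIIIHH", data, off)
        if sig != LOCAL_SIG:
            break
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        extra, ids, p = data[off + 30 + nlen:off + 30 + nlen + xlen], set(), 0
        while p + 4 <= len(extra):
            eid, elen = struct.unpack_from("<HH", extra, p)
            ids.add(eid)
            p += 4 + elen
        yield name, flags, method, ids
        if flags & FLAG_DESCRIPTOR and csize == 0:
            break  # sizes live in a trailing data descriptor; the data cannot be skipped safely
        off += 30 + nlen + xlen + csize

def encryption_scheme(flags, method, extra_ids):
    """Classify an entry's protection along the lines drawn in the comments above."""
    if not flags & FLAG_ENCRYPTED:
        return "none"
    if method == METHOD_AES or 0x9901 in extra_ids:
        return "winzip-aes"
    if flags & FLAG_STRONG:
        return "pkware-strong"  # password- or certificate-based RC2/RC4/DES/3DES/AES
    return "zipcrypto"  # traditional PKWARE stream cipher: three 32-bit keys, known-plaintext attacks

def triage(filename, data):
    """Flag a Bart suspect: .bart.zip name plus at least one ZipCrypto-protected entry."""
    schemes = [encryption_scheme(f, m, ids) for _, f, m, ids in iter_local_entries(data)]
    bart_name = filename.lower().endswith(".bart.zip")
    return {"bart_name": bart_name, "schemes": schemes, "suspect": bart_name and "zipcrypto" in schemes}

def make_entry(name, payload, flags, method, extra=b""):  # constructed test data, not a real Bart artifact
    hdr = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0,
                      zlib.crc32(payload), len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload

# Constructed samples: ZipCrypto entry (12-byte encryption header + opaque bytes), plain entry, WinZip AES entry
SAMPLE_BART = make_entry(b"document.docx", b"\x00" * 12 + b"not-real-ciphertext", FLAG_ENCRYPTED, 0)
SAMPLE_PLAIN = make_entry(b"readme.txt", b"hello", 0, 0)
SAMPLE_AES = make_entry(b"notes.txt", b"\x00" * 30, FLAG_ENCRYPTED, METHOD_AES,
                        struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8))  # AES-256 (3) over deflate (8)
```

On a real file, read it into bytes and call triage(path, data); the walk stops at the central directory signature, so trailing archive structures are ignored.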

  • (Score: 2) by frojack on Monday July 25 2016, @07:41PM

    by frojack (1554) on Monday July 25 2016, @07:41PM (#379999)

    Keep in mind that they have the unencrypted zip (since they can zip the plain version of a file), and the encrypted version of same.

    But since the ransomware MOVES the documents (most often the only copy) into an encrypted zip, (with god only knows what other content), you don't actually have the original document with which you can make a new unencrypted zip for cracking. You might not actually have ANY document originals if the ransomware was left running long enough.

    And yes, you are correct, TFS says you have to have at least one unencrypted copy of one document to use as a cracking source. That kind of suggests these weak ransomwares are using the same key on all their encrypted documents.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1) by cbiltcliffe on Tuesday July 26 2016, @03:10PM

      by cbiltcliffe (1659) on Tuesday July 26 2016, @03:10PM (#380314)

      That kind of suggests these weak ransomwares are using the same key on all their encrypted documents,

      Well, what makes you think ransomware developers are any smarter, security-wise, than the average person? I would be very surprised if ransomware wasn't full of vulnerabilities and bugs like this.