posted by cmn32480 on Monday July 25 2016, @01:27PM   Printer-friendly
from the we-should-flog-the-virus-writers dept.

Original URL: http://www.itworld.com/article/3099084/researchers-release-free-decryption-tools-for-powerware-and-bart-ransomware.html#tk.rss_news

Security researchers have released tools this week that could help users recover files encrypted by two relatively new ransomware threats: Bart and PowerWare.

PowerWare, also known as PoshCoder, was first spotted in March, when it was used in attacks against healthcare organizations. It stood out because it was implemented in Windows PowerShell, a scripting environment designed for automating system and application administration tasks.

Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.

This is not the first time the PowerWare/PoshCoder creators have imitated well-designed ransomware threats, probably in an attempt to convince users that there's no point in trying to recover their files without paying. In the past, they've used the CryptoWall and TeslaCrypt ransom notes.

Luckily, PowerWare is nowhere near as strong as the ransomware programs it impersonates. It uses the AES-128 encryption algorithm, but with a hard-coded key, which allowed the Palo Alto researchers to create a decryption tool that should work at least for this latest variant.

Also this week, researchers from antivirus firm AVG managed to crack another ransomware program called Bart that first appeared in June. This threat is notable because it locks files inside password-protected ZIP archives instead of using sophisticated encryption algorithms.

Bart infections are easy to identify because the affected files have the extension .bart.zip appended to their original name and extension; for example, document.docx becomes document.docx.bart.zip.

Bart's ZIP-based encryption uses a very long and complex password, but the AVG researchers have figured out a way to guess the key using brute-force methods. Their Bart decryption tool requires the user to have at least one unaffected copy of a file that has been encrypted.
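As a triage helper for the Bart case described above, here is an added Python example (written for this page, not code from the article or from AVG's decryption tool): it recovers the original file name from the .bart.zip suffix, parses the ZIP local file header to confirm the first entry really carries the password-protection flag, and reports whether a clean copy of the original exists in backups, which is the known-file prerequisite the decryptor needs. The archive bytes are constructed, and the assumption that Bart keeps the original name as the entry name inside the archive is mine.

```python
import struct

BART_SUFFIX = ".bart.zip"      # Bart appends this to the original file name
ZIP_LOCAL_SIG = 0x04034B50     # "PK\x03\x04": start of a ZIP local file header
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is password-protected

def original_name(filename):
    """'document.docx.bart.zip' -> 'document.docx'; None if not Bart-style."""
    if not filename.endswith(BART_SUFFIX) or filename == BART_SUFFIX:
        return None
    return filename[:-len(BART_SUFFIX)]

def parse_local_header(data):
    """Parse the first ZIP local file header -> (is_encrypted, entry_name) or None."""
    if len(data) < 30:
        return None
    sig, _ver, flags, _meth, _t, _d, _crc, _cs, _us, nlen, _xlen = struct.unpack("<IHHHHHIIIHH", data[:30])
    if sig != ZIP_LOCAL_SIG or len(data) < 30 + nlen:
        return None
    return bool(flags & FLAG_ENCRYPTED), data[30:30 + nlen].decode("utf-8", "replace")

def build_sample_archive(entry_name, encrypted=True):
    """Constructed stand-in for a Bart archive: one stored entry, zero bytes of data (assumed layout)."""
    name = entry_name.encode()
    flags = FLAG_ENCRYPTED if encrypted else 0
    return struct.pack("<IHHHHHIIIHH", ZIP_LOCAL_SIG, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0) + name

def triage(archives, clean_copies):
    """archives: (filename, leading bytes) pairs; clean_copies: names of backup originals.
    Returns one row per Bart-style file: does it really hold an encrypted ZIP entry,
    and is a clean copy available to satisfy the decryptor's known-file prerequisite?"""
    have_clean = set(clean_copies)
    rows = []
    for fname, head in archives:
        orig = original_name(fname)
        if orig is None:
            continue          # not renamed by Bart, nothing to do
        hdr = parse_local_header(head)
        rows.append({"archive": fname, "original": orig,
                     "encrypted_zip": hdr is not None and hdr[0],
                     "clean_copy_available": orig in have_clean})
    return rows

if __name__ == "__main__":
    samples = [("report.docx.bart.zip", build_sample_archive("report.docx")),
               ("notes.txt.bart.zip", build_sample_archive("notes.txt")),
               ("photo.jpg", b"\xff\xd8\xff")]   # constructed untouched JPEG, skipped
    for row in triage(samples, clean_copies=["report.docx"]):
        print(row)
```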

-- submitted from IRC


  • (Score: 2) by frojack (1554) on Monday July 25 2016, @07:41PM (#379999)

    Keep in mind that they have the unencrypted zip (since they can zip the plain version of a file), and the encrypted version of same.

    But since the ransomware MOVES the documents (most often the only copy) into an encrypted zip, (with god only knows what other content), you don't actually have the original document with which you can make a new unencrypted zip for cracking. You might not actually have ANY document originals if the ransomware was left running long enough.

    And yes, you are correct, TFS says you have to have at least one unencrypted copy of one document to use as a cracking source. That kind of suggests these weak ransomwares are using the same key on all their encrypted documents.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 1) by cbiltcliffe (1659) on Tuesday July 26 2016, @03:10PM (#380314)

    > That kind of suggests these weak ransomwares are using the same key on all their encrypted documents.

    Well, what makes you think ransomware developers are any smarter, security-wise, than the average person? I would be very surprised if ransomware wasn't full of vulnerabilities and bugs like this.