French researchers crack BitCrypt ransomware

News by Tim Ring

Two senior French security experts at Airbus Defence & Space made it their personal mission to crack the newly discovered BitCrypt ransomware, after it encrypted and threatened to destroy all the family photos of a close friend.

Paris-based security expert Fabien Perigaud and threat intelligence analyst Cedric Pernet, from Airbus Defence & Space - CyberSecurity (formerly Cassidian), describe in a 20 February blog how their professional view of ransomware changed when “one very close friend just got infected with a brand new piece of ransomware called BitCrypt... a nasty piece of malware which encrypted all pictures of his lovely children from their birth to now”.

The two set about investigating BitCrypt, which was demanding a ransom of 0.4 bitcoins - or £132 at the time the threat was made - under threat of destroying the photos.

Fortunately, they found a flaw in the Delphi-compiled malware's key encryption - “a big mistake from the author” – and, helped by a cryptography expert and the cado-nfs tool, they broke the 464-bit key. This took 43 hours on a quad-core PC and just 14 hours on a 24-core server.

The two researchers then built a Python script to decipher the hijacked files “and save the precious pictures”. They have made the decryption script available at the following bitbucket repository site (free sign-in required):

But they said via email: “The decryption mechanism requires the breaking of an RSA key and the use of a Python script, which is not something a normal user could do. The tool is mostly for researchers and people with a solid knowledge of computer security.”

Perigaud and Pernet established that BitCrypt is new ransomware, with the domain only registered on 3 February and a first sample submitted to Virus Total on 9 February. The malware encrypts not just photos but over 50 file types including .doc and .txt files, as well as PowerPoint, JPEG and other common extensions.

They said the origin of the ransomware is still to be determined, but noted: “The web pages are only in two languages: English and Chinese.” They added: “There has been no report of massive infections with this ransomware for the moment.”

The two are long-standing friends and work together on a daily basis. They said it took Pernet some hours at night to gather information and analyse the malware sample, before he gave it to Perigaud for reverse engineering. It then took Perigaud about two days to find the vulnerability in the algorithm, break it and write the decryption tool.

Commenting on their discovery, Professor John Walker, a director of Integral Security Xssurance, said BitCrypt is evidence that “the new age of ransomware” has extended to SMEs and home users, attacking personal or business-related data such as “insurance documents, correspondence or other irreplaceable objects, such as a photograph of a deceased mother or father”.

As a result, Walker said via email: “The time has arrived when all users who care about what is stored on their PCs, and other computer-related assets, start to exercise what I call ‘home-front security', starting with the basics of up-to-date anti-virus/malware protection.”

But in light of BitCrypt, Walker said: “We see the clear need for other extended measures to preserve security in the form of backup.” He suggested low-cost attachable storage, cloud storage such as Dropbox – “again not forgetting security” – or more professional forms such as Microsoft's OneDrive (recently renamed from SkyDrive).

Walker added: “As the use of computers ever increases, the related risk posed by cyber-criminals should be expected to follow an exponential path, and will get much, much worse, before it gets better. So no matter how unimportant the home user feels their data is, just ask the question – if I lose it, would I care? If the answer is yes, the time has arrived to start thinking about ‘home-front security' with some urgency.”

In their blog, Perigaud and Pernet describe the emotional impact of ransomware then say: “Some lucky people do not care at all: they have done regular backup of their important data on an external hard drive. Luckily enough, they disconnect that external hard drive every time they do not use it. Their data is safe, and they will just try to disinfect their computer from the malware. If they cannot do it, well they will reinstall the whole operating system.”

But they add: “Everything changes when someone you know is hit by this kind of malware.”
