Ransom Warrior defeated by decryption tool

News by Robert Abel

Cyber-security researchers have developed a decryption tool to unlock machines infected by Ransom Warrior ransomware.

The Malware Hunter Team first spotted the malware on 8 August, and researchers believe the threat actors are India-based and inexperienced malware developers, because the malware is written in .NET and its executable is neither obfuscated, packed nor otherwise protected, according to a 30 August Check Point blog post.

"In fact, the 'encryption' used by the ransomware is a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys in RansomWarrior's binary code," researchers wrote.

"As a result, the Check Point Research team has been able to extract those keys, and, as the key's index is saved locally on the victim's computer, provide the correct keys to the Ransomware itself in order to unlock the files."

Because the key is drawn from a fixed, enumerable list of 1000 keys embedded in the binary, and the index of the chosen key is written to the victim's machine, no secret ever has to be obtained from the attackers: Check Point extracted the keys from the binary, read the locally saved index, and supplied the matching key to the ransomware so that it decrypted the victim's files.

Threat actors are delivering the malware as an executable named 'A Big Present.exe'; if run, it encrypts the victim's files and appends a .THBEC extension to them. The campaign targets Microsoft Windows users.
