{"id":11660,"date":"2018-03-06T04:20:04","date_gmt":"2018-03-06T12:20:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/06\/news-5430\/"},"modified":"2018-03-06T04:20:04","modified_gmt":"2018-03-06T12:20:04","slug":"news-5430","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/03\/06\/news-5430\/","title":{"rendered":"Beware! A new .Net Ransomware is encrypting files with .Lime"},"content":{"rendered":"<p><strong>Credit to Author: Bajrang Mane| Date: Tue, 06 Mar 2018 11:49:53 +0000<\/strong><\/p>\n<p>Cases of the \u201cLime ransomware\u201d have been recently reported to Quick Heal Security Labs. Our research team has analyzed these cases deeply and found some useful information. This post shares this information to help users stay safe from ransomware attacks. \u2018Lime\u2019 is a newly discovered .net ransomware; it is also known as the \u2018BigEyes\u2019 ransomware. It uses two major ways to infect user\u2019s systems, either spam emails or malicious downloads. Ransomware usually comes into the system without the user\u2019s knowledge through online activities like software bundling, spam email attachments, infected links, malvertising, by visiting unknown sites, RDP (Remote desktop protocol) and exploit kits. Infection vector Fig 1 Lime Ransomware attack chain Technical analysis Encryption Process: in-depth description Lime is a ransomware that encrypts your files and demands Bitcoin as a ransom to get your files restored. Files are locked with the AES-256 encryption algorithm. The Lime ransomware encrypts your files and appends the \u201c.Lime\u201d extension. After encryption, the Lime ransomware drops a ransom note Fig 2. Fig 2 Ransom note The following e-mail address is used to contact the malware author to decrypt the encrypted files by paying them: \u201cr3vo@protonmail-com\u201d Key generation When Lime is first launched, it will call RandomString() function which will attempt to generate an AES key. It generates 50 bytes array from input string using a random index with the use of random() function to fetch one character and stores into output string as shown in Fig 3. Fig 3 Random Key Generation code It calculates md5 of generated output string using Computehash() and then it will copy the result into the result array. It will use this result array as an AES key to encrypt the files present on the system. Fig 4 AES Key Generation code It drops output string at path \u201cC:Microsoft\u201d by name \u201chash\u201d. As we know that AES is symmetric algorithm so the key used for encryption and decryption will be the same. So, the malware author uses this hash file\u2019s MD5 to decrypt the victim\u2019s files when victim pays ransom amount to him. Lime ransomware encrypts files on specific folder paths using AES-256 in ECB mode to encrypt files. Paths are as per given below: My Music My Pictures My Videos Desktop UserProfile Components used in AES Different modes used in AES:-\u00a0 ECB, CBC, CFB, OFB, CTR. Key:- AES-128(16 Bytes), AES-192(24 Bytes), AES-256(32 Bytes) IV:- Initialization vector to use for encryption or decryption It encrypts files using AES-256 (32-byte key length) in ECB (Electronic Code Book) mode. In ECB mode, it doesn&#8217;t require IV (Initialization vector) for the encryption or decryption process. For all other modes, it uses IV (Initialization vector). IV is optional and when IV is not present then it will be given a default value of all zeroes. Modification in file extension List of extensions of files which get encrypted by Lime ransomware: .c, .cpp, .py, .ini, .hiv, .avi, .bmp, .log, .pdf, .zip, .bak, .rtf, .png, .wsf, .wsc, .ws, .vsw, .vst, .vss, .vsmac, .ros, .vbs, .vbe, .vb, .url, .tmp, .shs, .shb, .sct, .scr, .scf, .reg, .pst, .prg, .pif, .pcd, .ops, .mst, .msp, .msi, .msc, .mdz, .mdw, .mdt, .mde, .mdb, .mda, .maw, .mav, .mau, .mat, .mas, .mar, .maq, .mam, .mag, .maf, .mad, .lnk, .ksh, .jse, .js, .its, .isp, .ins, .inf, .hlp, .fxp, .exe, .csh, .crt, .cpl, .com, .cmd, .chm, .cer, .bat, .pdf, .pot, .xlt, .pps, .xlw, .dot, .rtf, .ppt, .xls, .doc, .xml, .htm, .html, .hta, .app, .asp The extension \u2018.lime\u2019 is placed as a secondary extension, without altering the original names and its extension. Example: Original file name\u00a0 :\u00a0 mydemo.cpp After encryption\u00a0\u00a0\u00a0 \u00a0 :\u00a0 mydemo.cpp.Lime And yes! Recovery of Encrypted File is possible We can decrypt all files which are encrypted by \u201cLime Ransomware\u201d. The key is 32 bytes which is generated from MD5 of \u201chash\u201d file which is dropped at \u201cC:Microsoft\u201d location of victim\u2019s mchine. So, the key is different for different victim. To decrypt files, AES-256 is used in the ECB mode and key for that will be generated as given below, If MD5 of hash file is dropped on the victim\u2019s machine: \u201c05FF78F91FE2D008018A2F53792C0C28\u201d Key generation from MD5 Take 15 bytes from MD5 + Take 16 bytes from MD5 + Append zero=32 bytes key Key =&hellip;<br \/><a href=\"http:\/\/blogs.quickheal.com\/beware-new-net-ransomware-encrypting-files-lime\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Bajrang Mane| Date: Tue, 06 Mar 2018 11:49:53 +0000<\/strong><\/p>\n<p>Cases of the \u201cLime ransomware\u201d have been recently reported to Quick Heal Security Labs. Our research team has analyzed these cases deeply and found some useful information. This post shares this information to help users stay safe from ransomware attacks. \u2018Lime\u2019 is a newly discovered .net ransomware; it is also&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[3764,3765,666],"class_list":["post-11660","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-malware","tag-ransomware","tag-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11660"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11660\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11660"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}