{"id":15853,"date":"2019-07-19T12:40:01","date_gmt":"2019-07-19T20:40:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9598\/"},"modified":"2019-07-19T12:40:01","modified_gmt":"2019-07-19T20:40:01","slug":"news-9598","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9598\/","title":{"rendered":"LooCipher: Can Encrypted Files Be Recovered From Hell?"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>LooCipher is a new ransomware being distributed in the wild. While there have been articles discussing its main behaviour, how this new ransomware is being spread, and how it communicates with its command and control server to send victim machine information, this blog will focus on LooCipher\u2019s file encryption mechanism and take a look at the possibility of decrypting affected files without paying the ransom.<\/p>\n<p>Despite the suggestive implication of its being hellish (the name sounds like Lucifer), this malware is actually pretty straightforward. For example, it doesn\u2019t use any obfuscation. However, due to its use of high-level libraries such as Crypto++ for its encryption functions, it\u2019s a bit more difficult to reverse engineer compared to those ransomwares that use low-level Windows APIs.<\/p>\n<h2>File Encryption Mechanism<\/h2>\n<p>Although our FortiGuard Labs team found several encryption codes in the body of the malware \u2013 such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and ECC\/ECDSA (Elliptic Curve Cryptography or Elliptic Curve Digital Signature Algorithm) \u2013 in our test only the AES-128 ECB mode (Electronic Codebook) was used to encrypt files. 
However, it is possible that since LooCipher was only recently discovered it might be still in the initial stage of development, and that those other encryption codes are there for future use.<\/p>\n<p>LooCipher starts its encryption routine by generating a 16-byte data block with random characters chosen from the following predefined characters, using the current system time as seed.\u00a0 \u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1475944784.img.png\" alt=\"Fig. 1. Predefined characters used in generating random 16-byte data block\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 1. Predefined characters used in generating random 16-byte data block<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This data block is then shuffled to form the 16-byte key that this ransomware uses for encrypting files with the AES-ECB encryption algorithm. This key is used for all file encryption. This is unlike most ransomwares, which generate a different key for each file they encrypt.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_887837885.img.png\" alt=\"Fig. 2. 
Generated 16-byte AES key\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 2. Generated 16-byte AES key<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following directories are excluded from its file encryption routine to prevent corrupting critical files used by the Windows operating system to start and work properly.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_899132305.img.png\" alt=\"Fig. 3. Directories exempted from file encryption\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 3. Directories exempted from file encryption<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then searches all attached drives to encrypt files with the following extension names.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_944473899.img.png\" alt=\"Fig. 4. LooCipher encrypts files with specific extension names\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 4. 
LooCipher encrypts files with specific extension names<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When a target file has been found, LooCipher creates a file with the original name of the file being encrypted, then adds a .lcphr extension to the name. It then encrypts the content of the file with the AES-128 ECB algorithm using the generated 16-byte random key and writes it to the newly created file with the .lcphr extension, leaving the original file as a 0-byte file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_169904742.img.png\" alt=\"Fig. 5. Encrypted files have the .lcphr extension name\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 5. Encrypted files have the .lcphr extension name<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We validated this finding by creating a simple AES-128 ECB mode decryption script in Python and then using it to decrypt several files that had been encrypted with the generated key.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1001096935.img.png\" alt=\"Fig. 6. 
Decrypting an encrypted file using AES-128 ECB mode\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 6. Decrypting an encrypted file using AES-128 ECB mode<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_31472004.img.png\" alt=\"Fig. 7. Successfully decrypting the encrypted file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 7. Successfully decrypting the encrypted file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Can Your Encrypted Files Be Recovered?<\/h2>\n<p>The version of LooCipher we analyzed only uses the AES-128 ECB mode to encrypt files. Since it is executed in ECB mode, it doesn\u2019t need an IV (initial vector) and only uses a 16-byte key, which is randomly generated from the following 74 characters:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_268056791.img.png\" alt=\"Fig. 8. Predefined 74 characters from which a random key is generated\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 8. 
Predefined 74 characters from which a random key is generated<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. So, in order for us to recover the files, we just need the key used for the encryption.<\/p>\n<p>This is also unlike other ransomware that uses both symmetric and asymmetric encryption, where the private key \u2013 which is held only by the attacker \u2013 is required to decrypt the files.<\/p>\n<p>Since LooCipher only generates a single key for all file encryption, and it only chooses from the 74 characters shown above to generate the key, one might think that it\u2019s easier to recover the key using crypto attacks compared to other ransomwares. But it turns out that that\u2019s not the case.<\/p>\n<p>To recover the key using brute force, we first need to have the original file to compare to the decrypted file. Then we need to test all possible combinations that can be made from these 74 characters. That requires performing 74<sup>16<\/sup> = 808,551,180,810,136,214,718,004,658,176 (808 octillion) AES-128 ECB operations, which will take an impractically long period of time even on a supercomputer.<\/p>\n<p>There is a <a href=\"https:\/\/zachgrace.com\/posts\/attacking-ecb\/\">chosen plaintext attack on AES-128 ECB mode<\/a> that can be used to decrypt the ciphertext without breaking the key. But this requires a cryptographic oracle that is always running, which in this case would be the LooCipher process. However, LooCipher only performs a single run of its encryption routine, so this isn\u2019t possible. 
Also, this method brute-forces each byte by iterating through all possible values and comparing the outcome to a reference value which, again, will take an enormous amount of time since LooCipher doesn\u2019t just encrypt one file.<\/p>\n<h2>Key Recovery from C2 Communication Traffic<\/h2>\n<p>A capture of network traffic during ransomware attacks can really be very helpful, especially for ransomwares like LooCipher that send the encryption key to a C2 (command and control) server where the threat actors keep a database of these keys.<\/p>\n<p>LooCipher sends a victim ID (<i>u<\/i>), the encoded AES key (<i>k<\/i>), and the IP address (<i>i<\/i>) of the machine to the C2 server.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_2074832849.img.png\" alt=\"Fig. 9. Data sent to the C2 server\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 9. Data sent to the C2 server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Since AES is a symmetric-key algorithm, it turns out that we only need to decode the value of <i>k<\/i>. Fortunately, <i>k<\/i> is just encoded with some kind of position encoding. 
Each character in the key is represented by a value depending on the character\u2019s position in the array\/string.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1294420558.img.png\" alt=\"Fig. 10. Key representation using position encoding\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 10. Key representation using position encoding<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The python code below shows how to decode the value of <i>k<\/i>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1181975386.img.png\" alt=\"Fig. 11. Script to decode LooCipher AES key\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 11. 
Script to decode LooCipher AES key<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In the network capture above, the value of <i>k<\/i> is \u201c69604607186414680318386143262470\u201d which is a representation of the original AES key \u201cX?+evRC1%v_hIc4G\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1156825617.img.png\" alt=\"Fig. 12. Output showing the decoded AES key\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 12. Output showing the decoded AES key<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Using this information, we may be able to decrypt the encrypted files using the following script.<\/p>\n<p><b>Disclaimer:<\/b> Please be aware that while all scripts here were written with the intention of helping users recover their encrypted files, you must use them at your own risk.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1102896163.img.png\" alt=\"Fig. 13. Decrypting encrypted files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 13. 
Decrypting encrypted files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>However, it is unlikely that someone would capture the traffic all the time, so this method may not always be useful.<\/p>\n<h2>Key Recovery from Memory of a Running LooCipher Process<\/h2>\n<p>For this option to work, the first instance of LooCipher should still be running. If any AV tool has removed LooCipher, and its process has been terminated, the key won\u2019t be recovered from memory as LooCipher uses the current time as the seed to generate the key. However, if LooCipher is still running, we can extract the key from its process memory.<\/p>\n<p>We start by using Sysinternals Process Explorer to create a full dump of the LooCipher process memory. LooCipher uses a process name that looks randomly generated.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1666005890.img.png\" alt=\"Fig. 14. Creating a full dump of LooCipher\u2019s process memory\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 14. Creating a full dump of LooCipher\u2019s process memory<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After dumping the memory, we can use <i>PowerShell<\/i> to search for the generated URLs. 
Just type the following command:<\/p>\n<p><i>Select-String -Encoding Unicode -Path &lt;memory dump file&gt; -Pattern '(ttps?:\/\/.*\/k.php.*o=[0-9])' -AllMatches | %{$_.Matches} | %{$_.Value}<\/i><\/p>\n<p>Note: If Unicode encoding doesn\u2019t work, use BigEndianUnicode.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_772611863.img.png\" alt=\"Fig. 15. Searching for the generated URLs using PowerShell\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 15. Searching for the generated URLs using PowerShell<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen above, the command gives us a bunch of references to the encoded key.<\/p>\n<p>The <i>Sysinternals Strings<\/i> and <i>findstr<\/i> commands can also give us these strings with references to the encoded key.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Fig. 16. Searching for the generated URLs using Strings and FINDSTR\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 16. 
Searching for the generated URLs using Strings and FINDSTR<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After getting the URL, we can now use the script provided in Fig. 13 to decode the key and decrypt the affected files.<\/p>\n<h2>Looking at the Infection Timestamp to Generate Keys<\/h2>\n<p>While we believe that it\u2019s possible to generate keys based on the infection timestamp, we haven\u2019t completed any proof of concept yet. We are looking into this, and hopefully we\u2019ll publish something about it that also covers similar ransomware families that use the current time as the seed for generating random keys.<\/p>\n<h2>Conclusion<\/h2>\n<p>LooCipher currently only uses AES-128 in ECB mode. Since it may still be in the initial stages of development, and because those other encryption algorithms are already present in its body, this may only be temporary, and those algorithms are likely to have been put there for future use.<\/p>\n<p>However, until that changes, we have shown that there is still a chance to recover LooCipher encrypted files. AES is a symmetric-key algorithm. With a network capture during the infection, a skilled analyst can extract the key from the data that is being sent to the attacker. 
If network traffic was not captured but LooCipher is still running, they can extract the key from the memory and then use that key to recover the files using AES-128 ECB.<\/p>\n<p>As it seems like LooCipher is still in the initial development stage, we will keep an eye out for any further developments.<\/p>\n<p style=\"text-align: left;\">-= FortiGuard Lion Team =-<\/p>\n<h2>Solution<\/h2>\n<p>Fortinet customers are protected by the following:<\/p>\n<ul>\n<li>Samples are detected by W32\/Filecoder.NWG!tr signature<\/li>\n<li>FortiSandbox rates the LooCipher\u2019s behavior as high risk<\/li>\n<\/ul>\n<h2>IOCs<\/h2>\n<p><u>Sha256<\/u><\/p>\n<p>924cc338d5d03f8914fe54f184596415563c4172679a950245ac94c80c023c7d \u2013 W32\/Filecoder.NWG!tr<\/p>\n<p><u>C2<\/u><\/p>\n<p>hxxps:\/\/hcwyo5rfapkytajg.onion.pet<br \/> hxxps:\/\/hcwyo5rfapkytajg.darknet.t<br \/> hxxps:\/\/hcwyo5rfapkytajg.onion.sh<br \/> hxxps:\/\/hcwyo5rfapkytajg.onion.ws<br \/> hxxps:\/\/hcwyo5rfapkytajg.tor2web.xyz<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/uAymCtq_z4w\/loocipher-can-encrypted-files-be-recovered.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/loocipher-can-encrypted-files-be-recovered\/_jcr_content\/root\/responsivegrid\/image_1475944784.img.png\"\/><br \/>Learn more about the LooCipher ransomware file encryption mechanism and take a look at the possibility of decrypting affected files without paying the ransom.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/uAymCtq_z4w&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15853","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15853"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15853\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15853"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}