{"id":6834,"date":"2017-03-02T07:40:22","date_gmt":"2017-03-02T15:40:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-625\/"},"modified":"2017-03-02T07:40:22","modified_gmt":"2017-03-02T15:40:22","slug":"news-625","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/02\/news-625\/","title":{"rendered":"Dot Ransomware: Yet another Commission-based Ransomware-as-a-Service"},"content":{"rendered":"

Credit to Author: Rommel Joven| Date: Thu, 02 Mar 2017 06:54:42 -0800<\/strong><\/p>\n

\n

Dot ransomware is a new Ransomware-as-a-service<\/a> (RaaS) that is openly available in hacking forums. And following the current trend in malware services, it uses web portals hosted in the TOR network for anonymity.<\/p>\n

Commission-based Profit<\/h2>\n

While lurking in hacking forums, we came across a post for this new ransomware service. RaaS services are now switching from a one-time fee or subscription payment model to a commission based strategy. One advantage of this scheme is that the up front price for the ransomware is free, and any profits realized are just split 50\/50 between the author and affiliate. This is an easy, no pressure gateway for aspiring affiliates since nothing is invested in obtaining the ransomware.<\/p>\n

\"Figure<\/p>\n

Figure 01 Dot Ransomware<\/p>\n

Visiting a Tor links directs potential affilaites to the Dot ransomware homepage. The site itself is relatively new. The ad shown in Figure 01, above, was posted on Feb 21 of this year, but the project was only launched a few days earlier, on Feb 19 (Figure 02.) Recent updates to the site show that this RaaS variant has continued to receive support and refinements from the author in order to improve the product.<\/p>\n

\"\"<\/p>\n

Figure 02 Dot Ransomware Homepage<\/p>\n

To start, an affiliate needs to register using a Bitcoin Address.<\/p>\n

\"Figure<\/p>\n

Figure 03 Login Page<\/p>\n

Once logged in, the malware builder can be downloaded, along with the core component, which is basically the payload itself with a default configuration.<\/p>\n

\"Figure<\/p>\n

Figure 04 Download Builder and Core<\/p>\n

In order for affiliates to track the number and status of infections, a statistics page is made available. During our testing we found that the statistics only counts an infection as successful if the victim visits the decryption page. This has the advantages of eliminating automated infections and providing a more realistic return from real victims.<\/p>\n

\"Figure<\/p>\n

Figure 05 Statistics Page<\/p>\n

Straight-forward Builder<\/h2>\n

The builder comes with a setup guide, although its usage is fairly straight-forward even without it.<\/p>\n

\"Figure<\/p>\n

Figure 06 Content of Builder Zip file<\/p>\n

To guide complete newbies in the intricacies of RaaS, the setup guide includes recommendations on prices for particular countries and includes also a list of 380 suggested file target extensions.(Complete list of extensions is in the end of the article)<\/p>\n

Country Code|Price(Bitcoin)<\/p>\n

\n

FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2<\/p>\n<\/blockquote>\n

As previously mentioned, configuring the payload is pretty straight-forward. The following features can be set in the builder.<\/p>\n

\"Figure<\/p>\n

Figure 07 Ransomware Builder<\/p>\n

After setting up the necessary configurations and a generating a successful build, the DotRansomwareBuilder generates a Tracking ID that is unique for every build.<\/p>\n

\"Figure<\/p>\n

Figure 08 Build Ransomware<\/p>\n

Configuration<\/h2>\n

The configuration is then encrypted and written in the overlay of the payload binary, as seen below.<\/p>\n

\"Figure\"\"\"\"<\/p>\n

Figure 09 Encrypted-Decrypted Configurations<\/p>\n

The decrypted configurations include the following data:<\/p>\n

Author Comes First<\/h2>\n

After decryption of the configuration, it continues to decrypt the URL for the decryption and payment page unlock26ozqwoyfv<\/em>. This URL is hard-coded by the author and cannot be configured by the user. To make sure that the URL has not been tampered with, it computes the SHA256 hash of the URL and compares it to a hard coded value. This is to ensure that the payments go through the author first. Only then will the user get paid, or at least hope to be paid.<\/p>\n

\"Figure<\/p>\n

Figure 10 Hardcoded SHA256 value<\/p>\n

It does the same for the embedded RSA-4096 public key in the file. It computes the SHA256 hash and compares it to a hardcoded SHA256 value. This ensures that the private key on the C&C side will be able to decrypt the “Signature”<\/em> that was encrypted by the hard-coded public key.<\/p>\n

\"Figure<\/p>\n

Figure 11 Decrypted RSA-4096 Key<\/p>\n

\"Figure<\/p>\n

Figure 12 Hard-coded SHA256 hash value<\/p>\n

If the computed SHA256 hash is not equal to the hard-coded value, dot ransomware will terminate.<\/p>\n

Signature<\/h3>\n

Since there is no network traffic during run time to notify the C&C, the Signature<\/em> is important to differentiate between victims. The link to the decryption page of the ransomware is appended by the signature and is unique for every victim.<\/p>\n

\"Figure<\/p>\n

Figure 13 URL for Unlock26 website<\/p>\n

The unique Signature<\/em> of the victim consists of the following data:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
\n

Signature<\/strong><\/p>\n<\/td>\n

\n

Description<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

key{38 bytes }<\/strong><\/p>\n<\/td>\n

\n

Randomly generated and used as key for encryption<\/p>\n<\/td>\n<\/tr>\n

\n

iv{8 bytes}<\/strong><\/p>\n<\/td>\n

\n

Randomly generated and used as Initialization Vector(iv)<\/p>\n<\/td>\n<\/tr>\n

\n

bitcoinAddress<\/strong><\/p>\n<\/td>\n

\n

Bitcoin address of affiliate<\/p>\n<\/td>\n<\/tr>\n

\n

appID(TrackingID)<\/strong><\/p>\n<\/td>\n

\n

Unique for every build<\/p>\n<\/td>\n<\/tr>\n

\n

country<\/strong><\/p>\n<\/td>\n

\n

Country of infected victim<\/p>\n<\/td>\n<\/tr>\n

\n

price<\/strong><\/p>\n<\/td>\n

\n

Price set by the affiliate to decrypt files<\/p>\n<\/td>\n<\/tr>\n

\n

partEncryption<\/strong><\/p>\n<\/td>\n

\n

True\/false – encrypt only first 4MB of file<\/p>\n<\/td>\n<\/tr>\n

\n

uniqueExtension<\/p>\n

{3 char}<\/strong><\/p>\n<\/td>\n

\n

Randomly generated value appended to the encrypted filename<\/p>\n

 i.e. .locked-{uniqueExtension}<\/filename><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

After accumulating all the needed data for the Signature<\/em> it is encrypted by the embedded RSA-4096 public key. Some characters from the encrypted Signature<\/em> are replaced from “+ to @”, “\/ to –“ and  “= to !” as added encoding.  The final output will serve as the unique Signature<\/em>.<\/p>\n

Offline Encryption using Blowfish<\/h1>\n

Offline encryption is gaining popularity since it causes minimal network traffic noise, thus,making it less suspicious.<\/p>\n

The encryption used by Dot ransomware is Blowfish, a symmetric-key block cipher, and uses a randomly generated 38 bytes-length key alongside the 8 bytes initialization vector. An initialization vector (iv) prevents repetition in data encryption, making it more difficult to find a pattern in the encrypted file. Although the actual encryption for the file is a symmetric algorithm, the encryption key is encrypted using RSA-4096, which means that to be able to decrypt the files the private key is needed.   <\/p>\n

Infected files are appended by .locked-{3 random char}.<\/p>\n

\"Figure<\/p>\n

Figure 14 Encrypted files<\/p>\n

After encryption, the ransomware opens the ReadMe HTML file , which shows the sites the victim needs to visit to get instructions for unlocking the files.<\/p>\n

Taking a look at the unlock page, it is pretty straight-forward as only has one instruction, which is to pay.  However, there’s not much information on what happens after paying. Usually, a decryptor application is given to the victim.<\/p>\n

\"Figure<\/p>\n

Figure 15 Unlock page<\/p>\n

Conclusion<\/h2>\n

The simplistic and straight-forward design of Dot ransomware enables just about anyone to conduct cybercrime. With all the support for bug fixes and developments, it’s astonishing to think that these malware services have evolved using traditional business models. Moreover, it allows cyber criminals to easily start a RaaS business with the free additional safety of an online anonymity framework from Tor service and Bitcoin.<\/p>\n

Although we haven’t seen this ransomware in the wild, with the advertisements being made accessible on hacking forums it’s only a matter of time until people start taking the bait.<\/p>\n

-= FortiGuard Lion Team =-<\/p>\n

*Special thanks to my team mate Joie Salvio for additional insights <\/em><\/p>\n

 <\/p>\n

IOCs<\/p>\n

Dot Ransomware will be proactively detected as W32\/Filecoder.DOT!tr<\/p>\n

SHA256<\/p>\n

core.exe – db43d7c41da0223ada39d4f9e883611e733652194c347c78efcc439fde6dde1c<\/p>\n

 <\/p>\n

builder.zip – dd03307aa51cfb1c5a3c3fafc65729ad5b50a764354ef3919b7f9d0b4c6142a5<\/p>\n

 <\/p>\n

DotRansomwareBuilder.exe – fb250ebe87db2c01cc13abed8bbdd66e0670071c0d51c56215ab86de6ed1c738<\/p>\n

 <\/p>\n

Dropped Files:<\/p>\n

%Temp%ReadMe-{3char}.html<\/p>\n

{Infected directory}ReadMe-{3char}.html<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

Setup Guide.txt<\/p>\n

Recommended attacked file extensions:<\/p>\n

001|1dc|3ds|3fr|7z|a3s|acb|acbl|accdb|act|ai|ai3|ai4|ai5|ai6|ai7|ai8|aia|aif|aiff|aip|ait|anim|apk|arch00|ari|art|arw|asc|ase|asef|asp|aspx|asset|avi|bar|bak|bay|bc6|bc7|bgeo|big|bik|bkf|bkp|blob|bmp|bsa|c|c4d|cap|cas|catpart|catproduct|cdr|cef|cer|cfr|cgm|cha|chr|cld|clx|cpp|cr2|crt|crw|cs|css|csv|cxx|d3dbsp|das|dayzprofile|dazip|db|db0|dbf|dbfv|dcr|dcs|der|desc|dib|dlc|dle|dlv|dlv3|dlv4|dmp|dng|doc|docm|docx|drf|dvi|dvr|dwf|dwg|dxf|dxg|eip|emf|emz|epf|epk|eps|eps2|eps3|epsf|epsp|erf|esm|fbx|ff|fff|fh10|fh11|fh7|fh8|fh9|fig|flt|flv|fmod|forge|fos|fpk|fsh|ft8|fxg|gdb|ge2|geo|gho|h|hip|hipnc|hkdb|hkx|hplg|hpp|hvpl|hxx|iam|ibank|icb|icxs|idea|iff|iiq|indd|ipt|iros|irs|itdb|itl|itm|iwd|iwi|j2k|java|jp2|jpe|jpeg|jpf|jpg|jpx|js|k25|kdb|kdc|kf|kys|layout|lbf|lex|litemod|lrf|ltx|lvl|m|m2|m2t|m2ts|m3u|m4a|m4v|ma|map|mat|mb|mcfi|mcfp|mcgame|mcmeta|mdb|mdbackup|mdc|mddata|mdf|mdl|mdlp|mef|mel|menu|mkv|mll|mlx|mn|model|mos|mp|mp4|mpqge|mrw|mrwref|mts|mu|mxf|nb|ncf|nef|nrw|ntl|obm|ocdc|odb|odc|odm|odp|ods|odt|omeg|orf|ott|p12|p7b|p7c|pak|pct|pcx|pdd|pdf|pef|pem|pfx|php|php4|php5|pic|picnc|pkpass|png|ppd|ppt|pptm|pptx|prj|prt|prtl|ps|psb|psd|psf|psid|psk|psq|pst|ptl|ptx|pwl|pxn|pxr|py|qdf|qic|r3d|raa|raf|rar|raw|rb|re4|rgss3a|rim|rofl|rtf|rtg|rvt|rw2|rwl|rwz|sav|sb|sbx|sc2save|shp|sid|sidd|sidn|sie|sis|skl|skp|sldasm|sldprt|slm|slx|slxp|snx|soft|sqlite|sqlite3|sr2|srf|srw|step|stl|stp|sum|svg|svgz|swatch|syncdb|t12|t13|tax|tex|tga|tif|tiff|tor|txt|unity3d|uof|uos|upk|vda|vdf|vfl|vfs0|vpk|vpp_pc|vst|vtf|w3x|wb2|wdx|wma|wmo|wmv|wallet|ycbcra|wotreplay|wpd|wps|x3f|xf|xl|xlk|xls|xlsb|xlsm|xlsx|xvc|xvz|xxx|zdct|zip|ztmp|py|rb|tar|gz|sdf|yuv|max|wav|dat<\/p>\n

 <\/p>\n

Sign up<\/i><\/a> for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.<\/i><\/p>\n<\/div
https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Rommel Joven| Date: Thu, 02 Mar 2017 06:54:42 -0800<\/strong><\/p>\n

Dot ransomware is a new Ransomware-as-a-service(RaaS) that is openly available in hacking forums. And following the current trend in malware services, it uses web portals hosted in the TOR network for anonymity. Commission-based Profit While lurking in hacking forums, we came across a post for this new ransomware service. RaaS services are now switching from a one-time fee or subscription payment model to a commission based strategy. One advantage of this scheme is that the up front price for the ransomware is free, and any profits realized…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-6834","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6834","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6834"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6834\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6834"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}