Pages

Wednesday, 19 November 2014

decode@india.com ransomware


If you get something alike:

Attention! Your computer was attacked by virus-encoder.

All your files are encrypted cryptographically strong, without the original key recovery is impossible!
To get the decoder and the original key, you need to to write us at the email decode@india.com with the subject "encryption" stating your id.
Write in the case, do not waste your and our time on empty threats. 

Responses to letters only appropriate people are not adequate ignore.

You probably already know that you are infected with decode@india.com ransomware and you will most probably search all the blogs, install all the tools they are advertising which do not remove anything, because anyway this ransomware as it seems to me self-deletes itself after encryption.


Some antivirus vendors already  detect the ransomware and you can have a look here (5fab6fbdff1a72cd5eafdd27b5ee11a9):


What else can we say about this ransomware, well first about the infection and how it happens. A registry entry that exploits a vulnerability:  

HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\TILEWALLPAPER = 48
HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\WALLPAPER = %APPDATA%\bytor.bmp

Here I noticed some different location for the files:

C:\Documents and Settings\<User>\Start Menu\Programs\Startup\Autostart\bytor.bmp
but also:
C:\Users\<User>\AppData\Roaming\bytor.bmp
C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe 
or something like this
C:\Users\<User>\appdata\local\temp\vup.exe
C:\Windows\system32\isobwdev.exe
C:\Windows\SysWOW64\cleen.bat
C:\Users\rado\AppData\Local\Temp\oQ3jKRk.exe

The following files were temporarily written to disk then later removed:
C:\cleen.bat


Anything else we can say is that it pretty much resembles the functions of Cryptolocker, so if you like to restore the files from shadow copies (Shadow Explorer) it is pointless. Read the following I found about Cryptolocker:


In addition to encrypting the files, the malware also executes several commands to make recovery of files even more difficult. The following command is executed to delete the volume's shadow copies, which removes Windows automatic volume backups:

vssadmin.exe Delete Shadows /All /Quiet
The following commands are also executed to disable the Windows Error Recovery screen at startup:
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

The malware also attempts to disable the following services to reduce security, disable Windows updates, and disable error reporting in order to avoid detection:
wscsvc
WinDefend
wuauserv
BITS
ERSvc
WerSvc

What happens if you write to decode@india.com:
Hello. The cost of obtaining a decoder and a unique key is 1 Bitcoin.
_________________________________________________________________________________

Send us an example of an encrypted file, upload the file to sendspace.com and send us the link, we decrypt it and send it,

After payment we will send  decoder and unique password for your id. 
_______________________________________________________________________________

Payment can be made by exchanging e-currency you comfortable in your country on Bitcoin,
In exchange, you must specify our Bitcoin wallet, our Bitcoin Wallet is _____________________  repeat our Bitcoin Wallet is ________________________
After payment email us quoting the number Bitcoin wallet on which the payment was made and your id.

What can be done?
- Make regular backups.
- Patch your windows:
- If you think an e-mail has a strange attach file - don't open it. If it is from someone you know, first verify that indeed this is the case.

Disinfecting (based on the information we have) and if we suppose anything is left at all:

You will need AVZ4 ( Get it from here http://www.z-oleg.com/secur/avz/download.php) and load a custom script (File>Customscripts). Before loading add the user profile (Replace <User> with what you use). This script might or might not work - use at your own risk!

begin
ExecuteAVUpdate;
ShowMessage('AVZ automatically will close all network connections.'+#13#10+'After restarting networks will be up.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
  then
   begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(true);
   end;
ClearQuarantine;

TerminateProcessByName('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
TerminateProcessByName('C:\Users\<User>\appdata\local\temp\vup.exe');
TerminateProcessByName('C:\Windows\system32\isobwdev.exe');
TerminateProcessByName('C:\Windows\SysWOW64\cleen.bat');
TerminateProcessByName('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe');
QuarantineFile('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
QuarantineFile('C:\Users\<User>\appdata\local\temp\vup.exe', '');
QuarantineFile('C:\Windows\system32\isobwdev.exe' , '' );
QuarantineFile('C:\Windows\SysWOW64\cleen.bat', '');
QuarantineFile('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe' , '');
QuarantineFile('C:\Users\<User>\AppData\Roaming\bytor.bmp', '');
DeleteFile('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
DeleteFile('C:\Users\<User>\appdata\local\temp\vup.exe');
DeleteFile('C:\Windows\system32\isobwdev.exe');
DeleteFile('C:\Windows\SysWOW64\cleen.bat');
DeleteFile('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe');
DeleteFile('C:\Users\<User>\AppData\Roaming\bytor.bmp');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','vup'); 
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','isobwdev'); 
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','cleen'); 
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','oQ3jKRk');
RegKeyParamDel('HKEY_CURRENT_USER','Control Panel\Desktop\','bytor');   
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(false);
end.

After the restart you can collect a sample that you can send:
begin
CreateQurantineArchive(GetAVZDirectory+'sample.zip'); 
end.

References: