A ransomware Trojan that encrypts files on the computer and demands a ransom for decryption of compromised data. It is distributed as an installer created with Smart Install Maker, and it is attached to an email message that claims to be sent from an arbitration court or in the form of a link for file download.
The following email addresses are currently known to belong to cybercriminals:
email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org
The Trojan is installed as a Windows system service. Depending on the bitness of the system, it chooses either the %SYSTEMDRIVE%\Program Files\winrar_update directory or %SYSTEMDRIVE%\Program Files (x86)\winrar_update.
If the attacked computer is running Windows XP, the Trojan also checks whether it has been launched from the specified directories and whether the WCS service is running. If not, the Trojan copies itself in one of these folders with byte-to-byte reading and writing, sets incorrect creation time for this file and runs the copy with the /install and /silent parameters. If any other Windows operation system is installed, the Trojan runs its copy attempting to to acquire higher privileges (runas).
The Trojan sends the following three parameters to the C&C server: version—the Trojan’s version, id—the computer identifier that is generated from the current date and a random number, and pass—encrypted password.
The Trojan encrypts files on all the computer’s disks except ones that are located in the Windows folder. For every disk, it calls a recursive function of file encryption. Then it creates the update.bin file (which stores the id vale and the encrypted password) and the checkdata.diff file (which temporary stores names of encrypted files) in the winrar_update folder.
The Trojan encrypts files that have the following extensions:
.r3d; .rwl; .rx2; .p12; .sbs; .sldasm; .wps; .sldprt; .odc; .odb; .old; .nbd; .nx1; .nrw; .orf; .ppt; .mov; .mpeg; .csv; .mdb; .cer; .arj; .ods; .mkv; .avi; .odt; .pdf; .docx; .gzip; .m2v; .cpt; .raw; .cdr; .cdx; .1cd; .3gp; .7z; .rar; .db3; .zip; .xlsx; .xls; .rtf; .doc; .jpeg; .jpg; .mp3; .zip; .ert; .bak; .xml; .cf; .mdf; .fil; .spr; .accdb; .abf; .a3d; .asm; .fbx; .fbw; .fbk; .fdb; .fbf; .max; .m3d; .dbf; .ldf; .keystore; .iv2i; .gbk; .gho; .sn1; .sna; .spf; .sr2; .srf; .srw; .tis; .tbl; .x3f; .ods; .pef; .pptm; .txt; .pst; .ptx; .pz3; .mp3; .odp; .qic; .wps
This Trojan has several modifications. Depending on the modification, the Trojan uses a particular encryption algorithm. The only common feature of these versions is that the Trojan chooses several file fragments and encrypts them one by one. At that, it adds offsets of the encrypted elements and MD5 hash from the original file (which is then used to check correctness of decryption) to the end of the file. Other information can also be present in the end of the file. This data is represented in decimal numeration system, except MD5 hash that is written in hexadecimal numeration system. Presumably, some versions of the Trojan also add random data that is then cut off during the decryption procedure.
In most cases, the Trojan’s version is specified in the end of a file name (for example, ver-126.96.36.199, ver-CL 0.0.1.0). Moreover, the file name contain email address of the attackers and the computer’s ID.
At present, those files can be entirely decrypted that were compromised with early versions of this ransomware program. For the 4th and the 5th modifications, it is possible to find the key and decrypt files in some cases. Files infected with the 6th version or later cannot be restored.