Now, all this is theoretical. Everything changes when someone you know is hit by this kind of malware. This is what happened to one of us: a very close friend had just been infected with a brand new piece of ransomware called BitCrypt, and you know what? That nasty piece of malware encrypted all the pictures of his lovely children, from their birth until now. No backup, except for a few pictures on Facebook. We felt very concerned, because one of us is the godfather of one of those adorable kids, a rock’n’roll boy called Keziah.

Should we really mention that the investigation started right away?

The problem was that the infected computer was 400 kilometers away. The only information we had was this screenshot.

[Screenshot: BitCrypt ransom message displayed on the infected computer]

A quick look around for resources on this piece of ransomware led to a dead end: the ransomware seemed to be quite new. The domain bitcrypt.info had been registered on the 3rd of February 2014, and quick investigations around it did not reveal much.

When accessing the website, a single page appeared, asking for the user’s bitcrypt ID (the format is described later):

[Screenshot: bitcrypt.info login page asking for the bitcrypt ID]

After logging in, the website showed this page:

[Screenshot: bitcrypt.info page shown after login, with the ransom demand]

So, things were clear: the cybercriminal wanted 0.4 Bitcoin, which was about 260 Euros at the time of infection but only 89 Euros at the time of writing (once again, this shows how unreliable Bitcoin is as a currency, but that is another story).

Thanks to VirusTotal, a sample was available. It had been submitted to VirusTotal on the 9th of February, once again showing that this threat was quite new.

The next step was, of course, to start analysing the sample. The malware claims to use RSA-1024 cryptography, but such claims should always be verified 😉

The sample is packed with a simple packer, and we soon faced a disgusting Delphi-compiled malware. We then started to study the Bitcrypt ID generation and the file encryption.

When first run on the system, the malware creates a configuration file (bitcrypt.ccw in %APPDATA%). It then chooses a random number between 1 and 999 and uses it as an index to extract a base64-looking string from an array. The Bitcrypt ID is then computed as follows, and both the ID and the string are stored in the configuration file:

DRU-<nation>-<rand><index>
  • nation is the value of the registry key “Control Panel\International\Geo\Nation”
  • rand is 3 random digits
  • index is the index of the chosen string

The previously chosen string is in fact encoded using a custom base64 alphabet:

aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789+=

Once decoded, the chosen string turns out to be used as an RSA public key modulus (with the public exponent fixed at 0x10001).

The malware then starts looking for interesting files to encrypt on the disk, while a watchdog thread kills any attempt to run taskmgr.exe or regedit.exe. Files with the following extensions are encrypted:

dbf mdb mde xls xlw docx doc cer key rtf xlsm xlsx txt xlc docm xlk text ppt djvu pdf lzo djv cdx cdt cdr bpg xfm dfm pas dpk dpr frm vbp php js wri css asm jpg jpeg dbx dbt odc sql abw pab vsd xsf xsn pps lzh pgp arj gz pst xl

For each interesting file it encounters, a new 16-character random password is generated, and a 192-bit key is derived from it using PBKDF2 with HMAC-SHA1, a random salt and 1000 iterations. The resulting key is used to encrypt the file content with AES in CTR mode. All these operations are performed using AESLib.pas.

The AES key is then RSA-encrypted using the previously chosen public key. This time, the FGIntRSA module is used.

The resulting file has the “.bitcrypt” extension appended to its filename and the following structure:

  • Header consisting of a 12-byte salt and a 2-byte password verifier
  • Ciphered data
  • Trailer consisting of the 10-byte HMAC-SHA1 of the ciphered data (the HMAC key is also derived from the password)
  • XML-like structure containing the following 3 tags:
    • <cfg++0><cfg--0>: size of the raw data before the structure
    • <AesRPass++><AesRPass-->: the encrypted AES key
    • <IDPubKey++><IDPubKey-->: the base64-like encoded RSA public modulus

The whole scheme seems rather secure, even if one could wonder why a new AES key is generated for each file (implying a new RSA encryption for each key!).
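To make the container layout concrete, here is an added Python example (not the authors' script) that builds a constructed .bitcrypt-style blob with this header / ciphertext / HMAC / trailer layout, parses it back, and checks the password verifier and the HMAC. The AES-CTR step is left out, and splitting the HMAC key and the 2-byte verifier out of the same PBKDF2 stream is an assumption of the example.

```python
import hashlib
import hmac
import os

SALT_LEN, VERIFIER_LEN, MAC_LEN, KEY_LEN, ITERATIONS = 12, 2, 10, 24, 1000


def derive(password: bytes, salt: bytes) -> dict:
    # PBKDF2-HMAC-SHA1, 1000 iterations, as the post states; the 192-bit AES key is the
    # first 24 bytes. Taking the HMAC key and the 2-byte verifier from the same derived
    # stream is an assumption (the post only says the HMAC key is also password-derived).
    km = hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, 2 * KEY_LEN + VERIFIER_LEN)
    return {"aes": km[:KEY_LEN], "mac": km[KEY_LEN:2 * KEY_LEN], "verifier": km[2 * KEY_LEN:]}


def build_container(password: bytes, ciphertext: bytes, enc_key: bytes, pubkey: str) -> bytes:
    # Constructed sample blob: `ciphertext` stands in for the AES-CTR output (no AES here);
    # closing tags are written with '--', which the post renders as an en dash.
    salt = os.urandom(SALT_LEN)
    k = derive(password, salt)
    tag = hmac.new(k["mac"], ciphertext, hashlib.sha1).digest()[:MAC_LEN]
    raw = salt + k["verifier"] + ciphertext + tag
    trailer = (f"<cfg++0>{len(raw)}<cfg--0>"
               f"<AesRPass++>{enc_key.hex()}<AesRPass-->"
               f"<IDPubKey++>{pubkey}<IDPubKey-->")
    return raw + trailer.encode()


def parse_container(blob: bytes) -> dict:
    # The cfg tag holds the size of the raw part, so header, ciphertext and HMAC are cut from it.
    def between(open_tag: bytes, close_tag: bytes) -> bytes:
        start = blob.index(open_tag) + len(open_tag)
        return blob[start:blob.index(close_tag, start)]
    raw = blob[:int(between(b"<cfg++0>", b"<cfg--0>"))]
    body = SALT_LEN + VERIFIER_LEN
    return {
        "salt": raw[:SALT_LEN],
        "verifier": raw[SALT_LEN:body],
        "ciphertext": raw[body:-MAC_LEN],
        "mac": raw[-MAC_LEN:],
        "enc_key": bytes.fromhex(between(b"<AesRPass++>", b"<AesRPass-->").decode()),
        "pubkey": between(b"<IDPubKey++>", b"<IDPubKey-->"),
    }


def check_password(fields: dict, password: bytes) -> bool:
    # Cheap 2-byte verifier first, then a constant-time HMAC check over the ciphertext.
    k = derive(password, fields["salt"])
    if not hmac.compare_digest(k["verifier"], fields["verifier"]):
        return False
    tag = hmac.new(k["mac"], fields["ciphertext"], hashlib.sha1).digest()[:MAC_LEN]
    return hmac.compare_digest(tag, fields["mac"])
```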

However, a quick look at the base64-like strings raised doubts about the key length. For example, here is the configuration file from the infection described above:

FRzXsfaUXv2MGBtstNDDXX0OQhQF8luWe+eszngsgYgBOq5E3JcZWQuv94SzOHBOrSSZGh7
DRU-84-539467
EncryptComplete

Once decoded, the key translates to the following number:

31298847196625400639506938637161930162789011464295952600544145829335849533528834917800088971765784757175491347320005860302574523

This is definitely not a 1024-bit key! The number has 128 decimal digits, which could indicate a (big) mistake by the malware author, who probably wanted to generate a 128-byte key.

In the end, we are simply dealing with RSA-426 encryption, which can be broken on a standard PC in a matter of hours.

One of our cryptography experts pointed us to the cado-nfs tool, which implements the Number Field Sieve algorithm to factor numbers (and thus break RSA keys). With such a tool, breaking the 426-bit key took 43 hours on a quad-core PC, and only 14 hours on one of our 24-core servers.

$ ./factor.sh <key> -s 4 -t 6
...
Info:Complete Factorization: Total cpu/real time for everything: 751058/51141
4627583475399516037897017387039865329961620697520288948716924853 6763540271723193027434512605129229364869394444394656022641769391

With these factors, we could build a Python script implementing all the cryptographic operations needed to decipher the encrypted files and save the precious pictures. The Python script is available on our Bitbucket repository.
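As an added example (not the authors' bitdec.py), here is how the custom alphabet described earlier decodes the configuration-file string into the 128-digit modulus quoted above, and how the two cado-nfs factors turn it into a usable RSA private exponent. Reading the string as a plain base-64 positional number, most significant digit first, rather than as bit-packed base64, is an assumption of this example; it reproduces the post's decimal number exactly.

```python
import math

# Custom digit alphabet quoted in the post: 64 symbols, one per base-64 digit.
ALPHABET = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789+="
E = 0x10001  # public exponent fixed by the malware, as stated in the post

# Values copied from the post: the modulus string from the configuration file,
# its decimal value, and the two factors reported by cado-nfs.
CONFIG_KEY = "FRzXsfaUXv2MGBtstNDDXX0OQhQF8luWe+eszngsgYgBOq5E3JcZWQuv94SzOHBOrSSZGh7"
N_DECIMAL = 31298847196625400639506938637161930162789011464295952600544145829335849533528834917800088971765784757175491347320005860302574523
P = 4627583475399516037897017387039865329961620697520288948716924853
Q = 6763540271723193027434512605129229364869394444394656022641769391


def decode_modulus(text: str) -> int:
    # Assumption: the string is a plain base-64 positional number, most significant
    # digit first (digit-by-digit base conversion, not bit-packed base64). With this
    # reading, CONFIG_KEY decodes exactly to N_DECIMAL.
    n = 0
    for ch in text:
        n = n * 64 + ALPHABET.index(ch)
    return n


def private_exponent(p: int, q: int, e: int = E) -> int:
    # Standard RSA: d = e^-1 mod (p-1)(q-1); pow(e, -1, m) needs Python 3.8+.
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def recover_key(text: str, p: int, q: int) -> tuple:
    # Decode the modulus, confirm the factors really belong to it, then derive d.
    n = decode_modulus(text)
    if p * q != n:
        raise ValueError("factors do not multiply to the decoded modulus")
    return n, E, private_exponent(p, q)


def roundtrip_ok(n: int, e: int, d: int, m: int) -> bool:
    # Textbook RSA sanity check on a constructed message m < n.
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    n, e, d = recover_key(CONFIG_KEY, P, Q)
    print(f"decoded modulus has {n.bit_length()} bits, nowhere near 1024")
    print("private exponent round-trips:", roundtrip_ok(n, e, d, int.from_bytes(b"constructed sample", "big")))
```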

$ python ./bitdec.py "Blue hills.jpg.bitcrypt"
[*] Pub key: FRzXsfaUXv2MGBtstNDDXX0OQhQF8luWe+eszngsgYgBOq5E3JcZWQuv94SzOHBOrSSZGh7
[*] Ciphered AES key: 3a86d0605bef536e2e8a531e1e0530f27fb835f1f4daa55c285c3d02dff9332e3ea1ccfa35eec202a1974f316da72d8d70c839fba6
[+] AES Password: _yj^O@1p"CLKfPoK*A{fVm2S0@,G6,s*
[+] Derived AES Key: d5a2bdf7cd03ff2368519840fc1b8d9eb8f542e30a6f34f2
[+] Key is correct
[+] Ciphered text hmac is correct
[+] Decryption done. Output in "Blue hills.jpg.bitcrypt.clear"

In conclusion, we can only warn users about this kind of threat and try to raise awareness:

  • Always run an anti-virus product that is up to date.
  • Always keep all the software on your computer updated.
  • Make regular backups of your sensitive data on an external hard drive, and disconnect it as soon as the backup is done. A backup drive that is always connected to the computer makes no sense: in this case, the malware would have encrypted the backed-up images too.
  • If possible, make another backup of your data somewhere on the Internet: image hosting services, SkyDrive, etc.