In this article we examine a ransomware sample detected by Sophos products as Troj/Ransom-FXO. It is also known as Vcrypt, after the filename extension the malware uses.
The ransomware installs itself as video_driver.exe and claims to be a video driver.
This malware scrambles the files on your C: drive using a secret key and wipes out the files on all the other drives, looping through every letter from A: to Z: except C: and issuing commands to delete all the files and directories it can find.
The malware developer, however, did not do the encryption part properly: the cryptographic key is hardcoded and can easily be extracted from the malware file.
The attacker behind this did not use Tor or the dark web to host the “buy page” where you find the ransom demand and where to send the bitcoins. Instead they used a regular web page on a free hosting service, which has since been taken down.
Ransom-FXO itself is written in C, but it does not use its own C code to do the encryption.
The developer used the free file archiving tool 7-Zip for the encryption, so the video_driver.exe ransomware program simply calls the Windows system() function to run 7-Zip as an operating system command.
This makes the main part of the ransomware very simple. Look at the directory listing taken after the ransomware had installed itself to launch its attack.
The malware copies itself to your %TEMP% folder, where temporary files usually go, and is 794KB in size.
733KB of video_driver.exe consists of a copy of mod_01.exe, which the malware extracts as a separate program at startup so that it can call on it later.
The mod_01.exe file is a pirated copy of the 7-Zip archiving and compression program, which lets you package entire directory structures into individual archive files, encrypting them using the AES algorithm.
How it works
video_driver.exe is simple: it starts two threads of execution that run side by side, each running a sequence of system() commands over and over again via the built-in Windows cmd.exe program:
The first thread repeatedly does the following:
The C: drive is omitted from the list of drives to wipe because that is where the other thread looks for files to scramble.
The B: drive, if present, does not get wiped, because the programmer checks for the existence of B: but then wipes the A: drive again in the second part of the line.
The F: drive was omitted altogether, probably a copy-and-paste mistake.
The second thread repeatedly runs a sequence of commands which are stored inside the malware like this:
This is obfuscated with a Caesar cipher: every character is shifted back three places just before the system() call is made.
Using the ASCII character set as the decoding table for the text above, li moved back three places gives if, the hash sign (#) becomes a space, XVHU comes out as USER, and so on.
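As an added example, not code from the article or from the malware, here is a small Python helper that undoes that three-place ASCII shift and then sweeps a binary's printable strings for decoded text mentioning the file names the article associates with the malware. The marker list is my choice, and the embedded blob is constructed for the example rather than taken from the real sample.

```python
"""Decode Caesar-shifted command strings of the kind described above.

Added example, not code from the article or from the malware. The blob
at the bottom is constructed for this example; it is not the real string.
"""
import re
from typing import List

SHIFT = 3  # the article: every character is shifted back three places

# File names the article associates with the malware (assumed marker
# list); a decoded string that mentions one is almost certainly a command.
MARKERS = ("mod_01.exe", "%temp%", "cmd.exe", ".vcrypt")


def unshift(text: str, shift: int = SHIFT) -> str:
    """Move every character back `shift` places in the ASCII table."""
    return "".join(chr((ord(c) - shift) % 128) for c in text)


def shift_forward(text: str, shift: int = SHIFT) -> str:
    """Inverse of unshift(); handy for building test data."""
    return "".join(chr((ord(c) + shift) % 128) for c in text)


def find_shifted_strings(blob: bytes, min_len: int = 8,
                         shift: int = SHIFT) -> List[str]:
    """Emulate `strings`, undo the shift on each printable run, and keep
    the runs that decode to text containing a marker, in file order."""
    runs = re.compile(rb"[\x20-\x7f]{%d,}" % min_len)
    hits = []
    for match in runs.finditer(blob):
        decoded = unshift(match.group().decode("ascii"), shift)
        if any(mark in decoded.lower() for mark in MARKERS):
            hits.append(decoded)
    return hits


# Constructed sample: junk bytes, one shifted command, one plaintext run.
# "li#h{lvw#(WHPS(_prgb341h{h" is "if exist %TEMP%\mod_01.exe" shifted +3.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00" + b"li#h{lvw#(WHPS(_prgb341h{h"
               + b"\x00\x00" + b"not shifted at all" + b"\x00")


if __name__ == "__main__":
    for cmd in find_shifted_strings(SAMPLE_BLOB):
        print(cmd)  # prints: if exist %TEMP%\mod_01.exe
```

Pointing find_shifted_strings() at the bytes of a suspect file lists its Caesar-hidden command lines without running anything.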
So, this is what actually executed:
The program name %TEMP%\mod_01.exe here refers to the pirated copy of 7-Zip that the malware brings along.
The password in the command line above is the text immediately following the command option -p, namely:
There are actually twelve variations of the above command in the malware, each having a go at scrambling one of the folders in this list:
If any of these folders exist and contain files, their contents end up in encrypted 7-Zip archives with the extension .vcrypt, like this:
In the above listing, two other files created by the malware can also be seen: help.html, which tells you that your files have been scrambled, and new_background.bmp, an all-black rectangle that replaces your desktop wallpaper.
The twelve file-encrypting commands run again and again for as long as you are logged in. So any files you save into one of the folders mentioned above after the malware has started running will soon get noticed, added to the relevant .vcrypt archive, and then deleted.
What you see
The malware adds itself to the Windows registry as follows:
video_driver = “%TEMP%\video_driver.exe”
This means that whenever you log on to Windows, the file-deleting and file-encrypting threads start up again in the background.
The all-black Windows desktop with no file icons or shortcuts on it looks like this:
The web page that is supposed to tell you what to do has been taken down.
What to do?
A good anti-virus program will remove the malware, or you can stop it running yourself as follows:
- Delete the file C:\USERS\[yourname]\AppData\Local\Temp\video_driver.exe
- Reboot or log off and come back in.
You can recover your files by installing the 7-Zip utility and then opening up the .vcrypt files in your home folder one by one.
When you ask 7-Zip to extract the files, a password prompt will pop up. Unfortunately, there is no easy way to get back files deleted from drive letters other than C:.
Users who keep regular backups can recover those files anyway, so do not put off backing up your data.