CRaZyKeL
Posted June 7, 2016 #1

Decryption

We developed a tool that decrypts files encrypted by this malware only. First, the tool will recover the encryption key using one encrypted file. Please use an encrypted file with the last modification timestamp untouched.

Conclusion

Statistics show that the threat of being infected by a ransomware has only begun. Each month, more and more ransomware variants are detected. Some of them do not use state-of-the-art cryptography yet, or badly use it to encrypt files, such as in our case. But in most cases, there is no way to decrypt the file without having the secret key of the attacker.

Here, the fail comes from the rand function call which is not correctly seeded beforehand, the use of the timestamp which can easily be bruteforced and the number of milliseconds which holds a limited space of possibilities.

This post also highlights the good cooperation between the Pentest and the R&D team of Sogeti ESEC. For that, special thanks to lerobert, jbedrine, meik, who also worked on this incident response.

Ransomware-xtbl-decrypt-tool
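The weakness named in the conclusion, as an added example that is not part of the original post and is not the Sogeti ESEC tool: when the only unknowns behind a key are a timestamp close to the file's last write and a millisecond count, recovery is a short search checked against a known file header. The key derivation, the XOR cipher, the search window and every sample value here are constructed assumptions, not the malware's actual scheme.

```python
import hashlib
import struct

def unseeded_rand_bytes(n):
    # C rand() without srand() behaves as if seeded with 1, so every run
    # yields the same values. LCG constants are the classic MSVC ones.
    state, out = 1, bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)

def derive_key(ts, ms):
    # Toy derivation (assumption): constant rand() output + seconds + ms.
    material = unseeded_rand_bytes(8) + struct.pack("<IH", ts, ms)
    return hashlib.sha256(material).digest()

def xor_stream(data, key):
    # Toy cipher standing in for the real one; XOR is its own inverse.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext, mtime, magic, window=10):
    # Assumption: the file was written shortly after the key was made, so
    # walk back from the untouched mtime and try all 1000 ms values.
    tried = 0
    for ts in range(mtime, mtime - window - 1, -1):
        for ms in range(1000):
            tried += 1
            key = derive_key(ts, ms)
            if xor_stream(ciphertext[:len(magic)], key) == magic:
                return key, ts, ms, tried
    return None  # mtime was modified or lies outside the window

# Constructed sample: a "PDF" whose key was made 3 s before its last write.
PLAINTEXT = b"%PDF-1.4 constructed sample document body"
MTIME = 1465300000  # constructed timestamp
SECRET = derive_key(MTIME - 3, 417)
CIPHERTEXT = xor_stream(PLAINTEXT, SECRET)

if __name__ == "__main__":
    key, ts, ms, tried = recover_key(CIPHERTEXT, MTIME, b"%PDF-1.")
    print(f"key found after {tried} candidates (ts={ts}, ms={ms})")
    print(xor_stream(CIPHERTEXT, key))
```

The search space is at most 11,000 candidates with the default window, and the same call returns `None` once the modification time has been changed, which is why the post asks for a file with that timestamp untouched.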