Cybercrime: LooCipher, the probable heir of GandCrab, has been beaten

Article by Francesco Bussoletti on Difesa&Sicurezza, 15/07/2019

Yoroi-Cybaze ZLab: LooCipher cybercrime ransomware has its decryptor and it’s free

LooCipher, the probable heir of the GandCrab ransomware, has a decryptor and it’s free. It has been developed by the Yoroi-Cybaze ZLab cyber security experts, who studied the new malware and its behaviour. The cybercrime malicious code spreads using weaponized Word documents and abuses Tor network proxy services to reach its command and control servers. According to Fortinet, the encryption algorithm used by LooCipher is AES-128 in ECB mode with a 16-byte key. The key is generated randomly, starting from an array of pre-defined characters. Since AES is a symmetric-key algorithm, once the key is retrieved it is possible to restore all encrypted files. The key is sent to the C2 over HTTP as a GET parameter (“k=”), obfuscated, but the obfuscation method is trivial: it consists of replacing each key character with a pre-defined double-digit number.

The tool, however, requires the malware process to be active in order to work

According to the cyber security experts, once the obfuscated key is retrieved it is possible to reconstruct the original key and decrypt all files. The crucial point is to extract the obfuscated key. As shown by Fortinet, this can be done in two ways: (1) intercepting the network traffic when the malware sends the key to the C2, which can be difficult because the key is sent only once and it is necessary to capture exactly the network traffic containing this request; or (2) exploring the memory map of the LooCipher process after the encryption has completed, since the entire path (including the key) used to contact the C2 is still stored in the process memory. The latter can be complex for inexperienced users, so Cybaze-Yoroi ZLab released an automatic tool that extracts the secret key and proceeds with the decryption of all files previously encrypted by the ransomware. The tool, however, requires the malware process to be active.
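As an added illustration of the key obfuscation and the two retrieval paths described above (example code written for this page, not the Yoroi-Cybaze ZLab tool): the article does not give LooCipher's real character-to-number table, so the mapping, the hostname and the sample key below are constructed placeholders; the code pulls the `k=` parameter out of either a captured C2 request or a raw process-memory buffer and reverses the two-digit substitution into the 16-byte AES key.

```python
import re

# Constructed placeholder table: the real LooCipher character array and its
# two-digit codes are not given in the article, so this maps a sample alphabet
# to codes 10..45. The reversal logic is the same for any such table.
KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
CHAR_TO_CODE = {c: "%02d" % (i + 10) for i, c in enumerate(KEY_ALPHABET)}
CODE_TO_CHAR = {code: c for c, code in CHAR_TO_CODE.items()}
KEY_LEN = 16  # AES-128 key length in bytes, as reported by Fortinet


def obfuscate_key(key):
    """Apply the trivial obfuscation: each key character becomes a two-digit code."""
    return "".join(CHAR_TO_CODE[c] for c in key)


def deobfuscate_key(blob):
    """Reverse the substitution: every pair of digits maps back to one character."""
    if len(blob) != 2 * KEY_LEN or not blob.isdigit():
        raise ValueError("obfuscated key must be %d digits" % (2 * KEY_LEN))
    chars = []
    for i in range(0, len(blob), 2):
        code = blob[i:i + 2]
        if code not in CODE_TO_CHAR:
            raise ValueError("unknown code %s in obfuscated key" % code)
        chars.append(CODE_TO_CHAR[code])
    return "".join(chars)


def find_obfuscated_keys(data):
    """Locate 'k=<32 digits>' in a captured HTTP request or a raw memory dump.

    Works on bytes so the same function serves both retrieval methods: the
    intercepted GET request and the C2 path left behind in process memory."""
    pattern = rb"[?&]k=(\d{%d})(?!\d)" % (2 * KEY_LEN)
    return [m.decode() for m in re.findall(pattern, data)]


def recover_key(data):
    """Return the de-obfuscated AES key found in the given bytes (first match)."""
    candidates = find_obfuscated_keys(data)
    if not candidates:
        raise LookupError("no k= parameter with an obfuscated key found")
    return deobfuscate_key(candidates[0])


# Constructed sample inputs (hostname and key are placeholders, not real IoCs).
SAMPLE_KEY = "4f2a9c1e7b3d8a60"
SAMPLE_REQUEST = (b"GET /?k=" + obfuscate_key(SAMPLE_KEY).encode()
                  + b" HTTP/1.1\r\nHost: c2-placeholder.example\r\n\r\n")
SAMPLE_MEMORY = (b"\x00" * 8 + b"http://c2-placeholder.example/?k="
                 + obfuscate_key(SAMPLE_KEY).encode() + b"\x00\xff\x13")
```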