Threat Management, Malware, Ransomware, Security Strategy, Plan, Budget

Ransom Warrior defeated by decryption tool

Cybersecurity researchers have developed a decryption tool to unlock machines infected by Ransom Warrior ransomware.

The Malware Hunter Team first spotted the malware on August 8 and researchers believe the threat actors are India-based and inexperienced malware developers dude to the malware being written in .NET, an obfuscated executable that isn’t packed or otherwise protected, according to a an Aug. 30 Check Point blog post.

“In fact, the “encryption” used by the ransomware is a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys in RansomWarrior’s binary code,” researchers wrote.

As a result, the Check Point Research team has been able to extract those keys, and, as the key’s index is saved locally on the victim’s computer, provide the correct keys to the Ransomware itself in order to unlock the files. ”

Researchers also noted that the encryption used by the ransomware is a stream cipher using a key that is generated randomly from a list of 1000 hard-coded keys in the ransomware’s binary code.

Check Point researchers extracted the keys and because the index is saved locally on the victim’s computer, provide the correct keys to the ransomware allowing them to unlock the malicious files.

Threat actors are delivering the malware via an executable named 'A Big Present.exe' which, if run, will encrypt files with a .THBEC extension and are targeting Microsoft Windows users.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds