RansomWarrior Defeated with Decryption Tool

Security researchers have managed to crack new ransomware purporting to come from India, providing a decryption tool and usage guide for victims.

RansomWarrior was discovered by the MalwareHunterTeam in early August. Alongside instructions on how to pay using Bitcoin, a lock screen presents victims with a list of “bonus tips.”

These include suggestions for older users to ask a younger relative for help if they are confused about the process, and not to report the incident to police because it will cost valuable time and “they can’t help you anyways.”

The message concludes with the cheery: “Have a good day with love from India.”

However, the malware writers themselves appear to have made a few mistakes.

“Written in .NET, the executable itself isn’t obfuscated, packed, or otherwise protected, suggesting those behind it are relatively new to the game. In fact, the ‘encryption’ used by the ransomware is a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys in RansomWarrior’s binary code,” said Check Point Research.

“As a result, the Check Point Research team has been able to extract those keys, and, as the key’s index is saved locally on the victim’s computer, provide the correct keys to the ransomware itself in order to unlock the files.”

Users simply execute the decryption tool as “administrator,” and when prompted, return to the original ransom note and click “get your important files back.”

A pop-up will notify when all files have been decrypted.

Cyber-criminals in general are increasingly eschewing ransomware in favor of easier ways to make money, such as cryptojacking.

Trend Micro reported last week that cryptocurrency mining malware detections soared a staggering 956% from 1H 2017 to the first six months of 2018. At the same time, ransomware detections grew by just 3% from the previous half year.
