CryptoWire ransomware not dead

CryptoWire is an "open-source" ransomware based on the AutoIT scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer:
"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families

I already encountered a CryptoWire variant last year, when it was used to target users in Brazil:
Ransomware, fala sério!

In this blog post, we'll briefly analyse another, recent, CryptoWire sample.

Analysis

This CryptoWire variant has the following properties:

• MD5: f6d01e72a58a8bdf14f9a103250f779e
• SHA1: 3b97bac22a04282ebbaef60beb168a41e4449239
• SHA256: 4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c
• Compilation timestamp: 2018-04-10 16:00:12
• VirusTotal report:
  4deff7d8434583ea8e5c3ef9b4c64674dfb165b1720ddf63b5abdd8ed6a7399c

Figure 1 - Typical CryptoWire layout

The message reads:

The only way you can recover your files is to buy a decryption key
The payment method is: Bitcoins. The price is: $1000 = Bitcoins
When you are ready, send a message by email to wlojul@secmail.pro
We will send you our BTC wallet for the transfer
After confirmation we will send you the decryption key
Click on the 'Buy decryption key' button.

CryptoWire will encrypt files with the following extensions (282 total):

3fr, 7z, EPS, M3U, M4A, PEM, PSD, WPS, XLSX, abw, accdb, afsnit, ai, aif, arc, arw, as, asc, asd, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bay, bbb, bdb, bibtex, bkf, bmp, bmp, bpn, btd, bz2, c, cdi, cdr, cer, cert, cfm, cgi, cpio, cpp, cr2, crt, crw, csr, cue, dbf, dcr, dds, dem, der, dmg, dng, doc, docm, docx, dsb, dwg, dxf, dxg, eddx, edoc, eml, emlx, eps, epub, erf, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, himmel, hpp, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpeg, jpf, jpg, jpm, jpx, jsp, jspa, jspx, jst, kdc, key, keynote, kml, kmz, lic, lwp, lzma, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mef, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, mrw, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nef, nes, note, nrg, nri, nrw, odb, odc, odm, odp, ods, odt, ogg, one, orf, ova, ovf, oxps, p12, p2i, p65, p7, p7b, p7c, pages, pct, pdd, pdf, pef, pem, pfx, php, php3, php4, php5, phps, phpx, phpxx, phtm, phtml, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, ptx, pub, pvm, qcn, qcow, qcow2, qt, r3d, ra, raf, rar, raw, rm, rtf, rtf, rw2, rwl, s, sbf, set, skb, slf, sme, smm, snp, spb, sql, sr2, srf, srt, srw, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, til, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, vsdx, wav, wb2, wbk, wbverify, webm, wmb, wpb, wpd, wps, x3f, xdw, xlk, xlr, xls, xlsb, xlsm, xlsx, xz, yuv, zip, zipx

It will also encrypt files, regardless of extension, in certain folders such as Desktop.

Files are encrypted with AES, and prepends extension of encrypted files with ".encrypted.". For example: Tulips.encrypted.png.

CryptoWire will delete Shadow Volume Copies and disable BCDEdit by executing these commands:

vssadmin.exe Delete Shadows /All /Quietbcdedit /set {default} recoveryenabled Nobcdedit /set {default} bootstatuspolicy ignoreallfailures

It will additionally create a scheduled task for persistence.

You can decrypt files for this specific variant with the following Decryption Key:
VgjRPoOM0oa92_jId!/wkMeW6,guuSe

Conclusion

Some ransomware variants simply do not die, one example of these appears to be CryptoWire. If you have been hit by this particular strain, use the decryption key as instructed above, and your files will be decrypted.

Make sure to read the dedicated page on ransomware prevention to prevent CryptoWire or any other "open-source" ransomware to infect your machine, and encrypt your files.

IOCs

Ransomware, fala sério!

Recently, a user contacted me in regards to what looks like a new, Brazilian ransomware. In this blog post, we're taking a quick look at the ransom and how to unlock or decrypt your files.

TL;DR: to unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

The title of this blog loosely translates to: ransomware, no way! (excuse my Portuguese)

The ransomware appears to call itself 'Sem Solução'; which translates to 'Hopeless' or 'No Solution'. I propose we call it 'Hopeless ransomware':

Figure 1 - 'Seus arquivos foram criptografados'

Sua IDNão a formas de recuperar sem comprar a senha, ser tenta eu apago tudo!O método de pagamento é via Bitcoins.  O preço é: 600,00 REAIS =  Bitcoins
Não tem Bitcoins?, pesquise no google e aprenda comprar ou clique em Compra Bitcoinsenvie os bitcoins para: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1Para receber a senha, voce precisa criar uma e-mail em https://mail.protonmail.comE enviar SUA ID para 785910@protonmail.com em 24h ou mais voce receberá a sua senha!, Obrigado..

Translated:

Your IDNot the ways to recover without buying the password, be try I delete everything!The method of payment is via Bitcoins. The price is: 600,00 REAIS = Bitcoins
Do not have Bitcoins ?, search google and learn how to buy or click Buy BitcoinsSend the bitcoins to: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1To receive the password, you need to create an email at https://mail.protonmail.comAnd send YOUR ID to 785910@protonmail.com in 24h or more you will receive your password !, Thank you ..

The price is 600 REAIS (Brazilian Real), which currently amounts to 0.15 BTC.
(176 EUR | 155 GBP | 199 USD)

Interestingly enough, the ransomware has a built-in function to detect whether or not your machine belongs to a domain, and if so, will increase the amount of ransom to be paid to a whopping 1000 REAIS, or 0.25 BTC. (293 EUR | 259 GBP | 333 USD)

Figure 2 - Func _get_bitcoin_value()

The ransomware author or authors is/are definitely not kidding: if you enter a wrong password, the ransom will start deleting files.

Figure 3 - 'Error!", "Senha de descriptografia errada, NA PROXIMA 500 ARQUIVOS SERÃO EXCLUIDOS!'

Files to encrypt, including those used in virtualization software such as VMware for example:

zip, 7z, rar, pdf, doc, docx, xls, xlsx, pptx, pub, one, vsdx, accdb, asd, xlsb, mdb, snp, wbk, ppt, psd, ai, odt, ods, odp, odm, , , odc, odb, docm, wps, xlsm, xlk, pptm, pst, dwg, dxf, dxg, wpd, rtf, wb2, mdf, dbf, pdd, eps, indd, cdr, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, abw, til, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, himmel, cert, cfm, cgi, cpio, cpp, csr, cue, dds, dem, dmg, dsb, eddx, edoc, eml, emlx, EPS, epub, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, hpp, ics, idml, iff, img, ipd, iso, isz, iwa, j2k, jp2, jpf, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, M3U, M4A, m4v, max, mbox, md2, mdbackup, mddata, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, afsnit, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, PEM, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, ppdf, pps, ppsm, ppsx, ps, PSD, pspimage, pvm, qcn, qcow, qcow2, qt, ra, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, WPS, xdw, xlr, XLSX, xz, yuv, zipx, jpg, jpeg, png, bmp

Additionally, Steam users aren't spared of getting their files encrypted either:

Figure 4 - Executable files in Steam's games directory will be encrypted

In reality, it appears all files are encrypted, regardless of extension.

The ransomware ultimately calls home and leverages Pastebin to do so. However, when analysing the ransomware, none of the Pastebin links were online as they had been removed.

$data = "pcname=" & @ComputerName & "&hwid=" & $key & "&version=Locker"

At time of writing, no payments have been made as of yet to the Bitcoin address:
1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1

The ransomware encrypts files prepending the original extension with '.encrypted.'. For example;
image.png would become: image.encrypted.png

The ransomware is based on CryptoWire, an open-sourced ransomware written in AutoIT.


Decryption

To unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

Note: as always, prevention is more important than decryption or disinfection! Have a look at the dedicated page I've set up here.


Conclusion

While ransomware is anything but uncommon, ransomware very likely stemming from Brazil and specifically targeting Brazilian users and businesses, is a less frequent occurence. In fact, the only notable example, as far as I know, is TeamXRat also known as Xpan ransomware.

Below you may find IOCs.

IOCs