November 10, 2015 by

Poorly Coded Ransomware Doesn’t Decrypt Files after Ransom Payment

A poorly written malware strain of the ‘Power Worm’ ransomware family has been discovered to implement AES encryption to lock a victim’s files and shoddily proceeds to lose the key. This leads to a circumstance wherein a victim could ostensibly pay a ransom and yet, the files remain unrecoverable due to the loss of the encryption key.

Ransomware are among the most destructive and intrusive Trojan malware strains in recent times and although malicious, routinely release a victim’s files after a ransom demand is paid. However, a newly discovered version of ransomware virus – Power Worm shows that a terribly-written virus can serve to inconvenience the victim and the malware author as well.

According to Bleeping Computer, a sample of a malware strain was analyzed to find it using the AES encryption engine through which the malware author looked to use a static AES key for all of his victims.

Essentially, having one singular decryption key ensures the developer to have one tool to work for all of his victims, negating the need for an extensive payment system or decryption engine. However, researchers discovered that the AES key was improperly padded when converted into a Base64 string. Unsurprisingly, any attempt by the PowerShell script to decode this string failed, resulting in a NULL or empty value.

Related article: Cryptowall Ransomware May Have Banked $325 Million for Its Developers

Furthermore, with the NULL value, every attempt from the malware author to use the variable to initialize the AES cryptography API created a random key for every victim.

The developer thought that he knew that the key was being used while the random key was never truly saved, rendering it impossible for anyone with any means to recover it in the future.

The ransomware strain creates a ransom note similar to that of the most notorious ransomware of them all – Cryptowall. Titled “DECRYPT_INSTRUCTION.html,” the ransom note is placed inside every folder containing encrypted files. Much like Cryptowall, the ransom note includes an ID that claims to be unique to every victim. However, unlike Cryptowall, the note is the same for all who are unfortunate to fall prey to the ransomware.

LIFARS has repeatedly reported about ransomware strains in recent times, proving just how significant they are as a real world threat. If you haven’t backed up your files already, now would be the time to do so.


About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

Singapore Comes First as Launchpad for Global Cyber Attacks

The small Asian nation of Singapore has overtaken countries including Russia, China and the United...

Read more arrow_forward

Data Breach of Medical Supply Firm Affects Over 21,000

The hack of a Nebraska-based medical supply company has affected over 21,000 individual victims in...

Read more arrow_forward

NotPetya Cyberattack Costs FedEx’s TNT Arm $300 Million in Damages

Delivery and logistics giant FedEx has revealed the cost of damages incurred by its TNT division due...

Read more arrow_forward

If you have any further questions, please don't hesitate to contact us.