Imagine a scenario -:
You login into your official email or personal email account and find an email from an email address that seems to be of the bank in which you are a customer; You are asked to read the new “Terms and Conditions” for operating your bank account in the email attachment, or a link which re-directs you to it.
Much like the example shared below -:
You click on the link and after few minutes you notice -:
- Either your system is working slow, or
- You get error messages like “Unknown file type”, “Windows can’t open this file”, “No associated application” when accessing any file, or
- Worst case scenario, system is completely locked and a message appears on your screen – “Your files are encrypted”.
These are the signs that you have been hit by a RANSOMWARE.
“Source code of ransomware(s) are being distributed as freebies.”
Dissecting ArisLocker Ransomware
Recently, during the monitoring of dark web, Cyble’s Threat Researchers discovered the source code of ArisLocker Ransomware.
The source code was provided to our Malware Analysis team to gain some insights on the working of the malware. Below is an overview of the activity of ransomware code, once it gets executed –
- Initially, a login_screen function is called to input your password on a fake login screen
It would not matter if you enter the password or not, because the function will run anyway.
2. Now it will scan the paths “C:\Users\” #C:\Users\ and walk through all the directories and sub-directories, and collect the files of specific file types mentioned in the code file.
Few Examples -:
3. A queue is created where all files are pushed and a function is called to put the queue in a thread
4. Encrypt_file function is called to encrypt the files with AES.MODE_ECB encryption. There was no trace of any encryption key being stored on a local path or being sent to a remote address.
However, after further analysis it was noted that ECB is generally a bad choice since identical plain text blocks are encrypted to identical cipher text blocks – This is the reason for using AES.MODE_ECB encryption making it easier for the ransomware operator to decrypt the files through the decryptor and decryption key after payment.
5. Within the thread, after the files are encrypted, they are saved on their original paths with a new file extension i.e. <filename>.aris
6. Last step of execution – After the encryption, alert() function gets executed which generates a readme.txt file on the desktop of the infected system.
It also generates a pop-up on the user’s screen, asking to check the readme.txt file
and the background of the screen changes to the image below -:
readme.txt file contains the information / further instructions for decryption of system files i.e. instructions for payment of ransom.
The five most common methods through which a ransomware infect your system are -:
- Malicious E-mail attachments
- Malicious E-mail links
- Malicious code is hidden on the site, often in an advertisement (malvertisement)
- Drive-by downloads
- Unfamiliar USBs
Tips on how to prevent ransomware attacks -:
For both individuals and Organisations –:
- Never click on unverified/unidentified links
- Do not open untrusted email attachments
- Only download from sites you trust
- Never use unfamiliar USBs
- Use security software and keep it updated
- Backup your data periodically
- Isolate the system from the network
It is recommended to follow the above-mentioned prevention methods and never pay the ransom.
About Cyble:
Cyble is a US-based cyber threat intelligence company with the express mission to provide organizations with real-time views of their supply chain cyber threats and risks.
