A new form of ransomware that has been spotted in the wild uses what researchers call “overkill” levels of encryption to hijack infected systems.
This week, FortiGuard Labs said the new variant, known as Nemty, was recently shared as a sample by a Twitter bot that posts PasteBin links to malware code.
One of the samples shared by the bot was meant to link to a Sodinokibi ransomware variant, but the source ended up being a new malware family altogether.
Sodinokibi, also known as Sodin or REvil, is malware in a constant state of evolution and employs tactics ranging from Windows zero-day exploits to compromised remote management software consoles to infect systems.
Due to the discovery of a key which gives the ransomware’s operators the opportunity to decrypt any file regardless of public and private key setups, it is possible the malware is being offered as ransomware-as-a-service (RaaS). Researchers have previously outlined the similarity between GandCrab and Sodinokibi code.
While a link embedded in the binary of the Nemty sample was also used by GandCrab before the operator’s ‘retirement’ (having made their money), and Nemty appears to be distributed through the same channels as Sodinokibi, the researchers say they have yet to prove a solid link between the trio.
It is not known whether or not Nemty has any links to these malware families beyond the binary link and distribution by the Sodinokibi group, but it is possible that the early-stage ransomware could be the latest malware offering of cyberattackers connected to RaaS schemes.
Nemty appears to still be in the development stage. A payment page has been set up in the Tor network and $1000 in Bitcoin (BTC) is requested in return for a decryption key to unlock infected systems.
While there is a function to send encrypted configuration information from a target machine to the ransomware’s command-and-control (C2) server, at the moment, the IP address intended to be used for the C2 is just a loopback address.
“It is possible that they simply have not configured an operational server to receive the data yet,” the researchers say.
In order to encrypt a victim’s PC, Nemty utilizes both base64 encoding and RC4 encryption. In a snide jab at any researchers reverse-engineering the code, the developers have used a Russian phrase, “f**kav\x00,” as their RC4 encryption key.
AES-128 in CBC mode, RSA-2048, and RSA-8192 are used for encrypting files and generating keys. A 32-byte value is used as an AES key, an RSA-2048 key pair is generated, and unusually, RSA encryption with 8192 bits of key size is used to encrypt both configuration files and a private key.
FortiGuard Labs says that 2048-bit and 4096-bit key sizes are generally more than adequate to encrypt and secure messages, and so the use of an 8192 size is “overkill and inefficient for its purpose.”
“Using the longer key size adds a large overhead due to significantly longer key generation and encryption times […] RSA-8192 can only encrypt 1024 bytes at a time, even less if we consider the reserved size for padding,” the researchers note. “Since the configuration’s size will surely be more than that due to the fact that it contains the encoded private key, the malware cuts the information into chunks of 1000 (0x3e8) bytes and performs multiple operations of the RSA-8192 until the entire information is encrypted.”
The heavy use of encryption means that it is “not practically possible” to decrypt a compromised system, according to the cybersecurity firm. This is unfortunate, as decryption programs offered by cybersecurity firms can sometimes be the only way to recover files lost to ransomware infections without paying up.
There are issues with the code which indicate development may be underway, such as file comparison repetition without purpose and an inefficient method employed to whitelist some file extensions. The malware will also check to see if the system’s IP address relates to Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine — but regardless of the result, encryption will continue.
Indicators of affiliate IDs buried in the malware’s code also point to RaaS.
Despite code issues and indicators that Nemty is still in development, the researchers say that as it can still encrypt systems effectively, the malware is “a real threat” even in its current state. Indeed, as the report was being finalized, a new variant of Nemty was found — which may suggest distribution is underway.