An additional.. more of "copy paster evidence" :)
let's take a look into file restoring decryption, and AES key restoring decryption done by this ransomware.
You can see in the above last picture of my reversing pad
here in
0x400836 that
aes_decrypt
function was called. If you trailed that function you will see that the
decrypting process (for restoring the crypted files) is using the
function called
mbedtls_aes_setkey_dec and
mbedtls_aes_crypt_cbc - it is a well known function to decrypt AES on the CBC crypt mode if you familiar with the
Polar SSL, since they are functions described in the
mbedtls/pk.h - So apparently the coder is copy pasting these codes for the ransomware decryption purpose.
Below is the reversing illustration (click to enlarge)
Those two calls that are significantly important for decrypting functions, the
mbedtls_aes_setkey_dec
(0x4005db) is a decrypting AES function and by default is using the 128
bit length key (like what this ransomware used..default base setting of
a pure copy-paste :D ) - and
mbedtls_aes_crypt_cbc (0x4005f9) that is explaining the CBC crypt method in AES is used.
Also in the above last picture
here in 0x400753 was stated the call to
private_decrypt() and following its trail you'll see the call for
mbedtls_pk_decrypt()
with the purpose to decrypt the AES key for restoring encrypted files
by this ransomware, by using the RSA private key. This function is also
using Polar SSL source code used for decrypting an encrypted
messages/communication, and it is supported to RSA keys with the
default padding type PKCS#1 v1.5, and again, this is what the RSA
specification used by these copy-paster :lol:
The flow of private key decrypting of the AES key used for restoring files, can be seen with commented reversing code below:
Understanding these methods is making us easier to seek a howto prevent
and even the ways in cracking "the necessaries" to restore the crypted
file. There are weaknesses in the scheme of this ransomware that can be
used for it. I leave it to you all to provide mitigations.
Moreover, this is not the first time that open source codes were used by
the criminal in a malware.. And this is a sample of bad result of too
many ransomware concept and source codes that is openly shared in
internet, there are more bad that good in sharing these kind of stuff
openly.
@unixfreaxjp of MalwareMustDie - heil to fellow
unix shell reversers - thanks for cool aeim asm.emu/emuwrite from pancake - it worked well! :)