CyberInsecure.com

April 19th, 2009

System Locking SMS Ransomware Trojan.Ransomlock Can Be Removed Manually

Another ransomware threat has been reported recently by Symantec: Trojan.Ransomlock. Though not as tough as Trojan.Gpcoder (it doesn’t encrypt documents), the Trojan locks the user out of his or her desktop, so that they are unable to access the computer in any way. “Ransomware” threats have become familiar by now: when run, they tamper with some functionality on the compromised computer and ask the user to send money to some account in order to undo the tampering. In the case of the Trojan.Gpcoder family, the main purpose of the Trojan was to heavily encrypt documents on a computer and then ask the user for money in order to receive the decryption key/tool.

When run, the Trojan displays the following window:

Notice how the design of the window attempts to mimic the Microsoft Windows interface. The text is in Russian and it says:

To unlock you need to send an SMS with the text 4113558385 to the number 3649

Enter the resulting code:

Any attempt to reinstall the system may lead to loss of important information and computer damage

The code shown is randomly generated each time. Apparently the purpose of the Trojan is to ask users to send an SMS to receive a corresponding code that will disable the Trojan, thus unlocking the computer. The attacker probably receives money for each SMS sent to the number.

Although this Trojan is not particularly dangerous, it is quite annoying. The Ctrl+Alt+Del sequence is inhibited so that a user cannot access the Task Manager to end the Trojan’s process. Rebooting will not help, even in Safe Mode, since the threat installs itself in the “Userinit” registry key so that it runs every time Windows is started.

If you get infected, be careful: don’t send any SMS messages to the number. Symantec has created a tool that you can download to generate the code needed to unlock the computer. You can also refer to the Trojan.Ransomlock write-up for more details. If you cannot download the code generator, then you will have to boot the computer with an external operating system in order to access the file system and delete the Trojan.

How to generate a valid unlock code by yourself:

1. Get the input code; it should be in the form of “411xxxxxxx.” The length of the code can be 10 or 11 digits.

2. Discard the first three digits. For example, if your code is “4111234567” then “1234567” is the number you need.

3. Convert this number to hexadecimal notation. You can do so using the Windows calculator. All of the following calculations will be in hexadecimal. In our case, “1234567” in decimal is “12D687” in hexadecimal notation.

4. Consider only the five least significant hexadecimal digits of the number. In our example we keep only “2D687.”

5. Start from the left-most digit, and apply the formula with the parameters as they appear in the disassembly:

x1 = (2 * 0x95) % 0xA7
x2 = (D * 0x6C) % 0x97
x3 = (6 * 0x1F) % 0xA3
x4 = (8 * 0x1D) % 0xB3
x5 = (7 * 0x35) % 0xC5

After this, your values should be:

x1 = 0x83, x2 = 0x2D, x3 = 0x17, x4 = 0x35, x5 = 0xAE

6. Now you can use these five numbers to compose the unlock code. Starting from x1, perform a “left shift” of the running value (a multiplication by 0x10, i.e. one hexadecimal digit) and then add the next number to the result. Note that some of the values are two hexadecimal digits wide (x1 = 0x83, for instance), so this is an arithmetic addition with carry, not a simple concatenation of digits. In our example:

0x83 * 0x10 = 0x830
0x830 + 0x2D = 0x85D ;  0x85D * 0x10 = 0x85D0
0x85D0 + 0x17 = 0x85E7 ;  0x85E7 * 0x10 = 0x85E70
0x85E70 + 0x35 = 0x85EA5 ;  0x85EA5 * 0x10 = 0x85EA50
0x85EA50 + 0xAE = 0x85EAFE

7. Finally, convert this hexadecimal number back to decimal notation (in our example, you obtain “8776446”), which is the unlock code that you can use in order to get rid of the Trojan.
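The seven steps above, carried out in code as an added example written for this page; it is not the post’s own material nor Symantec’s code generator. The multipliers and moduli are the constants quoted from the disassembly; the function and constant names are the editor’s, and left-padding short values with zero hex digits is an assumption the post does not state.

```python
# Added example (not from the original post or Symantec's tool): a Python
# re-implementation of the unlock-code derivation described in steps 1-7.
# The multipliers and moduli are the constants quoted above from the disassembly.
MULTIPLIERS = (0x95, 0x6C, 0x1F, 0x1D, 0x35)
MODULI = (0xA7, 0x97, 0xA3, 0xB3, 0xC5)


def looks_like_ransomlock_code(code: str) -> bool:
    """Step 1: the on-screen code is 10 or 11 decimal digits starting with 411.

    Codes of other shapes (e.g. the "K278..." or 6-digit ones mentioned in the
    comments) belong to other variants and are deliberately rejected here.
    """
    code = code.strip()
    return code.isdigit() and len(code) in (10, 11) and code.startswith("411")


def mix_digits(low20: int) -> tuple:
    """Step 5: apply (digit * multiplier) % modulus to each of the five hex
    digits of low20, left-most digit first. Returns the five x values."""
    nibbles = [(low20 >> shift) & 0xF for shift in (16, 12, 8, 4, 0)]
    return tuple((nib * mul) % mod
                 for nib, mul, mod in zip(nibbles, MULTIPLIERS, MODULI))


def unlock_code(code: str) -> int:
    """Derive the decimal unlock code from the code displayed by the Trojan."""
    if not looks_like_ransomlock_code(code):
        raise ValueError("expected a 10- or 11-digit code starting with 411")
    n = int(code.strip()[3:])   # step 2: drop the leading "411"
    # Steps 3-4: keep only the five least significant hex digits.
    # Assumption: values shorter than five hex digits are zero-padded on the left.
    low20 = n & 0xFFFFF
    acc = 0
    for x in mix_digits(low20):
        # Step 6: shift the running value left one hex digit, then add x.
        # x may be two hex digits wide, so this is an arithmetic add with
        # carry, not string concatenation (0x830 + 0x2D = 0x85D).
        acc = acc * 0x10 + x
    return acc                  # step 7: the decimal value of acc is the unlock code


if __name__ == "__main__":
    # Worked example from the post: 4111234567 -> 8776446
    sample = "4111234567"
    print(sample, "->", unlock_code(sample))
```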

After you enter a valid unlock code, the malicious window will disappear, but the Windows desktop could still be frozen. Don’t worry—all you need to do is to hit Ctrl+Alt+Del on the keyboard, click on the log-off button, and then log back in. (A reboot will work as well.) At this point, you have control of the computer again and the Trojan will be gone.

Credit:  Andrea Lelli, Symantec


    6 Responses to “System Locking SMS Ransomware Trojan.Ransomlock Can Be Removed Manually”

    1. Ron Blizzard Says:
      April 27th, 2009 at 4:58 am

      I take it I have a different strain as the screen and words are the same but mine doesn’t start 411xxxxxxx, it is K2780621004, same text number.

      Can you help as your unlock tool will not decode?


    2. CyberInsecure Says:
      April 27th, 2009 at 8:56 am

      It might mean this is a different or updated version. They pop up as older versions get detected.

      Try looking for a tool at the Symantec, Kaspersky or Panda Security websites as they might already have a solution. If not, report it to them as soon as possible.


    3. Hi, I have got something like this but it seems the code that has to be SMSed to 3649 is actually a 6-digit code. It has never been more than 6 digits or in the format of 41xxx….. or k2xxxx….

      I really need help. Tried Symantec, did not find it.
      Thanks. Desperately waiting for the right reply.
      Thank you


    4. CyberInsecure Says:
      October 7th, 2009 at 9:45 am

      You probably got the new version; it can’t be removed without a proper tool from an anti-virus company. Try Kaspersky and Dr.Web. If their scanners didn’t fix the infection, download Rescue CDs (https://cyberinsecure.com/links); one of them might help.


    5. Chris on October 7th, can you confirm that CyberInsecure’s response does in fact fix your problem? I have a friend that showed me this exact problem. Funny enough, you could easily boot into safe mode, or from there choose diagnostic mode through msconfig to bypass this screen. From there I knew something was wrong and illegitimate. Upon searching the web, I found this page to confirm my suspicion.

      Anyway, this gentleman is also receiving a 6-digit code to be used to unlock, to the same text number that Chris has spoken about before.

      Cheers and thanks in advance,

      -duff


    6. Dear Sir,

      My computer has been infected with a trojan virus and when I checked my PC there was a message on my desktop saying something like “semi apologies, your files have been encrypted with 512 kb encryption, contact us on some email.” On fear I shut down the system and ran Malwarebytes, which removed some files. Then I installed AVG 9 and did a full scan. No viruses detected. Now the jpg, pdf and xls files I am not able to open as these are encrypted. Can you help me in unlocking these files?
      Thank you
      Anil Kumar

