McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although ransomware using GnuPG to encrypt files is not unique, it is uncommon.
We analyzed the following SHA-256 hashes of the malware GPGQwerty:
- 2762a7eadb782d8a404ad033144954384be3ed11e9714c468c99f0d3df644ef5
- 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
- f5cd435ea9a1c9b7ec374ccbd08cc6c4ea866bcdc438ea8f1523251966c6e88b
We found these hashes need many support files for successful execution. The three files themselves will not encrypt anything. GPGQwerty consists of a bundle of files that runs together to encrypt a victim’s machine. The bundle comprises ten files:
This ransomware was first seen at the beginning of March. Generally, this type of malware spreads by spam email, malicious attachments, exploits, or fraudulent downloads. The binary 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502 was spotted in the wild at hxxp://62.152.47.251:8000/w/find.exe; it may be part of a drive-by download strategy or was hosted on a legitimate site.
Key.bat, run.js, and find.exe are three files that play a vital role in the encryption process. The infection process follows this path:
Analysis
The binary find.exe has eight sections and the raw size of its .bss section is zero.
It also has an unusual time and date stamp:
The file includes malicious thread local storage (TLS) callbacks as an anti-analysis trick. Generally, this technique allows executable files to include malicious TLS callback functions to run prior to the AddressOfEntryPoint field (the normal execution point of a binary) in the executable header.
The action starts with the execution of the batch file key.bat. It imports the key and launches find.exe on the victim’s machine by executing the JavaScript run.js. The contents of the batch and JavaScript files are shown in the following snippet:
This ransomware kills some selected running tasks using command-line utility taskkill. This command has options to kill a task or process either by using the process ID or the image filename. In the following snippet, we see it terminating some processes forcefully by using their image names.
The ransomware tries to encrypt data using GnuPG (gpg.exe). The malware appends the extension .qwerty to the encrypted files:
The malware overwrites the original files using shred.exe:
After encryption, the ransomware allots a unique ID that identifies each victim. It also creates a .txt file that states all files on the computer have been locked and the victim must pay to decrypt the files.
GPGQwerty deletes the recycle bin using the Windows utility del:
Using the command “vssadmin.exe Delete Shadows /All /Quiet,” the ransomware silently removes the volume shadow copies (vssadmin.exe, wmic.exe) from the target’s system, thus preventing the victim from restoring the encrypted files. It also deletes backup catalogs (wbadmin.exe) and disables automatic repair at boot time (bcdedit.exe):
Finally, it creates the ransom note readme_decrypt.txt in each folder that holds an encrypted file. The ransom note gives instructions to communicate with an email address within 72 hours to arrange payment.
This Yara rule detects GPGQwerty:
rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty
{
meta:
author = “McAfee Labs”
description = “Detect GPGQwerty ransomware”
strings:
$a = “gpg.exe –recipient qwerty -o”
$b = “%s%s.%d.qwerty”
$c = “del /Q /F /S %s$recycle.bin”
$d = “cryz1@protonmail.com”
condition:
all of them
}
McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as Ransomware-GKF! [Partial hash] with DAT Versions 8826 and later. For more on combating ransomware, visit NoMoreRansom.org.