A ransomware infection can affect both home users and business organizations. It can result in financial losses if you pay the attacker in an effort to preserve your data, a disruption of normal business operations and brand reputation, and most importantly, the possibly permanent loss of important, sensitive, and critical data - all of which can negatively impact business productivity. Attackers may either be a well-organized cybercrime organizations, using their own infrastructure to target their victims, or a single person working on their own. A single attacker is more likely to buy off-the-shelf malware or modify a piece of code they find to create a new one. Once the attacker has created the ransomware, they only need to find a delivery mechanism to spread it and infect users.
We look at a new CrypVault ransomware variant called LovxCrypt that we recently uncovered being spammed as an email attachment.
Just like any other malware, this one arrives as an attachment to spammed emails with a fake “Resume” theme. The attachment is a zip file which then contains a file with a .CHM extension. We have seen this kind of spammed email format and social engineering trick many times before. Despite the frequency of this method of attack, users still fall for it on a regular basis, which is why it’s used so often.
Figure 1: The .chm File Posing as a Resume
This section describes the flow of execution and will also describe all the components that were either downloaded or created.
Once the .CHM file loads, it downloads a file from 'hxxp://xxx.xxx.58.24/zae/br(dot)css' and saves it as ‘br.wsf’ in the Windows %TEMP% folder. This is accomplished with a simple PowerShell one-liner (Figure 2).
Figure 2: Decompiled CHM File
hxxp://xxx.xxx.58.24/zae/fildo(dot)jpg --> '%TEMP%/houp.docx'
hxxp://xxx.xxx.58.24/zae/vnm(dot)jpg --> '%TEMP%/vnm.jpg'
hxxp://xxx.xxx.58.24/zae/logiz(dot)jpg --> '%TEMP%/zart.bat'
‘houp.docx’ – This is a valid Microsoft Word Document file which opens immediately so the victim thinks that they opened an actual document file. It is most likely written in a non-English language that it does not properly show the contents when opened in an English version of Microsoft Word, as shown in Figure 3 below.
‘vnm,jpg’ – This is the ‘gnupg.exe’ encryption tool that will encrypt the user’s files.
‘zart.bat’ – This is the main module which is in the form of a batch file.
The ‘wsf’ file also creates and runs the file ‘testfile.js’ which will then open the file ‘houp.docx’ in Microsoft Word, while also running the main module ‘zart.bat’ in the background.
Figure 3: The Word Document File - Used to Distract the Victim
The Main Component
Like the old CrypVault ransomware, the main component is a Windows batch file responsible for all the actions taken by this ransomware, including configuration of the GnuPG environment, enumerating all drives and searching for specific files to encrypt, encrypting the files, and showing the ransom notes. Besides being written with a sort of spaghetti code to make analysis of the code difficult, the batch file also contains a bunch of ‘echo’ commands with random strings that really have nothing to do with the code. Their job is to try to evade traditional AV signatures, and it typically works.
The GnuPG encryption needs a public and a private key pair to work. For this ransomware, the author sends the public key and uses it to encrypt the victim’s file. Once the files are encrypted, they cannot be decrypted without the corresponding private key. If the victim wants their files back, they must contact the author and buy the key to decrypt them.
As seen in the code snippet on Figures 4a and 4b below, it first renames the GnuPG file ‘vnm.jpg’ to ‘zzd.exe’ so that it can properly execute. It can also be seen that the batch file contains the public key that will be saved to a file named ‘%temp%\ib2h1fmf.vay1wsjl.’
Figure 4a: Renaming the GnuPG program
Figure 4b: The Batch File Commands Creating the Author’s Public Key
The ransomware then proceeds to search for files to encrypt. It does this by enumerating all drives and recursively searches all folders for files with the following extensions:
*.xls, *.doc, *.xlsx, *.docx, *.pdf, *.rtf, *.cdr, *.psd, *.dwg, *.mdb *.1cd *.dbf *.sqlite *.cd, *.jpg *.zip
Once a file is found, it will not immediately encrypt it, but only saves the path and filename in a text file. It will also construct a batch file command for each file which does the encryption. These batch file commands will be saved in another text file that will later be saved as another batch file and execute it to complete the encryption process.
The malware, using the ‘FOR’ command, enumerates all drives from A to Z, and then uses the combination of ‘DIR’ and ‘FOR’ commands to search for files with the extensions *.xls, *.doc, *.xlsx and *.docx. And for every file that it finds, it generates the batch command for encryption (Figure 5). The batch command runs the file zzd.exe (GnuPG tool) with specific parameters for encrypting a file. The encrypted file will then be renamed using its original filename plus the added ‘.lovx’ extension appended at the end. The batch commands are saved to the file ‘mizby432.36oz0u00’ while the file list is saved to ‘fo8hf4fo.uhbc0ckw.’ The same codes will be repeated for the other file extensions.
Figure 5: Searching For Targeted Files to Encrypt
To ensure that the system will still function properly after encrypting files, the ransomware avoids encrypting files in the %APPDATA% and %TEMP% folders, as well as those that are inside a folder with its name containing any of the following:
It does this by re-processing the files ‘fo8hf4fo.uhbc0ckw’ and ‘mizby432.36oz0u00’ and removing any lines containing any of the strings mentioned above, as shown below:
Figure 6: Removing Specific Files to Skip Encryption
Finally, the file ‘mizby432.36oz0u00’ is renamed as ‘jb3rwma7.cmd’ and is run as another batch file. After all this setup, the malware finally begins the encryption process. As mentioned, all encrypted files are renamed with the extension '.lovx.’
Figure 7: Encrypted Files With the New ‘.lovx’ Extension
The Ransom Note
After the encryption step, the ransomware generates the ransom notes (Figure 8). It creates the text file ‘lovx.txt’ containing the plain text ransom note and copies it to the desktop folder. It also creates the file ‘r7cwt808pg03o62d.hta’ with another note formatted as HTML. The .HTA file will then be opened using the command ‘mshta.exe’ to display the main ransom note (Figure 9). To ensure the user receives the message, registry entries are added to display the ransom notes every time Windows starts (Figure 10).
Figure 8: Creating the Ransom Note
Figure 9: Here is the Actual Ransom Note Displayed and Contents of the Dropped Text File ‘lovx.txt’
Figure 10: Added Registry Entries
It also creates a file association for files with the ‘.lovx’ extension, as well as assigning it the default icon of an image of a padlock. It then creates a custom VBScript command for that file association so that whenever a ‘.lovx’ file is double-clicked, it displays a message box informing the victim that the file is blocked and requires a key to unblock it (Figure 11).
Figure 11: Encrypted Files With the New Icon and the MessageBox Alert When a File is Double-Clicked
Even with the rising number of newer and more complex ransomware coming out, something like the LovxCrypt will still come out in the mix. Because of its simplicity, all the attacker must do to generate new variants is to change the code a little bit and find new ways to distribute it. As usual, we see attackers going after the low-hanging fruit – using an easy bit of code to make a quick buck.
As we showed, by using just a combination of scripting languages, as well as some known encryption tools like GnuPG, a working and effective ransomware like the LovxCrypt can be easily written. We expect more of this to come out in the future.
If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.
Indicators of Compromise (IOCs)