Cracking ransomware: RansomWarrior victims can now retrieve files for free

Researchers at Check Point examined this recent form of ransomware and found it relatively easy to crack.
Written by Danny Palmer, Senior Writer

Victims of a new form of ransomware that appeared just weeks ago can now retrieve their encrypted files without having to pay a bitcoin ransom.

Discovered in early August, RansomWarrior appears to be the work of hackers working out of India, if the inclusion of "Have a good day with the love from India" on the ransom note is to be believed.

The file-locking malware targets Microsoft Windows users and is delivered via an executable named 'A Big Present.exe' which, if run, encrypts the victim's files and gives them a .THBEC extension.

Victims are shown a ransom note and given instructions to visit a dark web address in order to pay an unspecified ransom in bitcoin cryptocurrency.

[Image: RansomWarrior ransom note. Image: Check Point]

The attackers offer victims the opportunity to decrypt two files for free but the note also reminds victims that if they don't pay the ransom, they won't get their files back.

Victims are also intimidated into not reporting the attack to the police, with the attackers claiming law enforcement "can't help you".


Researchers at Check Point analysed RansomWarrior and found it to be the work of seemingly inexperienced attackers, and were able to retrieve the decryption keys from the malware.

Check Point succeeded because of the weak encryption used by the ransomware: a stream cipher whose key is picked at random from 1000 hard-coded keys embedded in the RansomWarrior binary.

Because the index of the chosen key is saved locally on the victim's computer, which is what lets the malware unlock the files later, the researchers were able to build a decryption tool for anyone infected by RansomWarrior.
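To show why this key management is so weak, here is an added example (not Check Point's tool and not the malware's code) that models the scheme the article describes: a table of 1000 keys, a stream cipher, and a key index left on disk. The cipher and the key table are constructed stand-ins, not RansomWarrior's real ones; it demonstrates that recovery is a single table lookup when the index is available, and a trivial 1000-candidate search checked against a known file header when it is not.

```python
import hashlib

# Constructed stand-in for a hard-coded key table: 1000 entries, as the article
# describes, but generated here for illustration rather than taken from the binary.
NUM_KEYS = 1000
KEY_TABLE = [hashlib.sha256(b"toy-key-%d" % i).digest() for i in range(NUM_KEYS)]

# Known header of a file type the victim is likely to have (PNG magic bytes).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Constructed for this example; it stands in for the malware's actual cipher.
    Because the keystream depends only on key and position, the same function
    both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def recover_with_index(ciphertext: bytes, stored_index: int) -> bytes:
    """The case in the article: the key index was saved on the victim's machine,
    so decryption is one lookup into the hard-coded table."""
    return keystream_xor(KEY_TABLE[stored_index], ciphertext)


def recover_by_search(ciphertext: bytes, known_prefix: bytes):
    """Fallback if the stored index were lost: 1000 candidates is a trivial
    search. Decrypt only the first bytes under each key and accept the key that
    produces the expected file header; returns (index, plaintext) or (None, None)."""
    for idx, key in enumerate(KEY_TABLE):
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return idx, keystream_xor(key, ciphertext)
    return None, None
```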

While many cyber criminals have switched focus to cryptocurrency mining malware as a stealthier and less risky means of acquiring bitcoin and other cryptocurrencies, ransomware still remains a prominent cyber threat.

Instead of deploying mass spam campaigns in an effort to infect as many users as possible, the most successful ransomware campaigns have developed new tactics.

In many cases, the attackers put time and effort into compromising whole networks before eventually pulling the trigger on the ransomware infection.

It's this form of targeted campaign that helped one cyber criminal operation make over $6m, and which continues to net it an additional $300,000 each month.
