A new ransomware specimen has started infecting computers called CryptoBit (not to be confused with the specimen launched in September 2013 called CryptorBit, which was quickly decrypted by Nathan Scott). CryptoBit has been analyzed by PandaLabs and a flaw has been detected that could allow for decryption. It has been spread so far using exploit kits to infiltrate operating systems. It has interested the researchers at PandaLabs because it is not generic – it has certain differences from other species. Ransomware enters covertly, encrypts files and then holds them hostage.
CryptoBit enters with the aid of the EK and scans files, detecting 96 different extensions. The ransomware then goes ahead encrypting them using AES-256 encryption, the key of which is then encrypted with an RSA-4096 algorithm. This makes it a dual-key malware that uses a public key for encryption and a private key for the decryption. The key for decrypting is then sent to a server that is hacker-controlled. PandaLabs were impressed with this encryption.
After the encryption process is complete, CryptoBit produces a ransom note telling the victim how to pay. The price for the key is 1 bitcoin (about $425 U.S) which rises by the same rate each day. The victim’s reference number should be e-mailed to the ransomware-author for payment details. There is also a Bitmessage network address.
A Malware Mistake?
The flaw that may enable decryption is explained by a PandaLabs researcher: “We notice[d] a specific detail: the absence of calls to the native libraries that encrypt files using the RSA algorithm… CryptoBit uses a series of statically compiled routines that allow you to operate with large numbers (‘big numbers’), making it possible to reproduce the RSA encryption algorithm.”
So, there may be a key to CryptoBit. Watch this space for more news!