A free decryption tool for the recently detected Alma Locker ransomware is now available, thanks to the PhishLabs security company.
Alma Locker was first discovered by Proofpoint security researcher Darien Huss and then analyzed by Lawrence Abrams of Bleeping Computer. Unlike many other newly spotted ransomware strains, which have turned out to be little more than test samples, Alma Locker is a fully developed, working threat, and it is already being widely distributed via the RIG exploit kit.
At this point, researchers are not sure exactly how the crooks behind Alma are funneling hijacked traffic to the RIG exploit kit's landing page. Whether that traffic comes from malvertising on legitimate websites or from hacked websites has yet to be determined.
Researchers were initially unable to crack Alma Locker's strong encryption, but the PhishLabs team has now found a couple of weaknesses in the way the ransomware operates. Leveraging these weaknesses, they created a C# source file with which victims can restore their locked data without paying the ransom.
Alma Locker encrypts files using an unusual two-phase approach. During the encryption process, the ransomware sends the AES key to its C&C server in cleartext over HTTP. Because AES is a symmetric algorithm, that same key both encrypts and decrypts the files. Unless the victim keeps network activity logs (for instance from a web proxy or a packet capture), the key is unobtainable once the encryption process ends.
Once the file encryption process is completed, the ransom note is displayed. Unlike most ransomware families, whose notes include additional information such as a message to the victim, Alma Locker's note contains only links to a TOR-based website and to the decryptor. Only after victims have downloaded and run the decryptor are they given more detailed information, including the ransom demanded, 1 Bitcoin (about $585), and the Bitcoin address to which payment must be sent.
PhishLabs' team said the weakness they found is that the decryptor is susceptible to a basic man-in-the-middle attack. That is how they managed to spoof communications from the crooks' C&C server and observe how the decryptor actually works. With that knowledge, they created a C# source file that can decrypt victims' files for free, provided the victim can recover the encryption/decryption key from network logs. The file is available for download on the PhishLabs blog.
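The two paragraphs above hinge on one practical question: can the victim actually find the leaked AES key in their network logs? The script below is an added example written for this article, not PhishLabs' code and not Alma Locker's own traffic. It scans web-proxy log lines for URL parameters whose value decodes (as hex or base64) to an AES-sized blob of high-entropy bytes, which is what a symmetric key sent in cleartext over HTTP would look like. The log format, the hostnames, the parameter names and the sample lines themselves are constructed assumptions; real proxy logs and real C&C URLs will differ.

```python
"""Hunt a web-proxy log for URL parameters that look like a leaked AES key.

Added example for this article; not PhishLabs' decryptor and not real Alma
Locker traffic. The log format ("<timestamp> <client> <method> <url>"), the
hosts and the parameter names are assumptions made for the example.
"""
import base64
import binascii
import math
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log. Lines 3 and 4 carry a 16-byte value in a query
# parameter (hex and base64 respectively); the rest are ordinary browsing.
SAMPLE_LOG = """\
2016-08-22T10:14:02Z 10.0.0.23 GET http://cdn.example.net/jquery.min.js
2016-08-22T10:14:05Z 10.0.0.23 GET http://update.example.org/check?v=1.2.3&lang=en
2016-08-22T10:14:09Z 10.0.0.23 GET http://198.51.100.7/gate.php?id=WIN-7K2F&key=4fa9d3c2b1e0f7a6c5d4e3f2a1b0c9d8
2016-08-22T10:14:11Z 10.0.0.23 POST http://198.51.100.7/gate.php?id=WIN-7K2F&k=T6m9Qw3ZrK8dPbXyL1cVhA%3D%3D
2016-08-22T10:14:30Z 10.0.0.23 GET http://www.example.com/index.html?page=2
"""

KEY_LENGTHS = (16, 24, 32)  # AES-128 / AES-192 / AES-256 key sizes in bytes
MIN_ENTROPY = 3.5           # bits per byte; a random 16-byte key scores close to 4.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_candidate(value: str):
    """Return the raw bytes if `value` is hex or base64 of a key-sized blob, else None.

    Hex is tried first because a 32-character hex string is also valid base64
    (it would decode to 24 bytes and be double-counted otherwise).
    """
    decoders = (
        lambda v: bytes.fromhex(v),
        lambda v: base64.b64decode(v, validate=True),
    )
    for decode in decoders:
        try:
            raw = decode(value)
        except (ValueError, binascii.Error):
            continue
        if len(raw) in KEY_LENGTHS:
            return raw
    return None


def find_candidate_keys(log_text: str):
    """Scan proxy log lines; return (line_no, host, param_name, key_hex) tuples.

    Low-entropy blobs (padding, counters, repeated bytes) are dropped so that
    only values that plausibly came out of a CSPRNG are reported.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line
        url = urlsplit(parts[3])
        # parse_qsl percent-decodes values, so "%3D%3D" becomes "==" for base64.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            raw = decode_candidate(value)
            if raw is None or shannon_entropy(raw) < MIN_ENTROPY:
                continue
            hits.append((line_no, url.hostname, name, raw.hex()))
    return hits


if __name__ == "__main__":
    for line_no, host, name, key_hex in find_candidate_keys(SAMPLE_LOG):
        print(f"line {line_no}: host={host} param={name} key={key_hex}")
```

Each candidate is reported with the host it was sent to, so an unfamiliar destination contacted right before files started changing is the one to try first; the recovered value is then what gets handed to the PhishLabs decryptor, whose first run prints the parameters it expects.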
“The .CS file is self-containing,” King Salemno, a PhishLabs malware researcher, told Softpedia. “All one needs to do is compile it via a C# compiler and run it. First run will indicate the parameters needed for decryption.”