A newly-found flaw in the Radamant command and control (C&C) server has allowed security experts to trick the malware into decrypting victims’ machines for free.
Radamant is a well-known ransomware kit on the black market, which is focused on infecting English-speaking users since December 2015. Security researchers claim that currently there are at least two known versions of this malware, known as RDM v.1and RKK v.2.
Radamant ransomware has been created to encrypt all data repositories on the infected virtual machines, including the HDD, USB-flash and the Shared folder, and to use a unique AES-256 key for each file. In addition, the AES-256 key is encrypted with an RSA-2048 master key which is embedded into the target file.
Just like some other ransomware, Radamant demands victims to pay a ransom using crypto-currency to receive a special tool containing a decryption key that can be used to unlock and restore their files. Nevertheless, malware experts have discovered a method of attacking the Radamant C&C server which could potentially let them decrypt victims’ files for free.
The cyber-threat intelligence provider points that this method relies on the Radamant C&C server being used to control all of the infected machines with a targeted vulnerability exploit to initialize the decryption process. Due to the fact that the malware creator is not aware of the flaw, the attack has been very effective in helping thousands of infected victims.
The new method involves registering the infected machine within the malware control center via a HTTP POST request. Nevertheless, this request should contain both public and private encryption keys, along with a unique identifier of the bot, which needs to be modified to bypass the filter and to avoid any additional vulnerability exploits.
The “ReplaceContent” function is used for validating and cleansing the external input, though it appeared to be ineffective due to not filtering backslashes that can be used for escaping special characters in the MySQL database, thus leaving the application vulnerable for SQL Injection attacks.
If all the right circumstances are met, the entire database can be retrieved, while the ransomware can be manipulated to believe that the infected machines paid the ransom. According to the experts, this is the reason why the malicious application initializes the decryption procedure and restores files to their original state.
The security researchers also claim that as soon as the new bot has been registered with the server, a specific HTTP request needs to be created and executed to change the status of all infected machines to paid and unlock their files.
After that, the script automatically searches for the specific bot ID in the database, while updating the bots’ last visit time, and it is during the execution of this SQL query that the customized bot identifier can be set to execute unintended commands to change the status of all machines to paid.
Once the query has been executed, every infected computer connected to the Radamant C&C server will automatically receive a private key which can be used to decrypt files with specific extensions.
This operation can be performed on a large number of bots to activate the process of data decryption without the knowledge of malware creator.
In addition, the experts said that Radamant’s creator is working on other crime kits, and that a new product was identified in early February 2016 as “KimChenIn Coin Kit.” This is an advanced crypto-currency malware stealer developed to target popular wallets, including Bitcoin Core, LiteCoin Core, Dash Core, NameCoin Core and Electrum-BTC/LTC/Dash.
Considering all the malicious threats lately, security specialists keep trying hard to help ransomware victims by creating free decryption tools and protection programs for their virtual machines, and these will be released as soon as possible.