Rokku ransomware was discovered a few weeks ago. One of the most common methods for distributing it is spam e-mail, where a VBScript contained in the e-mail attachment drops the malicious executable.
What is interesting about Rokku is that its building blocks resemble those of Chimera ransomware. For that reason, security researchers took a closer look not only at the internal structure of this malware but also at the similarities and differences between the two infections.
When the executable is run, it works silently: it first drops ransom notes (in two formats, HTML and TXT) and then replaces files with their encrypted versions.
Rokku ransomware does not retrieve keys from a server, so the encryption process can also run offline.
Files encrypted by Rokku ransomware can be identified by the extension .rokku appended to the original name. The encrypted content has high entropy and shows no visible patterns.
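The two indicators just described, the appended .rokku extension and the high-entropy, pattern-free content, are what a responder would triage a file share on. The following Python is an added example (not code from the original analysis) that scores files on both: it computes Shannon entropy per file, recovers the original name by stripping the extension, and walks a directory tree. The entropy threshold of 7.5 bits per byte and the sample data written to a temporary directory are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ROKKU_EXT = ".rokku"            # extension the page reports Rokku appends to encrypted files
ENTROPY_THRESHOLD = 7.5         # bits per byte; an assumed triage threshold, not from the page
SAMPLE_BYTES = 1024 * 1024      # read at most 1 MiB per file when scanning a tree


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or constant
    input, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def has_rokku_extension(name: str) -> bool:
    """True when the file name carries the appended .rokku extension (case-insensitive)."""
    return name.lower().endswith(ROKKU_EXT)


def original_name(name: str) -> str:
    """Recover the victim's original file name by stripping the appended extension."""
    return name[:-len(ROKKU_EXT)] if has_rokku_extension(name) else name


def triage_file(name: str, data: bytes) -> dict:
    """Combine both indicators from the page: the renamed extension and the
    high-entropy, pattern-free content."""
    entropy = shannon_entropy(data)
    renamed = has_rokku_extension(name)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    return {
        "name": name,
        "original": original_name(name),
        "entropy": round(entropy, 3),
        "renamed": renamed,
        "high_entropy": high_entropy,
        # A renamed file is a direct hit; a high-entropy file without the extension
        # is only a candidate, because compressed archives and media look the same.
        "verdict": "rokku" if renamed else ("candidate" if high_entropy else "clean"),
    }


def scan_tree(root: str) -> list:
    """Walk a directory tree and triage every regular file (first SAMPLE_BYTES of each)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with open(path, "rb") as fh:
                results.append(triage_file(path.name, fh.read(SAMPLE_BYTES)))
    return results


if __name__ == "__main__":
    # Constructed demo data: a text file, a renamed random-content file and a random
    # blob without the extension, written to a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "notes.txt").write_bytes(b"Quarterly report: revenue up 4 percent.\n" * 50)
        Path(tmp, "invoice.pdf.rokku").write_bytes(os.urandom(4096))
        Path(tmp, "backup.zip").write_bytes(os.urandom(4096))
        for r in scan_tree(tmp):
            print(f"{r['verdict']:9} entropy={r['entropy']:.3f} "
                  f"{r['name']} (original: {r['original']})")
```

Entropy alone is a weak signal, since legitimately compressed or encrypted files score just as high; the extension is the reliable indicator here, and the entropy check mainly catches files whose rename was interrupted or undone.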
As with many products of this type, Rokku has a web panel for victims, used to manage the payment and decrypt files. It is available via Tor. Instead of forcing victims to type a unique ID, Rokku simply asks them to upload one file; all the necessary data is fetched automatically from that file. The panel then redirects to its personalized part and shows the order ID. This unique identifier can later be used to regain access to the page without uploading a file again.
Compared to other ransomware, Rokku's demanded ransom is relatively low: 0.2402 BTC (around 100 USD).
The decrypting application can be downloaded from the same website. After the payment is processed, the root key required to decrypt all the files is made available.
Even without paying, one chosen file can be unlocked for demonstration purposes. After an encrypted file is uploaded, its individual file key is released, and the file can then be decrypted with this key and the decryptor available on the website.
In the initial phase, the malware prepares to deploy its malicious features: it scans the environment and closes some programs. The malware uses encrypted strings, which are decrypted on the fly just before they are needed. This is implemented with a small in-line routine using SSE. An in-line routine has an advantage over a separate decrypting function: it is harder to locate all the calls to it and to recover the strings simply by tracing its output.
After that it reads a unique identifier of the current machine: it retrieves a GUID from the registry and the volume serial number of the disk where Windows is installed (using GetVolumeInformation). Both parts are concatenated together () and hashed using a local implementation of SHA512 (this implementation comes from OpenSSL).
The first half of the SHA512 hash and the are concatenated together and used as the mutex name (the mutex prevents the malware from running more than once at the same time). Finally, backups are removed and backup services are stopped.
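The host-identifier derivation described above is worth reproducing when matching a mutex or other artifact back to a specific machine. The following Python is an added example, not code from the original analysis or from the malware: it hashes the concatenated machine GUID and volume serial with SHA512 and takes the first half of the digest. Several points are assumptions, because the page does not state them: the exact concatenation layout (GUID text followed by the serial as eight upper-case hex digits is assumed), which registry value holds the GUID (the standard MachineGuid value is assumed), and the second component of the mutex name, which is left out entirely. Off Windows, constructed placeholder values are used.

```python
import ctypes
import hashlib
import sys

# Constructed placeholder values for running the demo off Windows (not from any real host).
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_SERIAL = 0x1234ABCD


def read_machine_guid() -> str:
    """Assumption: the GUID is HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid.
    The page only says 'GUID from the registry', so the sample may read another value."""
    import winreg  # Windows-only module, imported lazily
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography")
    try:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    finally:
        winreg.CloseKey(key)
    return str(value)


def read_system_volume_serial() -> int:
    """Serial number of the volume holding Windows, via GetVolumeInformationW
    (the API the page names)."""
    windir = ctypes.create_unicode_buffer(260)
    ctypes.windll.kernel32.GetWindowsDirectoryW(windir, 260)
    root = windir.value[:3]                      # e.g. "C:\\"
    serial = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return serial.value


def machine_fingerprint(guid: str, serial: int) -> str:
    """SHA512 hex digest over GUID || serial. Assumption: the GUID as text followed by
    the serial as eight upper-case hex digits; the page gives no byte layout."""
    material = (guid + f"{serial:08X}").encode("ascii")
    return hashlib.sha512(material).hexdigest()


def mutex_name_prefix(fingerprint_hex: str) -> str:
    """First half of the SHA512 hash (32 of 64 bytes, i.e. 64 hex characters), which
    the page says starts the mutex name. The second component is not on the page."""
    return fingerprint_hex[:64]


def host_fingerprint() -> tuple:
    """Return (guid, serial, fingerprint) for this host, or placeholders off Windows."""
    if sys.platform == "win32":
        guid, serial = read_machine_guid(), read_system_volume_serial()
    else:
        guid, serial = PLACEHOLDER_GUID, PLACEHOLDER_SERIAL
    return guid, serial, machine_fingerprint(guid, serial)


if __name__ == "__main__":
    guid, serial, fp = host_fingerprint()
    print(f"guid={guid} serial={serial:08X}")
    print(f"sha512={fp}")
    print(f"mutex name prefix (assumed layout)={mutex_name_prefix(fp)}")
```

Because the concatenation format is assumed, the computed prefix should be treated as a candidate to compare against mutex names observed in a sandbox run, not as a confirmed indicator.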
Based on behavioral analysis and experiments, it turns out that Rokku, like most ransomware, uses both symmetric and asymmetric encryption.
Salsa20 was chosen as the main symmetric encryption algorithm.
Every file is encrypted with Salsa20 using a new random key. Random values are obtained from advapi32.SystemFunction036, that is, RtlGenRandom. The random key is then encrypted with a locally implemented RSA algorithm.
Rokku ransomware attacks local disks as well as network shares. The malware has no external configuration: all the strings (including the attacked file extensions and blacklisted paths) are hardcoded in obfuscated form and decrypted in-line. Loading the hardcoded settings is performed by dedicated functions (in the described sample it starts at RVA = 0x2dcf). Attacked extensions are decrypted in chunks (each chunk contains several extensions) and then added to the list. Blacklisted paths are deobfuscated and loaded in the same way.
When it comes to its architecture, Rokku has several similarities with Chimera ransomware:
- the main part is a DLL loaded with ReflectiveLoader
- cryptography implemented locally (not via API calls)
- an external decryptor that can be downloaded from the given location before paying the ransom
However, the two infections communicate with victims differently: Chimera uses Bitmessage, while Rokku uses a Tor website. Also, Chimera requires an Internet connection in order to work, whereas Rokku is fully independent from the CnC server.
Considering all of the above, it is very likely that Rokku is a product of the authors of Chimera, created on a similar scheme but for different needs.