Russian Hackers Debut Simple Ransomware Service, But Store Keys In Plain Text (theregister.com)
The pro-Russian CyberVolk group resurfaced with a Telegram-based ransomware-as-a-service platform, but fatally undermined its own operation by hardcoding master encryption keys in plaintext. The Register reports: First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation that launched in late summer. It's run entirely through Telegram, which makes it very easy for affiliates that aren't that tech savvy to lock files and demand a ransom payment. CyberVolk's soldiers can use the platform's built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram.
But here's the good news: the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master keys -- this same key encrypts all files on a victim's system -- into the executable files. This could allow victims to recover encrypted data without paying the extortion fee, according to SentinelOne senior threat researcher Jim Walter, who detailed the gang's resurgence and flawed code in a Thursday report.
They have a decryption key... (Score:4, Funny)
Which is more integrity than I expected from a ransomware scammer. I assumed they all just replaced the files with noise and PROMISED to decrypt in exchange for payment.
Re: (Score:2)
Some still do that. And some send ransomware threats when there is no attack. Apparently both approaches continue to work to some degree.
the worst part is.. (Score:1)
This seems intentional (Score:3)
It seems to me that, if you were developing something like this, you'd want to write the encryption and decryption code separately from the non-trivial key management code, so that you can unlock it easily if someone accidentally locks the wrong system. You only make the build that doesn't have an obvious key when you're really going to use it. For that matter, it's probably wise to do your demos with the version with the master key, so that potential affiliates can't attack a real target for the demo. Then you give the version that doesn't make it easy to unlock to paying affiliates who aren't SentinelOne. It's not like they'd need to redesign the whole system to generate a random key and not write it in plaintext anywhere.
Re: (Score:2)
These people operate on the same level as clueless major software makers like CrowdStrike, Microsoft, etc. Hence, while this could be done a lot better and competently, these people just do not have the skills.
Criminals are stupid (Score:2)
Otherwise they would be able to make more money (as soon as you take risk-costs into account) in a regular job.