An encryption ransomware written in Delphi. This Trojan is a later modification of Trojan.Encoder.102 and is similar to its predecessor in many ways. The Trojan performs two-tier file encryption. First, data blocks of 0x200 bytes are encrypted using the XOR algorithm (the block length and gamma can vary). Then files are encrypted with the RSA algorithm. The Trojan adds additional extensions to the names of the encrypted files.
- Additional extensions *.HELP@AUSI.COM_XQxxx, *.HELP@AUSI.COM_XOxxx, contact email—HELP@AUSI.COM
- Additional extension *.sos@ausi.com_ZQxxx, contact email—sos@ausi.com
- Additional extension *.SAD@FIREMAN.NET_AMxxx, contact email—SAD@FIREMAN.NET
- Additional extension *.COMODO@EXECS.COM_hexxxx, contact email—COMODO@EXECS.COM
- Additional extension *.SOS@AUSI.COM_IDxxx, contact email—SOS@AUSI.COM
- Additional extension *.ZANZIBAR@umpire.com_ZAxxx, contact email—ZANZIBAR@umpire.com
- Additional extensions *.REDBULL@PRIEST.COM_RBxxx or *.REDBULL@PRIEST.COM_RExxx, contact email—REDBULL@PRIEST.COM
- Additional extension *.Heinz@oaht.com_hxxx, contact email—Heinz@oath.com
- Additional extension *.NUMBAZA@SEZNAM.CZ_Qxxx, contact email—NUMBAZA@SEZNAM.CZ
- Additional extension *.backspace@riseup.net_xxx, contact email—backspace@riseup.net
- Additional extension *.SOS@AUSI.COM_FGxxx
- Additional extension *.numlock@riseup.net_*, contact email—numlock@riseup.net
- Additional extension *.starpex@riseup.net_*, contact email—starpex@riseup.net
- Additional extension *.HELP@AUSI.COM_XE, contact email—HELP@AUSI.COM
- Additional extension *.numlock@2riseup.net_*
- Additional extension *.HELP@AUSI.COM_DE*
- Additional extension *.oduvansh@aol.com_*, contact email—oduvansh@aol.com
- Additional extension *.evromaidan2014@aol.com_*, contact email—evromaidan2014@aol.com (not to be confused with the cases WITHOUT extensions!)
- Additional extension *.byaki_buki@aol.com_*
- Additional extension *.iizomer@aol.com_*
- Additional extension *.Support@casinomtgox.com*, usually *.Support@casinomtgox.com_lot*
- Additional extension *.kolobocheg@aol.com_*
- Additional extension *.anna_stepanova@aol.com_*
- Additional extensions *.two@AUSI.COM, *.ONE@AUSI.COM
- Additional extension *.moshiax@aol.com_*
- Additional extension *.contact@casinomtgox.com (Trojan modifications that use this extension were detected on July 15, 2014)
During the first step, the number of encrypted blocks depends on the original file size. Blocks are encrypted in threes in one cycle, then an offset of one block is performed and other 3 blocks are encrypted, etc. During the second step, a block of 0x31 is completed with space characters until it has the size of 0x62. Then the bytes in the even positions get values by the following formula:
str[2 * i - 2] = str [ i - 1], i = n..1, where n indicates the string length (31 bytes). The read block is replaced with the sequence of ')' symbols (0x29). The block with the displaced bytes is converted into a hexadecimal string, which is encrypted using the RSA algorithm. Space characters are added to the encrypted string. The first bytes are moved to odd positions. Then the string is converted into a hexadecimal notation and added to the end of the file.
Currently, Doctor Web possesses a technology that can help decrypt the data encrypted by this malicious program (if the Trojan itself is available). If the malware’s executable file is not available, it is possible to decrypt the information partially.