
CryFile - From 0-Day to Detection in 48 Hours

CUSTOMER ADVISORY WARNING: Variant of CryFile ransomware

 What is known?

  • On November 17, 2017, enSilo’s Post-Infection Protection platform blocked, in real time, a variant of the CryFile ransomware that at the time had a zero detection rate in VirusTotal.


Why does it matter?

  • enSilo detected and stopped a zero-day ransomware before it could encrypt files.


How do we do it?

  • Post-infection protection is required to block zero-day threats in real time; it is the kind of technology needed to stop a threat that could have an impact like WannaCry.


Top concern?

  • Well-known anti-virus companies report impressive results; nonetheless, the CCleaner, NotPetya and WannaCry attacks bypassed numerous traditional malware detection technologies, and only after about a day had nearly all anti-virus products adapted to detect them. Timing is everything: when anti-virus products are a day behind, an entire organization risks failing to detect a widespread, damaging attack.



Here is the proof:  See VirusTotal and our data.

EXECUTIVE SUMMARY:

At the time of detection, the ransomware had a zero detection rate in VirusTotal:

Figure 1: 11.17.2017 - VirusTotal zero detection rate


The detection rate of this malware was still fairly low five days after the ransomware was first seen by VirusTotal:

Figure 2: 11.20.2017 - VirusTotal low detection rate


Technical analysis of CryFile:

Characteristics:

The CryFile ransomware binary has the following static characteristics:

Filename: fdbe.exe
SHA256 Hash: 2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be
File size: 23552 bytes
File Compile Time: 2017-09-20 12:54:20

On execution, the CryFile ransomware does two main things:

1)  It encrypts some of the files on the affected system.
2)  It fills the affected system drive completely.


The CryFile ransomware encrypts some of the files on the affected system. The file types that the ransomware encrypts are:

1cd, 7z, accdb, backup, cd, cdr, dbf, doc, docx, dwg, jpeg, jpg, mdb, odr, pdf, psd, rar, rtf, sqlite, tiff, txt, xlsx, xls, zip, dt, ert, pst, mdf, ldf

Encrypted files are then renamed in the following format (the original file name followed by the suffix):

File_name+.acryhjccbb@protonmail.com

Figure 3: In some directories, alongside the encrypted files, a folder named .corrupt is created

This folder contains the files that the ransomware did not fully encrypt. In addition, a file named DECRYPTKEY is created under the path C:\exportKey. This file contains the generated AES key, the key used to encrypt the files, wrapped with the hardcoded RSA public key.

Figure 4: Hardcoded RSA public key - this public key is hardcoded in the binary and used in the encryption process.

RSA Public Key value:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJ/pgAk5IFg+97WOlgPOr7D77xhWgBMj9gKL9EplpCT6XZl+hRCDSqtit+TN6g5r+p3lUuNNO8cSdDBeeUNcx+j69KDGixTEM5lcxMGokY5WK/krZAG+TwDXCLiTy26j/s5bJrb0e9x9q9STdhdpXZgV7xXqyxpmM1xVaYN2Oo2RfAgMBAAE=
-----END RSA PUBLIC KEY-----

 

Encryption begins:

  • The ransomware encrypts 16 bytes at a time.
  • It performs at most 0x32 (50) encryption iterations.
  • On the last iteration 32 bytes are encrypted, but only 16 bytes are written to the file.

Furthermore, the encryption routine calls the rand function, and the random number it returns decides how many bytes are written to the file. Because the bytes written back do not correspond to the bytes that were encrypted, some files cannot be decrypted.

Figure 5: The encryption process

Filling the affected system drive completely: the CryFile ransomware creates a file called Fill0 under the path C:\fill and writes data to it until the drive is almost full.

Figure 6: How the C: volume was filled after the execution of this ransomware

Figure 7: Huge file - C:\fill\fill0 - shows the large size of this file
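The artefacts described above (the rename suffix, the .corrupt folder, the exported DECRYPTKEY file and the Fill0 disk-filling file) can be turned into a simple triage check over file-system events. This is an added example, not enSilo's code; the (action, path) event shape and the sample events are assumptions constructed for the demonstration.

```python
# Added example, not enSilo's code: score file-system events against the
# CryFile artefacts described above. The (action, path) event shape is an
# assumption; the indicator values are the ones from the analysis.
import ntpath
from collections import Counter

RENAME_SUFFIX = ".acryhjccbb@protonmail.com"
KEY_EXPORT_PATH = r"c:\exportkey\decryptkey"   # RSA-wrapped AES key
FILL_FILE_PATH = r"c:\fill\fill0"              # file grown to fill the volume
TARGET_EXTENSIONS = {
    "1cd", "7z", "accdb", "backup", "cd", "cdr", "dbf", "doc", "docx", "dwg",
    "jpeg", "jpg", "mdb", "odr", "pdf", "psd", "rar", "rtf", "sqlite", "tiff",
    "txt", "xlsx", "xls", "zip", "dt", "ert", "pst", "mdf", "ldf",
}

def classify_event(action, path):
    """Return the indicator names a single event matches (empty if none)."""
    hits, lowered = [], path.lower()
    if action in ("create", "rename") and lowered.endswith(RENAME_SUFFIX):
        hits.append("cryfile_rename")
        # Recover the original name and check it is a targeted file type.
        original = ntpath.basename(path)[: -len(RENAME_SUFFIX)]
        if "." in original and original.rsplit(".", 1)[1].lower() in TARGET_EXTENSIONS:
            hits.append("targeted_extension")
    if lowered == KEY_EXPORT_PATH:
        hits.append("key_export")
    if lowered == FILL_FILE_PATH:
        hits.append("disk_fill")
    if "\\.corrupt\\" in lowered:  # partially encrypted files are parked here
        hits.append("corrupt_folder")
    return hits

def triage(events, rename_threshold=3):
    """Aggregate indicators and return (verdict, counts). The exported key
    or the fill file alone is conclusive; renames need rename_threshold."""
    counts = Counter(h for ev in events for h in classify_event(*ev))
    if (counts["key_export"] or counts["disk_fill"]
            or counts["cryfile_rename"] >= rename_threshold):
        return "cryfile", counts
    return ("suspicious" if counts else "clean"), counts

# Constructed sample events modelled on the behaviour described in the post.
SAMPLE_EVENTS = [
    ("create", r"C:\Users\bob\Documents\report.docx.acryhjccbb@protonmail.com"),
    ("create", r"C:\Users\bob\Documents\.corrupt\budget.xlsx"),
    ("create", r"C:\exportKey\DECRYPTKEY"),
    ("write", r"C:\fill\Fill0"),
    ("create", r"C:\Users\bob\Documents\notes.md"),
]
```

Calling triage(SAMPLE_EVENTS) returns the verdict "cryfile" together with a count of each indicator seen, so the same function can run over a real event feed where a single exported key or fill file is enough to raise an alert.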

 

enSilo Post-Infection Platform in Action

The CryFile ransomware sample was executed in a controlled environment protected by the enSilo platform.

Figure 8: enSilo detected and blocked the CryFile ransomware activity and stopped the file encryption

The enSilo file encryptor rule detected that a binary named crss.exe (the CryFile ransomware) attempted to encrypt a file called ReadMe.txt on the affected system. The enSilo post-infection platform blocked CryFile’s encryption process in real time, and not a single file was encrypted.

 

FINAL NOTE

This blog post showed that traditional AV vendors respond quickly once a threat is seen in the wild: in this case, around 48 hours after the initial detection, many vendors already identified this sample as malicious. However, blocking 0-day threats in real time requires post-infection protection technologies.
