January 13, 2017

A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its code for weaknesses, and released a decrypter in less than 24 hours.

Discovered by MalwareHunterTeam, first signs of this threat appeared yesterday evening when a spam campaign started distributing Word files that would download and install the ransomware on users' computers.

[Figure: Word file that will download and install the Marlboro ransomware (via GrujaRS)]

[Figure: Network traffic downloading the Marlboro ransomware installers (via MalwareHunterTeam)]

The ransomware, named Marlboro, comes with separate versions for 32-bit and 64-bit systems, which is the first time we've seen ransomware drop two separate installers depending on the target's architecture. Other malware, such as backdoor trojans, banking trojans, or PoS malware employ this technique quite often.

Marlboro's downloaders are fetched from free hosting accounts, which have since been suspended. Despite the use of free hosting to store the Marlboro binaries, a researcher who wanted to remain anonymous said the "[spam] campaign was really well crafted," as the threat actor appeared to know more about spam distribution than about malware coding.

Ransomware uses simplistic encryption

Marlboro uses XOR encryption to encrypt the user's files. All encrypted files will be renamed and will receive an extra ".oops" extension at the end. For example, a file named "image.png" will be renamed to "image.png.oops".

After the encryption process ends, the ransomware will drop and open a ransom note on the user's computer. This file is named "_HELP_Recover_Files_.html," pictured below.
[Figure: Marlboro ransomware ransom note (via MalwareHunterTeam)]

The ransom note claims that the user's files were locked with a strong combination of AES and RSA encryption. This is a lie; the files are only XOR-encoded.

The ransomware also drops a second file on the user's desktop: a decrypter created by the Marlboro author himself. The file is named "deMarlboro," which is where the ransomware gets its name.

The decrypter works by checking the crook's server for a ransom payment and only then starting the decryption process. It also contains a challenge meant to confirm that a human is operating it, to stop victims from flooding the author's server with requests.

[Figure: Marlboro decrypter, provided by the malware author (via MalwareHunterTeam)]

The first victims appeared today when infected users started uploading their ransom notes and encrypted files to the ID-Ransomware service, which helps users identify the ransomware that locked their files.

According to current statistics, only Serbian and Croatian users appear to have been targeted by Marlboro's first wave.

Free Marlboro decrypter available

The good news is that security researchers quickly identified a problem with the ransomware's encryption routine and created a free decrypter to help victims recover their files.

The decrypter, created by Emsisoft CTO and security researcher Fabian Wosar, is available via the Emsisoft website. Wosar was quick to identify several bugs in the ransomware's mode of operation.

"Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts," the researcher said. "It is, unfortunately, impossible for the decrypter to reconstruct these bytes." Nevertheless, for some file types those trailing bytes are insignificant and their loss won't mangle the content.
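To make concrete both why XOR "encryption" of files with well-known headers is recoverable (the "simplistic encryption" section above) and why the bytes lost to the truncation bug are gone for good, here is an added example written for this article. It is not Marlboro's code and not Emsisoft's decrypter. It assumes, as a model the article does not describe, a repeating XOR key of unknown length (up to 8 bytes) and a truncation bug that simply drops trailing bytes before the XOR pass; the sample PNG-like file, the key and the ".oops" file name are constructed for the demonstration.

```python
"""Known-plaintext recovery of a repeating XOR key, plus the effect of dropped
trailing bytes. Illustration code for this article; assumptions are marked."""
import random
from typing import Dict

# Every PNG starts with an 8-byte signature, then the IHDR chunk length (13) and
# the chunk type "IHDR": 16 bytes of plaintext an analyst knows before seeing
# the file. Other formats could be added here with their own magic bytes.
KNOWN_PREFIX_BY_EXT: Dict[str, bytes] = {
    ".png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
}
OOPS_EXT = ".oops"  # extension the article says Marlboro appends to every file


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def buggy_encrypt(plaintext: bytes, key: bytes, drop: int) -> bytes:
    """Constructed model of the encryptor (assumption): XOR the file but lose
    `drop` trailing bytes, mimicking the 'up to 7 bytes' defect reported."""
    if not 0 <= drop <= 7:
        raise ValueError("the article reports at most 7 bytes lost per file")
    return xor_repeating(plaintext[:len(plaintext) - drop], key)


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    Wherever the plaintext byte is known, C[i] ^ P[i] = K[i mod len(K)].
    The shortest period consistent with every known byte is taken as the key.
    Requiring each key byte to be confirmed at least twice limits the key to
    half the known prefix, so 16 known bytes resolve keys of up to 8 bytes;
    a longer key needs a longer known-plaintext block (e.g. a file the victim
    also holds unencrypted elsewhere).
    """
    if len(ciphertext) < len(known_prefix):
        raise ValueError("ciphertext shorter than the known plaintext prefix")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for period in range(1, len(known_prefix) // 2 + 1):
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(len(stream))):
            return candidate
    raise ValueError("no repeating key of period <= %d fits the known prefix"
                     % (len(known_prefix) // 2))


def decrypt_oops_file(name: str, ciphertext: bytes) -> tuple:
    """Strip the .oops extension, choose known plaintext from the original
    extension, recover the key and decrypt. Returns (original name, plaintext).
    Whatever the encryptor discarded is simply absent from the result."""
    if not name.endswith(OOPS_EXT):
        raise ValueError("not a Marlboro-renamed file: " + name)
    original = name[:-len(OOPS_EXT)]
    ext = original[original.rfind("."):].lower() if "." in original else ""
    try:
        known = KNOWN_PREFIX_BY_EXT[ext]
    except KeyError:
        raise ValueError("no known plaintext for extension %r" % ext) from None
    return original, xor_repeating(ciphertext, recover_key(ciphertext, known))


def demo(seed: int = 1, drop: int = 7) -> dict:
    """End-to-end run on a constructed PNG-like file; reports the recovered key,
    whether the surviving bytes decrypt intact, and how many bytes are lost."""
    rng = random.Random(seed)
    plaintext = KNOWN_PREFIX_BY_EXT[".png"] + bytes(rng.randrange(256) for _ in range(200))
    key = b"\x5a\x13\xc4\x07\x9e\x21"  # assumed 6-byte key; the decrypter never sees it
    ciphertext = buggy_encrypt(plaintext, key, drop)
    name, recovered = decrypt_oops_file("image.png.oops", ciphertext)
    return {
        "name": name,
        "key": recover_key(ciphertext, KNOWN_PREFIX_BY_EXT[".png"]),
        "recovered": recovered,
        "intact": recovered == plaintext[:len(plaintext) - drop],
        "lost_bytes": len(plaintext) - len(recovered),
    }


if __name__ == "__main__":
    r = demo()
    print("recovered key:", r["key"].hex(), "| surviving bytes intact:", r["intact"],
          "| bytes lost to the truncation bug:", r["lost_bytes"])
```

The point of the known-plaintext step is that no flaw beyond the choice of XOR is needed: the file format itself hands the analyst the key. The truncation is the opposite case: once the encryptor has dropped bytes, no amount of cryptanalysis brings them back, which is why the last 7 bytes of a recovered file may still be wrong even with the right key.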

The overall quality of the Marlboro ransomware code is low, according to both MalwareHunterTeam and Wosar. In fact, some of the ransomware's internals appear to have been put together from code borrowed from StackOverflow's C++ section.


SHA256 Hashes

Files targeted for encryption
Verbatim ransom note