Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Crime Encryption The Almighty Buck

DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom (softpedia.com) 49

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.
This discussion has been archived. No new comments can be posted.

DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom

Comments Filter:
  • by ITRambo ( 1467509 ) on Saturday November 28, 2015 @02:23PM (#51018559)
    Apparently, the bad-guy equivalent of script kiddies (or toddlers) put this ransomware out. No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours. A lot of people dodged a bullet here as Emsisoft puts out great software. Kudos to them for offering this tool
    • by BLKMGK ( 34057 )

      Agree on both counts! Someone made errors and these guys were smart enough and thoughtful enough to break the crypto. Kudos!

      • You can build the best tools in the world but it's pointless if the user doesn't know how to use them. Encryption is hard, you can just follow a quick README to slap some on. It's like using the handle of a hammer to pound in nails.

    • by cfalcon ( 779563 )

      > No program should be able to decrypt a "properly" encrypted file, or set of files, in a few hours.

      No true encryption, eh?

      We have no reason to believe it's not real crypto. We have every reason to believe they screwed up their implementation.

      Do we need another word? I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show. But as reported it is accurate- you aren't even picking nits, you're a

      • by mikael ( 484 )

        There's probably a trade-off between encrypting as many files as possible before the user finds out (favoring simple methods or small block sizes), and encrypting individual files so hard that the user can't decrypt them in a reasonable time (favoring complex methods or large block sizes).

      • I don't think so. Maybe if we want to abolish the notion of "ok, their files are encrypted... this is hard encryption... ok done!" as seen on pretty much any TV show.

        At least on TV you get to have a laugh as they use a 320p webcam to catch a reflection from 200 metres away giving them the key to crack the cookie thus saving the planet.

  • Random .PNG file? (Score:4, Insightful)

    by CanEHdian ( 1098955 ) on Saturday November 28, 2015 @02:40PM (#51018647)
    Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?
    • The key has to be derived out.

      • by kbg ( 241421 )

        And why does that need a random .png of the Internet?

        • by Anonymous Coward

          I presume because you copy the random PNG onto the infected system (where it is encrypted by the malware) and voila, you have a known sample in enc/dec terms. Maybe there were technical reasons for not having the tool itself deploy the unsullied version.

        • by AK Marc ( 707885 )
          It doesn't. It just needs to be a file that's encrypted and one that's not. You could have the tool generate it's own binary file with random contents, but that's not how the tool was made. The PNG doesn't need to be "on the Internet", it's just that when you have the infected system in Boston, and you are in Chicago, it's easier to have the Boston and Chicago systems access the same file from some public server, than to generate one locally and send it to the other system.
          • There are a couple possibilities I can think of.
            A) Maybe there is a risk that the PNG you used would already be encrypted, so it says to use an external source.
            B) Malware tends to hook common system functions, such as those used to generate data for testing, and the malware author gives his solution just in case. This is particularly true with .net assemblies, as the entire set of addresses for the method table is readily available.
            C) Some combination of the 2.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Which they could do from a .PNG file stored in the binary in advance.

    • Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

      I'd guess:
      - The authors wrote the tool to use enough of the start of an encrypted/clear file pair to generate / sieve the key and deployed that.
      - Some used discovered, after the tool was deployed, that the invariant header of a .png file was long enough that any .png file could function as the "clear" for any encrypted .png (or at least that many unrelated pairs co

  • by Anonymous Coward on Saturday November 28, 2015 @03:08PM (#51018775)

    I wondered why the summary has links to articles on Softpedia and Bleeping Computer instead of linking directly to Emsisoft, whose employee wrote the decryption utility. But it seems Emsisoft has dropped the ball, as they have nothing on their home page [emsisoft.com] or their blog [emsisoft.com] or their changelog [emsisoft.com] that mentions this tool. In fact I can't find any reference to this on their site at all [google.com], which makes me suspicious about downloading it.

    Both of the articles in the summary point to a link on emsi.at instead of emsisoft.com. Domain registration and name servers point to emsi.at being a legitimate host under the control of Emsisoft, but who knows? What a weird way to release a security tool, with zero announcements on your company website and the download hosted at a URL shortener.

    • That's why Bitdefender has a huge market share and almost nobody heard of Emsisoft. It's called a marketing department. Remember when Bitdefender cracked Linux.Encoder.1 and provided a shield tool for CryptoWall 4.0? It was everywhere on the Internet.
  • The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

    They distributed the source code with the ransomware? I'll bet that was handy when it came to reverse engineering it.

    • The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

      They distributed the source code with the ransomware?

      Or the strings in the source code ended up generating strings in the object code and something like the "strings" tool found them.

  • How exactly does this ransomware get onto your computer?
    • by Anonymous Coward

      For my boss, it was via a resume.doc attachment. We have several jobs posted :-(

      This was the low point of 2015 for me (backups several months out of date), so I'm hoping this recovery tool works.

      (certainly not logging in so you can make fun of my 5 digit /. id ....)

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...