There are many ways to fight cyber-crime, but what we used to do in Yoroi is Malware analysis and Incident response by using special and proprietary technologies. Often analyses are enough to temporary block cyber-criminals by sharing to everybody IOC allowing National and International players (ISP, AV vendors, CERTs and so on) to block connections or to trash files. But sometimes when a ransomware hits a victim, the ultimate desire is to be able to decrypt those files and to restore the last consistent data set. Today we realized this ultimate scope and we want to release it public, to everybody needs a decryptor for LooCipher.
At the beginning of July Yoroi Z-Lab Team publicly released a quite exhaustive report about LooCipher (available here). The initial vector (through Microsoft Office Macro) was foreshadowing an important spread over the next few days. Indeed few days later Fortinet researchers released a nice report on LooCipher (available here) mostly focused on the encryption algorithm, where they discussed it through a python POC.
“LooCipher starts its encryption routine by generating a 16-byte data block with random characters chosen from the following predefined characters, using the current system time as seed. ”From Fortinet report
Most of the LooCipher technical features are described as follows:
- The ransomware spreads using weaponized Word document.
- The Command and Control is hosted on the TOR Network, at the following onion address “hxxp://hcwyo5rfapkytajg[.]onion” .
- The attackers leverage several Tor2Web proxy services to easily allow the access to the Tor C2.
- The binary can work both as cryptor and decryptor.
- The C2 dynamically generates a different Bitcoin address for each infection.
The Fortinet researches spent time in describing the used algorithm (AES-256-ECB) and portrayed a decryption code as showed in the following image. By focusing on how to recover the obfuscated key – which was retrievable either via network or via memory dumping Fortinet researchers gave us the right reading key to be able to write our own decryptor code.
The turning point was on the way the key was encoded. The obfuscation method was quite trivial. It consists in a simple find-and-replace of each key characters with a pre-defined double-digit number, belonging to the following set:
So once retrieved the obfuscated key it was possible to reconstruct the original key to decrypt all involved files.
The master key is available directly in memory into LooCipher segments. So please remember to not kill the process even if you have been infected or to not reboot your windows box. If you kill the process or reboot your system, ZLab Team decrypter is not going to work there. You can download it HERE and use it for free.
- Find the Process ID of the LooCipher ransomware
- Open cmd with the Administrator privileges in the path where is downloaded the tool
- In cmd prompt: ZLAB_LOOCIPHER_DECRYPTION_TOOL.exe <PID>
Happy recovery !