Alma Locker – efficient Trojan-extortionist with the C&C server in the Tor network

by sigismund » 2016-08-24 11:00:23


No vulnerability that would allow decrypting victims' files without paying the ransom has been found yet.


Darien Huss, a researcher at Proofpoint, has found a new piece of malware, Alma Locker, which encrypts files on the victim's computer and demands a ransom of 1 bitcoin for their restoration, to be paid within five days.

Recently a huge number of new samples of encrypting Trojans has been discovered, but almost all of them have low distribution, and the C&C servers of many of them are down. Despite some errors in its implementation, Alma Locker is one of the few recently discovered ransomware programs with a secure encryption algorithm that uses a working C&C server in the Tor network. No vulnerability that would allow decrypting victims' files without paying the ransom has been found yet.

As reported by Lawrence Abrams of Bleeping Computer, Alma Locker is spread using the RIG exploit kit. Once installed on the system, the Trojan generates an extension for encrypted files, consisting of five random characters, and an eight-digit victim ID. This ID is derived from the serial number of drive C:\ and the MAC address of the first network interface.

Alma Locker encrypts files using 128-bit encryption and appends the generated five-character extension to them. For example, if the extension is .a5zfn, then after encryption the file test.jpg becomes test.jpg.a5zfn.
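The renaming pattern described above (an ordinary file name with a five-character random extension appended, e.g. test.jpg.a5zfn) is something a defender can look for on a file share or in a directory listing. The following script is an added example, not code from the original post or from any of the researchers mentioned: it scans a constructed list of paths, groups files by an appended five-character suffix, and reports suffixes shared by several files whose stripped names still carry a normal extension. The threshold, the small allowlist of legitimate five-character extensions, and the sample paths are assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches "<name>.<orig ext>.<5 lowercase alphanumerics>", the shape produced when a
# random five-character extension is appended to an already-named file.
APPENDED_EXT = re.compile(
    r"^(?P<stem>.+\.(?P<orig>[A-Za-z0-9]{1,5}))\.(?P<ext>[a-z0-9]{5})$"
)

# Legitimate five-character extensions that would otherwise match (assumed list).
KNOWN_FIVE_CHAR_EXTS = {"class", "patch", "xhtml", "jsonl", "ascii"}

# Constructed sample listing for the example; not a real capture.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\test.jpg.a5zfn",
    r"C:\Users\alice\Documents\budget.xlsx.a5zfn",
    r"C:\Users\alice\Documents\thesis.docx.a5zfn",
    r"C:\Users\alice\Music\track01.mp3.a5zfn",
    r"C:\Users\alice\Desktop\readme.txt",
    r"C:\Users\alice\Desktop\archive.tar.gz",
    r"C:\Users\alice\src\Main.java",
    r"C:\Users\alice\src\fix.2019.patch",
]


def basename(path):
    """Return the final path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_appended_extensions(paths, min_files=3):
    """Group paths by an appended five-character extension.

    Returns {ext: [paths]} for every suffix that is not a known legitimate
    extension and is shared by at least min_files files. A single odd file is
    noise; many files gaining the same new suffix is the ransomware signal.
    """
    groups = defaultdict(list)
    for path in paths:
        match = APPENDED_EXT.match(basename(path))
        if not match:
            continue
        ext = match.group("ext")
        if ext in KNOWN_FIVE_CHAR_EXTS:
            continue
        groups[ext].append(path)
    return {ext: ps for ext, ps in groups.items() if len(ps) >= min_files}


def report(paths, min_files=3):
    """Human-readable summary: list of (extension, file count), most affected first."""
    hits = find_appended_extensions(paths, min_files)
    return sorted(((ext, len(ps)) for ext, ps in hits.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for ext, count in report(SAMPLE_LISTING):
        print(f"suspicious appended extension .{ext}: {count} files")
```

The check is deliberately conservative: it requires the stripped name to still have an ordinary extension (so renamed files keep their original type hint, as in the test.jpg.a5zfn example) and only alerts when several files share the same new suffix. Run over a real listing it would need the allowlist tuned for extensions common in that environment.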

During the encryption process, the extortionist sends the following information to the C&C server: the private encryption key, itself encrypted using AES-128; the file extension; the user name and active network interface; the locale ID and operating system version; the user ID; the antivirus registered with Windows; and a timestamp indicating the program's start time.

After the encryption process completes, a ransom notification appears on the victim's screen, together with links to the payment site in the Tor network and to the decryptor. When run, the decryptor connects to the C&C server and checks whether the ransom has been paid, what amount has been placed in the account, and whether the victim has met the five-day deadline.