Ransom.Locky Analysis
1 Sample Overview

Recently, some users were infected with this virus and asked our company for help. Analysis shows that the sample is a type of ransomware. Its icon is disguised as an office document. The sample is written in Python, packaged with a packaging tool, and signed. When it runs, it drops a file carrying the ransom functionality together with a large number of library files (which the sample depends on at runtime) into the system temporary directory. Once executed, the dropped file collects system information, sends it back to the server, and traverses the disks to encrypt files with specified suffixes. On a low-configuration device the sample waits for some time before performing the encryption. Analysis of the sample itself shows that the files it encrypts can very likely be restored. The sample information list is as follows:
The sample signing information is as follows:

2 Sample Analysis

The sample is an executable file packaged with Inno Setup. It contains many C++ library files and Python library files that the virus depends on at runtime, and a sample exe file converted from Python code. By unpacking the installation package and decompiling the virus file, you can obtain its Python code and then analyse the functional code to learn the sample's execution flow and specific functionality.

2.1 Decompilation

The sample is an executable file packaged with Inno Setup; unpacking the installer with the relevant tools yields the collection of files as they were before packaging. After unpacking, you get a lockyfud.exe file generated from Python code, and a large number of library files that the sample depends on at runtime, such as MFC library files and python27 library files. The file information after unpacking is as follows:

Use the relevant tool to convert the lockyfud.exe file into its pyc file. In the conversion result, lockyfud is the pyc file corresponding to lockyfud.exe, the out00-PYZ.pyz file is the collection of library files that lockyfud.exe runs on, and the out00-PYZ.pyz_extracted folder holds the dependent pyc files. The result of the file conversion is as follows:

The lockyfud file can be decompiled to obtain its Python code. The lockyfud file's header data is missing, so the 8 missing bytes must be filled in before decompilation. The 8 bytes of missing data are as follows:

After filling in the missing data and decompiling the lockyfud file with a decompiler, you get the following code:

The decompiled Python code decrypts an encoded string and executes it. Modify the last line of the decompiled Python code so that it writes its output to a file instead of executing it, run the code, and you get the original code hidden in the encrypted, encoded string.

2.2 Functional Analysis

Analysis of the decrypted code reveals that the code has no complex logic and the execution flow is very simple.
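The header repair step from 2.1 as a runnable tool. This is an added example, not the analysts' own script: it assumes the standard CPython 2.7 pyc header (a four-byte magic followed by a four-byte source timestamp), which matches the python27 libraries shipped with the sample, and it does not reproduce the page's own eight bytes.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"os"
)

// CPython 2.7's pyc magic (62211 little-endian, then "\r\n"). Using it is an assumption based on
// the python27 libraries shipped with the sample; the page's own eight bytes are not reproduced here.
var py27Magic = []byte{0x03, 0xf3, 0x0d, 0x0a}

// RepairPycHeader prepends the eight-byte pyc header (four-byte magic plus a four-byte source
// timestamp) that the extractor strips and the decompiler expects. Decompilers ignore the
// timestamp, so any value (here mtime) will do.
func RepairPycHeader(body []byte, mtime uint32) ([]byte, error) {
	if bytes.HasPrefix(body, py27Magic) {
		return nil, errors.New("input already starts with a pyc header")
	}
	// A marshalled Python 2 code object starts with the TYPE_CODE tag 'c'.
	if len(body) == 0 || body[0] != 'c' {
		return nil, errors.New("input does not look like a marshalled code object")
	}
	hdr := make([]byte, 8, 8+len(body))
	copy(hdr, py27Magic)
	binary.LittleEndian.PutUint32(hdr[4:], mtime)
	return append(hdr, body...), nil
}

// RepairPycFile reads the header-less file (for example the extracted "lockyfud") and writes a
// decompilable .pyc to the output path.
func RepairPycFile(in, out string) error {
	body, err := os.ReadFile(in)
	if err != nil {
		return err
	}
	fixed, err := RepairPycHeader(body, 0)
	if err != nil {
		return err
	}
	return os.WriteFile(out, fixed, 0o644)
}
```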
The flow chart is as follows:

The sample sets the key length and uses a random function to generate a random key for file encryption.

It initializes environment variables to obtain system-related information.

It obtains and checks device information: the sample sleeps for 999999 seconds if the device memory is less than 4G.

The generated random key is encrypted with the default public key; this encrypted key is used in the ransom information displayed to the user.

It decrypts the base64-encoded message text and combines the user information with the ransom message to form the ransom information displayed to the user. The decrypted message text contains four languages: English, French, Italian, and Korean. The English message is as follows:

The obtained user information, encryption key, etc. are sent back in plaintext. The data in the red box in the figure below is the plaintext key used for encryption.

It traverses the disks and encrypts files. Only the user directory is encrypted on the C drive, while the other drives are encrypted in full.

2.3 Encryption Types

The sample supports the encryption of 10 types of documents (covering 167 extensions). The list is as follows:

2.4 Encryption Method

The sample encrypts local files with the symmetric encryption algorithm DES3. File encryption replaces the original file content with the encrypted message: the original content is first base64 encoded, then encrypted with the generated key and written to a file with the suffix "lockedfile". During file encryption, the code decides whether a file has already been encrypted by its suffix, so a file with the suffix "lockedfile" will not be encrypted again.
In addition to the encryption code, the sample also contains decryption code and some test code. The code content is as follows:
3 Sum-up

The sample has no complicated logic; its execution process is simple and its functionality is clear. The sample only checks the memory size of the infected system and takes no countermeasures against security software. There is a bug in the sample code: by default it assumes the C drive is the partition where the Windows system is installed. In other words, it does not check whether the system is actually installed on the C drive, and if the system is installed on another drive, that drive is encrypted in full, system files included, so the infected device fails to start.

4 Restoring

In the ransom text presented to the user, the sample claims that all files have been encrypted with an asymmetric encryption algorithm, but the symmetric algorithm DES3 is actually used to encrypt the files. When the sample sends back information such as the local user information and the encryption key, the data is not encrypted but transmitted in plaintext. If the information returned by the infected device to the attacker is recorded by a network monitoring device, the encrypted files can be restored directly from that returned information, in particular the plaintext key. Since the sample code contains the decryption function, the infected user can call the decryption function directly to decrypt the files after obtaining the key.
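The scheme described in 2.4 and its reversal from section 4, written out in code. This is an added example, not the sample's own code: the page says only that DES3 is applied to base64-encoded content, so CBC with an all-zero IV, zero padding and a 24-byte key are assumptions; Go's standard library is used because it ships 3DES and runs offline.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
)

// pad zero-pads to the 8-byte DES block. Zero padding is an assumption (the page names no scheme);
// it is unambiguous here because base64 text never contains a 0x00 byte.
func pad(b []byte) []byte {
	return append(b, make([]byte, (des.BlockSize-len(b)%des.BlockSize)%des.BlockSize)...)
}

// Lock mirrors the sample's two layers, base64 then DES3, giving what it writes to the
// ".lockedfile" output. CBC with an all-zero IV and a 24-byte key are assumptions too.
func Lock(key, content []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key) // crypto/des accepts only 24-byte 3DES keys
	if err != nil {
		return nil, err
	}
	enc := pad([]byte(base64.StdEncoding.EncodeToString(content)))
	out := make([]byte, len(enc))
	cipher.NewCBCEncrypter(blk, make([]byte, des.BlockSize)).CryptBlocks(out, enc)
	return out, nil
}

// Unlock is the recovery step of section 4: with the plaintext key captured from the
// sample's check-in traffic, undo DES3 first, then undo base64. A wrong key almost always
// yields bytes that are not valid base64, so DecodeString reports the failure.
func Unlock(key, locked []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(locked) == 0 || len(locked)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the DES block size")
	}
	dec := make([]byte, len(locked))
	cipher.NewCBCDecrypter(blk, make([]byte, des.BlockSize)).CryptBlocks(dec, locked)
	return base64.StdEncoding.DecodeString(string(bytes.TrimRight(dec, "\x00")))
}
```

Unlock is the operation a responder runs over each ".lockedfile" file once the plaintext key has been recovered from the captured check-in traffic.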