Jump to content
Sign in to follow this  
Scorpion

Qwerty Ransomware Utilizes GnuPG to Encrypt a Victims Files

Recommended Posts

 

A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program*to encrypt a victim's files.* Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.

It goes without saying, that GnuPG is a legitimate programs being illegally used by the Qwerty Ransomware developers. While a ransomware*using GnuPG to encrypt files is not unique as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen.

While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computer running Remote Desktop Services.* First discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.

How the Qwerty Ransomware encrypts a computer

 

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG*gpg.exe*executable, the*gnuwin32*shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

package.jpgQwerty Ransomware Package

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

batch-file.jpgBatch File

When the batch file is executed, the keys will be imported as shown below.

batch-file-running.jpgImporting Keys

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.

js-script.jpgJavaScript File

When find.exe is executed it will launch the following commands on the victim's computer.

 

taskkill /F /IM sql /T

taskkill /F /IM chrome.exe /T

taskkill /F /IM ie.exe /T

taskkill /F /IM firefox.exe /T

taskkill /F /IM opera.exe /T

taskkill /F /IM safari.exe /T

taskkill /F /IM taskmgr.exe /T

taskkill /F /IM 1c /T

vssadmin.exe delete shadows /all /quiet

wmic shadowcopy delete

bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe bcdedit /set {default} recoveryenabled no

wbadmin.exe wbadmin delete catalog -quiet

del /Q /F /S %s$recycle.bin

 

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file:

 

gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s"

 

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the*.qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

encrypted-files.jpgEncrypted Qwerty Files

When encrypting files, it will encrypt any file that does not contain the following strings:

 

Recycle

temp

Temp

TEMP

windows

Windows

WINDOWS

Program Files

PROGRAM FILES

ProgramData

gnupg

.qwerty

README_DECRYPT.txt

.exe

.dll

 

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it.

 

shred -f -u -n 1 "%s%s"

 

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

In each folder that a file is encrypted, it will create a ransom note named README_DECRYPT.txt*which contains instructions to contact cryz1@protonmail.com to receive payment instructions.

ransom-note.jpgQwerty Ransom Note

Unfortunately, this ransomware is secure and there is no way to decrypt files for free as only the attacker has possession of the private decryption key. Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shutdown the computer before it encrypts too many files.

How to protect yourself from the Qwerty Ransomware

 

In order to protect yourself from ransomware*in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections*or heuristics.* For example,*Emsisoft Anti-Malware*and*Malwarebytes Anti-Malware*both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

 

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like*VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you visit our*How to Protect and Harden a Computer against Ransomware*article.

IOCs

 

Hashes:

 

find.exe: 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9a e558a41841e502

gpg.exe:2b605abf796481bed850f35d007dad24

iconv.dll: aa9ec502e20b927d236e19036b40a5da5ddd4ae030553a6608 f821becd646efb

key.bat: 554c6198a015dc87e394c4fc74bf5040c48829d793e302632f 9eec663733a09e

libiconv2.dll: 3ec2d1a924ef6f19f2db45e48b9cf4b74a904af5720100e3da 02182eee3bcf02

libintl3.dll: b92377f1ecb1288467e81abe286d1fd12946d017e74bd1ab5f b2f11e46955154

ownertrust.txt: d06ffa2b486cd0601409db821d38334d0958bf8978f6773309 08a4c3c87a2b48

qwerty-pub.key: dc1f6d197904a59894a9b9e66f0f6674766c49151a8ced2344 dfaadaf54330b8

run.js: 6a6722b3b177426ec9ebb27898ef2340208c5644eb56eb5b06 4f2b2e34bf20bf

shred.exe: 7eae0a885c7ef8a019b80d55a00e82af2e9a9465b052156490 ff822ac68bc23a

 

Associated Files:

 

README_DECRYPT.txt

 

Ransom Note Text:

 

Your computer is encrypted . Mail 

cryz1@protonmail.com 
. Send your ID 5612.

Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!

 

Associated Emails:

 

cryz1@protonmail.com
Executed Commands:

 

taskkill /F /IM sql /T

taskkill /F /IM chrome.exe /T

taskkill /F /IM ie.exe /T

taskkill /F /IM firefox.exe /T

taskkill /F /IM opera.exe /T

taskkill /F /IM safari.exe /T

taskkill /F /IM taskmgr.exe /T

taskkill /F /IM 1c /T

vssadmin.exe delete shadows /all /quiet

wmic shadowcopy delete

bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe bcdedit /set {default} recoveryenabled no

wbadmin.exe wbadmin delete catalog -quiet

del /Q /F /S %s$recycle.bin

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...