Security researchers have identified flaws in a specific ransomware encryptor that allow victims to decrypt their files without having to pay in 70% of cases. The encryptor, known as Trojan-Ransom.Win32.Scraper, was first detected in an attack against Japanese users on October 24, 2014. Along with CTB-Locker, it marks a new generation of ransomware that are based on encryptor Trojans. Scraper encrypts victims’ files with AES-256 with a randomly generated one-time key and demands a ransom payment of at least USD $300 to decrypt them. However, as Kaspersky Lab security researchers Victor Alyushin and Fedor Sinitsyn explain in a blog post published on Securelist, there is a flaw in Scraper’s encryption mechanism.
“Although Trojan-Ransom.Win32.Scraper encrypts all files with AES-256 + RSA-2048, in 70%+ cases they can be decrypted because of the errors made during the implementation of cryptography algorithms,” they observe.
Kaspersky Lab does not go into much detail about the encryptor’s flaws, leading some security experts to weigh in on the matter and propose their own explanations. Scraper, which is written in assembler, uses the Tor network to contact its “owners” and the proxy server polipo. To avoid detection, the encryptor often comes packed with the KazyLoader and KazyRootkit protectors along with UPX. Scraper is commonly distributed to victims via the Andromeda botnet. Criminals interested in using Scraper to their advantage can purchase the ransomware’s builder for a few Bitcoins on underground markets, such as the now defunct Evolution, which had replaced Silk Road as the top dark web drug trading site. The builder allows criminals to modify certain aspects of the malware, including what payment forms it accepts and whether they want to block the removal of Windows recovery points. Users who believe they may have been affected by the Scraper ransomware encryptor are encouraged to use Kaspersky Lab’s ScraperDecryptor utility, which will help them decrypt and restore their files.