An encryption ransomware written in Delphi. Apparently, this Trojan is a modification of Trojan.Encoder.225. The malware receives the encryption keys from the server.
Once launched for the first time, Trojan.Encoder.398 copies itself to the %APPDATA%\ID\ folder under the name ID.exe (where ID is the hard drive serial number). It then displays a message telling the user that the archive is damaged, runs its copy from the C:\ directory, and terminates the original process.
The Trojan’s copy looks for the %APPDATA%\ID directory, reads the hard disk serial number and sends it to the server using the InternetOpenUrlA function. In reply, the Trojan receives an XML configuration file containing the following encryption parameters: the cybercriminals’ email address, the encryption key, the encryption algorithm number, and part of the file name extension given to encrypted files (the ext parameter).
Once the variables are initialized, the file encryption begins. Only fixed drives are encrypted (DRIVE_FIXED). The Trojan does not encrypt files in the following directories:
$RECYCLE.BIN, Windows, Program Files (x86), Program Files, Games, ProgramData, UpdatusUser, AppData, Application Data, Cookies, Local Settings, NetHood, PrintHood, Recent, SendTo, Main Menu (“Главное меню”), Searches (“Поиски”), Links (“Ссылки”), System Volume Information, Recovery, NVIDIA, Intel, DrWeb Quarantine, Config.Msi, All Users, All Users (“Все пользователи”).
The malware saves the “HOW_TO_DECRYPT_YOUR_FILES.txt” file (“КАК_PАЗБЛOКИРOВАТЬ_ВАШИ_ФAЙЛЫ.txt”) with the following contents to every directory:
All files on your computer have been encrypted with a crypto-secure algorithm.
To decrypt the files, you must have a decryptor and a unique password.
You can purchase the decryptor within the next 7 days. If you do not make the purchase during the specified period, the decryption password will be deleted from the base and decryption will be impossible.
To purchase the decryptor, send a message to mrcrtools@aol.com.
If you want to make sure that we have the decryptor, attach any encrypted file (except for databases) to your message and we will send you its decrypted version.
The decryptor costs 5,000 rubles. We will inform you regarding payment methods in the reply to your message.
Contact email address—mrcrtools@aol.com
The Trojan can encrypt files with the following extensions:
ak|.BAK|.rtf|.RTF|.pdf|.PDF|.mdb|.MDB|.b2|.B2|.mdf|.MDF|.accdb|.ACCDB|.eap|.EAP|.swf|.SWF|
.svg|.SVG|.odt|.ODT|.ppt|.PPT|.pptx|.PPTX|.xps|.XPS|.xls|.XLS|.cvs|.CVS|.dmg|.DMG|.dwg|.DWG|
.md|.MD|.elf|.ELF|.1CD|.1cd|.DBF|.dbf|.jpg|.JPG|.jpeg|.JPEG|.psd|.PSD|.rtf|.RTF|.MD|.dt|.DT|
.cf|.CF|.max|.MAX|.dxf|.DXF|.dwg|.DWG|.dds|.DDS|.3ds|.3DS|.ai|.AI|.cdr|.CDR|.svg|.SVG|
.txt|.TXT|.csv|.CSV|.7z|.7Z|.tar|.TAR|.gz|.GZ|.bakup|.BAKUP|.djvu|.DJVU|
The malware can use the following encryption algorithms (in the following order):
- DES
- RC2
- RC4
- RC5
- RC6
- 3DES
- Blowfish
- AES (Rijndael)
- ГОСТ 28147-89
- IDEA
- Tea
- CAST-128
- CAST-256
- ICE
- Twofish
- Serpent
- MARS
- MISTY1
The encryption routine is selected based on the parameter specified in the configuration file.
Once the first encryption cycle is complete, the Trojan initiates the second cycle to encrypt 1C databases from Program Files and Program Files (x86).
Files with the following extensions can be encrypted:
|.dbf|.DBF|.1cd|.1CD|.dt|.DT|.md|.MD|.dds|.DDS|
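As an added triage example (not code from this description or from the Trojan itself), the Python model below encodes the scanning rules given above for the first variant: fixed drives only, the excluded directory names, the first-cycle extension list, and the second cycle over 1C databases in Program Files and Program Files (x86). A responder can run it over a file listing to estimate which files were in scope for encryption and which were left intact. Two assumptions are labelled in the code: an excluded directory name is treated as matching wherever it appears in a path, and because the extension list carries both lower- and upper-case spellings the comparison is exact-case. The truncated first entry of the list on this page is left out, and the drive type is passed in rather than queried.

```python
"""Scope model for the Trojan.Encoder.398 first and second encryption cycles.

Added example for incident triage; it is not code from the description or
from the malware.  It encodes the directory exclusions and extension lists
given in the description so a responder can estimate which files on a fixed
drive the first variant would have encrypted and which it would have skipped.
"""
from pathlib import PureWindowsPath

# Directory names the Trojan skips, as listed in the description (English and
# Russian folder names both included).  ASSUMPTION: a name counts as excluded
# wherever it appears among the path components, not only at the drive root.
EXCLUDED_DIRS = {
    "$RECYCLE.BIN", "Windows", "Program Files (x86)", "Program Files", "Games",
    "ProgramData", "UpdatusUser", "AppData", "Application Data", "Cookies",
    "Local Settings", "NetHood", "PrintHood", "Recent", "SendTo",
    "Main Menu", "Главное меню", "Searches", "Поиски", "Links", "Ссылки",
    "System Volume Information", "Recovery", "NVIDIA", "Intel",
    "DrWeb Quarantine", "Config.Msi", "All Users", "Все пользователи",
}

# First-cycle extension list transcribed from the description (truncated first
# entry omitted).  The list carries both lower- and upper-case spellings, so
# the comparison below is exact-case rather than case-insensitive.
FIRST_CYCLE_EXTS = set("""
.BAK .rtf .RTF .pdf .PDF .mdb .MDB .b2 .B2 .mdf .MDF .accdb .ACCDB .eap .EAP
.swf .SWF .svg .SVG .odt .ODT .ppt .PPT .pptx .PPTX .xps .XPS .xls .XLS
.cvs .CVS .dmg .DMG .dwg .DWG .md .MD .elf .ELF .1CD .1cd .DBF .dbf
.jpg .JPG .jpeg .JPEG .psd .PSD .dt .DT .cf .CF .max .MAX .dxf .DXF
.dds .DDS .3ds .3DS .ai .AI .cdr .CDR .txt .TXT .csv .CSV .7z .7Z
.tar .TAR .gz .GZ .bakup .BAKUP .djvu .DJVU
""".split())

# Second cycle: 1C database files under Program Files / Program Files (x86).
SECOND_CYCLE_EXTS = set(".dbf .DBF .1cd .1CD .dt .DT .md .MD .dds .DDS".split())
SECOND_CYCLE_ROOTS = {"Program Files", "Program Files (x86)"}


def classify(file_path, drive_type="DRIVE_FIXED"):
    """Classify one file the way the description says the first variant treats it.

    drive_type is supplied by the caller (the real sample calls GetDriveType;
    this model does not touch the system).  Returns one of:
      'skipped-drive'  not on a fixed drive (only DRIVE_FIXED is scanned)
      'cycle1'         encrypted in the first pass
      'cycle2'         1C database under Program Files, encrypted in the second pass
      'skipped-dir'    inside an excluded directory and not a second-cycle file
      'skipped-ext'    extension not in either list
    """
    if drive_type != "DRIVE_FIXED":
        return "skipped-drive"
    path = PureWindowsPath(file_path)
    ext = path.suffix                  # final '.ext' of the name, exact case
    dirs = set(path.parts[1:-1])       # drop the drive anchor and the file name
    if dirs & EXCLUDED_DIRS:
        if dirs & SECOND_CYCLE_ROOTS and ext in SECOND_CYCLE_EXTS:
            return "cycle2"
        return "skipped-dir"
    return "cycle1" if ext in FIRST_CYCLE_EXTS else "skipped-ext"


def summarize(file_paths, drive_type="DRIVE_FIXED"):
    """Count files per category for a listing (e.g. the output of dir /s /b)."""
    counts = {}
    for p in file_paths:
        c = classify(p, drive_type)
        counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample listing; paths are placeholders, not real artifacts.
    sample = [
        r"C:\Users\ivan\Documents\report.pdf",
        r"C:\Users\ivan\Documents\report.docx",
        r"C:\Users\ivan\AppData\Roaming\app\data.txt",
        r"C:\Program Files\1cv82\base\1Cv8.1CD",
        r"C:\Program Files\app\readme.txt",
    ]
    for p in sample:
        print(f"{classify(p):14} {p}")
    print(summarize(sample))
```

The model makes two things visible that the raw lists do not: .doc and .docx are absent from the first variant's list, so Word documents come out as out of scope, and a matching file inside AppData is skipped while a 1C database under Program Files is still reached by the second cycle.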
The Trojan has several modifications. Some of them are described below:
- Using back_files@aol.com
The malware saves the file with the following message to the hard drive:
All files on your computer have been encrypted.
To decrypt the files, you must purchase a decryptor and a unique password.
You can purchase the decryptor for 5,000 rubles by sending a message to back_files@aol.com.
If you want to make sure that we have the decryptor, attach any encrypted file (except for databases) to your message and we will send you its original version.
- Using backyourfile@aol.com
Once launched for the first time, the Trojan adds the following parameters to the Software\ENCRYPTOR registry key:
- files—path to the text file containing the list of all encrypted files,
- hid—hard drive serial number,
- inst—setup flag (true/false),
- mg—path to the HTML file containing cybercriminals’ demands,
- p—path to the encoder’s executable file,
- w—path to the image with cybercriminals’ demands.
Then it places an HTML file with the following contents in the startup folder:
All files on your computer have been encrypted with a crypto-secure algorithm.
It is impossible to decrypt the files without a unique password!
Any attempt to decrypt a file without the password will lead to its permanent damage!
The decryptor costs 5,000 rubles.
You can purchase the decryptor and the password by sending a message to
backyourfiles@aol.com.
If you want to make sure that we can decrypt your files, attach any encrypted file to your message and we will decrypt it.
The Trojan sets the following image as a desktop background:
Files with the following extensions can be encrypted:
*.odt,*.ods,*.odp,*.odb,*.doc,*.docx,*.docm,*.wps,*.xls,*.xlsx,*.xlsm,*.xlsb,*.xlk,*.ppt,*.pptx,*.pptm,
*.mdb,*.accdb,*.pst,*.dwg,*.dxf,*.dxg,*.wpd,*.rtf,*.wb2,*.mdf,*.dbf,*.psd,*.pdd,*.eps,*.ai,*.indd,*.cdr,
*.jpg,*.jpeg,*.arw,*.dng,*.3fr,*.srf,*.sr2,*.bay,*.crw,*.cr2,*.dcr,*.kdc,*.erf,*.mef,*.mrw,*.nef,*.nrw,*.orf,
*.raf,*.raw,*.rwl,*.rw2,*.r3d,*.ptx,*.pef,*.srw,*.x3f,*.der,*.cer,*.crt,*.pem,*.p12,*.p7b,
*.pdf,*.p7c,*.pfx,*.odc,*.rar,*.zip,*.7z,*.png,*.backup,*.tar,*.eml,*.1cd,*.dt,*.md,*.dds
The malware can use the following encryption algorithms (in the following order):
- Blowfish
- CAST-128
- CAST-256
- DES
- ГОСТ 28147-89
- ICE
- IDEA
- MARS
- MISTY1
- 3DES
- RC4
- RC5
- RC6
- AES (Rijndael)
- Serpent
- TEA
- Twofish
- RC2
- Using vernut2014@qq.com
Once the Trojan is launched, the “File is damaged” message is displayed on the screen. The malware creates the HKCU\Software\LIMITED key in the Windows system registry and saves the following parameters there:
- pth—path to the Trojan’s executable file,
- installd (possible value—true),
- wall—path to the image displaying cybercriminals’ demands,
- msge—path to the HTML file containing cybercriminals’ demands (this path is also saved to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run branch),
- files—path to the text file containing cybercriminals’ demands,
- huid—infected computer ID.
The Trojan then saves its files under random names in randomly named subfolders of the %APPDATA% directory.
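The registry keys and value names listed for the backyourfiles@aol.com and vernut2014@qq.com variants are useful persistence indicators during incident response. The following Python script is an added example (not code from this description or from the Trojan) that parses the text of a Windows registry export and reports those keys, the value names found under them, and any Run entry whose data equals the msge path. The placement of the Software\ENCRYPTOR key under HKEY_CURRENT_USER is an assumption, since the description names that key without a hive; all paths, the huid value and the Run entry name in the sample export are constructed placeholders.

```python
"""Triage of Trojan.Encoder.398 registry artifacts in a .reg export.

Added defender-side example; not code from the description or the malware.
It parses the body of a registry export (for instance the output of
`reg export HKCU out.reg`) and reports the keys and value names the
description attributes to two variants of the Trojan.
ASSUMPTION: Software\ENCRYPTOR is taken to live under HKEY_CURRENT_USER; the
description gives that key without a hive.
"""
import re

# Value names the description lists under each key.
INDICATORS = {
    r"HKEY_CURRENT_USER\Software\ENCRYPTOR": {"files", "hid", "inst", "mg", "p", "w"},
    r"HKEY_CURRENT_USER\Software\LIMITED": {"pth", "installd", "wall", "msge", "files", "huid"},
}
# The LIMITED variant also registers the demands HTML path under Run.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.+))$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from the text of a .reg export.

    REG_SZ data has its backslashes and quotes unescaped; other value types
    (dword:..., hex:...) are kept as the raw text after '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, quoted, other = m.groups()
            if quoted is not None:
                data = quoted.replace("\\\\", "\\").replace('\\"', '"')
            else:
                data = other
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """Match parsed keys against INDICATORS.

    Each finding carries the key, the indicator value names present under it,
    their data, and the Run entries whose data equals the key's msge path.
    """
    findings = []
    run_values = keys.get(RUN_KEY, {})
    for key, expected in INDICATORS.items():
        present = keys.get(key)
        if not present:
            continue
        matched = expected & set(present)
        if not matched:
            continue
        msge = present.get("msge")
        run_hits = sorted(n for n, d in run_values.items() if msge and d == msge)
        findings.append({
            "key": key,
            "values": sorted(matched),
            "data": {n: present[n] for n in sorted(matched)},
            "run_entries": run_hits,
        })
    return findings


# Constructed sample export mirroring the vernut2014@qq.com variant's layout.
# Every path, the huid value and the Run entry name "msg" are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\LIMITED]
"pth"="C:\\Users\\ivan\\AppData\\Roaming\\qzt\\kpw.exe"
"installd"="true"
"wall"="C:\\Users\\ivan\\AppData\\Roaming\\qzt\\bg.bmp"
"msge"="C:\\Users\\ivan\\AppData\\Roaming\\qzt\\msg.html"
"files"="C:\\Users\\ivan\\AppData\\Roaming\\qzt\\list.txt"
"huid"="EXAMPLE-ID-0001"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\ivan\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"msg"="C:\\Users\\ivan\\AppData\\Roaming\\qzt\\msg.html"
'''


if __name__ == "__main__":
    for f in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f["key"], f["values"], "Run:", f["run_entries"])
```

Exports written by reg.exe are UTF-16 with a byte-order mark, so open a real file with `encoding="utf-16"` before passing its contents to parse_reg_export. The data fields of a finding (pth, mg, p, w) give the paths to the executable and the demand files, which is what a responder needs to collect before cleaning the machine.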
- Using yourfiles2014@yahoo.com
The Trojan places an HTML file with the following contents in the startup folder:
All files on your computer have been encrypted with a crypto-secure algorithm!!!
It is impossible to decrypt the files without a unique password!
Any attempt to decrypt a file without the password will lead to its permanent damage!
The decryptor costs 5,000 rubles.
You can purchase the decryptor and the password by sending a message to
yourfiles2014@yahoo.com.
If you want to make sure that we can decrypt your files, attach any encrypted file to your message and we will send you its original copy.
The Trojan sets the following image as a desktop background:
- Using restorefiles2014@yahoo.fr
The Trojan places an HTML file with the following contents in the startup folder:
All files on your computer have been encrypted with a crypto-secure algorithm. It is impossible to decrypt the files without a unique password and not knowing the encryption type!
Any attempt to change a file name, file structure, or decrypt a file using decryptors available on the Internet will lead to its permanent damage.
The decryptor costs 5,000 rubles.
You can purchase the decryptor and the password by sending a message to
restorefiles2014@yahoo.fr.
If you want to make sure that we have the decryptor, attach any encrypted file to your message and we will send you its original version.
The Trojan sets the following image as a desktop background:
- Using filescrypt2014@foxmail.com
Currently, data encrypted by any Trojan belonging to the Trojan.Encoder.398 family can be fully recovered with a success probability of 90 per cent.