.. but security researchers already cracked it According to security experts from Cylance, in the underground world of ransomware peddlers, there’s no ransomware kit better than AlphaLocker, sold by a Russian malware coder for around $65.
Luckily for us, other security experts have already cracked its secrets over the past weekend, and a decrypter was published that helps any of the infected victims recover their files for free, without paying the ransom.
Nevertheless, here’s a small intro into how crooks are creating, advertising, and then selling ransomware on the underground market.
Start your own ransomware crime career for just $65
Cylance says that AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen.
The Russian coder seems to have cloned this repo before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2.
Unlike other ransomware offerings which are MaaS (Malware-as-a-Service) services, AlphaLocker is not offered as a hosted service through which its creator gets a cut from all your successful infections.
Instead, the ransomware is sold in the classic meaning of the word, the crook offering each buyer a downloadable package that contains the ransomware executable, the master decryptor binary, and a PHP & MySQL-based admin panel to manage infections.
AlphaLocker is constantly updated
Cylance says that the ransomware’s author is paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.
“There is another critical point worth mentioning here. AlphaLocker is based on the Eda2 project, by Utku Sen. This was an ‘open source’ ransomware project,” the Cylance team emphasized. “This is a CRITICAL point. Not only is the behavior blatantly and contextually malicious, but the actual source code is public and easy to find. […] There is no reason why any reputable AV product should fail to detect this ransomware.”
Nevertheless, it appears that most antivirus engines do, and that’s why the ransomware has already made some victims in the past few weeks.
AlphaLocker encryption system: professional, but flawed
As for its technical capabilities, AlphaLocker, just as EDA2, has a sound encryption system that’s hard to find cracks in. Fortunately, as mentioned above, someone did.
AlphaLocker’s encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user’s computer and saving the private key to its server.
On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.
To decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.
All of these details are part of a series of ads, which the ransomware author has plastered all over underground hacking forums ever since March 2016.