It is a good day when a ransomware programmer channels their noobness and releases an insecure ransomware. This is the case with a new variant of the NoobCrypt Ransomware that was discovered by security researcher Jakub Kroustek. Living up to its name, the developer of NoobCrypt uses the same encryption key for every victim. This allowed Jakub to easily retrieve the password and post it on Twitter for victims to use.
NoobCrypt gets its name from taunts found in the executable’s source code. These taunts are displayed when victims enter various passwords in the key field to try to decrypt their files. For example, as seen in the source code below, when a victim enters 123, the ransomware displays an alert that taunts them with the message “123 is not the code! You idiot. GO PAY IF U WANT UR PC BACK. NOOB HAH”.
Looks like the joke is on the ransomware dev, as thanks to Jakub we have a list of known decryption keys that a victim can use to decrypt files affected by NoobCrypt.
When a user is infected with NoobCrypt, they will be shown a ransom lock screen like the one below. This lock screen states “Your personal files are encrypted” and that it was “Made in R0MANIA”, and it lists the bitcoin address that payment must be sent to and the amount of the ransom.
As each release of NoobCrypt has a specific bitcoin address and ransom amount associated with it, we can use this information and the table below to determine the decryption key. With the help of Jakub, the known list of passwords and how to identify which version you are infected with is below.
Once the associated decryption key is identified, a victim needs to enter it into the Key field of the ransom screen and then click the Check button. If the key is accepted, it will display a message and decrypt the victim’s files.
If the key is not accepted, simply send us a sample of the executable and we will retrieve the key for you.