CryptoWire Ransomware with Decryption Key

AhnLab SEcurity intelligence Center (ASEC) has confirmed that CryptoWire ransomware, which is built on open-source code and was widely distributed in 2018, is currently being distributed.

[Figure 1] CryptoWire Github

CryptoWire ransomware is mainly distributed through phishing emails and is characterized by being written as an AutoIt script.

main function

The ransomware copies itself to the “C:\Program Files\Common Files” path and registers a scheduled task so that it persists across reboots.

[Figure 2] Registering work schedule
[Figure 3] Registered task schedule

To extend encryption beyond the local host, it enumerates the locally connected network environment, saves the results as domaincheck.txt on the desktop, and enumerates the accounts created on the system.

[Figure 4] Part of source code related to encryption expansion

It also empties the Recycle Bin and deletes Volume Shadow Copies to prevent recovery.

[Figure 5] Decryption prevention

Encrypted files are renamed in the form [existing file name].encrypted.[existing extension], and a window pops up asking the victim to purchase a decryption key to decrypt the files.

[Figure 6] Encryption extension
[Figure 7] Ransom note

A distinctive characteristic of this ransomware is that it carries its own decryption key. Some variants embed the decryption key directly in the AutoIt script, as shown in [Figure 8]; others send the decryption key, together with information about the infected system, to the attacker’s server, as shown in [Figure 9].

[Figure 8] Decryption key
[Figure 9] Source code related to C2 server connection
[Figure 10] Decryption key sent to C2 server
[Figure 11] Decryption completed screen
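The three host and network indicators described above (the `.encrypted.` rename pattern, the desktop `domaincheck.txt` artifact, and the C2 URL path from the IoC list) can be turned into a small offline triage check. The following is an added example written for this post; it is not ASEC's code and is not derived from the ransomware's AutoIt script. The file paths, the proxy-log line format and the `c2-host.invalid` hostname are constructed placeholders.

```python
"""Triage helper for the CryptoWire host and network artifacts described above.

Added example; not ASEC's code and not derived from the ransomware's AutoIt script.
Every input below is constructed inline so the script runs offline.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Encrypted files are renamed "<original name>.encrypted.<original extension>".
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.encrypted\.(?P<ext>[^.\\/]+)$")

# File the ransomware writes to the desktop while enumerating the local network.
NETWORK_ARTIFACT = "domaincheck.txt"

# URL path of the C2 endpoint from the IoC list; the host is matched separately.
C2_PATH = "/bot/log.php"


def original_name(file_name: str) -> Optional[str]:
    """Undo the rename: 'report.encrypted.docx' -> 'report.docx'; None if no match."""
    m = ENCRYPTED_NAME.match(file_name)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None


def find_encrypted_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each encrypted path with the original path it should be restored to."""
    hits = []
    for path in paths:
        folder, _, name = path.rpartition("\\")
        restored = original_name(name)
        if restored is not None:
            hits.append((path, f"{folder}\\{restored}" if folder else restored))
    return hits


def find_network_artifact(paths: Iterable[str]) -> List[str]:
    """Return desktop copies of domaincheck.txt, an indicator that precedes encryption."""
    return [
        p for p in paths
        if p.rpartition("\\")[2].lower() == NETWORK_ARTIFACT
        and p.rpartition("\\")[0].lower().endswith("\\desktop")
    ]


def flag_c2_requests(proxy_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, host) for requests whose path matches the reported C2 endpoint.

    Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'.
    Matching on the path rather than the host still catches a relocated server,
    but it will also flag an unrelated site that happens to serve /bot/log.php,
    so the host is returned for the analyst to compare against the published IoC.
    """
    hits = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the triage
        url = urlparse(fields[3])
        if url.path == C2_PATH:
            hits.append((fields[1], url.hostname or ""))
    return hits


def triage(paths: Iterable[str], proxy_lines: Iterable[str]) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by indicator type."""
    paths = list(paths)
    return {
        "encrypted_files": find_encrypted_files(paths),
        "network_artifact": find_network_artifact(paths),
        "c2_requests": flag_c2_requests(proxy_lines),
    }


# Constructed sample data; none of these paths or hosts come from a real incident.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.encrypted.docx",
    r"C:\Users\alice\Documents\data.tar.encrypted.gz",   # multi-dot original name
    r"C:\Users\alice\Documents\notes.encrypted",         # no trailing extension: not the pattern
    r"C:\Users\alice\Desktop\domaincheck.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
SAMPLE_PROXY_LOG = [
    "2024-02-20T10:01:02Z 10.0.0.12 GET http://intranet.example/index.html 200",
    # c2-host.invalid is a placeholder standing in for the address in the IoC list.
    "2024-02-20T10:01:07Z 10.0.0.12 POST http://c2-host.invalid/bot/log.php 200",
    "2024-02-20T10:02:11Z 10.0.0.33 GET http://files.example/bot/log.php?id=7 404",
    "garbage line",
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_FILES, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {len(findings)}")
        for item in findings:
            print("   ", item)
```

The rename check is the most useful of the three for recovery planning: because the original extension survives in the last component, the pre-encryption file name can be reconstructed for every affected file before any decryption is attempted. The C2 check deliberately reports the host rather than filtering on it, since the published address may change between campaigns.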

Ransomware whose decryption key can be recovered is uncommon; in general, decryption is very difficult, so users should be cautious about executing files from unknown sources. Suspicious files should be scanned with antivirus software, and the antivirus engine should be kept up to date.

[File Diagnosis]
– Trojan/Win.Kryptik.C5576563 (2024.01.20.00)
– Ransomware/Win.bcdedit.C5590639 (2024.02.20.00)

[Behavior Diagnosis]
– Malware/MDP.Ransom.M1171

[MD5]
– cd4a0b371cd7dc9dab6b442b0583550c
– a410d4535409a379fbda5bb5c32f6c9c

[C2]
– hxxp://194.156.98[.]51/bot/log.php