Fortinet has discovered a new open-source PHP ransom malware that has been targeting web sites using a simple encryption algorithm that is effective enough to really frighten web server owners. What is more interesting, however, is the information we have uncovered regarding the possible roots of the attacks/attackers.
Basing only on the email address that it uses for ransom negotiations, “firstname.lastname@example.org”, victims and researchers alike may make an obvious guess where the attacks may have come from. However, our investigation reveals otherwise. For this reason, researchers may need to use a more appropriate name besides “JapanLocker”.
Our investigation team not only found the archive of this malware’s source, which enabled us to analyse its encryption process, it has also uncovered an Indonesian hacking team who used to specialize on defacing web sites, but now uses those same skills to encrypt web site files for profit.
As mentioned, this malware uses PHP to encrypt files, which is an appropriate platform to execute inside web servers. For now, we can only speculate what kind of tools or exploits were used to insert the malware into the servers.
As a result of our investigation, we were able to acquire the open-source code of the ransom malware, dubbed as “shc Ransomware” or “SyNcryption” by its creator named “ShorTcut”.
The ransomware’s panel is fairly straight-forward. It includes a textbox for the directory or file to be encrypted, an option to “lock” or “unlock” (encrypt or decrypt), and a “Save Mode” option to delete itself from the system.
Fig.1 sch Ransomware panel
Comparing sch Ransomware with “JapanLocker” encrypted files reveals an undeniable similarity. Aside from the different email addresses they use, the latter has an embedded ransom “lock” image and a ransom note with fancier HTML formatting. Other than that, however, they’re practically the same in terms of the infection marker and the encryption file content format (aside from the fact the we were able to use this script to decrypt the actual infected files, of course *wink*). This led us to believe that they are based on the same source code, with only a few alterations.
Fig.2 Comparison of sch Ransomware (top) and “JapanLocker” (bottom 2) comparison
Figuring out the encryption code of the malware was basic enough, since it only uses a simple combination of Base64 encoding, ROT13, and top-bottom swapping.
Fig.3 Encryption routine
This means the files can be easily decrypted by reversing the process. Conveniently, the decryption routine is already included in the same PHP source. A standalone decryptor tool is also provided in this article’s Appendix section.
Fig.4 Decryption routine
The final structure of the encrypted file is in HTML format, with the marker and the encrypted file content treated as comments. In addition, every encrypted file is appended with the b64-encoded ransom image and the ransom note. However, for some reason, the malware does not change the file extension of the encrypted files – losing some sense of the effectiveness in using the HTML format.
Fig.5 File structure of the encrypted file
Fig.6 Encrypted file opened as HTML
Before we uncovered a clue revealing the malware’s existence crossed our radar, the Fortinet team only had encrypted samples downloaded from compromised web sites to work with. Looking for a malware sample to analyse the encryption algorithm, and discover the possible attackers, was a tricky business that required a great deal of digging.
Our investigation started with several sites that had been compromised by the ransom malware, and we used some unique details from the encrypted files’ structure to find more connections that we could work with.
Fig.7 An encrypted document from a compromised Indonesian web site
While scouring the web for other servers with similar infections, another Indonesian site came up. Based on its Google cache information, the infection occurred around October 6th – which was fairly recent.
Fig.8 Another encrypted file with similar structure from a compromised Indonesian web site
The most interesting part of this encryption information was the email address, “shor7cut@localhost”, which is obviously not in the format of a real email. After further digging, we discovered that this and other addresses were actually the aliases of hackers from an Indonesian hacking team that was responsible for the defacing and encrypting of several web servers.
Follow the shor7cut
Tracking the alias led us to several web sites that had been defaced by the group, and they have clearly been very busy.
Fig.9 Sites defaced shor7cut’s (sometimes with “t”) team
Note that these defaced web sites have Indonesian messages all over the place. Another interesting detail is the mention of their team name on the last image - “Indonesia Defacer Tersakiti”.
So, who are they and how were they able to hack into these sites, deface them, and then execute ransomware? We can only speculate, but we have uncovered some solid clues.
Just a slight detour and we are almost there.
To learn more about our actor, we decided to learn more about his other activities.
In the hacking forum indonesianbacktrack.or.id, a member with the name of “shor7cut” posted an automated exploitation tool that uses shodan.io, a search engine designed to gather information on internet-connected devices. As the post claims, this tool automatically scans for vulnerable sites, a step that simplifies the infiltration of web servers. In this post, a link to the script tool was provided, which led to even more interesting information.
Fig.10 An exploit tool posted by shor7cut in a hacking forum
In the header of the advertised script tool is information about “shor7cut,” with a link to a Facebook page.
Fig.11 Link from the forum post leading to a script tool stored in Pastebin
In the header of this script was information about the author (Short7cut) and a link to the Facebook page of a group called “bug7sec”.
The page looks interesting and strange at the same time: they sell Raspberry Pi 3 devices and provide some services. They even have a specified location in Jakarta. But the most interesting part is that when you click “Learn More” it leads to the Github page of the group.
Fig.12 Facebook page of Bug7sec.
The group’s GitHub page contains two versions of open-source ransomware, which they have developed using PHP – the same ransomware used by “JapanLocker”.
Our analysis of the two versions revealed that there is a very strong resemblance between the files encrypted by the first version (“v1”) and “JapanLocker,” both in terms of their infection markers (“<!--#LOCK#”) and the appearance of the file content encryption. Our hypothesis that these were using the same code was further supported by the fact that, during testing, the encrypted files we gathered from compromised websites were able to be successfully decrypted by the first version.
Fig.13 Github page of Bug7sec.
Fig.14 sch Ransomware (“v1”) source code uses the same marker as “JapanLocker”
Using the information we uncovered about “shor7cut” and the Indonesian-based hacking team’s capabilities to deface sites, create exploit tools, and ransom malware, we tried to find more clues as to their real identities.
Our continued investigation uncovered some interesting videos that had been posted by an account named “Pay Scure”. The videos demonstrated some exploits for Joomla, a website platform, but what got our attention was a video titled “Sql Base64” that showed how to perform SQL injections on vulnerable sites. Another interesting detail was the mention of a link (tagged as “my fp”) on the video’s description, which led to the Facebook page of “Defacer Tersakiti” - the same hacking team responsible for the previously mentioned web-defacing attacks.
Fig.15 Youtube video post involving shor7cut with Facebook page to their hacking group
It appears that team members of this hacking group post their site-defacing work on this Facebook page. One particular recent post was an attack by a member named “MALIKAT GALAU” (Google-translated as “Troubled/Confused Angel”).
Fig.16 Facebook page of “Defacer Tersakiti Team” posting recent site-defacings
Fig.17 A website defaced by shor7cut and malaikat Galau
Going back to the video we discovered, there is a brief moment during the demonstration when the hacker may have slipped his guard and revealed his identity.
At 1m:11s into the video, the demonstrator minimized some windows, and in doing so a Facebook page was briefly exposed. Closer inspection uncovered that this page was a logged in account, which strongly suggests that it is the Facebook page of the video poster and the demonstrator – in other words, the hacker himself.
A closer inspection on the Facebook page suggests that while the user uses a VPN or proxy browser plugin, at the time that the page was exposed this protection was disabled. This allowed the user’s real IP to be revealed, and it was no surprise to learn that it was located in Indonesia. Another interesting connection between the video demonstrator (hacker) and the Facebook page is the mention of his other hacker name – “Indonesia galauer’s.” This name was used in both the video and the social media page.
Fig.18 Screenshot of the video on 1m:11s.
Fig.19 A screenshot from the video (09m:37s) displaying the hacker’s nicknames
All of this information led us to possibly identifying one of the members in the Indonesian hacking team, “Defacer Tersakiti Team”. However, we also realize this just may be a bluff to twist our heads the other way. We can’t know for sure without a legal investigation. Based on the revelation of the IP address used by the hacker, combined with the date and time the video was recorded (12.03.2016 18:32), law enforcement should be able to trace its owner and conduct a more proper investigation.
Ransomware has created its own dominion in the malware landscape due to its promising profit potential. With the emergence of open-source malware codes, anyone can be tempted by the low investment cost and the possible high rewards.
As long as hackers publicize their work instead of keeping a low profile, it doesn’t take a lot of time to follow their tracks if one knows where to look. However, many hackers are masters at misdirection, making drawing conclusions a tricky business. While the evidence in this case study seems solid, our years of experience also shows that not all obvious answers can be considered to be facts.
-= FortiGuard Lion Team =-
5794d9ed081ca8ff137d32d960be62ffcfcffbbb45a280b513ad828a6e828aa1 (schRansomware v1) - PHP/schRansom.A!tr
Standalone decryptor tool for schRansomeware v1 (“JapanLocker”):