Wednesday, 15 February 2017

Targeted Attack on the National Police of Ukraine

According to the .eml file that was uploaded today to VirusTotal, unknowns tried to run a targeted attack on the National Police of Ukraine.

The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent to with the fake login page attached as an html file (MD5: 5dca48afe347db9e9f9cab9c824c122d) a week ago.

Thursday, 2 February 2017

Decrypting DeriaLock

Recently, our laboratory analyzed the new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb).

This version of DeriaLock is unique because of two reasons. First, it demands to pay the 30 USD/EUR ransom to the Skype account. Second, DeriaLock incorporates three types of functionality: SystemLocker, CryptoLocker, and FileKiller within a single attack.

If you managed to remove the DeriaLock infection and keep your encrypted files, you can start now decrypting your documents using the encryption key and initialization vector calculated by our script based on the password string extracted from the analyzed version of DeriaLock:

AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV: 9fa4ed4d89b04ee7f3b74c9b46588e18

To decrypt '.deria' files, you can use OpenSSL tool specifying the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.png
Or use our Python script or executable to decrypt all '.deria' files that can be found on your computer.