Wednesday, 15 February 2017

Targeted Attack on the National Police of Ukraine


According to an .eml file uploaded to VirusTotal today, unknown actors attempted a targeted attack on the National Police of Ukraine.

The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent a week ago to admin@police.gov.ua with a fake login page attached as an HTML file (MD5: 5dca48afe347db9e9f9cab9c824c122d).

Thursday, 2 February 2017

Decrypting DeriaLock



Recently, our laboratory analyzed the new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb) for Acronis International GmbH, the maker of a backup solution capable of defending users against ransomware attacks.

This version of DeriaLock is unique for two reasons. First, it demands a ransom of 30 USD/EUR to be paid via a Skype account. Second, it combines three types of functionality in a single attack: SystemLocker, CryptoLocker, and FileKiller. Read the Acronis blog for the attack details.

If you have managed to remove the DeriaLock infection and still have your encrypted files, you can now start decrypting your documents using the encryption key and initialization vector that our script derived from the password string extracted from the analyzed version of DeriaLock:

AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV: 9fa4ed4d89b04ee7f3b74c9b46588e18

To decrypt '.deria' files, you can use the OpenSSL tool, specifying the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.png
Or use our Python script to decrypt all '.deria' files found on your computer.
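As an added example (not the laboratory's Python script or Acronis code), the same recovery written in Go with only the standard library: it walks a directory tree, decrypts every *.deria file with the key and IV above, keeps the encrypted copy, and refuses to write output when the PKCS#7 padding check fails. Like the openssl command above, it assumes the sample used OpenSSL's default PKCS#7 padding; that assumption and the skip-on-error behaviour are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Key and IV recovered from the analyzed sample (quoted above); the 32-byte key selects AES-256.
var deriaKey, _ = hex.DecodeString("9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743")
var deriaIV, _ = hex.DecodeString("9fa4ed4d89b04ee7f3b74c9b46588e18")
var deriaBlock, _ = aes.NewCipher(deriaKey)

// DecryptDeria reverses AES-256-CBC and strips PKCS#7 padding (OpenSSL's default, assumed here).
func DecryptDeria(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of the AES block size", len(ciphertext))
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(deriaBlock, deriaIV).CryptBlocks(plain, ciphertext)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.HasSuffix(plain, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("invalid PKCS#7 padding: wrong key/IV or not a DeriaLock file")
	}
	return plain[:len(plain)-pad], nil
}

// DecryptTree decrypts every *.deria file under root next to its kept encrypted copy; failures are logged and skipped.
func DecryptTree(root string) (n int, err error) {
	err = filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() || filepath.Ext(path) != ".deria" {
			return walkErr
		}
		buf, err := os.ReadFile(path)
		if err == nil {
			buf, err = DecryptDeria(buf)
		}
		if err != nil {
			fmt.Fprintf(os.Stderr, "skipping %s: %v\n", path, err)
			return nil
		}
		n++
		return os.WriteFile(path[:len(path)-len(".deria")], buf, 0o600)
	})
	return n, err
}
```

Run it against a copy of the affected directory first; a file that is not a multiple of 16 bytes or whose padding does not verify is reported and left untouched.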