Looking Inside The Hood Of Malware

This is a post series on cyber crime. For more posts click here or the cybercrime tag below.


In this post we are going to take a look inside the guts of a ransomware program. How this stuff comes about is unknown, but there are some clues. The key thing is that the malware relies on the anonymity of the Tor network (the Onion Router), and in newer variants on I2P, to hide its operators and its command servers.

Hacker Lexicon: A Guide to Ransomware, the Scary Hack That’s on the Rise

What is Onion Ransomware?

The “Onion” is an encrypting ransomware which encrypts user data and uses a countdown mechanism to scare victims into paying for decryption in Bitcoins. The cybercriminals claim there is a strict 72-hour deadline to pay up, or all the files will be lost forever. Kaspersky Lab calls the malware the “Onion” because it uses the anonymous network Tor (the Onion Router) to hide its malicious nature and to make it hard to track the actors behind this ongoing malware campaign.

Technical improvements to the malware have made it a potential successor to Cryptolocker, a truly dangerous threat as one of the most sophisticated encryptors today.

How Onion Ransomware Works

To transfer secret data and payment information, the Onion communicates with command and control servers located somewhere inside the anonymous network. Hiding the command server in an anonymous Tor network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server.


Seemingly for innocent or just plain stupid reasons, academic computer scientist types come up with the stuff and then let it out into the world, with unsurprising results.

Ransomware author’s bravado shot down by release of decryption keys


Trillium Toolkit Leads to Widespread Malware

You take a piece from one bit of code and something from another, and you end up with the nasty thing below.

The sample discussed in this analysis (MD5 47363b94cee907e2b8926c1be61150c7) exhibited minor anti-reversing and anti-debugging techniques in the form of junk code, hidden internal PE, and a segment-register modification. Eventually, the dropped payload file (MD5 919034c8efb9678f96b47a20fa6199f2) was clean of anti-probing techniques.


First, the CW3 malware generates a unique computer identifier by calculating an MD5 hash on the following string:


Next, the malware generates the hexadecimal string representation of the MD5 hash of the above string. This hexadecimal string will be referred to as the CUUID.

The malware then tries to open a new event called /BaseNamedObjects/{CUUID} to make sure it is the only instance running on a system, otherwise it terminates. If it doesn’t terminate, the malware proceeds to calculate the CRC32 of the CUUID, generates the hexadecimal representation of this new result, and finally appends an .exe suffix. This results in a somewhat random filename which the malware stores locally on the victim’s computer.


In short: ToHexString(CRC32(ToHexString(MD5(ComputerDetails)))).exe

CW3 then proceeds to copy that file into the default Startup directory and register it into the Run and RunOnce registry keys (under HKLM or HKCU, depending on whether it’s running as administrator or not).

In contrast with CW2, where the file name was merely the CUUID, CW3 adds the CRC32. However, as with CW2, the persistence methods are erased once the malware finishes its job and it uninstalls itself.
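The derivation chain above is worth having as code, because everything a responder can look for on a host (the guard event, the dropped file name, the Run keys) falls out of one input. The following is an added example, not code from the Check Point write-up or from the malware; the host string is a constructed placeholder (the page does not reproduce the real one), and the rendering of the CRC32 as eight lowercase hex digits with a standard CRC32 is assumed, since the analysis gives the formula but not the exact formatting.

```python
import hashlib
import re
import zlib

# Constructed stand-in for the machine-specific string the sample hashes.
# The real string is not reproduced on this page, so this is only a placeholder.
SAMPLE_COMPUTER_DETAILS = "DESKTOP-EXAMPLE|6.1.7601|C3A9-77F2"


def cuuid_from(details: str) -> str:
    """Hex MD5 of the host string: the CUUID the sample uses everywhere else."""
    return hashlib.md5(details.encode("utf-8")).hexdigest()


def event_name(cuuid: str) -> str:
    """The single-instance guard object; a second copy finding it open exits."""
    return f"/BaseNamedObjects/{cuuid}"


def dropped_filename(cuuid: str) -> str:
    """ToHexString(CRC32(CUUID)) + '.exe'.

    Assumes standard (IEEE) CRC32 rendered as eight lowercase hex digits; the
    page gives the formula but not the exact rendering."""
    return f"{zlib.crc32(cuuid.encode('ascii')) & 0xFFFFFFFF:08x}.exe"


def persistence_artifacts(details: str, is_admin: bool) -> dict:
    """Everything a responder can look for on a host, derived from one input."""
    cuuid = cuuid_from(details)
    hive = "HKLM" if is_admin else "HKCU"
    base = f"{hive}/SOFTWARE/Microsoft/Windows/CurrentVersion"
    return {
        "cuuid": cuuid,
        "event": event_name(cuuid),
        "file": dropped_filename(cuuid),
        "run_key": f"{base}/Run",
        "runonce_key": f"{base}/RunOnce",
    }


CW3_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$")


def looks_like_cw3_drop(filename: str) -> bool:
    """Cheap triage filter: an 8-hex-digit .exe in Startup or a Run key is worth
    a look. It is only a shape check; confirm with persistence_artifacts()."""
    return bool(CW3_NAME_RE.match(filename.lower()))


if __name__ == "__main__":
    for k, v in persistence_artifacts(SAMPLE_COMPUTER_DETAILS, is_admin=False).items():
        print(f"{k:12} {v}")
```

The point of the shape check is that the file name carries no meaning on its own; it only becomes attributable once you can recompute it from the host, which is why the CUUID recurs as the mutex name and the registry key name.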


Before starting its intended task, and even before persisting on the system, the malware spawns a new suspended explorer.exe process, allocates some memory inside it, and writes a designated code section into the process. It creates a remote thread and calls NtResumeThread on it. Once it is running as explorer, it performs the actions described in the above persistence routine, and starts downgrading the host system’s security. It begins by patching RtlQueryElevationFlags to prevent the UAC elevation dialog for certain actions (technique described in detail here http://www.rohitab.com/discuss/topic/38607-disable-uac-elevation-dialog-by-patching-rtlqueryelevationflags-in-windows-explorer/).

The malware calls WinExec(“vssadmin.exe Delete Shadows /All /Quiet”), which deletes “shadow copies” (automatic filesystem snapshots that Windows routinely takes for you with the Volume Snapshot Service).

It calls WinExec(“bcdedit /set {default} recoveryenabled No”), which disables Startup Repair from automatically booting when there is a problem.

It calls WinExec(“bcdedit /set {default} bootstatuspolicy ignoreallfailures”), which disables windows error recovery on startup.

The malware stops the following services, and changes them so they do not begin on startup:

Wscsvc | WinDefend | Wuauserv | BITS | ERSvc | WerSvc

Deletes the registry key HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run.Windows Defender – to prevent Windows Defender from starting automatically on system boot.

Deletes the registry key HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellServiceObjects/{FD6905CE-952F-41F1-9A6F-135D9C6622CC} – used to disable the security center notifications.

And finally, writes HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRestore.DisableSR = "1" – to disable System Restore.
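The recovery-sabotage sequence above is the most detectable part of the whole infection, because vssadmin and bcdedit are run as child processes with distinctive command lines, and explorer.exe (the injected host) is the parent. Here is an added example of detection logic over constructed process-creation records; it is not code from the original analysis. The log shape is invented, and the sc/net stop lines for the service tampering are an assumption, since the page says the services are stopped and disabled but not whether that happens via tooling or the service control API.

```python
import re
from typing import Iterable, List, Tuple

# Constructed process-creation records (timestamp, parent image, command line)
# in a Sysmon-like shape. Not real telemetry.
SAMPLE_LOG = [
    "2016-06-20T10:01:02 parent=explorer.exe cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2016-06-20T10:01:03 parent=explorer.exe cmd=bcdedit /set {default} recoveryenabled No",
    "2016-06-20T10:01:03 parent=explorer.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2016-06-20T10:01:04 parent=explorer.exe cmd=sc config WinDefend start= disabled",
    "2016-06-20T10:01:05 parent=explorer.exe cmd=net stop wuauserv",
    "2016-06-20T10:05:00 parent=cmd.exe cmd=vssadmin.exe List Shadows",
    "2016-06-20T10:06:00 parent=cmd.exe cmd=bcdedit /enum",
]

# Services CW3 stops and sets not to start, per the analysis above (lower-cased).
TARGET_SERVICES = {"wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# The page does not say how the sample stops services (API or tooling); these
# two command shapes are assumptions covering the common command-line routes.
SERVICE_RE = re.compile(
    r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b|\bnet(?:\.exe)?\s+stop\s+(\S+)", re.I)

RECORD_RE = re.compile(r"parent=(\S+)\s+cmd=(.*)$")


def classify(cmdline: str) -> List[str]:
    """Return the tamper categories a single command line matches."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = SERVICE_RE.search(cmdline)
    if m:
        svc = (m.group(1) or m.group(2)).lower()
        if svc in TARGET_SERVICES:
            hits.append(f"security_service_tampering:{svc}")
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """(parent, cmdline, hits) for every record that matches at least one rule."""
    findings = []
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue
        parent, cmd = m.groups()
        hits = classify(cmd)
        if hits:
            findings.append((parent, cmd, hits))
    return findings


def distinct_categories(findings) -> set:
    """Collapse per-service hits so one host's tampering counts as one family."""
    return {h.split(":")[0] for _, _, hits in findings for h in hits}


def verdict(findings) -> str:
    """Three or more categories from a single parent is the CW3 pattern; one
    alone (an admin running vssadmin, say) is only worth a look."""
    cats = distinct_categories(findings)
    parents = {p for p, _, _ in findings}
    if len(cats) >= 3 and len(parents) == 1:
        return "high"
    return "medium" if cats else "none"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for parent, cmd, hits in found:
        print(parent, "->", cmd, hits)
    print("verdict:", verdict(found))
```

Each rule on its own has benign explanations (backup software deletes shadows, support staff touch bcdedit), which is why the verdict keys on the combination and on a single parent doing all of it within seconds; the benign lines at the end of the sample are there to show that listing shadows or enumerating the boot store does not fire.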

Main Payload

A “svchost.exe –k netsvcs” is spawned, suspended, and injected with a thread executing the main payload, which performs the rest of the malware’s work.

The sample needs a key to encrypt the files, and it contacts the home server to request one. The communication and encryption CW3 uses are similar to, but different from CW2.

First, CW3 generates a 10-15 character long random alphanumeric string, and uses the sorted version of it as an RC4 key for the message it is about to send, an introduction message for the server:


(in CW2 the “1” at the end is a “4”)

The key will also be used to decrypt the server’s reply. Next, the malware needs to find a home server to contact. It keeps a very short, hard-coded list of i2p proxies – “proxy1-1-1.i2p” and “proxy2-2-2-.i2p” (newer samples have more proxies – up to “proxy5-5-5.i2p”). This utilization of i2p is new in CW3. While i2p is similar to Tor, it has numerous architectural and design differences; the most relevant difference is Tor’s central-oriented directory listing versus i2p’s peer to peer, dynamic listing.

CW2 used a few “Tor to web” services to bridge the gap between Tor-only sites (such as those used to pay ransom) and victims’ non-Tor computers that couldn’t access these sites unless they installed the Tor client. However, censors blocked CW2 from using those bridging services once its usage of them became known. i2p is harder to detect and block, as it’s not kept in a centralized location. In addition to using i2p proxies, CW3 also keeps a short, hard-coded and RC4-encrypted list of IP and port pairs, which it decrypts using the hard-coded key “6hehbz4fp” into the following list:



The malware then connects to the chosen endpoint and makes an HTTP request for the proxy name, with the object name being the unsorted RC4 key. The content of the HTTP request is “(last letter of sorted RC4 key)=(RC4 encrypted message)”. It looks like this:



The server’s RC4-encrypted reply includes the infected computer’s two letter country code, the victim’s unique payment page, and the public key that the server generated for this victim.



The country code undergoes CRC32 and is matched against a table of “forbidden” country code hashes. If matched, the virus immediately uninstalls itself and terminates. In CW2, this contained four forbidden countries: RU, BY, KZ, and UA (for Russia, Belarus, Kazakhstan and Ukraine, respectively). CW3 adds a fifth forbidden entry “AM” for Armenia.
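The beacon format above has an analyst-friendly property: the RC4 key travels in the URL path, so anyone holding a capture can decrypt the body. The block below is an added example of both sides of that exchange plus the country-code gate, not code from the malware or from the Check Point analysis. Assumptions: "sorted" is taken as byte-order sorting, the ciphertext is taken to be hex-encoded in the body (the page shows neither detail), and the message text and reply are constructed placeholders, since the real introduction message is not reproduced on this page.

```python
import random
import string
import zlib

ALNUM = string.ascii_letters + string.digits


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def new_session_key(rng: random.Random) -> str:
    """10-15 random alphanumerics, as CW3 generates per message."""
    return "".join(rng.choice(ALNUM) for _ in range(rng.randint(10, 15)))


def sorted_key(session_key: str) -> str:
    """CW3 keys RC4 with the sorted string. Byte-order sort is assumed; the
    page says 'sorted' without naming the order."""
    return "".join(sorted(session_key))


def build_request(proxy: str, session_key: str, message: bytes):
    """Client side: URL path is the unsorted key; body is '<last sorted char>=<ciphertext>'.
    Hex encoding of the ciphertext is an assumption; the page does not say."""
    sk = sorted_key(session_key)
    body = f"{sk[-1]}={rc4(sk.encode('ascii'), message).hex()}"
    return f"http://{proxy}/{session_key}", body


def decode_request(url: str, body: str) -> bytes:
    """Analyst side: everything needed to decrypt a captured beacon is in the
    request itself, because the key travels in the URL."""
    session_key = url.rsplit("/", 1)[1]
    sk = sorted_key(session_key)
    field, _, hexct = body.partition("=")
    if field != sk[-1]:
        raise ValueError("body field name is not the last char of the sorted key")
    return rc4(sk.encode("ascii"), bytes.fromhex(hexct))


def decode_reply(session_key: str, reply_ct: bytes) -> bytes:
    """The server answers under the same sorted key."""
    return rc4(sorted_key(session_key).encode("ascii"), reply_ct)


# CW3 compares CRC32(country code) against a table of hashes rather than the
# codes themselves; rebuilding the table from the page's list does the same.
FORBIDDEN_CC_CRC32 = {
    zlib.crc32(cc.encode("ascii")) & 0xFFFFFFFF for cc in ("RU", "BY", "KZ", "UA", "AM")
}


def must_uninstall(country_code: str) -> bool:
    """The gate the sample applies to the country code in the server's reply."""
    return (zlib.crc32(country_code.encode("ascii")) & 0xFFFFFFFF) in FORBIDDEN_CC_CRC32


if __name__ == "__main__":
    rng = random.Random(1)
    key = new_session_key(rng)
    url, body = build_request("proxy1-1-1.i2p", key, b"constructed intro message")
    print(url, body)
    print(decode_request(url, body))
```

Note what the scheme does and does not buy the operators: RC4 under a per-message key hides the plaintext from a casual look at the wire, but the key is recoverable from the same request, so this is obfuscation against signatures rather than confidentiality. The real secrecy comes from the i2p transport, not the cipher. The fact that the country list lives as CRC32 hashes is why it took string-matching on decoded constants, rather than grepping for "RU", to recover it.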



CW3 then unpacks a lot of internally stored HTML files, all of them identical except that each one is in a different language, and tries its best to match the country code of the victim with the right language.

These HTML files are the “your files have been encrypted” message.

The malware calculates the MD5 hash of the server’s public key and sends it back to the server using a new RC4 key, in the following format:

{7|CAMPAIGN_IDENTIFIER|CUUID|2|Hex Representation of Hash}

The response from the server contains a user-unique PNG file, effectively a splash-screen for the ransomware.

This second message (and reply) did not appear in CW2. Finally, CW3 begins the encryption process, iterating over all letter drives in the system (except for CD drives) and recursively encrypting all files with specific suffixes. The malware excludes certain directories and specific files, but the encrypted files list has expanded greatly from CW2 to the following in CW3:

Note that these suffixes represent only 311 out of 312 suffixes. The last one is probably a unique long suffix (like the above db-journal).

The encryption process has changed from CW2 to CW3. CW3 starts the same as CW2 by creating a file with the same name as the target file, adding a random alphanumeric suffix, reading the content of the target file and encrypting it into the temporary file, then renaming the temporary file to overwrite the target file.

However, unlike CW2, instead of using the server’s public key for encryption, in CW3 a local AES-256 key is generated using Windows API and used for all encryption purposes. The header of each encrypted file has also changed, and is now composed of the 16-byte MD5 hash over the server’s public key, followed by the AES-256 key encrypted by the server’s public key. In this way, CW3 took a big performance leap by using symmetric encryption and only encrypting the symmetric key with the public key.

Every file encrypted is saved in the registry under HKCU/Software/(CUUID)/(sorted 2nd half of CUUID)/(FullFilePath) = (Volume Serial Number)
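The header layout above (16-byte MD5 of the server's public key, then the wrapped AES-256 key, then ciphertext) and the registry inventory are the two things a responder can actually use when triaging a hit machine. What follows is an added example of parsing that layout and clustering files by key hash, not code from the analysis or the malware. The length of the wrapped key is an assumption (256 bytes, one RSA-2048 block; the page gives the layout but no size), and the sample files are constructed, with opaque bytes standing in for the wrapped key: no RSA or AES operation is performed here, only the header format is exercised.

```python
import hashlib
from typing import Dict, List, NamedTuple


class CW3Header(NamedTuple):
    key_hash: bytes      # MD5 of the server's public key (16 bytes)
    wrapped_key: bytes   # the AES-256 key, encrypted with that public key
    ciphertext: bytes    # the original file's contents under AES-256


def parse_encrypted_file(blob: bytes, wrapped_key_len: int = 256) -> CW3Header:
    """Split a CW3-encrypted file into its header fields.

    wrapped_key_len is an assumption (256 bytes, one RSA-2048 block); the page
    states the layout but not the size of the wrapped key."""
    end = 16 + wrapped_key_len
    if len(blob) < end:
        raise ValueError("too short to carry a CW3 header")
    return CW3Header(blob[:16], blob[16:end], blob[end:])


def matches_public_key(header: CW3Header, public_key: bytes) -> bool:
    """True if this file was keyed by the given server public key."""
    return hashlib.md5(public_key).digest() == header.key_hash


def group_by_key(files: Dict[str, bytes], wrapped_key_len: int = 256) -> Dict[str, List[str]]:
    """Cluster encrypted files by the key hash in their header. One victim's
    files share a hash; files from a second infection will not."""
    groups: Dict[str, List[str]] = {}
    for path, blob in files.items():
        hdr = parse_encrypted_file(blob, wrapped_key_len)
        groups.setdefault(hdr.key_hash.hex(), []).append(path)
    return groups


def inventory_key(cuuid: str) -> str:
    """Registry key under which CW3 records every file it encrypted:
    HKCU/Software/<CUUID>/<sorted second half of CUUID>/<path> = <volume serial>."""
    half = cuuid[len(cuuid) // 2:]
    return f"HKCU/Software/{cuuid}/{''.join(sorted(half))}"


# Constructed sample data: stand-in public keys and opaque wrapped-key bytes.
SAMPLE_PUBKEY = b"constructed-server-public-key"
OTHER_PUBKEY = b"constructed-other-public-key"


def make_sample(pubkey: bytes, body: bytes, wrapped_key_len: int = 256) -> bytes:
    """Build a blob in the CW3 layout for testing the parser (zeros stand in
    for the real RSA-wrapped key)."""
    return hashlib.md5(pubkey).digest() + bytes(wrapped_key_len) + body


SAMPLE_FILES = {
    "C:/Users/alice/Documents/report.docx": make_sample(SAMPLE_PUBKEY, b"ciphertext-1"),
    "C:/Users/alice/Pictures/holiday.jpg": make_sample(SAMPLE_PUBKEY, b"ciphertext-2"),
    "D:/backup/old.xls": make_sample(OTHER_PUBKEY, b"ciphertext-3"),
}


if __name__ == "__main__":
    for key_hash, paths in group_by_key(SAMPLE_FILES).items():
        print(key_hash, len(paths), "file(s)")
    print(inventory_key("ffeeddccbbaa99887766554433221100"))
```

Two practical consequences of the format: the key hash is a free grouping field (it tells you whether two encrypted shares came from one infection or two without any key material), and the registry inventory survives the uninstall, so the list of what was touched is still on the box even after the executable and Run keys are gone.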

The final message reports the amount of encrypted files to the server:


After the server sends it “1” as a response, it uninstalls itself, cleans various temporary registry values it saved except for the list of encrypted files, and terminates itself.

Anatomy of CryptoWall 3.0 – a look inside ransomware’s tactics


Ransomware, then, is a patched-together conglomeration of fairly limited pieces of code. It doesn't have to be complicated or sophisticated, because it needs no interface with any user and no elaborate command structure. It just walks every drive and folder, looks for files that match its lookup table of extensions, and encrypts them with a key generated through the Windows crypto API. The reason this is so successful is that nothing inside the file system stops it: the malware runs as the logged-in user, and that user has full rights over their own documents. Back in my UNIX days you could set the permissions on files so that they couldn't be messed with. Windows does have NTFS permissions, but they don't help here, because the process doing the encrypting holds exactly the rights of the user whose files it is after, and so once an executable gets in, you are screwed. Now that malware is attacking files directly, internal file security is going to become an issue.

Still, the ultimate defense is to start shutting these clowns down. These are serious crimes and they are hurting people and companies. There needs to be a hard crackdown with perp walks and long, long sentences. Deterrence is the best prevention.



  1. Anonymous · June 26, 2016

    I erected a fence around my house — it’s just one single fencepost, I expect the bad guys to line up behind it — but somehow the attacks keep getting through. Obviously I need to spend more on local law enforcement so they can recover my stuff, if they ever catch one of the thieves located in Whateverstan. My neighbor with the free Linux house never seems to have these problems, but he’s a kook. Some jerk published the location of my fencepost, says now everybody knows the security approach is weak and I can’t mislead customers anymore. Obviously I need to take all that customer license money and hire programmers to reorganize the menus on the word processor again.


    • jccarlton · June 26, 2016

      Two words: grow up. If you think this is about me or any other individual all by themselves, you don’t understand the social and commercial consequences of what’s happening. I would suggest looking up some stuff about high and low trust societies, but I don’t think that you would understand the way that stuff works. So you can hide behind your Tor IP and be a coward or you can face up to the fact that if things go on as they are, it’s not going to end well for anybody. The problem is that with too many fences the system will collapse.


  2. Pingback: A Good Inside Look At How Ransomware Operators Work | The Arts Mechanical
