
Cracking The Chaos Ransomware Family - Alexander

BSides Munich, 27:27, 132 views, published 2023-10

Transcript [en]

Yes, so I'm going to talk about cracking the Chaos ransomware, and this story begins in a dark place on the Internet: a hacking forum called XSS. I don't know if anyone speaks Russian here, but it says something like "I developed this new ransomware, I decided to publish it for free, here you go, it's a builder." That link is actually gone now, but if you check the web archive we can see that it looked something like this. So that's the first version. If you look into this ransomware it's actually not really a ransomware, it's more of a wiper malware, because it just overwrites every file on the system. It doesn't really encrypt anything, so there's no chance of getting anything back.

When we look into the origins of this, we can track that user posting on XSS back to another user who developed, on another forum, a ransomware called Bagley, and that one was also a wiper, by the way. So this is some person that develops this kind of wipers that just overwrite pretty much everything. But after that they actually started developing this wiper further, and in version three it actually implemented actual encryption, which turns it into a ransomware. The only problem is that every file that is larger than 2 megabytes it still just wipes, which means that you're not going to have that many files that you can get back.

So what happens when someone distributes something like this? We looked into it a bit, and you can see that it spreads like crazy and starts being used all over the place. You don't have to read everything here, it's just to show you how crazy it gets when someone develops something like this. To give you a quick example instead of going into every detail: this is the Azovstal steel plant in Ukraine, and as part of the kinetic war this was actually used at the same time that Russia was making war on Azovstal and Mariupol. They attacked the steel plant with this propaganda message. And on the other side we have kids that are trolling each other and selling the decryptor via Roblox money. So that's sort of the full scale of this, right? We have everything from actual war to kids just playing around.

So this keeps going on, and we have some forks after a while. You have something called Onyx, and then you have different branches that people call different forks, but it's really the same thing; they change the ransom note and call it something else. Where this starts to become interesting is when what you'd call proper ransomware groups actually start using this. These groups don't just target an individual PC; they break into a company, escalate to the main admin, push the ransomware everywhere, and do proper ransomware attacks. One of the groups that started using this is called VSOP. That's the same as Onyx, but they rebranded after a while, and you can see that one of the victims is a sheriff's office, for example. Another one is called SolidBit. They also use the same basic ransomware, but their own fork of it, and they also have this onion site where they publish victims, and you can trial the decryptor to see that it actually works. Another one which is kind of interesting is Killnet. Killnet actually started using this. We haven't really seen any actual successful attack by Killnet, but at least they are claiming that they're using this ransomware. So the picture keeps growing, and at this point we have VSOP, which is their own branch, we have Yashma and SolidBit and AstraLocker, and this just keeps growing.

And this is where we come into the story. It was actually a German company that called us, and I'm going to do a demo just to show you what their environment looked like. So it's going to restore this. When we look at this company we see that it's the kind of ransomware case that we do investigations of all the time at Truesec. It's not a single-PC investigation; rather, they've taken over the entire environment, they created a group policy object and pushed it everywhere, or whatever method they tend to use. In here I have a few files. You can see this one, for example, my presentation that I'm doing today, to show you that it's an actual file here. And we have onyx.exe. I didn't really have that much time to prepare this environment, so let's hope I don't screw up my real computer now. Are you ready? So it starts with this annoying Teams notification that actually keeps running for a while. Aside from that file I have a few others here as well. It keeps prompting because I'm running it interactively. But we have a few files here, and this just keeps going, trying to iterate every file on the system. When it finds one it's probably going to encrypt it, and it's very slow today. There we go. So files are renamed to .onyx, it prompts me with some kind of ransomware note, and it says that all my files are now encrypted by Onyx, go to this onion site, enter this blah blah blah to log in and chat with us. So you can imagine this company having all systems looking like that is not a great situation.

So we started looking into this, and we quickly realized that it's Chaos. When you just Google for Chaos, at the time you could see that the encryption of the files looks something like this: it has this encrypted-key tag in front, and then it's the encrypted message. But the thing is, when we looked at the files they didn't look like that at all. Instead there was this static salt in the beginning, so it always started with the same sequence, and then it had this other format, and the key was appended to the end of the file. So we figured maybe it's a good idea to look into what else was changed in this ransomware, because it said online that it had this 2 megabyte limit and basically wipes every file. We saw that the file size limit had actually changed, which, I mean, it's not a super great thing, because all their big databases and so on will still be wiped, but that important file share that has a lot of PDFs and Excel documents and whatever, we can actually maybe do something with that.

So we keep looking into this, and we see that there is a create-password function that creates a unique password for every file. It uses that password for AES, and then it encrypts with a public key, so you have RSA and AES, and it seems very solid, right? Probably nothing we can do. But let's look at that key generation function again. It says "generate a random password". Is that random really random? No, it's not. In the official documentation it actually says that you should not use it for the purpose that they're using it for. So that's interesting. I don't know that much about crypto, so I call Carl, my awesome colleague, and I ask him: is that System.Random thing actually something I can use, or is it just theoretical? And he says, yep, I already have a PoC on YouTube, it's very basic. Or not YouTube, but GitHub.

So how would this work? When we have this random function, you basically give it a seed and then it gives you something random. If you change the seed you get something completely different. Same thing if you keep changing it, you just get different output. If you give it the same input two times you're going to get the same output, so it's mapped to that seed. If you give it a negative number it's also going to give you the same, so it's the absolute value of the seed that we're going to get. So what is that seed? It's a 32-bit integer, and in an integer you can only have about two billion possible seeds. That's kind of interesting, right? The random password can probably only be two billion different passwords. That's not that much.

So we also look into the details of what they're doing here. They derive the key from that random password, but they only use one iteration, which is really, really weak, and they also use a mode called CFB, which is kind of an interesting choice. So we can actually look at it: you take the seed, you generate the random password, you derive the key, then it does that block cipher thingy, and then finally it XORs the plaintext with the encrypted IV, which is basically the first step, right? That's sort of the way this CFB thing works. The thing is that we actually know the plaintext. I mean, we don't know the full plaintext, because then we wouldn't need to decrypt anything, but at least we know the start of pretty much every file, because every file has these magic bytes in the beginning, at least most well-known file types. So we can actually do that last step backwards and get back the encrypted IV. With that known, we just need to create a table. If we take every possible seed, two billion possible seeds, and we get the encrypted IV for the first four bytes, then we have a table of every possible password, and we don't really need to care about the RSA part; we just crack the AES part. And that file is just 8 gigs. It's not that big, right? So it's going to be pretty fast to iterate that 8 gigabyte file.

So let's implement a decryptor. We go through the steps: we read the first four bytes, then based on the file extension we look up the plaintext, which is just a guess, but it's probably going to be correct. Then we calculate the encrypted IV based on the table, and then we look up the seed by comparing it in that big table that we have, and then basically we calculate the parameters from the seed. So it's a pretty straightforward way, and this worked. We managed to decrypt tens of thousands of files for the customer, so they were pretty happy about that.

So we have cracked the Onyx/VSOP ransomware at this point. But then we thought that since this is this big thing that they have forked and so on, maybe we can actually crack the entire ransomware family. We started looking into how the others looked, and we see that there are some things that are changed compared to Onyx. For example, it's thousands of iterations of the key derivation function, and they also use CBC, which means that we can't use that plaintext attack trick that we used before. So that kind of sucks, but on the other hand we can maybe do something else, because it's still limited to two billion possible passwords. That's still the limitation. So even if we can't be smart and just use the plaintext, we can still create a table which contains all those possible encrypted IVs. The problem is that file is going to be 1003 gigs. I mean, it's not horrible if you're going to restore your entire company, so you might take the time to download that. But the bigger problem is, when I tried to generate this on my computer I calculated something like 200 days. But my friend Carl, he actually knows CUDA, so if you implement this on a GPU it just takes a minute, and the bottleneck is the SSD not being able to write it faster.

So with that said, we have actually decrypted the main branch of the Chaos ransomware as well. And we still have the other ones, right? We are not really happy yet; we still have SolidBit and so on. That one is also a bit changed, so it takes the seed and generates an IV, but then it also does another System.Random and generates the key. So those are two different randoms, and that's not that good, because then you have all those two billion, but for every one of those you have two billion, so it becomes much, much bigger. So we really need to figure out what the seed really is. And see if I have probably encrypted my demo now... yeah, I didn't really think that through. All right, let's start... let's skip that. We can start with the snapshot, but that's going to ruin my second demo.

All right, so what is the seed? The seed is actually the system time, the milliseconds since the system booted. Okay, so the number of milliseconds. Guess, if the first IV that they're generating and the key that they're generating, guess how many times out of 100 that's going to be the same value? Because it's the same amount of time since the system booted, right? Which means that the seed and the IV are still the same even if you do it in two different instances. So this doesn't really change anything for us. We still have just that same thing, so we can still crack this the same way that we did before, and if it's not the same then it's going to be the next millisecond, so it's going to be super trivial to get it.

And if someone is actually following what I'm saying here, you might suggest: but don't you have the last write time of the file, and then you have the time the system was booted in the event log or something? So you could actually just get when this was encrypted, that should be that kind of milliseconds, and then you know the seed. And it's actually true, that would actually work. But the problem is, when we wanted to write this in a very generic way, you maybe try to decrypt files from multiple different systems at the same time, and there are a lot of different things when you do this in a really big, complex environment. So we wanted to write a generic method, but if you don't want to wait you can definitely change that and do it that way. And if you're cracking something else that has the same vulnerability then that's something you can definitely make use of.

So let's get our files back, including my demo. I was actually being smart with this demo, because it has an explicit list of file extensions that it's going to encrypt, and 7z underscore underscore is not one of them, so this file is still valid.

So let's see, we have these set up. We have this decryptor. You follow this guide, you should accept, and you should also read the documentation. One reason for actually doing that is that some branches of this ransomware create persistence, which means that if you decrypt while the ransomware persists, it's just going to keep encrypting. But the fun part is that that persistence is actually also encrypted, because it's written before the encryption, which means that the persistence will only start working if you decrypt your files. Which means that you actually need to remove that, unless you want to get encrypted again. So yeah, read the documentation if you're unlucky enough to have to use this.

So we specify the file extension, we set the decryptor to Onyx, we select the database file which I have here, and then we add the folder that we want to decrypt. I'll just pick the desktop. You can always do this for your whole system, but it's a bit slow to iterate everything. And there we go. It has decrypted most of the files. The other ones were probably encrypted at some other point, which means they are slower in time. And we have this presentation again, it's back. And it keeps encrypting that one, so let's continue from the decrypted presentation.

So we have decrypted pretty much the entire family at this point. We have the VSOP one, which was used at that company that we helped out. Then you have the main branch, which is the Chaos builder one that was used by Killnet and so on. The limitation with that one is that it still has that 2 megabyte limit, so it's kind of a wiper, but all files below that you can decrypt. Most of it is going to be destroyed. The thing is, though, that it actually doesn't properly overwrite the file, so if you don't make any... it just deletes the file, which means that you can actually carve out important files. It's going to be a mess to do that in a big environment, but you can still get your files back that way, and smaller files that are encrypted you can get back with the decryptor. And then we have SolidBit.

So what do you do when you manage to do this? We actually had a kind of long discussion on how to approach this, because you don't really want to expose to the threat actor that you're able to get the files back, after which the ransomware doesn't work anymore. So we figured, because at the time we saw that there were indications that it was used against Ukraine, we started with contacting CERT-UA, and then we reached out to FIRST and TF-CSIRT, which are some global CERT communities, as well as some police agencies, and distributed it in these trusted channels. But eventually we talked to Europol and they published it on No More Ransom. So basically if you're a victim of this, or if you know someone who's a victim, you can go to this website and download the decryptor for free and use it to get your files back. One of the big reasons also to do that is because a lot of these are also used in these personal-PC kind of attacks. So it's published there; go and download it if you need to. And we actually also decided to publish the source, so if you're interested in how this works in detail, or if you crack another ransomware, then you can just fork this. It's a GPL free license, so hopefully that can be of use in case you want to write a decryptor or if you just want to look at how it works. And with that said, I'm done and open for questions. Thank you very much.

[Applause]

There would be some questions for our speaker. Thank you very much.

Thank you very much. My name is Jasmine. I'd like to have a question on the timeline between the company encountering this issue and you coming up with a solution: approximately how much time did you spend on it?

I think it was something like one and a half weeks, something like that.

Wow, that's really fast. Thank you very much.

Thank you. Any other question? Don't be shy, raise your hands.

Hi, and thanks again for the great presentation, it was really great to hear. Just a question: in the first case, the first round where you decrypted, the weak point was, if I understand correctly, that there's only one round of encryption for the IV? Or what was the fact that... where did they screw up?

Well, I mean, the core issue is the weak random, right? As long as you have that weak password generation, or essentially the key generation, because that should be secret, if you can guess that then it's going to be trivial to break it in one way or another. But in the first case they use this CFB mode, which is... CBC is like encrypting the key with the plaintext and then XORing with the IV, but that one is sort of flipped around, so the last step is that it's doing an XOR with the plaintext. And XOR is this math function that you can sort of roll back by doing the same thing again. So that was the trick, and since it's the first block you can just do that XOR on the first four bytes. So that's pretty much it.

Thank you.

So if I understood correctly, you were breaking the individual encryption of each file. Why was it not possible to decrypt the master key? Did it use a different random function?

Yeah, so the master key: it encrypts the file with a unique AES key, that's the one we can break, and then it encrypts that AES key with a public RSA key. So that's a completely different key that is being used, and that one is generated on the threat actor side before the attack. So if you pay the ransom you're going to get some kind of tool with the private RSA key, because with that key you can decrypt all the AES keys and then get every file back. So that's sort of how that works.

Thank you. Would this private key be unique to the system, or would it actually be valid across more systems, as far as you know?

I'm sorry, one more time?

Would the private key, assuming you pay the ransom, once you get the private key...

Yeah, the scope of this private key is that system only, so the public key is just generated for that system.

Or the RSA, you mean?

Yeah, so that one is per victim, so to speak.

Per victim, okay. So they generate that before the attack and then the public key is embedded into the executable?

Yeah.

No, it was fair to ask. I mean, otherwise you would have paid once and decrypted forever.

Yeah, yeah. Thank you. Oh yeah, any other questions?

Thanks again for the talk. I just have a question: are you familiar with the approach that some antiviruses do, like Dr.Web, I don't know if you're familiar with it, where they say that if you have our agent already, then if you get ransomware we can always give you your files back or decrypt them? Do you know how this happens?

Yeah, so the thing is, the way it usually works is that the threat actor escalates to the highest possible privileges in the environment. And I used to ask my customers: can you yourself change antivirus? The answer is yes, right? So why wouldn't the threat actor be able to remove and change your antivirus? So all these kinds of solutions only work until the threat actor has escalated to the full privileges. Then they just delete all the backups, they kill all the antivirus, they stop all services that are locking files, etc., and then they push out the ransomware. So the only real way to defend against this is of course to stop the attack before it happens. But if you're going to protect against the actual encryption, it is to have offline backups that are offsite, off-domain, it should not be in the same Active Directory domain, and pretty much every word with "off" in front of it, to ensure that they're not writable, so you cannot overwrite them.

Do you have a feeling how many people use your tool? Like, do you have random people telling you thanks for the tool, or how prevalent is the ransomware?

I don't think it's... it's not like the biggest ransomware, definitely not. So it's not like, I don't know, LockBit, or, I don't know, REvil is gone now, but that kind of big group. So I don't really have that good an answer for it, but it would be interesting to know. But we decided not to include any telemetry or anything like that, because we want to respect the privacy of those who are infected with this.

I believe there are going to be many more questions for our speaker. Also feel free to engage with him after his talk; he's going to be around to grab a coffee and discuss this really super important topic, so feel free to reach out to him. One big applause for our speaker. Thank you.
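The known-plaintext seed recovery the speaker describes for the CFB branch (seed to password to key and IV, first ciphertext bytes XOR file magic gives the encrypted IV, table lookup gives the seed back), as an added example that is not part of the talk or of the published Truesec decryptor. It is a self-contained model of the scheme with constructed parameters: Go's math/rand stands in for .NET System.Random, the salt and password charset are made up, the KDF is PBKDF2-HMAC-SHA1 with the single iteration the talk mentions, and CFB is assumed to use full 128-bit segments. The table covers 65,536 seeds instead of all 2^31, which is enough to show the method; the table maps to candidate lists and re-checks the whole known header, because a four-byte prefix collides once the seed space is large.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// Constructed parameters for the toy scheme (assumptions, not the real ones).
const (
	passwordChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	passwordLen   = 20
)

var staticSalt = []byte("constructed-static-salt") // constructed, not the real salt

// passwordFromSeed models the flaw from the talk: the "random" password is a
// pure function of one 32-bit seed. math/rand stands in for System.Random.
func passwordFromSeed(seed int32) string {
	r := rand.New(rand.NewSource(int64(seed)))
	b := make([]byte, passwordLen)
	for i := range b {
		b[i] = passwordChars[r.Intn(len(passwordChars))]
	}
	return string(b)
}

// deriveKeyIV is PBKDF2-HMAC-SHA1 with one iteration: block i is just
// HMAC(password, salt || i). 32 bytes of key, then 16 bytes of IV.
func deriveKeyIV(password string) (key, iv []byte) {
	var out []byte
	for i := uint32(1); len(out) < 48; i++ {
		mac := hmac.New(sha1.New, []byte(password))
		mac.Write(staticSalt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], i)
		mac.Write(idx[:])
		out = mac.Sum(out)
	}
	return out[:32], out[32:48]
}

// cfbXOR runs full-block AES-CFB for a seed. Encrypt and decrypt differ only
// in which side of the XOR (ciphertext) is fed back into the next block.
func cfbXOR(seed int32, in []byte, decrypt bool) []byte {
	key, iv := deriveKeyIV(passwordFromSeed(seed))
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	prev := append([]byte(nil), iv...)
	ks := make([]byte, aes.BlockSize)
	for off := 0; off < len(in); off += aes.BlockSize {
		block.Encrypt(ks, prev) // first block: keystream = AES_K(IV)
		end := off + aes.BlockSize
		if end > len(in) {
			end = len(in)
		}
		for i := off; i < end; i++ {
			out[i] = in[i] ^ ks[i-off]
		}
		fb := in[off:end] // decrypting: ciphertext is the input
		if !decrypt {
			fb = out[off:end] // encrypting: ciphertext is the output
		}
		copy(prev, fb)
	}
	return out
}

// encryptedIVPrefix is the first four bytes of AES_K(IV) for one seed; in CFB
// the first four ciphertext bytes are plaintext XOR exactly these bytes.
func encryptedIVPrefix(seed int32) [4]byte {
	key, iv := deriveKeyIV(passwordFromSeed(seed))
	block, _ := aes.NewCipher(key)
	var ks [aes.BlockSize]byte
	block.Encrypt(ks[:], iv)
	var p [4]byte
	copy(p[:], ks[:4])
	return p
}

// buildTable precomputes prefix -> candidate seeds over a seed range (the
// talk's real table spans all 2^31 seeds and is about 8 GB on disk).
func buildTable(from, to int32) map[[4]byte][]int32 {
	t := make(map[[4]byte][]int32)
	for s := from; s < to; s++ {
		p := encryptedIVPrefix(s)
		t[p] = append(t[p], s)
	}
	return t
}

// recoverSeed XORs the first four ciphertext bytes with the expected magic
// bytes, looks the result up, and confirms each candidate against the whole
// known header so that prefix collisions do not yield a wrong seed.
func recoverSeed(table map[[4]byte][]int32, ct, magic []byte) (int32, bool) {
	if len(magic) < 4 || len(ct) < len(magic) {
		return 0, false
	}
	var p [4]byte
	for i := range p {
		p[i] = ct[i] ^ magic[i]
	}
	for _, s := range table[p] {
		if bytes.Equal(cfbXOR(s, ct[:len(magic)], true), magic) {
			return s, true
		}
	}
	return 0, false
}

func main() {
	plain := []byte("%PDF-1.7\n% constructed sample document body\n")
	ct := cfbXOR(31337, plain, false) // "victim" file; seed unknown to the decryptor
	table := buildTable(0, 1<<16)
	seed, ok := recoverSeed(table, ct, []byte("%PDF-1.7"))
	fmt.Println(ok, seed, string(cfbXOR(seed, ct, true)))
}
```

The decryptor side never touches the RSA-wrapped key appended to the file: everything it needs is reachable from the seed, which is the point the talk makes about why the asymmetric layer did not help the authors.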