SMS Ransomware Threat 

Apr 16, 2009 02:38 PM

We are pretty familiar with “ransomware” threats. When run, they tamper with some functionality on the compromised computer and then ask the user to send money to some account in order to undo the tampering. You may remember the case of the Trojan.Gpcoder family, where the main purpose of the Trojan was to heavily encrypt documents on a computer and then ask the user for money in order to receive the decryption key/tool.

We have found another ransomware threat recently: Trojan.Ransomlock. Though not as severe as Trojan.Gpcoder (it does not encrypt documents), the Trojan locks users out of their desktop so that they cannot use the computer at all.

When run, the Trojan displays the following window:

[Screenshot of the Trojan's lock window, not reproduced here]
Notice how the design of the window attempts to mimic the Microsoft Windows interface. The text is in Russian and it says:

    To unlock you need to send an SMS with the text 4113558385 to the number 3649

    Enter the resulting code:

Also, there is a fake warning at the bottom of the window:

    Any attempt to reinstall the system may lead to loss of important information and computer damage


The code shown is randomly generated each time. We did not try sending the SMS to the required number, but apparently the purpose of the Trojan is to ask users to send an SMS to receive a corresponding code that will disable the Trojan, thus unlocking the computer. The attacker probably receives money for each SMS sent to the number.

Although this Trojan is not particularly dangerous, it is quite annoying. The Ctrl+Alt+Del sequence is inhibited so that a user cannot access the Task Manager to end the Trojan’s process. Rebooting will not help, even in Safe Mode, since the threat installs itself in the “Userinit” registry key so that it runs every time Windows is started.

If you get infected, be careful: don’t send any SMS messages to the number. We have created a tool that you can download to generate the code needed to unlock the computer. You can also refer to the Trojan.Ransomlock write-up for more details. If you cannot download the code generator, then you will have to boot the computer with an external operating system in order to access the file system and delete the Trojan.

How to generate a valid unlock code

Because it is quite difficult to remove the threat after it has locked the computer, I decided to take a look at the code generation routine to see if I could calculate a valid code. This is the core routine:

push    ebp
mov     ebp, esp
push    ecx
mov     ecx, [ebp+NumberToCheck]
and     ecx, 0FFFFFh    ; keep only the low 20 bits (five hex digits)
mov     [ebp+NumberToCheck], eax
mov     eax, ecx
shr     eax, 10h        ; x1 = most significant of the five digits
and     eax, 0Fh
imul    eax, 95h
xor     edx, edx
push    ebx
push    edi
mov     edi, 0A7h
div     edi             ; (x1 * 0x95) / 0xA7, remainder left in edx
mov     eax, ecx

shr     eax, 0Ch        ; x2 = second digit
and     eax, 0Fh
imul    eax, 6Ch
mov     ebx, 97h
mov     edi, edx        ; accumulator = remainder 1
xor     edx, edx
div     ebx             ; (x2 * 0x6C) / 0x97
mov     eax, ecx

shr     eax, 8          ; x3 = third digit
and     eax, 0Fh
imul    eax, 1Fh
shl     edi, 4          ; accumulator * 0x10
add     ebx, 0Ch        ; 0x97 + 0x0C = 0xA3
add     edi, edx        ; + remainder 2
xor     edx, edx
div     ebx             ; (x3 * 0x1f) / 0xa3
mov     eax, ecx

shr     eax, 4          ; x4 = fourth digit
and     eax, 0Fh
imul    eax, 1Dh
shl     edi, 4
mov     ebx, 0B3h
add     edi, edx        ; + remainder 3
xor     edx, edx
div     ebx             ; (x4 * 0x1d) / 0xB3
mov     eax, ecx

and     eax, 0Fh        ; x5 = least significant digit
imul    eax, 35h
shl     edi, 4
lea     ecx, [ebx+12h]  ; 0xB3 + 0x12 = 0xC5
add     edi, edx        ; + remainder 4
xor     edx, edx
div     ecx             ; (x5 * 0x35) / 0xC5
shl     edi, 4
add     edi, edx        ; + remainder 5
mov     eax, edi        ; return value

pop     edi
pop     ebx

All of these instructions can be reduced to the following formula, applied once per hexadecimal digit:

    r_i = (d_i * key1_i) % key2_i

Where d_i is the i-th hexadecimal digit of the masked number (i ranging from 1 to 5, most significant digit first) and key1_i and key2_i are the multiplier and divisor that you can see in the comments in the disassembly. The five remainders are then folded together: starting from r_1, multiply the running value by 0x10 and add the next remainder. Note that a remainder can be larger than 0xF (the divisors go up to 0xC5), so this is a shift-and-add with carries, not a simple concatenation of nibbles.

Let’s see step-by-step how to calculate a valid unlock code:

   1. Get the input code; it should be in the form of “411xxxxxxx.” The length of the code can be 10 or 11 digits.

   2. Discard the first three digits. For example, if your code is “4111234567” then “1234567” is the number you need.

   3. Convert this number to hexadecimal notation. You can do so using the Windows calculator. All of the following calculations will be in hexadecimal. In our case, “1234567” in decimal is “12D687” in hexadecimal notation.

   4. Consider only the five least significant digits of the hexadecimal number (this is the “and ecx, 0FFFFFh” in the disassembly). We only consider “2D687.”

   5. Start from the left-most digit, and apply the formula with the parameters as they appear in the disassembly:

      x1 = (2 * 0x95) % 0xA7
      x2 = (D * 0x6C) % 0x97
      x3 = (6 * 0x1F) % 0xA3
      x4 = (8 * 0x1D) % 0xB3
      x5 = (7 * 0x35) % 0xC5

      After this, your values should be:

      x1 = 0x83, x2 = 0x2D, x3 = 0x17, x4 = 0x35, x5 = 0xAE

   6. Now you can use these five numbers to compose the unlock code. Starting from x1, perform a “left shift” (a multiplication by 0x10) on the running value and then add the next number to the result. In our example:

      0x83 * 0x10 = 0x830
      0x830 + 0x2D = 0x85D ;  0x85D * 0x10 = 0x85D0
      0x85D0 + 0x17 = 0x85E7 ;  0x85E7 * 0x10 = 0x85E70
      0x85E70 + 0x35 = 0x85EA5 ;  0x85EA5 * 0x10 = 0x85EA50
      0x85EA50 + 0xAE = 0x85EAFE

   7. Finally, convert this hexadecimal number back to decimal notation (in our example, you obtain “8776446”), which is the unlock code that you can use in order to get rid of the Trojan.
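The whole procedure above, including the per-digit formula derived from the disassembly, as a script. This is an added example written for this page; it is not Symantec's code-generator tool and not the Trojan's own code. It mirrors the disassembled routine (mask to the low five hex digits, multiply and reduce each digit with the key pairs from the comments, fold with shift-by-4 and add). Function names are my own, and the input check (10 or 11 digits beginning with 411) is taken from the description in step 1.

```python
"""Re-implementation of the Trojan.Ransomlock unlock-code routine.

Added example: not Symantec's code-generator tool and not the Trojan's own
code. It follows the disassembly shown above; function names are my own.
"""
import sys

# (multiplier, divisor) per hex digit, most significant of the five first,
# taken from the comments in the disassembly.
KEYS = (
    (0x95, 0xA7),  # digit 1: shr eax, 10h
    (0x6C, 0x97),  # digit 2: shr eax, 0Ch
    (0x1F, 0xA3),  # digit 3: shr eax, 8
    (0x1D, 0xB3),  # digit 4: shr eax, 4
    (0x35, 0xC5),  # digit 5: low nibble
)


def digit_remainders(number):
    """Return [r1..r5] with r_i = (d_i * key1_i) % key2_i, where d_i is the
    i-th hex digit of the low 20 bits of `number` (the `and ecx, 0FFFFFh`)."""
    n = number & 0xFFFFF
    return [(((n >> (16 - 4 * i)) & 0xF) * mul) % mod
            for i, (mul, mod) in enumerate(KEYS)]


def ransomlock_hash(number):
    """Fold the remainders like the `shl edi, 4` / `add edi, edx` sequence.

    Remainders can exceed 0xF, so this is an add with carry into the next
    nibble, not a plain concatenation of hex digits.
    """
    result = 0
    for r in digit_remainders(number):
        result = (result << 4) + r
    return result


def unlock_code(displayed):
    """Turn the number shown in the lock window into the unlock code.

    Per step 1 of the post (assumption taken from its description): the
    displayed code is 10 or 11 digits and starts with 411; the first three
    digits are discarded and the remainder is the number to process.
    """
    digits = "".join(ch for ch in displayed if ch.isdigit())
    if len(digits) not in (10, 11) or not digits.startswith("411"):
        raise ValueError("expected a 10- or 11-digit code starting with 411")
    return ransomlock_hash(int(digits[3:]))


if __name__ == "__main__":
    # Default input is the worked example from the post.
    shown = sys.argv[1] if len(sys.argv) > 1 else "4111234567"
    n = int("".join(ch for ch in shown if ch.isdigit())[3:])
    print(f"input number : {n} = 0x{n:X}, low five digits 0x{n & 0xFFFFF:05X}")
    print("remainders   :", " ".join(f"0x{r:02X}" for r in digit_remainders(n)))
    print(f"unlock code  : {unlock_code(shown)} (0x{ransomlock_hash(n):X})")
```

Running it with no arguments reproduces the worked example (remainders 0x83 0x2D 0x17 0x35 0xAE, unlock code 8776446); pass the number from the lock window as the first argument to compute a code for a different infection.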


After you enter a valid unlock code, the malicious window will disappear, but the Windows desktop could still be frozen. Don’t worry—all you need to do is to hit Ctrl+Alt+Del on the keyboard, click on the log-off button, and then log back in. (A reboot will work as well.) At this point, you have control of the computer again and the Trojan will be gone. So long, Ransomlock!
