We are pretty familiar with “ransomware” threats. When run, they try to tamper with some functionality on the compromised computer and then ask the user to send money to some account in order to undo the tampering. You may remember the case of the Trojan.Gpcoder family, where the main purpose of the Trojan was to heavily encrypt documents on a computer and then ask the user for money in order to receive the decryption key/tool.
We have found another ransomware threat recently: Trojan.Ransomlock. Though not as tough as Trojan.Gpcoder (it doesn’t encrypt documents), the Trojan locks the user out of the desktop, so that the user is unable to access the computer in any way.
When run, the Trojan displays the following window:
Notice how the design of the window attempts to mimic the Microsoft Windows interface. The text is in Russian and it says:
To unlock you need to send an SMS with the text 4113558385 to the number 3649
Enter the resulting code:
Also, there is a fake warning at the bottom of the window:
Any attempt to reinstall the system may lead to loss of important information and computer damage
The code shown is randomly generated each time. We did not try sending the SMS to the required number, but apparently the purpose of the Trojan is to ask users to send an SMS to receive a corresponding code that will disable the Trojan, thus unlocking the computer. The attacker probably receives money for each SMS sent to the number.
Although this Trojan is not particularly dangerous, it is quite annoying. The Ctrl+Alt+Del sequence is inhibited so that a user cannot access the Task Manager to end the Trojan’s process. Rebooting will not help, even in Safe Mode, since the threat installs itself in the “Userinit” registry key so that it runs every time Windows is started.
If you get infected, be careful: don’t send any SMS messages to the number. We have created a tool that you can download to generate the code needed to unlock the computer. You can also refer to the Trojan.Ransomlock write-up for more details. If you cannot download the code generator, then you will have to boot the computer with an external operating system in order to access the file system and delete the Trojan.
How to generate a valid unlock code
Because it is quite difficult to remove the threat after it has locked the computer, I decided to take a look at the code generation routine to see if I could calculate a valid code. This is the core routine:
push ebp
mov ebp, esp
push ecx
mov ecx, [ebp+NumberToCheck]
...
and ecx, 0FFFFFh
...
mov [ebp+NumberToCheck], eax
mov eax, ecx
shr eax, 10h
and eax, 0Fh
imul eax, 95h
xor edx, edx
push ebx
push edi
mov edi, 0A7h
div edi ; (x1 * 0x95) / 0xA7
mov eax, ecx
shr eax, 0Ch
and eax, 0Fh
imul eax, 6Ch
mov ebx, 97h
mov edi, edx
xor edx, edx
div ebx ; (x2 * 0x6C) / 0x97
mov eax, ecx
shr eax, 8
and eax, 0Fh
imul eax, 1Fh
shl edi, 4
add ebx, 0Ch
add edi, edx
xor edx, edx
div ebx ; (x3 * 0x1F) / 0xA3
mov eax, ecx
shr eax, 4
and eax, 0Fh
imul eax, 1Dh
shl edi, 4
mov ebx, 0B3h
add edi, edx
xor edx, edx
div ebx ; (x4 * 0x1D) / 0xB3
mov eax, ecx
and eax, 0Fh
imul eax, 35h
shl edi, 4
lea ecx, [ebx+12h]
add edi, edx
xor edx, edx
div ecx ; (x5 * 0x35) / 0xC5
shl edi, 4
add edi, edx
mov eax, edi
pop edi
pop ebx
leave
retn
All of these instructions can be reduced to the following formula, applied once per digit:
(digit_n * key1) % key2
Where digit_n is the n-th hexadecimal digit of the number to be checked (with n ranging from 1 to 5) and key1 and key2 are the multiplier and divisor that you can see in the comments in the disassembly. For each of the five digits, you take the remainder given by the formula, multiply the running result by 0x10 and add the remainder of the next step to it.
Let’s see step-by-step how to calculate a valid unlock code:
1. Get the input code; it should be in the form of “411xxxxxxx.” The length of the code can be 10 or 11 digits.
2. Discard the first three digits. For example, if your code is “4111234567” then “1234567” is the number you need.
3. Convert this number to hexadecimal notation. You can do so using the Windows calculator. All of the following calculations will be in hexadecimal. In our case, “1234567” in decimal is “12D687” in hexadecimal notation.
4. Consider only the five least significant digits of the hexadecimal number (this is what the “and ecx, 0FFFFFh” instruction does). We only consider “2D687.”
5. Start from the left-most digit, and apply the formula with the parameters as they appear in the disassembly:
x1 = (2 * 0x95) % 0xA7
x2 = (D * 0x6C) % 0x97
x3 = (6 * 0x1F) % 0xA3
x4 = (8 * 0x1D) % 0xB3
x5 = (7 * 0x35) % 0xC5
After this, your values should be:
x1 = 0x83, x2 = 0x2D, x3 = 0x17, x4 = 0x35, x5 = 0xAE
6. Now you can use these five numbers to compose the unlock code. Perform a “left shift” operation (a multiplication by 0x10) on your running value, starting from x1, and then add the next number to the result. In our example:
0x83 * 0x10 = 0x830
0x830 + 0x2D = 0x85D ; 0x85D * 0x10 = 0x85D0
0x85D0 + 0x17 = 0x85E7 ; 0x85E7 * 0x10 = 0x85E70
0x85E70 + 0x35 = 0x85EA5 ; 0x85EA5 * 0x10 = 0x85EA50
0x85EA50 + 0xAE = 0x85EAFE
7. Finally, convert this hexadecimal number back to decimal notation (in our example, you obtain “8776446”), which is the unlock code that you can use in order to get rid of the Trojan.
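The per-digit formula and the seven steps above, written out as a small Python script. This is an added example, not Symantec’s downloadable code generator; the only inputs it relies on are the multiplier/divisor pairs visible in the disassembly comments and the 20-bit mask from the “and ecx, 0FFFFFh” instruction. The function names (digit_terms, compose, unlock_code) are this example’s own.

```python
# Recovery helper: recompute the Trojan.Ransomlock unlock code from the
# 10- or 11-digit number shown in the lock window. Added example, not the
# original tool; constants are the ones in the disassembly comments above.

# (key1, key2) for x1 .. x5, left-most hex digit first.
KEYS = [(0x95, 0xA7), (0x6C, 0x97), (0x1F, 0xA3), (0x1D, 0xB3), (0x35, 0xC5)]


def digit_terms(n):
    """Return [x1, x2, x3, x4, x5], where xi = (digit_i * key1) % key2."""
    n &= 0xFFFFF                      # 'and ecx, 0FFFFFh': keep the low 5 hex digits
    terms = []
    for i, (key1, key2) in enumerate(KEYS):
        shift = 4 * (4 - i)           # x1 uses bits 19..16 (shr 10h), x5 uses bits 3..0
        digit = (n >> shift) & 0xF    # 'and eax, 0Fh'
        terms.append((digit * key1) % key2)   # remainder left in edx by 'div'
    return terms


def compose(terms):
    """Step 6: shift the running value left by 4 bits and add the next term."""
    result = 0
    for t in terms:                   # 'shl edi, 4' followed by 'add edi, edx'
        result = (result << 4) + t
    return result


def unlock_code(displayed):
    """Steps 1-7: displayed code string -> decimal unlock code (int)."""
    displayed = displayed.strip()
    if not displayed.isdigit() or len(displayed) not in (10, 11):
        raise ValueError("expected a 10- or 11-digit numeric code")
    n = int(displayed[3:])            # step 2: discard the first three digits
    return compose(digit_terms(n))    # int(...) already did the hex conversion for us


if __name__ == "__main__":
    # Constructed input: the worked example from the write-up.
    print(unlock_code("4111234567"))  # → 8776446
```

One detail the script makes explicit: the per-digit remainders can be larger than 0xF (0x83 and 0xAE in the worked example), so step 6 is a genuine shift-and-add with carries rather than a simple concatenation of hex digits, which is exactly why the disassembly uses “shl edi, 4 / add edi, edx” instead of building the value digit by digit.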
After you enter a valid unlock code, the malicious window will disappear, but the Windows desktop could still be frozen. Don’t worry—all you need to do is to hit Ctrl+Alt+Del on the keyboard, click on the log-off button, and then log back in. (A reboot will work as well.) At this point, you have control of the computer again and the Trojan will be gone. So long, Ransomlock!