
Ransom Warrior rendered toothless by hard-coded keys

Published on: 10 Sep 2018

The Ransom Warrior ransomware may have been tamed for good after cyber security researchers developed a decryption tool to unlock affected machines.

Researchers at the Malware Hunter Team believe that the ransomware encrypts files with a stream cipher whose key is picked at random from a list of 1,000 keys hard-coded into the RansomWarrior binary.

Because of this, a separate research team at Check Point was able to extract those keys, which are saved locally on the victim’s computer, and supply the correct key back to the ransomware itself to unlock the files.
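To illustrate why a hard-coded key pool is fatal for a stream cipher, here is an added example; it is not code from the article, from Check Point's tool or from the malware, and it assumes a toy XOR keystream (SHA-256 in counter mode) and a constructed 1,000-key pool, not the real cipher or key list. It shows the recovery step even when the locally saved key choice is unavailable: every pool key is tried against a known plaintext prefix (a file's magic bytes), and the one that reproduces it decrypts the rest.

```python
import hashlib
from typing import List, Optional

KEY_POOL_SIZE = 1000  # the article's figure; the pool contents below are constructed


def make_key_pool(seed: bytes = b"constructed-demo-seed", n: int = KEY_POOL_SIZE) -> List[bytes]:
    """Stand-in for the keys embedded in the binary (hypothetical values, not the real list)."""
    return [hashlib.sha256(seed + i.to_bytes(2, "big")).digest() for i in range(n)]


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator: hash(key || counter) blocks, truncated to the requested length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt: XOR data with the keystream (the same call does both)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_key_index(ciphertext: bytes, known_prefix: bytes, pool: List[bytes]) -> Optional[int]:
    """Identify which pool key was used by checking a known plaintext prefix such as file magic.

    With a stream cipher the known prefix alone reveals only that much keystream; to decrypt the
    rest of the file you need the key, and a pool of 1,000 candidates is exhausted instantly.
    """
    probe = ciphertext[: len(known_prefix)]
    for idx, key in enumerate(pool):
        if xor_stream(key, probe) == known_prefix:
            return idx
    return None


def decrypt_with_pool(ciphertext: bytes, known_prefix: bytes, pool: List[bytes]) -> bytes:
    """Full recovery: find the key index, then decrypt the whole ciphertext with that key."""
    idx = recover_key_index(ciphertext, known_prefix, pool)
    if idx is None:
        raise ValueError("no key in the pool reproduces the known prefix")
    return xor_stream(pool[idx], ciphertext)


if __name__ == "__main__":
    pool = make_key_pool()
    sample = b"%PDF-1.7\n%constructed sample document body\n"  # constructed test file
    ct = xor_stream(pool[617], sample)  # simulate a file encrypted with pool key 617
    print("recovered key index:", recover_key_index(ct, b"%PDF-", pool))
    print("decrypted:", decrypt_with_pool(ct, b"%PDF-", pool) == sample)
```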

Scmagazineuk.com reports that threat actors have been targeting Microsoft Windows users and delivering the malware via an executable named ‘A Big Present.exe’.

If run, the program encrypts the victim’s files and marks them with a .THBEC extension.

In other news, security researchers have broken the 512-bit RSA key in the so-called Chainshot malware, enabling them to decrypt the exploit and malware payloads.

The malware came to light after researchers at Palo Alto Networks found a new Adobe Flash zero-day exploit, along with several documents carrying the same exploit that had been used in targeted attacks.