A new ransomware called GetCrypt is being distributed in the dark market. It encrypts all the files on the device and is installed via "malvertising" campaigns that redirect victims to the RIG exploit kit.
Security researchers found it while it was being installed by way of a RIG exploit kit in the "Popcash malvertising" campaigns.
First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on that page try to exploit vulnerabilities on the device. If all goes well, the exploit kit downloads and installs GetCrypt on Windows.
How GetCrypt Works
Reportedly, when the exploit kit executes the ransomware, GetCrypt checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian. If so, the ransomware immediately terminates and no encryption happens. If not, the ransomware examines the CPUID of the computer.
The ID is used to create a 4-character string, which is used as the extension for encrypted files. That four-character extension is appended as the files are encrypted, so the files' names change once they have been encrypted.
Later on, the Shadow Volume Copies are cleared by running the vssadmin.exe delete shadows /all /quiet command.
Then the ransomware starts to scan the computer for files to encrypt. No particular file types are targeted, but files located under the following folders are skipped:
· :\$Recycle.Bin
· :\ProgramData
· :\Users\All Users
· :\Program Files
· :\Local Settings
· :\Windows
· :\Boot
· :\System Volume Information
· :\Recovery
· AppData
According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryption.
GetCrypt also creates a ransom note, named #decrypt my files#.txt, in each folder while it encrypts the files. The ransom note instructs the victim to contact getcrypt@cook.li for payment instructions.
GetCrypt would also change the victim's desktop background to an image with the ransom note written all over it, which is stored at %LocalAppData%\Tempdesk.bmp
In addition to all the other things GetCrypt does, it will also try to encrypt files on network shares. When encrypting, it would also attempt to brute force the network account credentials: it would use an embedded list of usernames and passwords to connect to the network shares, using the WNetEnumResourceW function, and could also try to brute force the credentials and mount the shares using the WNetAddConnection2W function.
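The behaviours described above (the vssadmin shadow-copy deletion, the #decrypt my files#.txt note dropped in every folder, and the 4-character extension appended to encrypted files) are all observable in endpoint telemetry. The following detection logic is an added example, not code from the original article; it assumes a hypothetical "type|pid|detail" event format and constructed sample events, and flags a process that deletes shadow copies or drops ransom notes in several folders.

```python
import re

# Constructed sample of process-creation and file-creation events in a
# hypothetical "<type>|<pid>|<detail>" format; not real telemetry.
SAMPLE_EVENTS = [
    "proc|4120|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "proc|4121|C:\\Windows\\System32\\cmd.exe /c dir",
    "file|4120|C:\\Users\\alice\\Documents\\#decrypt my files#.txt",
    "file|4120|C:\\Users\\alice\\Pictures\\#decrypt my files#.txt",
    "file|4120|C:\\Users\\alice\\Documents\\report.docx.kq3z",
    "file|4120|C:\\Users\\alice\\Documents\\budget.xlsx.kq3z",
    "file|4122|C:\\Users\\alice\\Documents\\notes.txt",
]

# Shadow Volume Copy deletion as described in the article.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Ransom note file name taken from the article.
RANSOM_NOTE = "#decrypt my files#.txt"
# GetCrypt appends a 4-character extension after the original one,
# e.g. "report.docx.kq3z" (the sample value "kq3z" is constructed).
DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{2,5}\.[a-z0-9]{4}$")


def analyse(events):
    """Group indicators per pid: shadow deletion, ransom notes dropped, renamed files."""
    findings = {}
    for line in events:
        kind, pid, detail = line.split("|", 2)
        f = findings.setdefault(
            pid, {"shadow_delete": False, "ransom_notes": 0, "double_ext": 0})
        if kind == "proc" and SHADOW_DELETE.search(detail):
            f["shadow_delete"] = True
        elif kind == "file":
            name = detail.rsplit("\\", 1)[-1]
            if name == RANSOM_NOTE:
                f["ransom_notes"] += 1
            elif DOUBLE_EXT.search(name):
                f["double_ext"] += 1
    return findings


def suspicious_pids(events, min_notes=2):
    """Flag a pid that deletes shadow copies or drops notes in several folders."""
    return sorted(pid for pid, f in analyse(events).items()
                  if f["shadow_delete"] or f["ransom_notes"] >= min_notes)


if __name__ == "__main__":
    print(suspicious_pids(SAMPLE_EVENTS))  # ['4120']
```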
Solution
All you need to get your files decrypted for free is an unencrypted copy of one of your encrypted files.
Simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:
Once downloaded, run the decryptor and select an encrypted file you wish to decrypt together with its unencrypted version.
Click on the start button. The decryptor will now brute force your decryption key and VOILA! Your files will get decrypted.