Decryptable iswr Ransomware Being Distributed in Korea

ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring.

iswr appends the .iswr extension to the names of the files it encrypts. Its ransom note uses the same format as the STOP ransomware, but its encryption method and the extensions and folders it targets differ greatly from STOP's operation routine.

Figure 1. iswr ransom note

Encryption starts 25 seconds after the ransomware is executed. Files with extensions that typically correspond to small files are encrypted before files with extensions that typically correspond to large files. The encryption targets are as follows.

  • Encryption target: Every file in every drive with the following extensions
  • List of extensions with small file sizes targeted for encryption: pdf, doc, docx, jpeg, png, jpg, ai, aep, eps, psd, dwg, odt, odp, odb, docm, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, mdb, pst, dxf, rtf, pdd, indd, cdr, dng, arw, sr2, crw, pst, nef, raw, rwl, rw2, r3d, crw, sr2, crw, x3f, max, 3DS, skp
  • List of extensions with large file sizes targeted for encryption: mp4, zip, rar

Figure 2. Files encrypted after ransomware infection

Unlike other ransomware, iswr does not combine asymmetric and symmetric keys. It instead uses only an asymmetric key. From a randomly generated 6-byte key value it builds a 256-byte key box, runs the key box through a further operation for every byte of the file, and XORs the selected key-box byte with the file data.

Decryption is possible because the encryption method is so simple, but infected users cannot tell which encryption routine was used unless they analyze the files themselves. As a result, they either pay the threat actor for a decryption tool (with no certainty that the tool will actually be delivered) or format their system.

ASEC has created a script that can decrypt files damaged by iswr and is distributing it here. The decryption script runs in a Python 3.x environment; the code is as follows.

import sys
import os

key = ""        # 6-character key: the last 6 characters of the Personal ID
keyBox = []     # 256-byte key box derived from the key

suc_cnt = 0     # number of files decrypted successfully
fail = []       # paths of files that could not be decrypted


def genKeyBox():
    global key, keyBox

    k_arr = []

    # Fill the key box with 0..255 and repeat the 6-byte key across 256 slots
    for i in range(0, 256):
        keyBox.append(i)
        k_arr.append(key[i % 6])

    # Scramble the key box with the key
    num = 0
    for i in range(0, 256):
        num = (num + keyBox[i] + ord(k_arr[i])) % 256
        keyBox[i], keyBox[num] = keyBox[num], keyBox[i]


def decrypt(filePath):
    global keyBox, suc_cnt, fail

    keyBoxCp = keyBox[:]        # every file starts from a fresh copy of the key box

    file_ori = filePath[0:-5]   # strip the ".iswr" extension to get the original name

    try:
        fr = open(filePath, mode='rb')

        data = fr.read()

        num = 0
        num2 = 0
        res = bytearray()

        # Walk the key box, swap two entries and XOR the selected byte with the data
        for i in range(0, len(data)):
            num2 = (num2 + 1) % 256
            num = (num + keyBoxCp[num2]) % 256
            keyBoxCp[num], keyBoxCp[num2] = keyBoxCp[num2], keyBoxCp[num]
            num3 = keyBoxCp[(keyBoxCp[num2] + keyBoxCp[num]) % 256]
            res.append(num3 ^ data[i])

        fr.close()

        fw = open(file_ori, mode='wb')
        fw.write(res)

        fw.close()

        os.remove(filePath)     # the encrypted copy is deleted after recovery

        suc_cnt += 1
    except Exception as e:
        fail.append(filePath)


def search_dir(path):
    num = 0

    # First pass: count the encrypted files so progress can be reported
    for (root, dirs, files) in os.walk(path):
        for file in files:
            if file[-5:] == ".iswr":
                num += 1

    if num == 0:
        return

    print("[+] Number of encrypted files : " + str(num) + "\n")

    cnt = 0

    # Second pass: decrypt every .iswr file under the directory
    for (root, dirs, files) in os.walk(path):
        for file in files:
            if file[-5:] == ".iswr":
                cnt += 1
                print("\r[+] Progress : %0.1f%% (%d/%d)" % (cnt / num * 100, cnt, num), end='')
                filePath = os.path.join(root, file)
                decrypt(filePath)


def help():
    print("Usage : decryptor.py [Personal_ID] [Recovery_Directory_Path]\n")
    print("Personal_ID : Personal ID at the bottom of the ransom note (44 characters)")


def main():
    global key, suc_cnt, fail
    print("iswr Decryptor v1 by ASEC Analysis Team\n")

    arg = sys.argv

    if len(arg) < 3:
        print("[-] Invalid parameter\n")
        help()
        return

    if len(arg[1]) != 44:
        print("[-] Invalid Personal ID\n")
        help()
        return

    if os.path.isdir(arg[2]) == False:
        print("[-] Not exist directory\n")
        help()
        return

    print("[+] Personal ID : " + arg[1])

    key = arg[1][-6:]   # only the last 6 characters of the Personal ID form the key

    print("[+] Key : " + key + "\n")

    genKeyBox()

    search_dir(arg[2])

    total = suc_cnt + len(fail)

    print("\n[+] Total : " + str(total) + " / Success : " + str(suc_cnt) + " / Fail : " + str(len(fail)) + "\n")

    if len(fail) > 0:
        print("[-] Fail list\n")

        for failFile in fail:
            print(failFile)

    print("\n[+] End")


if __name__ == "__main__":
    main()

The script must be executed with the following parameters, where Personal_ID is the 44-character string at the end of the ransom note. Once executed with these parameters, the files are decrypted automatically and the encrypted originals are deleted automatically as well.

decryptor.py [Personal_ID] [Target folder for recovery]
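The script above overwrites and deletes files as soon as it runs, so a practitioner will want to confirm the Personal ID is right before committing. The following is an added example, not part of the ASEC script: the same key-box and XOR routine refactored into pure functions (gen_key_box, iswr_xor), plus a dry-run check (check_key) that decrypts one file in memory and compares the result against the file signature expected for the original extension. The MAGIC table, the 44-character Personal ID and the file contents in demo() are constructed for this example.

```python
import os

# File signatures for a few extensions from the target list above
# (constructed lookup table for this example, not part of the ASEC script)
MAGIC = {
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04", ".rar": b"Rar!",
}

def gen_key_box(key: bytes) -> list:
    """Build the 256-byte key box from the 6-byte key, as genKeyBox() does."""
    box = list(range(256))
    num = 0
    for i in range(256):
        num = (num + box[i] + key[i % 6]) % 256
        box[i], box[num] = box[num], box[i]
    return box

def iswr_xor(key: bytes, data: bytes) -> bytes:
    """Key-box/XOR routine; it is its own inverse, so it encrypts and decrypts."""
    box = gen_key_box(key)
    num = num2 = 0
    out = bytearray()
    for b in data:
        num2 = (num2 + 1) % 256
        num = (num + box[num2]) % 256
        box[num], box[num2] = box[num2], box[num]
        out.append(box[(box[num2] + box[num]) % 256] ^ b)
    return bytes(out)

def check_key(personal_id: str, enc_name: str, enc_data: bytes):
    """Dry run: decrypt in memory and compare the leading bytes with the
    signature expected for the original extension. Returns True/False, or
    None when no signature is known for that extension."""
    key = personal_id[-6:].encode()                     # only the last 6 chars matter
    ext = os.path.splitext(enc_name[:-5])[1].lower()    # strip ".iswr", take extension
    magic = MAGIC.get(ext)
    if magic is None:
        return None
    return iswr_xor(key, enc_data).startswith(magic)

def demo():
    """Constructed sample: a fake 44-character Personal ID and a fake PNG."""
    pid = "A" * 38 + "k3yZ9q"
    plain = b"\x89PNG\r\n\x1a\n" + b"constructed image body"
    enc = iswr_xor(pid[-6:].encode(), plain)
    return (check_key(pid, "photo.png.iswr", enc),
            check_key("B" * 38 + "wrong1", "photo.png.iswr", enc))
```

Running check_key over a handful of .iswr files before the full decryptor catches a mistyped Personal ID while the encrypted copies are still intact.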

To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version.

V3 detects this malware in the following way.

Figure 3. V3 product detection results

[File Detection]

  • Ransomware/Win.Generic.C5387930 (2023.02.25.01)

[Behavior Detection]

  • Ransom/MDP.Decoy.M1171

[IOC Info]

  • f791d1cf335353ea57c9475a69b261b0

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Decryptable iswr Ransomware Being Distributed in Korea appeared first on ASEC BLOG.

Article Link: Decryptable iswr Ransomware Being Distributed in Korea - ASEC BLOG