ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring.
A distinguishing trait of iswr is that it appends the iswr extension to filenames after encrypting the files. Its ransom note has the same format as the STOP ransomware's, but its encryption method, along with the extensions and folders it targets, differs greatly from STOP.
Encryption begins 25 seconds after the ransomware is executed. Files with extensions that are typically small in size are encrypted before files with extensions that are typically large. The encryption targets are as follows.
- Encryption target: Every file in every drive with the following extensions
- List of extensions with small file sizes targeted for encryption: pdf, doc, docx, jpeg, png, jpg, ai, aep, eps, psd, dwg, odt, odp, odb, docm, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, mdb, pst, dxf, rtf, pdd, indd, cdr, dng, arw, sr2, crw, pst, nef, raw, rwl, rw2, r3d, crw, sr2, crw, x3f, max, 3DS, skp
- List of extensions with large file sizes targeted for encryption: mp4, zip, rar
Unlike most ransomware, iswr does not combine asymmetric and symmetric keys; it uses only an asymmetric key. A randomly generated 6-byte key value is used to build a 256-byte key box, which is then put through a further operation and XORed with the file data to encrypt it.
Because the encryption method is so simplistic, decryption is possible, but infected users who do not analyze the files themselves have no way of knowing which encryption routine was used. This leaves them either paying the threat actor for the decryption tool (with no certainty that it will actually be delivered) or formatting their system.
ASEC has created a script that recovers files encrypted by iswr and is distributing it here. The decryption script runs in a Python 3.x environment; the code is as follows.
import sys
import os

key = ""        # 6-byte key: the last 6 characters of the Personal ID
keyBox = []     # 256-byte key box (the key-scheduling state)
suc_cnt = 0
fail = []

def genKeyBox():
    # Build the 256-byte key box from the 6-byte key (the same key schedule as RC4).
    global key, keyBox
    k_arr = []
    for i in range(0, 256):
        keyBox.append(i)
        k_arr.append(key[i % 6])
    num = 0
    for i in range(0, 256):
        num = (num + keyBox[i] + ord(k_arr[i])) % 256
        keyBox[i], keyBox[num] = keyBox[num], keyBox[i]

def decrypt(filePath):
    # Generate the keystream from a copy of the key box, XOR it over the file,
    # write the plaintext under the original name and delete the .iswr file.
    global keyBox, suc_cnt, fail
    keyBoxCp = keyBox[:]
    file_ori = filePath[0:-5]
    try:
        fr = open(filePath, mode='rb')
        data = fr.read()
        num = 0
        num2 = 0
        res = bytearray()
        for i in range(0, len(data)):
            num2 = (num2 + 1) % 256
            num = (num + keyBoxCp[num2]) % 256
            keyBoxCp[num], keyBoxCp[num2] = keyBoxCp[num2], keyBoxCp[num]
            num3 = keyBoxCp[(keyBoxCp[num2] + keyBoxCp[num]) % 256]
            res.append(num3 ^ data[i])
        fr.close()
        fw = open(file_ori, mode='wb')
        fw.write(res)
        fw.close()
        os.remove(filePath)
        suc_cnt += 1
    except Exception as e:
        fail.append(filePath)

def search_dir(path):
    # Count the .iswr files first so progress can be reported, then decrypt each one.
    num = 0
    for (root, dirs, files) in os.walk(path):
        for file in files:
            if file[-5:] == ".iswr":
                num += 1
    if num == 0:
        return
    print("[+] Number of encrypted files : " + str(num) + "\n")
    cnt = 0
    for (root, dirs, files) in os.walk(path):
        for file in files:
            if file[-5:] == ".iswr":
                cnt += 1
                print("\r[+] Progress : %0.1f%% (%d/%d)" % (cnt / num * 100, cnt, num), end='')
                filePath = os.path.join(root, file)
                decrypt(filePath)

def help():
    print("Usage : decryptor.py [Personal_ID] [Recovery_Directory_Path]\n")
    print("Personal_ID : Personal ID at the bottom of the ransom note (44 characters)")

def main():
    # Entry point. The function headers and list literals did not survive in the
    # posted copy; main() and the __main__ guard are reconstructed from the calls.
    global key, suc_cnt, fail
    print("iswr Decryptor v1 by ASEC Analysis Team\n")
    arg = sys.argv
    if len(arg) < 3:
        print("[-] Invalid parameter\n")
        help()
        return
    if len(arg[1]) != 44:
        print("[-] Invalid Personal ID\n")
        help()
        return
    if not os.path.isdir(arg[2]):
        print("[-] Not exist directory\n")
        help()
        return
    print("[+] Personal ID : " + arg[1])
    key = arg[1][-6:]
    print("[+] Key : " + key + "\n")
    genKeyBox()
    search_dir(arg[2])
    total = suc_cnt + len(fail)
    print("\n[+] Total : " + str(total) + " / Success : " + str(suc_cnt) + " / Fail : " + str(len(fail)) + "\n")
    if len(fail) > 0:
        print("[-] Fail list\n")
        for failFile in fail:
            print(failFile)
    print("\n[+] End")

if __name__ == "__main__":
    main()
The script must be run with the following parameters, where Personal_ID is the 44-character string at the end of the ransom note. Once it is run with these parameters, the files are decrypted automatically, and the encrypted originals are deleted automatically as well.
decryptor.py [Personal_ID] [Target folder for recovery]
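As an added example (not the script above and not ASEC's code), the same key schedule and keystream rewritten as one symmetric function, together with a file-signature check before the encrypted copy is deleted: the script above removes the .iswr file even when a wrong Personal ID produces garbage. The MAGIC table, the function names and the sample ID and plaintext are constructed for this example, and the keystream routine generalizes the script's fixed 6-byte key to any key length so that standard RC4 test vectors can be used to verify it.

```python
import os
import tempfile
# File signatures for some of the extensions iswr targets (constructed, partial).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".rar": b"Rar!\x1a\x07"}

def iswr_keystream_xor(personal_id: str, data: bytes) -> bytes:
    # Same key schedule and keystream as the ASEC script (an RC4 KSA/PRGA keyed
    # with the last 6 chars of the Personal ID); XOR means it encrypts and decrypts.
    key = personal_id[-6:].encode()
    s, j = list(range(256)), 0
    for i in range(256):                       # KSA: builds the "256-byte key box"
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                             # PRGA: keystream byte XOR data byte
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def plaintext_looks_valid(original_name: str, plaintext: bytes) -> bool:
    # Extensions not in MAGIC are accepted: there is nothing to check them against.
    sig = MAGIC.get(os.path.splitext(original_name)[1].lower())
    return sig is None or plaintext.startswith(sig)

def safe_decrypt_file(encrypted_path: str, personal_id: str) -> bool:
    # Delete the encrypted copy only if the plaintext passes the signature check,
    # so a mistyped Personal ID cannot destroy the only remaining copy of the file.
    if not encrypted_path.endswith(".iswr"):
        return False
    original = encrypted_path[:-5]
    with open(encrypted_path, "rb") as f:
        plaintext = iswr_keystream_xor(personal_id, f.read())
    if not plaintext_looks_valid(original, plaintext):
        return False
    with open(original, "wb") as f:
        f.write(plaintext)
    os.remove(encrypted_path)
    return True

def demo() -> tuple:
    # Constructed check: encrypt a fake PDF under a made-up 44-char Personal ID, then
    # try recovery with a wrong ID (refused, .iswr kept) and the right one (recovered).
    pid = "A" * 38 + "k3yB0x"                  # key = last 6 chars, "k3yB0x"
    enc = os.path.join(tempfile.mkdtemp(), "report.pdf.iswr")
    with open(enc, "wb") as f:
        f.write(iswr_keystream_xor(pid, b"%PDF-1.7\n% constructed sample\n"))
    wrong, right = safe_decrypt_file(enc, "B" * 44), safe_decrypt_file(enc, pid)
    return wrong, right, os.path.exists(enc), os.path.exists(enc[:-5])
```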
To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version.
V3 detects this malware in the following way.
- Ransomware/Win.Generic.C5387930 (2023.02.25.01)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Decryptable iswr Ransomware Being Distributed in Korea appeared first on ASEC BLOG.