We investigated a recent ransomware called Mira (Trojan:W32/Ransomware.AN) to check whether it is feasible to decrypt the files it encrypts.
Decryption is often very challenging because the keys needed for it are missing. Mira, however, appends all the information required to decrypt an encrypted file to the encrypted file itself.
Encryption Process
The ransomware first initializes a new instance of the Rfc2898DeriveBytes class to generate a key. This class takes a password, salt, and iteration count.
The password is generated using the following information:
- Machine name
- OS Version
- Number of processors
The salt, on the other hand, is generated by a Random Number Generator (RNG).
The ransomware then proceeds to use the Rijndael algorithm to encrypt files.
After encryption, it appends a ‘header’ structure to the end of the file.
This header conveniently contains the salt and the password hash. In addition, the iteration count is hard-coded into the sample; in this case, the value was 20.
By retrieving the password, salt, and the iteration count from the ransomware itself, we were able to obtain all the information needed to create a decryption tool for the encrypted files.
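The recovery idea described above, as an added Python sketch that is not our decryption tool's code: it reads the salt and password hash back out of a file's trailer and re-runs PBKDF2-HMAC-SHA1 (what Rfc2898DeriveBytes computes by default) with the iteration count of 20. The trailer layout, field sizes, key/IV split, use of the stored hash as the password bytes, and the sample data are all assumptions made for illustration.

```python
import hashlib

ITERATIONS = 20            # hard-coded in the sample, per the article
SALT_LEN = 32              # ASSUMED: the article does not give field sizes
PWHASH_LEN = 32            # ASSUMED
KEY_LEN, IV_LEN = 32, 16   # ASSUMED Rijndael parameters (256-bit key, 128-bit block)


def split_trailer(blob):
    """Split a file into (ciphertext, salt, password_hash).

    ASSUMED layout: ciphertext || salt || password_hash, fixed-size fields.
    """
    trailer_len = SALT_LEN + PWHASH_LEN
    if len(blob) < trailer_len:
        raise ValueError("file too short to carry the trailer")
    body, trailer = blob[:-trailer_len], blob[-trailer_len:]
    return body, trailer[:SALT_LEN], trailer[SALT_LEN:]


def derive(password, salt, iterations=ITERATIONS, length=KEY_LEN + IV_LEN):
    """PBKDF2-HMAC-SHA1, which is what Rfc2898DeriveBytes computes by default."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, length)


def recover_key_iv(blob):
    """Rebuild key and IV from nothing but the file's own trailer."""
    _, salt, pw_hash = split_trailer(blob)
    # ASSUMED: the stored hash bytes are what was passed as the password.
    stream = derive(pw_hash, salt)
    # ASSUMED: key and IV are taken back to back from the PBKDF2 output,
    # as two successive GetBytes() calls would return them.
    return stream[:KEY_LEN], stream[KEY_LEN:]


def build_sample():
    """Constructed sample: placeholder ciphertext plus a constructed trailer."""
    pw_hash = hashlib.sha256(b"HOSTNAME|OS-VERSION|4").digest()  # constructed
    salt = bytes(range(SALT_LEN))                                 # constructed
    return b"\x00" * 64 + salt + pw_hash, salt, pw_hash


if __name__ == "__main__":
    blob, _, _ = build_sample()
    key, iv = recover_key_iv(blob)
    print("key:", key.hex())
    print("iv: ", iv.hex())
```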
Decryption tool
You can download our decryption tool from here.
Here’s a video of how you can use our tool:
Article Link: https://labsblog.f-secure.com/2019/04/01/mira-ransomware-decryptor/