Dot ransomware is a new Ransomware-as-a-Service (RaaS) that is openly available in hacking forums. Following the current trend in malware services, it uses web portals hosted in the Tor network for anonymity.

While lurking in hacking forums, we came across a post for this new ransomware service. RaaS services are now switching from a one-time fee or subscription payment model to a commission-based strategy. One advantage of this scheme is that the up-front price for the ransomware is free, and any profits realized are simply split 50/50 between the author and the affiliate. This is an easy, no-pressure gateway for aspiring affiliates, since nothing is invested in obtaining the ransomware.

Visiting the Tor link directs potential affiliates to the Dot ransomware homepage. The site itself is relatively new. The ad shown in Figure 01, above, was posted on Feb 21 of this year, but the project was only launched a few days earlier, on Feb 19 (Figure 02). Recent updates to the site show that this RaaS variant has continued to receive support and refinements from the author in order to improve the product.

Figure 02 Dot Ransomware Homepage

To start, an affiliate needs to register using a Bitcoin address. Once logged in, the malware builder can be downloaded, along with the core component, which is basically the payload itself with a default configuration.

Figure 04 Download Builder and Core

In order for affiliates to track the number and status of infections, a statistics page is made available. During our testing we found that the statistics only count an infection as successful if the victim visits the decryption page. This has the advantages of eliminating automated infections and providing a more realistic return from real victims.

The builder comes with a setup guide, although its usage is fairly straightforward even without it.

Figure 06 Content of Builder Zip file

To guide complete newbies in the intricacies of RaaS, the setup guide includes recommendations on prices for particular countries and also includes a list of 380 suggested target file extensions. (The complete list of extensions is at the end of the article.)

As previously mentioned, configuring the payload is pretty straightforward. The following features can be set in the builder. After setting up the necessary configuration and generating a successful build, the DotRansomwareBuilder generates a Tracking ID that is unique for every build.
The configuration is then encrypted and written in the overlay of the payload binary, as seen below. The decrypted configuration includes the following data:

- {4 alphanumeric chars}: unique for every build
- Bitcoin address of the affiliate
- {1}: default price if not specified by the affiliate
- {True/false}: encrypt only the first 4MB of each file
- Target file extensions specified by the affiliate
- Countries with special decryption prices
- Decryption price for specific countries, set by the affiliate

After decrypting the configuration, it continues to decrypt the URL for the decryption and payment page, unlock26ozqwoyfv.

This URL is hard-coded by the author and cannot be configured by the user. To make sure that the URL has not been tampered with, the payload computes the SHA256 hash of the URL and compares it to a hard-coded value. This is to ensure that the payments go through the author first. Only then will the affiliate get paid, or at least hope to be paid.

Figure 10 Hardcoded SHA256 value

It does the same for the embedded RSA-4096 public key in the file: it computes the SHA256 hash of the key and compares it to a hard-coded SHA256 value. This ensures that the private key on the C&C side will be able to decrypt the "Signature" that was encrypted with the hard-coded public key.

Figure 11 Decrypted RSA-4096 Key
Figure 12 Hard-coded SHA256 hash value

If the computed SHA256 hash is not equal to the hard-coded value, Dot ransomware will terminate.

Since there is no network traffic during run time to notify the C&C, the Signature is important to differentiate between victims. The Signature is appended to the link to the ransomware's decryption page, and that link is therefore unique for every victim.

Figure 13 URL for Unlock26 website

The unique Signature of the victim consists of the following data:

- Randomly generated value used as the key for encryption
- Randomly generated value used as the Initialization Vector (IV)
- Bitcoin address of the affiliate
- Country of the infected victim
- Price set by the affiliate to decrypt the files
- True/false: encrypt only the first 4MB of each file
- Randomly generated value appended to the encrypted filename, i.e. .locked-{uniqueExtension}

After accumulating all the data needed for the Signature, it is encrypted with the embedded RSA-4096 public key. Some characters of the encrypted Signature are then replaced: "+" with "@", "/" with "–" and "=" with "!". The final output serves as the unique Signature.
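For an analyst who recovers one of these unlock URLs from a ReadMe file or a proxy log, the useful operation is the reverse of the substitution above: turn the Signature back into standard base64 and confirm it is a single RSA-4096 ciphertext block (512 bytes), whose hash then serves as a stable per-victim identifier for correlation. The following is an added example written for this article, not code from the original write-up or from the malware; it assumes the dash substituted for "/" is an ASCII hyphen (the en dash shown in the text is accepted too), and it uses a placeholder host rather than the real unlock26 onion address, which is truncated above.

```python
import base64
import hashlib

# Substitutions described in the write-up for the RSA-encrypted Signature:
# "+" -> "@", "/" -> "-" and "=" -> "!". Assumption: the dash is an ASCII
# hyphen; the en dash the page renders is also accepted for copied-in URLs.
SUBSTITUTIONS = {"@": "+", "-": "/", "\u2013": "/", "!": "="}

# A 4096-bit RSA modulus yields exactly one 512-byte ciphertext block.
RSA4096_CIPHERTEXT_LEN = 512

# Placeholder host: the real unlock26 onion address is not reproduced here.
PLACEHOLDER_HOST = "http://unlock26-PLACEHOLDER.onion/"


def normalize_signature(sig: str) -> str:
    """Undo the character substitutions, returning standard base64 text."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in sig)


def extract_signature(url: str) -> str:
    """Return the last path component of an unlock URL, i.e. the Signature."""
    path = url.split("://", 1)[-1].rstrip("/")
    return path.rsplit("/", 1)[-1]


def decode_signature(url: str) -> dict:
    """Parse an unlock URL and sanity-check its Signature.

    ok is True only when the normalized Signature is valid base64 that
    decodes to one RSA-4096 ciphertext block. The SHA256 of that block is a
    per-victim identifier that can be matched across logs without needing
    the private key.
    """
    sig = extract_signature(url)
    std = normalize_signature(sig)
    try:
        raw = base64.b64decode(std, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return {"ok": False, "reason": "not base64 after normalization", "signature": sig}
    if len(raw) != RSA4096_CIPHERTEXT_LEN:
        return {"ok": False, "reason": f"unexpected length {len(raw)}", "signature": sig}
    return {"ok": True, "ciphertext_len": len(raw), "signature": sig,
            "victim_id": hashlib.sha256(raw).hexdigest()}


def make_sample_signature(ciphertext: bytes) -> str:
    """Apply the forward substitutions to a ciphertext block (builds test input only)."""
    b64 = base64.b64encode(ciphertext).decode("ascii")
    return b64.replace("+", "@").replace("/", "-").replace("=", "!")


# Constructed stand-in for an RSA-4096 ciphertext: 512 bytes, not real RSA output.
SAMPLE_CIPHERTEXT = bytes(range(256)) * 2
SAMPLE_URL = PLACEHOLDER_HOST + make_sample_signature(SAMPLE_CIPHERTEXT)

if __name__ == "__main__":
    print(decode_signature(SAMPLE_URL))
    print(decode_signature(PLACEHOLDER_HOST + "index.html"))
```

Because the Signature is the only per-victim artifact the payload produces offline, normalizing it this way lets a responder tell whether two ReadMe files on different hosts came from the same run (same Signature) or from separate infections, and gives a hash that can be shared without exposing the URL itself.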

Offline encryption is gaining popularity since it causes minimal network traffic noise, thus making it less suspicious. The encryption used by Dot ransomware is Blowfish, a symmetric-key block cipher, with a randomly generated 38-byte key alongside an 8-byte initialization vector. An initialization vector (IV) prevents repetition in the encrypted data, making it more difficult to find a pattern in the encrypted file. Although the actual file encryption uses a symmetric algorithm, the encryption key is itself encrypted using RSA-4096, which means that the private key is needed to be able to decrypt the files. Encrypted files are given the extension .locked-{3 random chars}. After encryption, the ransomware opens the ReadMe HTML file, which shows the sites the victim needs to visit to get instructions for unlocking the files. Taking a look at the unlock page, it is pretty straightforward, as it has only one instruction, which is to pay. However, there is not much information on what happens after paying.
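Two details above matter during triage of an affected host: the random three-character extension is tied to one Signature, so the set of distinct extensions in a tree tells a responder how many separate runs touched it, and the builder's "encrypt only the first 4MB" option means files larger than 4MB may still carry intact data past that offset. The following triage helper is an added example, not code from the original article; it assumes the three random characters are alphanumeric and that, when the 4MB option is enabled, bytes past 4 MiB are left untouched, and it builds its own constructed sample tree in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Extension pattern from the write-up: ".locked-" plus three random characters.
# Assumption: those characters are alphanumeric (the article does not say).
LOCKED_RE = re.compile(r"\.locked-([A-Za-z0-9]{3})$")

# The builder's "encrypt only first 4MB" option. Assumption: 4MB means 4 MiB
# and bytes past that offset are not rewritten when the option is on.
PARTIAL_LIMIT = 4 * 1024 * 1024


def find_locked_files(root) -> list:
    """Walk a tree and describe every file carrying the Dot ransomware extension."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        m = LOCKED_RE.search(p.name)
        if not m:
            continue
        size = p.stat().st_size
        hits.append({
            "path": str(p),
            "ext": m.group(1),
            "size": size,
            # Bytes that may be intact if the affiliate enabled the 4MB option.
            "tail_beyond_4mb": max(0, size - PARTIAL_LIMIT),
        })
    return hits


def summarize(hits) -> dict:
    """Group hits by their unique extension.

    Each victim Signature carries its own random extension, so one extension
    in a tree usually means one run of the payload; several mean several runs.
    """
    out = {}
    for h in hits:
        entry = out.setdefault(h["ext"], {"count": 0, "tail_beyond_4mb": 0})
        entry["count"] += 1
        entry["tail_beyond_4mb"] += h["tail_beyond_4mb"]
    return out


def build_sample_tree(root) -> None:
    """Constructed sample: three renamed files from two runs plus one untouched file."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.locked-ab3").write_bytes(b"x" * 10)
    (root / "notes.txt").write_bytes(b"plain")
    (root / "archive.zip.locked-zz9").write_bytes(b"y" * 20)
    big = root / "video.mp4.locked-ab3"
    with open(big, "wb") as fh:  # sparse file of exactly 4 MiB + 100 bytes
        fh.seek(PARTIAL_LIMIT + 99)
        fh.write(b"\0")


def triage_sample() -> dict:
    """Build the constructed sample tree in a temp dir and return its summary."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return summarize(find_locked_files(d))


if __name__ == "__main__":
    for ext, info in triage_sample().items():
        print(f".locked-{ext}: {info['count']} files, "
              f"{info['tail_beyond_4mb']} bytes beyond the 4MB mark")
```

Run against a real mount point, `find_locked_files` gives the per-file inventory and `summarize` the per-run view; the tail byte count is only meaningful if the recovered configuration shows the 4MB option set, which is why the helper reports it separately rather than claiming any file is recoverable.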