Maktub ransomware becomes Iron ransomware

This is the malware analysis report about what it is possible to be a new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

Malware Analysis
The file that was discovered and analysed by researchers is ado64 and it has the following properties:
– MD5: 1e60050db59e3d977d2a928fff3d34a6
– SHA1: f51bab89b4e4510b973df8affc2d11a4476bd5be
– SHA256: 19ee6d4a89d7f95145660ca68bd133edf985cc5b5c559e7062be824c0bb9e770
– Compilation timestamp: 2018-04-05 03:47:19

Maktub was distributed as a fake graphically appealing lock screen or payment portal. In previous versions of Maktub, you could decrypt one file for free, but now in this new variant, this option has been removed. Because this new variant’s decrypter is named IronUnlocker, researchers called the ransomware Iron.
They discovered that Iron encrypts a total of 374 extensions:
.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb, .adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar, .bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap, .cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, .lng, .lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge, .mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt, .psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl, .rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb, .t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf, .uax, .udf, .umx, .unity3d, .unr, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf, .ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb, .wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv, .xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp

Iron hits gamers too; it encrypts Steam files (.vdf), World of Tanks replays (.wotreplay). DayZ (.DayZProfile), and many other game related extensions.
This cybersecurity problem can be easily avoided by implementing a cybersecurity solution inside every device, so don’t let your guard down depending of which OS your device is running it is mandatory to install an antivirus for Windows or antivirus for Mac.

If you are a company the install of antivirus is only the first layer of security, you must contract a cybersecurity company that will carry some advance cybersecurity tests to your company networks, like penetration tests, and ethical hacking tests.

Folders containing the following words are excluded from encryption:
Windows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow, $Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild

What is curious and interesting is that 360sec, 360rec, and 360sand are developed by Qihoo 360, an internet security company based in China. This makes us conclude that a Chinese individual or group may develop this variant.

After encryption, the ransomware will delete the original files, and will also empty the recycle bin.

Iron public RSA key:
—–BEGIN RSA PUBLIC KEY—–
MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr
l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb
zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=
—–END RSA PUBLIC KEY—–

The Iron ransomware sends user’s WAN IP and POST request to its C2 server located at http://y5mogzal2w25p6bn.ml.
After sending the pieces of information from above it creates a random GUID, and use it as a mutex, to not infect the machine twice, then it sends the following values to the C2 server:
– Encryption key;
– Randk;
– GUID;
– Start (whether ransom successfully started);
– Market.
The C2 server will send another set of values, including a unique Bitcoin address. Remember the golden rule: do not pay the ransomware.

All compromised files are encrypted securely with AES and the AES key with RSA. All encrypted data will have the .encry extension.

Malware Analysis conclusion:
Decryption is impossible without the hackers’ private key.
Those are the best cybersecurity pieces of advice for companies that want to prevent future ransomware cyber attacks:
1. Always update and backup your important files regularly and verify that the backups can be restored.
2. Do not use pirated software or download paid software offered for free.
3. Don’t download anything that came from shady sources.
4. Don’t use or download any keygen, password cracking or license check removal software
5. Don’t open or download any email attachments from unknown or unexpected senders
6. Install and use at least one cybersecurity solution like an anti-malware or an anti-ransomware tool

Ransomware attacks represent reality for all major companies, and unfortunately, this kind of cyber attacks will keep coming. However, there are steps companies can take to protect and secure themselves which includes adopting a top cybersecurity solution like an antivirus, implementing robust procedures for patching software and technologies against security vulnerabilities and hiring a specialized cybersecurity firm that would run extra tests like penetration test and ethical hacking test on their network. Maintaining a routine like this closes potential holes in company infrastructure.

Ransomware spreads like wildfire and is the most time critical of cyber threats. The ability to detect the pre-cursor behaviors of ransomware is the only way to get ahead of the attack. Unfortunately, that’s almost impossible to do if you are unprotected. To be safe and secured against ransomware like this, depending on which version of OS your device runs, please install an antivirus for Windows or antivirus for Mac.