A malvertising campaign is redirecting victims to the RIG exploit kit, which is installing a new ransomware called GetCrypt. Once installed, GetCrypt encrypts all files on the computer and then demands a ransom payment to unlock them.
Exploit kit researcher nao_sec discovered the ransomware and alerted BleepingComputer after noticing it being installed by the RIG exploit kit through the Popcash malvertising campaign. When a victim is redirected to the exploit kit page, malicious scripts attempt to exploit vulnerabilities on the victim's computer.
If they succeed, GetCrypt is downloaded and installed on Windows. You can see an example of the exploit kit infecting a computer from this
How GetCrypt encrypts your computer
Security researcher Vitali Kremez, who also saw nao_sec's tweet, analyzed the ransomware and found some interesting features, which he shared with BleepingComputer.
When the exploit kit executes the ransomware, GetCrypt first checks whether the Windows language is set to Ukrainian or Belarusian. If it is, the ransomware exits without encrypting the computer.
The ransomware then examines the CPUID and uses it to create a 4-character string that will be appended to encrypted files as their extension. It then deletes the Shadow Volume Copies by running the following command: vssadmin.exe delete shadows /all /quiet
The ransomware now scans the computer for files to encrypt. It does not target specific file types; instead, it encrypts every file that is not located in the following folders.
According to Michael Gillespie, GetCrypt utilizes the Salsa20 and RSA-4096 encryption algorithms.
When a file is encrypted, the 4-character string is appended to the file name as an extension. On my test run, a file called 1.doc was encrypted and renamed to 1.doc.ELSE.
GetCrypt also creates ransom notes named # Decrypt my files #.txt in each folder it encrypts and on your desktop. The ransom note tells you to contact Getcrypt@cock.li for payment instructions.
GetCrypt will also change your desktop background to the following image, which is stored at %LocalAppData%\Tempdesk.BMP.
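The two host artifacts described above, the appended 4-character extension (1.doc becoming 1.doc.ELSE) and the # Decrypt my files #.txt ransom note, are what an incident responder looks for first when triaging a machine or share. The script below is an added example written for this article, not code from BleepingComputer or from the researchers it quotes. It walks a directory tree, counts ransom notes, and infers the victim-specific extension by majority vote rather than assuming ELSE, since the string is derived per machine. The sample directory it builds is constructed for the demonstration; the regular expression for "original name plus a dot and four upper-case letters" is an assumption based on the single example the article gives.

```python
"""Triage a directory tree for the GetCrypt artifacts the article describes.

Added example, not from the original article. Indicators checked:
  * ransom notes named "# Decrypt my files #.txt" in encrypted folders
  * files whose original name has a 4-character extension appended
    (e.g. 1.doc -> 1.doc.ELSE); the string is per victim, so it is
    inferred from the files present instead of hardcoded.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

RANSOM_NOTE = "# Decrypt my files #.txt"
# Assumed pattern: original name (with its own extension), a dot,
# then exactly four upper-case letters, as in the article's 1.doc.ELSE.
APPENDED_EXT = re.compile(r"^(?P<orig>.+\..+)\.(?P<ext>[A-Z]{4})$")


def scan_tree(root):
    """Walk root and return (note_dirs, suffix_counts).

    note_dirs: directories that contain the ransom note.
    suffix_counts: Counter of candidate 4-letter suffixes seen on files.
    """
    note_dirs = []
    suffix_counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            m = APPENDED_EXT.match(name)
            if m:
                suffix_counts[m.group("ext")] += 1
    return note_dirs, suffix_counts


def infer_extension(suffix_counts, min_files=3):
    """Return the dominant appended extension, or None if too few hits.

    Requiring several files with the same suffix avoids flagging a lone
    legitimate file such as notes.txt.COPY as an encrypted one.
    """
    counts = Counter(suffix_counts)
    if not counts:
        return None
    ext, count = counts.most_common(1)[0]
    return ext if count >= min_files else None


def assess(root):
    """Combine both indicators into a verdict dict."""
    note_dirs, suffix_counts = scan_tree(root)
    ext = infer_extension(suffix_counts)
    return {
        "ransom_notes": len(note_dirs),
        "extension": ext,
        "infected": bool(note_dirs) and ext is not None,
    }


def build_sample_tree():
    """Construct a throwaway directory that mimics an infected share."""
    root = tempfile.mkdtemp(prefix="getcrypt_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Constructed sample files; only the names matter for this check.
    for name in ["1.doc.ELSE", "budget.xlsx.ELSE", "photo.jpg.ELSE", "todo.txt.ELSE"]:
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(docs, RANSOM_NOTE), "w").close()
    open(os.path.join(root, RANSOM_NOTE), "w").close()
    # A legitimate file that superficially resembles the pattern.
    open(os.path.join(root, "notes.txt.COPY"), "wb").close()
    return root


def remove_sample_tree(root):
    """Delete the constructed directory again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    print(assess(sample))
    remove_sample_tree(sample)
```

Point assess() at a mounted share or a user profile to get a quick count of ransom notes and the inferred extension; the extension value is what you will need later when matching encrypted files against their originals for the decryptor.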
Like many ransomware infections, GetCrypt also attempts to encrypt files on network shares, but it goes about it in an unusual way.
Tries to brute force network account passwords
During encryption, GetCrypt uses the WNetEnumResourceW function to list all available network shares.
If it is unable to connect to a share, it uses an embedded list of usernames and passwords to try to brute force the share's credentials and then mounts it using WNetAddConnection2W.
Below is the list of usernames and passwords Kremez discovered in the ransomware while analyzing it.
While it is not uncommon for ransomware to encrypt unmapped network shares, this ransomware's attempt to brute force credentials so that shares can be connected to from the infected computer is unprecedented.
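Two of the behaviours described above leave a clear trace in Windows logs: the Shadow Volume Copy deletion (a process-creation event whose command line is vssadmin.exe delete shadows /all /quiet) and the credential brute forcing against shares (a burst of network logon failures from one infected host cycling through several usernames). The detector below is an added example for this article, not code from BleepingComputer, nao_sec or Kremez. It runs both checks over constructed log lines; the key=value line format, the timestamps, hosts and usernames in the sample are all made up for the demonstration, and a real deployment would read Sysmon event 1 and Security event 4625 from the event log instead.

```python
"""Detection logic for two GetCrypt behaviours described in the article.

Added example, not from the article. Detectors:
  1. Shadow copy deletion: process creation (Sysmon event 1) whose
     command line is 'vssadmin.exe delete shadows /all /quiet'.
  2. Share credential brute forcing: a burst of network logon failures
     (Security event 4625, logon type 3) from one source address that
     cycles through several usernames inside a short window.
The 'TIMESTAMP key=value ...' log format is an assumption for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; hosts, times and usernames are made up.
SAMPLE_LOG = """\
2019-05-22T10:00:01 EventID=1 Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c dir"
2019-05-22T10:00:05 EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet"
2019-05-22T10:00:10 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=administrator
2019-05-22T10:00:11 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=admin
2019-05-22T10:00:12 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=backup
2019-05-22T10:00:13 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=guest
2019-05-22T10:00:14 EventID=4625 LogonType=3 IpAddress=10.0.0.23 TargetUserName=user
2019-05-22T10:05:00 EventID=4625 LogonType=3 IpAddress=10.0.0.77 TargetUserName=alice
2019-05-22T10:20:00 EventID=4625 LogonType=3 IpAddress=10.0.0.77 TargetUserName=alice
"""

# key=value pairs; values may be double-quoted when they contain spaces.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_line(line):
    """Split 'TIMESTAMP key=value key="quoted value"' into a dict."""
    ts_text, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts_text)}
    for key, quoted, bare in PAIR.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_shadow_deletion(events):
    """Return process-creation events that delete Volume Shadow Copies."""
    return [
        e for e in events
        if e.get("EventID") == "1" and SHADOW_DELETE.search(e.get("CommandLine", ""))
    ]


def detect_logon_bruteforce(events, window=timedelta(seconds=60),
                            min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures network logon failures that span
    >= min_users distinct accounts inside a sliding time window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4625" and e.get("LogonType") == "3":
            by_ip[e.get("IpAddress", "unknown")].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.get("TargetUserName", "") for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def run(text=SAMPLE_LOG):
    """Run both detectors and return their findings."""
    events = parse_log(text)
    return {
        "shadow_deletion": [e["CommandLine"] for e in detect_shadow_deletion(events)],
        "bruteforce": detect_logon_bruteforce(events),
    }


if __name__ == "__main__":
    print(run())
```

The brute-force rule keys on distinct usernames as well as the failure count so that one user mistyping a password a few times (the 10.0.0.77 lines in the sample) is not flagged, while a host walking an embedded credential list is. Tune window, min_failures and min_users to the baseline of your own environment.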
GetCrypt Decryptor Now Available
If you were infected by the GetCrypt ransomware, it is possible to recover your files. You will need an original, unencrypted copy of one of the files that was encrypted.
If you have an encrypted/unencrypted file pair, simply download the decrypt_GetCrypt.exe program from the link below and save it to your desktop.
Once downloaded, run the decryptor and select both the encrypted and the unencrypted file. Then click the Start button.
The GetCrypt Decryptor will now brute force your decryption key and decrypt your files.