A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files.  Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.

 

It goes without saying, that GnuPG is a legitimate programs being illegally used by the Qwerty Ransomware developers. While a ransomware using GnuPG to encrypt files is not unique as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen.

 

While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computer running Remote Desktop Services.  First discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.

 

How the Qwerty Ransomware encrypts a computer

 

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

 

package.jpg
Qwerty Ransomware Package

 

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

 

Batch File
Batch File

 

When the batch file is executed, the keys will be imported as shown below.

 

Importing Keys
Importing Keys

 

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.

 

JavaScript File
JavaScript File

 

When find.exe is executed it will launch the following commands on the victim's computer. 

taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin

 

Source

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file: 


gpg.exe --recipient qwerty  -o "%s%s.%d.qwerty" --encrypt "%s%s"

 

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the .qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

 

Encrypted Qwerty Files
Encrypted Qwerty Files

 

When encrypting files, it will encrypt any file that does not contain the following strings: 

Recycle
temp
Temp
TEMP
windows
Windows
WINDOWS
Program Files
PROGRAM FILES
ProgramData
gnupg
.qwerty
README_DECRYPT.txt
.exe
.dll

 

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it. 


shred -f -u -n 1 "%s%s"

 

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

 

In each folder that a file is encrypted, it will create a ransom note named README_DECRYPT.txt which contains instructions to contact [email protected] to receive payment instructions.

 

Qwerty Ransom Note
Qwerty Ransom Note

 

Unfortunately, this ransomware is secure and there is no way to decrypt files for free as only the attacker has possession of the private decryption key. Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shutdown the computer before it encrypts too many files.

 

How to protect yourself from the Qwerty Ransomware

 

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

 

As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

 

It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

 

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

 

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

 

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.

 

For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes: 

find.exe: 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
gpg.exe:2b605abf796481bed850f35d007dad24
iconv.dll: aa9ec502e20b927d236e19036b40a5da5ddd4ae030553a6608f821becd646efb
key.bat: 554c6198a015dc87e394c4fc74bf5040c48829d793e302632f9eec663733a09e
libiconv2.dll: 3ec2d1a924ef6f19f2db45e48b9cf4b74a904af5720100e3da02182eee3bcf02
libintl3.dll: b92377f1ecb1288467e81abe286d1fd12946d017e74bd1ab5fb2f11e46955154
ownertrust.txt: d06ffa2b486cd0601409db821d38334d0958bf8978f677330908a4c3c87a2b48
qwerty-pub.key: dc1f6d197904a59894a9b9e66f0f6674766c49151a8ced2344dfaadaf54330b8
run.js: 6a6722b3b177426ec9ebb27898ef2340208c5644eb56eb5b064f2b2e34bf20bf
shred.exe: 7eae0a885c7ef8a019b80d55a00e82af2e9a9465b052156490ff822ac68bc23a

 

Associated Files: 


README_DECRYPT.txt

 

Ransom Note Text: 


Your computer is encrypted . Mail [email protected] . Send your ID 5612.
Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!

 

Associated Emails: 


[email protected]

 

Executed Commands: 


taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin