So far, RanRan ransomware has been spotted on victims’ computers in Saudi Arabia and The Philippines.
The good news is that the developers of RanRan made several mistakes, and researchers at Palo Alto Networks have created two decryptors that can restore a victim’s files under certain conditions.
RanRan installs itself on a user’s computer under the guise of “C:\services.exe.” It then creates an autorun key that allows the ransomware to run each time the computer boots.
To ensure it has enough time to encrypt a victim’s files, the ransomware monitors for windows with titles that contain “task manager” and closes them. This makes it less likely that victims will end the routine themselves. The crypto-malware also looks for services/processes that would potentially prevent it from encrypting important database files.
In total, RanRan targets 96 different file types. It encrypts these files using an RC4 stream cipher as a password. The ransomware makes a different password for each group of files that fit these sizes:
0 – 5 MB
5 – 30 MB
30 – 100 MB
100 – 300 MB
300 – 700 MB
700 – 2000 MB
2000 – 3000 MB
3000 MB and greater
After their files are encrypted, victims are presented with a ransom note attempting to force them to “generate a political statement against the leader of the country. It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file,” according to Palo Alto Networks.
Possible decryption routes
Palo Alto Networks discovered that RanRan is making use of a recycled encryption key and fails to delete the original versions of the files it encrypts. As a result, they were able to create two decryptors that allow victims to recover their files provided that the following conditions are met:
- An encrypted and non-encrypted version of a single file within a certain file size group must be present.
- Encrypted files are eligible for decryption only if they fall into a group that’s smaller in size than the cluster encrypted by the available RC4 cipher.
For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.