The Marlboro Ransomware was defeated and cracked in less than 24 hours as security experts managed to track it down, find several bugs in its code and create a free decrypter.
Marlboro was discovered only a day ago by the security researcher MalwareHunterTeam. The ransomware's authors have been distributing their product via spam messages with malicious Word files attached. These files, when opened, download and install Marlboro on victims' machines.
This ransomware, researchers say, is the first one to ever come in two separate versions for 64-bit and 32-bit systems, with Marlboro dropping the installer that matches its target's system. The tactic itself is not new, though: other malware, such as banking Trojans, PoS malware, and backdoor Trojans, uses it very often.
The Marlboro developers used free hosting accounts to store the ransomware's binaries. Moreover, another researcher, who wanted to stay anonymous, said that the “[spam] campaign was really well crafted,” and that apparently, the ransomware's author was better at distributing spam than he was at malware coding.
Marlboro encrypts users' files with XOR encryption and appends the “.oops” extension to each locked file. For instance, a file named “summer.png” becomes “summer.png.oops” after being encrypted. Once the encryption process is over, the ransomware drops its ransom note, which is called “_HELP_Recover_Files_.html”.
The note states that Marlboro uses a combination of RSA and AES encryption to lock files, but this is not true. The ransomware also drops another file, named “deMarlboro”.
This is a free decrypter created by Marlboro's author himself. The decrypter operates in the following way: first, it checks the hacker's server to see whether the payment was received and, if so, it starts the decryption process. The tool also contains a human-verification challenge to prevent victims from spamming the developer's server with questions and requests.
The first Marlboro victims were registered yesterday, when they started uploading the ransom note and locked files to the ID-Ransomware service. The service helps victims identify exactly which ransomware they are dealing with. As it turns out, the victims of Marlboro's first spam wave are only Croatian and Serbian users.
Luckily, security researchers managed to identify the ransomware quickly and to find a couple of vulnerabilities in its code that allowed them to create a decryption tool. The tool was created by Emsisoft CTO and security researcher Fabian Wosar, and it is available for free on the Emsisoft website.
“Due to a bug in the malware’s code, the malware will truncate up to the last 7 bytes from files it encrypts,” Wosar said. “It is, unfortunately, impossible for the decrypter to reconstruct these bytes.”
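The two technical points above, the XOR locking with the “.oops” extension and the truncation bug that makes the last bytes unrecoverable, can be seen in a small simulation. This is an added example, not Marlboro's code or Emsisoft's decrypter: the key length, key bytes and the exact truncation behaviour are constructed assumptions, and the PNG header is used as the known plaintext that lets a decrypter recover the XOR keystream without ever seeing the key.

```python
"""Added, constructed example: why repeating-key XOR lockers can be undone with
a known plaintext, and why bytes the locker truncated cannot be recovered.
Key length, key bytes and truncation are assumptions, not from the sample."""
from itertools import cycle

OOPS_EXT = ".oops"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte header of every PNG file


def toy_lock(data: bytes, key: bytes, truncate: int = 0) -> bytes:
    """Simulate the locker: repeating-key XOR, then (the bug) drop trailing bytes."""
    out = bytes(b ^ k for b, k in zip(data, cycle(key)))
    return out[: len(out) - truncate] if truncate else out


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the keystream.
    The key length is assumed known here (in practice it comes from analysing
    the binary or the ciphertext); one full key period of known bytes suffices."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least one full key period of known plaintext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    return stream[:key_len]


def unlock(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: applying the recovered key restores the data."""
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(key)))


def demo(truncate: int = 7) -> dict:
    """Lock a constructed PNG-like file, recover the key, measure what is lost."""
    key = b"\x5a\xa5\x3c\x9f"                 # constructed 4-byte key (assumption)
    original = PNG_MAGIC + bytes(range(40))    # constructed file body
    locked = toy_lock(original, key, truncate)
    locked_name = "summer.png" + OOPS_EXT
    found = recover_key(locked, PNG_MAGIC, len(key))
    recovered = unlock(locked, found)
    return {
        "locked_name": locked_name,
        "key_recovered": found == key,
        # everything that survived truncation decrypts correctly ...
        "prefix_intact": recovered == original[: len(recovered)],
        # ... but the truncated tail is simply gone; no key can bring it back
        "bytes_lost": len(original) - len(recovered),
    }


if __name__ == "__main__":
    print(demo())
```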
Also, according to both Wosar and MalwareHunterTeam, the ransomware's source code is of poor quality. Moreover, Marlboro's authors seem to have assembled some of the ransomware's internals from code borrowed from StackOverflow's C++ section.