The ransomware Polyglot delivers a ransom message in English, Russian, Italian, Spanish and Ukranian. But regardless of language, it can be decrypted, according to Kaspersky Lab.
The ransomware Polyglot delivers a ransom message in English, Russian, Italian, Spanish and Ukranian. But regardless of language, it can be decrypted, according to Kaspersky Lab.

A recently discovered ransomware trojan known as Polyglot tries very hard to imitate the menacing cryptor CTB-Locker, but ultimately falls short in its encryption strength and can be defeated, according to Kaspersky Lab.

Polyglot is so named so because it supports five different languages, allowing victims to switch translations by clicking on flags representing the native tongues of U.S., Russia, Italy, Spain and Ukraine. While this indicates that all five countries are intended targets, “Our data…suggests, however, that the majority of detections occurred in Russia,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, in an email interview with SCMagazine.com.

According to a Kaspersky blog post published today, Polyglot is distributed via spam emails containing a link to a malicious RAR archive that carries the cryptor's executable code. Following encryption, the malware delivers a ransom note via desktop wallpaper that, strangely enough, displays an image unique to each individual victim. The malware demands payment in bitcoins, granting the victim only 96 hours to respond before files are permanently encrypted.

First appearing in late August, Polyglot has quite a few elements in common with CTB-Locker, including “the graphical interface window, language switch, the sequence of actions for requesting the encryption key, the payment page [and] the desktop wallpapers,” Kaspersky reported. Moreover, Polyglot's visual appearance is strikingly similar to CTB-Locker and its ransom message and instructions are literally lifted from its predecessor.

Just as CTB-Locker compresses victims' files with Zlib, Polyglot packs file content into a ZIP archive. In both cases, the compressed content is then encrypted with AES-256. “This technique seems noteworthy, because we don't often see ransomware that packs the data before encryption. Most trojans just encrypt the original file content,” said Sinitsyn.

The two malicious trojans also use the same algorithms to create encryption keys, allow victims to decrypt five files for free, and communicate with a command-and-control server located on the Tor network.

Despite these parallels, a Kaspersky Lab analysis has revealed that Polyglot was developed separately from CTB-Locker, with markedly different program architectures and virtually no coding shared between them.

Imitating more successful, established ransomware is a common trick, Sinitsyn told SCMagazine.com. “For example, the Crysis ransomware currently gives the extension .xtbl to... encrypted files, while originally this extension was used by Shade. What's more, we have discovered a sample of Xorist that mimics the version of Crysis that mimics Shade!” said Sinitsyn. “However, we haven't seen ransomware that would try to copy another trojan so thoroughly” as Polyglot does with CTB-Locker.

Sinitsyn, along with fellow blog post authors and analysts Anton Ivanov and Orkhan Mamedov, has theorized that perhaps Polyglot's creators want to trick victims and researchers into thinking the trojan actually is CTB-Locker, leaving no hope that the files can be salvaged without paying up.

But they can, because unlike CTB-Locker, Polyglot contains several fatal mistakes that allow victims to decrypt their files without paying the bitcoin ransom.

For starters, the ransomware generates symmetric encryption keys based on a randomly generated array of characters; however, the strength of the random sequence generation procedure is surprisingly weak. In fact, reported Kaspersky, it takes mere minutes on a standard PC to conduct a thorough search of the entire set of possible keys for an encrypted file.

Even though there is a password-protected ZIP archive below this layer of encryption, this feature is also flawed because the archive key length is only four bytes, and those bytes are borrowed from a unique ID assigned to the computer by the operating system, known as MachinGUID. “Furthermore, a slightly modified MachineGUID string is displayed in the requirements text displayed to the victim; this means that if we know the positions in which the four characters of the ZIP archive password are located, we can easily unpack the archive,” reads the blog post.