Skip to content

Decryption tool for the "Embrace", "PainLocker" and "Everbe" ransomwares files (with extensions .[[email protected]].embrace, .[[email protected]].pain and .[[email protected]].everbe)

License

Notifications You must be signed in to change notification settings

themaks/embrace_decryptor

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

embrace_decryptor

Decryption tool for the "Embrace", "PainLocker" and "Everbe" ransomwares files (with extensions .[[email protected]].embrace, .[[email protected]].pain and .[[email protected]].everbe)

The tool exploits several weaknesses in the malware to recover the files:

  • Only one AES key is generated for every file on a same host
  • During key-generation, the malware uses the weak msvcrt's rand() function, which is not cryptographically secure
  • The random generator is seeded using srand(time(0))
  • The IV is derived from the last 16 characters of the encrypted file path, which are known even after encryption
  • AES mode of operation used is CBC : decrypting a file using the correct key but the wrong IV still leads to full file recovery (minus the first 16 bytes at most).

This decryption tool works as follows:

  • It bruteforces the probable value of the original time(0), using the file's last modification time as a hint
  • For each value, it generates an AES key using the derivation algorithm present in the malware, and try to decrypt the file with it
  • The tool computes the avererage Shannon's entropy per byte of the decryption result.
    • A high value of entropy (~8 bits by byte) indicates a "random" result, likely to be the product of a decryption with a wrong key.
    • A lesser value indicates "non-random" content (text content, or binary file with structured headers), which means the the right key has been found.

Once one file has been decrypted, the initial value of time(0) is known, and so the corresponding generated AES key. This key can then be reused to decrypt instantaneously any other file on the same infected machine.

Script usage

usage: decrypt_file.py [-h] [-l LOCALTIME | -t TIME] [-d DELTA] [-v] [-o]
                       [-e EXTENSION] [-r]
                       file [file ...]

Decrypt .embrace ransomware files

positional arguments:
  file                  file(s) to decrypt

optional arguments:
  -h, --help            show this help message and exit
  -l LOCALTIME, --localtime LOCALTIME
                        time of the encryption (local time, format YYYY-MM-DD-
                        hh-mm-ss), if known. Can be approximative if you pass
                        the --delta argument
  -t TIME, --time TIME  time of the encryption (in seconds since Epoch), if
                        known. Can be approximative if you pass the --delta
                        argument
  -d DELTA, --delta DELTA
                        number of seconds to bruteforce, around the provided
                        encryption time, or the file's last modification date
  -v, --verbose         verbose mode
  -o, --overwrite       automatically overwrite decrypted files. Ex: after
                        decryption of xxx.ext..[[email protected]].embrace,
                        xxx.ext will be overwritten
  -e EXTENSION, --extension EXTENSION
                        manually provide the encrypted file extension. The
                        tool currently supports
                        ".[[email protected]].embrace" (default),
                        ".[[email protected]].everbe" and
                        ".[[email protected]].pain"
  -r, --recursive       performs decryption recursively on folders

For this tool to work, the last 16 characters of the encrypted file's path
(including the file's name, without '.[[email protected]].embrace') must be
the same as when the file was encrypted If this condition is not met, only the
16 first bytes of the file at most will be destroyed. The rest of the file
will be correctly decrypted.

About

Decryption tool for the "Embrace", "PainLocker" and "Everbe" ransomwares files (with extensions .[[email protected]].embrace, .[[email protected]].pain and .[[email protected]].everbe)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages