Bitdefender Decryption Utility for MaMoCrypt ransomware 1.0.0.2 Freeware
#1
https://labs.bitdefender.com/2020/10/mam...tion-tool/
MaMoCrypt Ransomware Decryption Tool
October 16, 2020
We’re happy to announce the availability of a new decryptor for MaMoCrypt, a strain of ransomware that appeared in December last year.

MaMoCrypt is an unusual piece of ransomware, a variant of MZRevenge written in Delphi and packed using mpress.

If you don’t want to go through the technical analysis, you can jump straight to decryption by downloading the utility below:

http://download.bitdefender.com/am/malwa...ptTool.exe

Ransomware behavior

1. MaMoCrypt deletes shadow volumes, disables the firewall and UAC. These features are nothing unusual in the malware universe, and we will not go into further details.

2. Using Delphi’s random generator (based on a linear congruential generator) and a DWORD seed based on time (using QueryPerformanceCounter or GetTickCount), it will generate two buffers which will be base64 encoded and prepended with MZRKEYPUBLIC / MZRKEYPRIVATE.

3. Based on these two keys and a mask (see more details below), it will generate two encryption keys per file, which will be used for encryption. The content will be first encrypted with AES 128 CBC and then re-encrypted with Twofish 128 NOFB. The remainder % 16 from AES encryption will be encrypted using AES 128 CFB. All encrypted files will have their name appended with “.MZ173801”.

4. After encryption, the malware iterates the encrypted folders again to place the ransom note in them. The note will also contain the 2 MZR keys.

Although the MZR keys will not be changed during key generation or encryption, the mask will be continuously updated. Their generation is based on a mix of SHA1, SHA512, and some custom computations. The AES and TWOFISH keys are computed by using SHA512 16 times for each key and XORing the bytes, using the result as the n-th byte of the key.

Digital Signature ( Bitdefender SRL )


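The time-seeded generator from step 2, as an added example that is not part of the original post or of Bitdefender's tool: everything a Delphi-style linear congruential generator outputs is fixed by its DWORD seed, so a buffer it produced can be matched back to the seed by searching a window of tick values. The multiplier and increment are those of the Delphi RTL `Random`; the 32-byte buffer length, the one-`Random(256)`-call-per-byte fill, and the sample seed are assumptions made for illustration, since the post does not describe how the buffers are filled.

```python
# Added illustration; not code from the post or from Bitdefender's tool.
MULT = 0x08088405   # multiplier used by the Delphi RTL Random()
MASK = 0xFFFFFFFF   # RandSeed is a 32-bit value


def delphi_random(seed, n):
    """One step of Delphi-style Random(n): returns (new_seed, value)."""
    seed = (seed * MULT + 1) & MASK
    return seed, (seed * n) >> 32


def make_buffer(seed, length=32):
    # Assumption: one Random(256) call per byte and a 32-byte buffer.
    out = bytearray()
    for _ in range(length):
        seed, value = delphi_random(seed, 256)
        out.append(value)
    return bytes(out)


def recover_seeds(observed, lo, hi):
    """Return every seed in [lo, hi) that reproduces `observed`."""
    hits = []
    for seed in range(lo, hi):
        # Cheap filter: the first output byte is the top byte of the next state.
        if ((seed * MULT + 1) & MASK) >> 24 != observed[0]:
            continue
        if make_buffer(seed, len(observed)) == observed:
            hits.append(seed)
    return hits


# Constructed sample: a GetTickCount-like seed (one hour of uptime, in ms).
SAMPLE_SEED = 3_600_000
SAMPLE_BUFFER = make_buffer(SAMPLE_SEED)

if __name__ == "__main__":
    # Search a window of +/- 100 seconds around the suspected time.
    found = recover_seeds(SAMPLE_BUFFER, 3_500_000, 3_700_000)
    print("recovered seeds:", found)
```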