QazLocker Ransomware: Flaws in Encryption Allow for Data Recovery

In the cybercriminal domain, a new variant of ransomware named QazLocker is gaining momentum. It’s being used in a multitude of attacks to target companies across various business sectors in different countries. However, there’s a particularly intriguing aspect to the operation of this malicious software.

Experts at Acronis have conducted a thorough analysis of this threat and uncovered significant vulnerabilities in its file encryption algorithms. These flaws allow for the recovery of encrypted data without succumbing to the cybercriminals’ demands for ransom.

Unlike well-known hacker groups specializing in ransomware, the creators of QazLocker seem to possess a lower level of technical expertise. For intelligence gathering and lateral movement across a victim’s local network, they employ widely available off-the-shelf tools such as Mimikatz, NirSoft utilities, and Advanced Port Scanner.

Ransomware GUI showing the log of encrypted files along with an input field for a decryption key | Image: Acronis

The encryptor itself is written in the AutoIt scripting language and packed using the standard UPX tool. The program recursively traverses all drives in the system, encrypting files using the AES algorithm in CBC mode with a zero (null) initialization vector.

However, in generating the AES key, QazLocker’s developers made several serious errors. Firstly, the victim’s identifier, LOCK-ID, is calculated by concatenating the network adapter’s MAC address with the month’s number in hexadecimal format. Secondly, the last five bytes of this identifier are used to generate an RC4 encryption key, which in turn is used to protect the AES key seed.

The approach used by the hackers allows for easy recovery of encryption keys and decryption of files for affected companies. This requires just the knowledge of the victim’s MAC address and the month in which the attack occurred.
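A simplified model of the derivation described above, added here as an illustration: this is neither QazLocker’s code nor the Acronis decryptor. The exact formatting of the MAC address, of the month value, and of the "last five bytes" is not stated in the article, so those details are assumptions, and the seed is a constructed sample.

```python
"""Model of the QazLocker key-derivation flaw as described in the article.

Assumptions (not stated in the article): the MAC is written as 12 uppercase
hex digits, the month as two uppercase hex digits, and the "last five bytes"
are the last five characters of that string, used directly as the RC4 key.
"""


def lock_id(mac: str, month: int) -> str:
    """LOCK-ID = MAC (hex digits only) || month as two hex digits (assumed layout)."""
    mac_hex = mac.replace(":", "").replace("-", "").upper()
    return mac_hex + f"{month:02X}"


def rc4_key_from_lock_id(lid: str) -> bytes:
    """The RC4 key is fully determined by the identifier: no secret enters here."""
    return lid[-5:].encode()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_seed(seed: bytes, mac: str, month: int) -> bytes:
    """What the model encryptor does: protect the AES seed with the derived RC4 key."""
    return rc4(rc4_key_from_lock_id(lock_id(mac, month)), seed)


def recover_seed(wrapped: bytes, mac: str, month: int) -> bytes:
    """What a decryptor needs: only the victim's MAC and the month of the attack."""
    return rc4(rc4_key_from_lock_id(lock_id(mac, month)), wrapped)


def candidate_keys(mac: str) -> dict:
    """If the month is unknown, the whole key space is 12 candidates per MAC."""
    return {m: rc4_key_from_lock_id(lock_id(mac, m)) for m in range(1, 13)}


if __name__ == "__main__":
    mac, month = "00:1A:2B:3C:4D:5E", 11          # constructed sample values
    seed = b"constructed-seed-16b"                 # constructed sample seed
    assert recover_seed(wrap_seed(seed, mac, month), mac, month) == seed
    print(lock_id(mac, month), sorted(candidate_keys(mac).values()))
```

The point of the model is that every input to the key derivation is recoverable from the victim machine itself, which is why the seed wrapping adds no real protection and why key material for such purposes must come from a cryptographically secure random source rather than device identifiers.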

Acronis specialists have already developed a decryptor in the form of a Python script, aiding victims of QazLocker in independently restoring their files, eliminating the need to yield to extortionists.

Regrettably, the majority of other types of ransomware still pose a significant threat to businesses. Their authors meticulously disguise their code, utilize robust cryptographic primitives without vulnerabilities, and regularly modify their operational algorithms. In such cases, the recovery of encrypted data is extremely difficult or virtually impossible.