{"id":85918,"date":"2018-03-06T17:19:53","date_gmt":"2018-03-06T11:49:53","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85918"},"modified":"2018-03-06T17:33:12","modified_gmt":"2018-03-06T12:03:12","slug":"beware-new-net-ransomware-encrypting-files-lime","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-new-net-ransomware-encrypting-files-lime\/","title":{"rendered":"Beware! A new .Net Ransomware is encrypting files with .Lime"},"content":{"rendered":"

Cases of the \u201cLime ransomware\u201d<\/strong> have been recently reported to Quick Heal Security Labs. Our research team has analyzed these cases deeply and found some useful information. This post shares this information to help users stay safe from ransomware attacks.<\/p>\n

\u2018Lime\u2019 is a newly discovered .net ransomware; it is also known as the \u2018BigEyes\u2019 ransomware. It uses two major ways to infect user\u2019s systems, either spam emails or malicious downloads.<\/p>\n

Ransomware usually comes into the system without the user\u2019s knowledge through online activities like software bundling, spam email attachments, infected links, malvertising, by visiting unknown sites, RDP (Remote desktop protocol) and exploit kits.<\/p>\n

Infection vector<\/strong><\/p>\n

\"\"
Fig 1 Lime Ransomware attack chain<\/figcaption><\/figure>\n

Technical analysis<\/strong><\/p>\n

Encryption<\/strong> Process: in-depth description<\/strong><\/p>\n

Lime is a ransomware that encrypts your files and demands Bitcoin as a ransom to get your files restored. Files are locked with the AES-256 encryption algorithm. The Lime ransomware encrypts your files and appends the \u201c<\/strong>.Lime<\/strong>\u201d<\/strong> extension.<\/p>\n

After encryption, the Lime ransomware drops a ransom note Fig 2.<\/p>\n

\"\"
Fig 2 Ransom note<\/figcaption><\/figure>\n

The following e-mail address is used to contact the malware author to decrypt the encrypted files by paying them:<\/p>\n

\u201cr3vo@protonmail-com\u201d<\/u><\/strong><\/p>\n

Key generation<\/strong><\/p>\n

When Lime is first launched, it will call RandomString() function which will attempt to generate an AES key. It generates 50 bytes array from input string using a random index with the use of random() function to fetch one character and stores into output string as shown in Fig 3.<\/p>\n

\"\"
Fig 3 Random Key Generation code<\/figcaption><\/figure>\n

It calculates md5 of generated output string using Computehash() and then it will copy the result into the result array. It will use this result array as an AES key to encrypt the files present on the system.<\/p>\n

\"\"
Fig 4 AES Key Generation code<\/figcaption><\/figure>\n

It drops output string at path \u201cC:\\Microsoft\u201d<\/strong> by name \u201chash\u201d<\/strong>. As we know that AES is symmetric algorithm so the key used for encryption and decryption will be the same. So, the malware author uses this hash file\u2019s MD5 to decrypt the victim\u2019s files when victim pays ransom amount to him.<\/p>\n

Lime ransomware encrypts files on specific folder paths using AES-256 in ECB mode to encrypt files. Paths are as per given below:<\/p>\n