Tdt 7z 001
Yesterday, a new ransomware called TrueCrypter was discovered by AVG malware analyst Jakub Kroustek. This ransomware encrypts your data using AES-256 encryption and then demands either .2 bitcoins or $115 USD in Amazon gift cards. When encrypting your data, TrueCrypter will append the .enc extension to all encrypted files. It is unclear whether the sample that we looked at is a hoax, a test ransomware, or just a buggy program, as it will automatically decrypt your files when you simply click the Pay button.
As already stated, the TrueCrypter program will encrypt your data files when it is installed. On the other hand, simply clicking on the pay button will cause it to decrypt these files and then remove itself from your computer. When a victim clicks on the pay button, the program will connect to the Command & Control server and retrieve the private decryption key. This key will then be used to decrypt the victim's files.
Unfortunately, the Command & Control server may sometimes be unreachable, and TrueCrypter will then use the connection error message as the private key instead. Decryption with this error message fails, but TrueCrypter still removes the files related to itself. This means that the public key required to retrieve the decryption key will be deleted as well. Therefore, before a victim tries to decrypt their files by clicking on the Pay button, they should first make a backup of the %AppData%\Microsoft\TrueCrypter\ folder in case the decryption fails.
Within the same week, we have seen two ransomware programs accept Amazon Gift Cards as a ransom payment. The first one was for a screenlocker in Android and now we have TrueCrypter. This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon. This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.
When TrueCrypter is installed, it will first check if the process is running under Sandboxie. If it is, it will terminate the process and not continue. There is code to check if it is running under VMware or VirtualBox, but it is currently not enabled. It then checks for certain processes associated with security programs. If it detects one of these processes, it will terminate it. The list of processes it searches for is:
The TrueCrypter ransomware will then connect to the page, which contains a Caesar-21 encoded string. When decoded, this string contains configuration information such as the Command & Control TOR server address, ransom payment amounts, and the bitcoin address to use. For example, the encoded string is currently:
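An analyst who has captured such a blob can recover the Command & Control address from it as shown below. This is an added example, not code from the original article or from the malware; the sample configuration, its field layout, and the assumption that only ASCII letters are rotated (digits and punctuation pass through) are constructed for illustration.

```python
import re
import string

SHIFT = 21  # "Caesar-21" as named in the article

def caesar(text, shift):
    """Rotate ASCII letters by `shift`; everything else passes through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

# Assumption: 16-character (v2) onion hostnames, the format in use in 2016.
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b")

def decode_config(blob):
    """Decode a Caesar-21 blob and pull out onion hosts.

    The page does not say which direction the shift runs, so both are
    tried and the candidate that yields onion hostnames wins. On a tie
    the conventional decode (shift back by 21) is returned.
    """
    candidates = [caesar(blob, -SHIFT), caesar(blob, SHIFT)]
    best = max(candidates, key=lambda t: len(ONION_RE.findall(t)))
    return {"plaintext": best, "onion": ONION_RE.findall(best)}

# Constructed sample: NOT the real TrueCrypter configuration.
SAMPLE_PLAIN = "c2=abcdefghij234567.onion|btc=0.2|usd=115"
SAMPLE_BLOB = caesar(SAMPLE_PLAIN, SHIFT)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(decode_config(SAMPLE_BLOB))
```

The extracted hostname can then go into proxy or DNS block lists and retro-hunt queries.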
It will then begin encrypting the files on the victim's hard drives with AES-256 encryption. When it encrypts a file it will encrypt it with a unique AES key and then encrypt that key using RSA. This RSA encrypted AES decryption key is then stored at the end of the encrypted file. TrueCrypter will then append the .enc extension to the encrypted file and store the filename in the %AppData%\Microsoft\TrueCrypter\encrypted.dat file.
Last, but not least, it will store configuration information in the %AppData%\Microsoft\TrueCrypter\TrueCrypter.xml file. This information records whether the computer was encrypted, whether the key was sent to the Command & Control server, and the public RSA key used to encrypt the AES keys.
5/2/16: Updated article with information from MalwareHunterTeam. TrueCrypter includes code to check for VirtualBox and VMware, but it is not currently used. At this time it is only checking for the existence of Sandboxie. Information about the decryption process and backing up the TrueCrypter folder first was added as well.
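The backup advised above, before the Pay button is clicked, can be scripted so that the copy is verified and the two files the article names are confirmed present. This is an added example, not part of the original article; the function names and the destination path are assumptions, and the destination should be on separate media.

```python
import hashlib
import os
import shutil
import sys
from pathlib import Path

# File names taken from the article; their internal format is not parsed here.
EXPECTED = ("TrueCrypter.xml", "encrypted.dat")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_state(appdata, dest):
    """Copy %AppData%\\Microsoft\\TrueCrypter to `dest` and verify the copy.

    Returns (manifest, missing): manifest maps relative path -> SHA-256,
    missing lists expected files that were not found in the folder.
    """
    src = Path(appdata) / "Microsoft" / "TrueCrypter"
    if not src.is_dir():
        raise FileNotFoundError(f"{src} not found; nothing to back up")
    dest = Path(dest)
    # copytree raises FileExistsError if dest exists, so an earlier
    # backup is never overwritten by a later (possibly emptied) folder.
    shutil.copytree(src, dest)
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        digest = sha256_file(f)
        if sha256_file(dest / rel) != digest:
            raise IOError(f"copy of {rel} does not match the source")
        manifest[rel] = digest
    missing = [name for name in EXPECTED if name not in manifest]
    return manifest, missing

if __name__ == "__main__":
    manifest, missing = backup_state(os.environ["APPDATA"], sys.argv[1])
    for rel, digest in manifest.items():
        print(digest, rel)
    if missing:
        print("WARNING: not present in folder:", ", ".join(missing))
```

A warning about a missing TrueCrypter.xml matters most, since the article says that file holds the public RSA key.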
1Department of Marine Biotechnology, Stazione Zoologica Anton Dohrn, Villa Comunale, 80121 Napoli, Italy; moc.liamg@occour.aidan (N.R.); ti.nzs@onarabla.asiul (L.A.); ti.nzs@otisopse.atrebor (R.E.); ti.nzs@aronai (A.I.)
Lipoxygenases (LOXs) constitute a family of dioxygenases that catalyse the oxygenation of free and esterified polyunsaturated fatty acids containing a (1Z,4Z)-penta-1,4-diene system to produce the corresponding hydroperoxy derivatives [25]. LOXs are expressed in plants [26] and in the animal kingdom [27,28], but have not been found in bacteria and yeast [29].
Chemical analyses of mono-algal cultures have revealed strict LOX species-specificity [30], where the most common pathway shared by different genera of diatoms relies on a 15S-LOX activity, and a minor group of oxylipins are the products of 5-LOX, 8-LOX, 9S-LOX, 11-LOX, 12-LOX and 14-LOX [19,20,22,30,31,32,33,34] activity, depending on the specific regiochemistry of carbon oxidation. Oxylipin quantification and variation in time and space have been evaluated in field studies [35,36,37,38,39,40,41]. A recent survey demonstrated that oxylipin pathways in diatoms were mostly based on the oxygenation of hexadecatrienoic, eicosapentaenoic (EPA) and docosahexaenoic (DHA) acids, and, within phytoplankton communities, these secondary metabolites largely derived from diatoms [42]. Moreover, daily fluctuations of PUAs were more correlated to the cellular physiological state of diatoms than exclusively to the taxonomical composition of phytoplankton communities [43].
Interestingly, terrestrial plants also produce oxylipins in response to pathogen infections but differently from those described in marine diatoms. LOX substrates mostly consist of linoleic acid, α-Linolenic acid and hexadecatrienoic acid [44,45,46,47]. In analogy to plants, the production of oxylipins in diatoms was considered as a chemical defence against grazers. In fact, diatom-based diets or treatments with pure molecules induced a detrimental effect on gamete viability, embryogenesis and larval fitness of marine invertebrates, such as polychaetes, echinoderms, ascidians, crustaceans and molluscs [48].
Chemical structures of commercially available PUAs (a) and HEPEs (b) used in experiments evaluating harmful effects of oxylipins on invertebrate reproduction and survival. Oxylipins were designed using ChemDraw Pro v8.0 software.
As mentioned above, several studies were also conducted on HEPEs, another class of oxylipins belonging to the non-volatile oxygenated fatty acids. Varrella et al. [72] tested the impact of 5- and 15-HEPEs on the sea urchin P. lividus for the first time. Experimental data showed that both HEPEs were not able to block the first cleavage, and, compared to the effects already observed for PUAs [67], HEPEs were found to be less active even if they induced the same types of malformations in embryos and larvae. However, HEPEs caused a developmental delay still detectable at a concentration of 7 μM, which prevailed at 30 μM, where treated embryos were all at the early pluteus stage instead of pluteus stage [72]. Conversely to PUAs [67], post-recovery experiments indicated that embryos were unable to undergo normal development when eggs were washed in seawater without HEPEs after HEPE treatment [72]. Moreover, to further explore the apoptogenic capabilities of oxylipins [65], the activation of caspase 3/7 and caspase 8 genes was followed in sea urchin embryos treated with two PUAs (HD and OD) and four HEPEs (5-, 9-, 11- and 15-HEPE) [70]. In particular, both classes of compounds induced apoptosis, mostly at 9 and 24 hpf, detected by the luminometric assay and real time qPCR. Microscope observations showed that embryos subjected to PUA treatments were dead at 48 hpf, whereas HEPEs induced a developmental delay at both blastula and pluteus stages, confirming that PUAs greatly impacted sea urchin embryo development [70].
Since marine organisms are normally exposed to LOX products as a whole, very recent studies were conducted to evaluate the potentially negative effect of PUAs and HEPEs mixtures on the sea urchin P. lividus [74,76,78]. Specifically, Ruocco et al. [76] showed that, by decreasing PUAs concentrations to one third of those used in individual tests (reported in Varrella et al. [67]), both binary and ternary mixtures were able to induce malformations in a synergic way, with the highest percentage of malformed plutei achieved in the case of 0.5 μM DD plus 1.0 μM HD at 48 hpf. A similar study [74] was done with combinations of the four HEPEs already tested separately in a previous study [72]. In particular, Albarano and co-workers observed several malformations that were much more severe compared to those reported in individual tests, revealing, also in this case, a synergic effect of these natural toxins. From the molecular viewpoint, these mixtures induced an additive effect when compared to experiments with single compounds [67,72], since a greater number of genes were affected [74,76]. Interestingly, PUA mixtures affected gene expression mainly at 48 hpf [76], while HEPEs were most effective in early developmental stages (particularly at 5 hpf) [74], confirming the inability of sea urchin embryos to recover after HEPE treatment [72].