Threat Spotlight: Nuke Ransomware


Nuke ransomware, first identified in 2016, encrypts files with an AES 256-bit encryption key that is protected by asymmetrically encrypting it using 2048-bit RSA. Once a file is encrypted, Nuke changes the file name to a combination of random characters followed by a .nuclear55 extension. For example, an infected file name might be “ab0a+afbamcdEcmf.nuclear55”.


Once Nuke executes it drops two files to the desktop: !!_RECOVERY_instructions_!!.html and !!_RECOVERY_instructions_!!.txt. The files inform the victim of the infection and provide details on how to pay ransom. Nuke also changes the desktop wallpaper to alert the user to the infection.


The BlackBerry Cylance Threat Research team recently analyzed a Nuke sample as part of our ongoing effort to inform the public about modern threats. This blog details our investigation.


Technical Analysis


The Nuke sample we analyzed hides itself by using an Adobe icon and displaying itself with the file name (and description) ‘Adobe Reader’:



Figure 1: File displaying itself as Adobe Reader


The malware creates persistence by modifying registry keys to ensure it automatically runs at startup:



Figure 2: Modifying registry keys to ensure malware runs automatically at system startup


Nuke then begins the encryption process. File encryption is performed using standard AES and RSA encryption schemes. First, file bytes are symmetrically encrypted using an AES 256 key generated specifically for the victim’s machine. Next, the AES 256 key is asymmetrically encrypted using the attacker’s public RSA key, and the result is appended to the encrypted file bytes. In order to decrypt the files, the RSA private key is required, which the attacker promises to supply to the victim once the ransom has been paid.
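As an added example (not code from the BlackBerry Cylance write-up), the following Python triage helper applies the indicators described above: the .nuclear55 rename, the two ransom-note file names, and the RSA-2048 block appended to each encrypted file. The sample path listing is constructed, and the assumption that the 256-byte RSA block sits at the very end of the file follows from the word "appended" and is not confirmed by the post.

```python
from pathlib import PureWindowsPath

# Indicators quoted in the write-up.
NUKE_EXTENSION = ".nuclear55"
RANSOM_NOTES = {"!!_RECOVERY_instructions_!!.html", "!!_RECOVERY_instructions_!!.txt"}
# RSA-2048 ciphertext is always 256 bytes; the post says the RSA-wrapped AES key is
# appended to the encrypted file bytes, so we ASSUME it occupies the trailing 256 bytes.
RSA2048_BLOCK_LEN = 256

# Constructed sample listing (not real victim data): two notes, one renamed file, one clean file.
SAMPLE_PATHS = [
    r"C:\Users\victim\Desktop\!!_RECOVERY_instructions_!!.html",
    r"C:\Users\victim\Desktop\!!_RECOVERY_instructions_!!.txt",
    r"C:\Users\victim\Documents\ab0a+afbamcdEcmf.nuclear55",
    r"C:\Users\victim\Documents\report.docx",
]

def is_nuke_renamed(name: str) -> bool:
    """Random characters followed by .nuclear55, e.g. ab0a+afbamcdEcmf.nuclear55."""
    stem, ext = name[: -len(NUKE_EXTENSION)], name[-len(NUKE_EXTENSION):]
    return ext == NUKE_EXTENSION and len(stem) > 0

def is_ransom_note(name: str) -> bool:
    return name in RANSOM_NOTES

def split_encrypted_layout(blob: bytes):
    """Separate a .nuclear55 file into (AES ciphertext, appended RSA-encrypted AES key).
    Preserving the key blob matters: only the attacker's RSA private key can unwrap it,
    so it must stay intact in case decryption ever becomes possible. Returns None if too short."""
    if len(blob) <= RSA2048_BLOCK_LEN:
        return None
    return blob[:-RSA2048_BLOCK_LEN], blob[-RSA2048_BLOCK_LEN:]

def triage(paths) -> dict:
    """Count Nuke indicators over an iterable of Windows path strings."""
    summary = {"encrypted": 0, "notes": 0, "other": 0}
    for p in paths:
        name = PureWindowsPath(p).name
        if is_ransom_note(name):
            summary["notes"] += 1
        elif is_nuke_renamed(name):
            summary["encrypted"] += 1
        else:
            summary["other"] += 1
    # Notes plus renamed files together are a much stronger signal than either alone.
    summary["likely_nuke"] = summary["notes"] > 0 and summary["encrypted"] > 0
    return summary

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```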


Once a file is encr ..
