{
	"id": "270b892c-5a26-4677-a400-5d9db1b685ad",
	"created_at": "2026-04-06T00:13:14.182462Z",
	"updated_at": "2026-04-10T03:36:13.609361Z",
	"deleted_at": null,
	"sha1_hash": "06b5af5c6e08fbcc2bde490a5f7ae8c75f6f9455",
	"title": "Ransomware Encryption Goes Wrong",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58924,
	"plain_text": "Ransomware Encryption Goes Wrong\r\nBy Aaron Gdanski, Limor Kessem\r\nPublished: 2021-11-01 · Archived: 2026-04-05 21:15:18 UTC\r\nAuthor\r\nLimor Kessem\r\nX-Force Cyber Crisis Management Global Lead\r\nIBM\r\nIBM Security X-Force researchers have recently reverse-engineered Prometheus ransomware samples as part of ongoing incident response operations. X-Force has found that samples that infected organizational networks featured flawed encryption. This allowed our team to develop a fast-acting decryptor and help customers recover from the attack without a decryption key.\r\nWhile rare, ransomware developers can make mistakes in the ways they implement encryption, causing unintended flaws. This is not the first time X-Force has seen faulty encryption mechanisms save the day for victimized organizations. Mistakes can easily occur when malware developers use patchwork code and dabble in cryptography without appropriate expertise.\r\nMost organized cybercrime groups do use properly configured encryption, which is almost always impossible to break. That said, examining the implementation for flaws can make a difference for victimized organizations and change the course of negotiation and recovery.\r\nIn early 2020, a new ransomware family dubbed “Thanos” was discovered on sale in underground forums mostly frequented by cybercriminals. At the time, Thanos was advertised as a “Ransomware Affiliate Program,” available for anyone to buy. The malware saw regular updates and new features added over time. 
A closer look at its code revealed that it was also used as the base code in ransomware samples that were tracked as “Hakbit” and used in additional attacks that targeted organizations in Austria, Switzerland and Germany.\r\nThanos’ developer equipped it with a bootlocker in mid-2020 and was also using a somewhat novel file-encryption technique known as “RIPlace,” in which they weaponized research into ransomware evasion techniques based on file characteristics.\r\nIn September 2020, Thanos was detected in attacks on government organizations in MEA. It presented the victims with a black screen that demanded money to unlock files, and while it had a supposed capability to run a destructive attack, that function did not work and left the MBR intact.\r\nBy June 2021, more of Thanos made headlines, only this time as the base code for another ransomware, Prometheus. The latter was used in double-extortion attacks that encrypted files but also stole data and threatened to release it unless a hefty ransom was paid. Prometheus’ operators claimed to be part of the REvil group and even placed a logo of sorts on their ransom demands, but provided no proof to that effect and may have used the claim as a pressure tactic.\r\nWhile the original Thanos is not as active, its code does not rest. In mid-2021 it was detected in further ransomware attacks, this time used by a group going by the name “Haron.”\r\nThe Thanos code itself was and is being used by multiple threat actors, some of which were suspected to have nation-state sponsored ties. The Prometheus variant has died out in recent months, but other variations can continue to rise from the same Thanos base. What changes through each variation is customization. 
In Prometheus’ case, its operators used social engineering well, but were not as adept at working with encryption.\r\nWhile working on Prometheus samples that encrypted files on infected devices, IBM Security X-Force researchers uncovered a weakness in the key generation algorithm used in the encryption process. Unlike most ransomware cases, this was good news that ended up helping a victimized organization.\r\nOur analysis showed that to generate the seed for encryption, the algorithm Prometheus selected uses a hardcoded initialization vector (IV) and the uptime of the computer. This means that the seed value is a lot easier to guess than it should be, since certain parameters about the encrypted file and the infected device can be obtained.\r\nBased on such parameters, X-Force wrote a decryptor that ended up working quickly to decrypt file types that had known file headers, for example: pdf, doc, xls, ppt, docx, xlsx, pptx, 7z, mp3, jpg, jpeg, zip, iso, exe, dll, sys and png. Decrypting the files was made even easier when the device boot time was known. Boot times are not a parameter one would have to guess; they can be obtained via the CBS.log file in the Windows directory.\r\nUsing the decryptor was a great option for the recovery process X-Force supported, but another note is important here. Some open-source decryption tools may emerge over time and might seem like a recovery tool that can help in large-scale cases. One must consider the time it takes a decryptor to unlock each file. Some open-source tools can take around five hours per file, or more, which would be too time-consuming in cases where a lot of data is no longer accessible. A reasonable amount of time to decrypt each file should be a few minutes or less.\r\n
In the Prometheus variants analyzed, there are two ways the ransomware can be configured for encryption:\r\nConfiguration 1\r\nEncryption process per file:\r\nA 32-byte string is generated using C#’s Random class. The default constructor is used, which passes Environment.TickCount as the seed.\r\nThe string is then encrypted using a hard-coded RSA public key. PKCS#1 v1.5 padding is used. The ciphertext is then Base64 encoded.\r\nThe file is encrypted using a symmetric algorithm (Salsa20) with a hardcoded 8-byte array as the initialization vector (IV). The key is the 32-byte string described above. The ciphertext is written to the encrypted file.\r\nThe encrypted, Base64 encoded key is then appended to the end of the encrypted file, along with the string ‘GotAllDone’.\r\nConfiguration 2\r\nEncryption process per file:\r\nA 32-byte string is generated using C#’s Random class. The default constructor is used, which passes Environment.TickCount as the seed.\r\nThe string is then encrypted using a hard-coded RSA public key. PKCS#1 v1.5 padding is used. The ciphertext is then Base64 encoded.\r\nRfc2898DeriveBytes is used to generate a 32-byte key and an 8-byte IV. The Rfc2898DeriveBytes class implements password-based key derivation functionality, PBKDF2, by using a pseudo-random number generator. The string generated above is used as the password, and the salt is a hardcoded 8-byte array.\r\nThe file is encrypted using a symmetric algorithm using the parameters generated above. 
The ciphertext is written to the encrypted file.\r\nThe encrypted, Base64 encoded key is then appended to the end of the encrypted file, along with the string ‘GotAllDone’.\r\nWeaknesses in this encryption methodology\r\nX-Force found this technique to be weak in a way that made it possible to decrypt affected files.\r\nC#’s Random class will generate the exact same bytes as long as the seed is known. In this case, the seed is the Environment.TickCount variable, which is the number of milliseconds elapsed since the computer was last started. That seed value can be guessed given certain parameters. Moreover, the Environment.TickCount variable is only updated around every 16 milliseconds, so it is possible for multiple files to have the same key, which can make decryption even faster down the line.\r\nThe hardcoded IV provided no additional security in this case, considering it can easily be obtained and appears to be the same for every sample analyzed. To make encryption stronger, the IV should typically be random or pseudorandom.\r\nCan all Prometheus samples be broken in the same way? X-Force’s analysis indicates that any Prometheus sample that uses the C# Random class to generate keys is vulnerable. Of note, X-Force only decrypted files that were encrypted using the Salsa20 stream cipher. Some Prometheus ransomware samples can be configured to use AES-256; while these samples are still vulnerable, X-Force did not test the decryptor on them in this work.\r\nRequirements\r\nTo decrypt files, we would need the following information:\r\nThe hardcoded IV used in the sample. In all samples observed, the IV was an 8-byte array: 1, 2, 3, 4, 5, 6, 7, 8.\r\nText or bytes to search for in the decrypted file. X-Force used known file header bytes associated with common file extensions. 
For example, if the encrypted file’s original extension is .pdf, the text to search for in the file to determine success is “%PDF”.\r\nOptional data to use\r\nThe configuration of the sample: it is better to determine which configuration is being used for the encryption. For instance, should Rfc2898DeriveBytes be used to obtain the key?\r\nMtime: the file’s modification time as recorded by the infected device.\r\nThe boot time of the infected device. This can be found in the CBS.log file, which is in the Windows directory. This parameter may not have to be exact. Note that Prometheus will not encrypt this file. This file also contains all boot times, meaning it is possible to obtain the boot time even if encryption happened months ago. If the boot time and file modification time are not provided, decryption is still possible but will take significantly longer.\r\nFile type limitation\r\nCurrently, only files with known file headers can be decrypted. For example: pdf, doc, xls, ppt, docx, xlsx, pptx, 7z, mp3, jpg, jpeg, zip, iso, exe, dll, sys and png.\r\nThe following process is what X-Force used in their current work to decrypt data encrypted by Prometheus. It focuses on the malware’s first configuration.\r\nDecryption in configuration 1 mode\r\nExtract the encrypted text from the file intended for decryption. This can be done by removing the junk appended to the end of the file. The amount of junk is equivalent to BASE64_ENCODED_SIZE(RSA_KEY_SIZE) + ‘GotAllDone’.Length.\r\nAttempt to estimate the tick count at the time of encryption. The tick count begins at zero on system boot and is incremented every millisecond, but it is only updated every 10-15 milliseconds. The tick count wraps around after reaching INT_MAX.\r\nContinuously attempt to generate a key and decrypt the ciphertext using the potential seed. Decrement the potential seed if the plaintext is not correct. 
In most cases, the estimated seed should be within 6000 values of the correct seed. It appears that each file should take around 10 seconds to decrypt without any optimization.\r\nNote that during any decryption effort, whether custom-built or provided by ransomware actors, certain conditions can affect how accurately the decryption time can be estimated. If a file takes longer than desired to unlock, it is likely that any other file from that same device will take a similar amount of time.\r\nDecrypting multiple files from the same infected device\r\nIf the seed value is found for the first file encrypted, that seed value can be continuously incremented in order to find the values for every other file. This may provide a slightly faster decryption process for computers with hundreds or thousands of files to decrypt.\r\nThe decryptor tool can be run against an entire directory of files or on a per-file basis.\r\nThe ransomware problem has turned into a true pandemic for organizations. Every month new attacks are detected, and new malware families and variations arise in the commercial cybercrime arena and through closed groups. Companies are struggling to prevent ransomware infections on the one hand and prepare for incidents on the other. Paying cybercriminals has also turned into a high-stakes negotiation where the leverage is almost always on the attacker’s side.\r\nWill it ever end? With this crime being so rampant in industrialized countries, governments and law enforcement agencies are becoming increasingly involved in ransomware cases, especially in cases where multiple companies are hit.\r\nStopping attacks is hard because it only takes a small security gap for attackers to find a way in. Response goes a long way in detecting, containing and helping organizations recover from ransomware attacks. 
IBM Security X-Force can help. For any other assistance by IBM’s team of experts, explore their incident response and threat intelligence services.\r\nSource: https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/"
	],
	"report_names": [
		"ransomware-encryption-goes-wrong"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06b5af5c6e08fbcc2bde490a5f7ae8c75f6f9455.pdf",
		"text": "https://archive.orkl.eu/06b5af5c6e08fbcc2bde490a5f7ae8c75f6f9455.txt",
		"img": "https://archive.orkl.eu/06b5af5c6e08fbcc2bde490a5f7ae8c75f6f9455.jpg"
	}
}