# Cooking Up Autumn (Herbst) Ransomware

**[blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware](https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware)**

Threat Research, June 3, 2016. By [Rommel Abraham D Joven](https://blog.fortinet.com/blog/search?author=Rommel+Abraham+D+Joven)

FortiGuard's behavior-based system for identifying new malware has detected a ransomware targeting German users. We named it Herbst, the German word for Autumn.

## Ransom Note

The Herbst ransom note is written in German and is displayed in a dedicated window by the malware's own running process. It demands that a ransom be paid in bitcoin, and we were able to determine the bitcoin address. The ransom note details are listed below:

File encryption: AES 256 bit
Ransom Price: 0.1 Bitcoin or approximately USD $53.80 as of today.
Bitcoin Address: 18uM9JA1dZgvsgAaeeW2XZK13dTbk1jzWq

_Figure 01: Ransom Note_

## Key Preparation

The key is built by concatenating two random numbers in the range 0 to 99999999. It then appends strings taken from random positions of the text variable, repeating this text.length times, as seen below. The resulting string is hashed later, and the hash is used as the AES key.

_Figure 02: Key Preparation Function_

## Targeted Directories

After preparing the key, Herbst enumerates the files in the StartupPath. It encrypts every file type in this directory, as shown by the "*.*" pattern. It also encrypts the files in the following special folders: Desktop, MyPictures, MyMusic, and Personal.

_Figure 03: File Enumeration_

## Encrypted File

The ransomware encrypts each file and appends the .herbst extension to it.

_Figure 04: Encrypted File Sample_

## File Encryption

The encryption starts by reading the file and calling the function AES_Encrypt.

_Figure 05: Encryption Function_

The malware then hashes the key produced by the key preparation function, and the hash is used as the AES key for encrypting the files. After the file content is encrypted with AES 256 bit, the malware converts the result to a Base64String.

_Figure 06: AES Encryption Function_

_Figure 07: File Structure Before and After Encryption_

## Unfinished Business

This malware, written in C#, appears unfinished: it contains the following functions but never calls them from the main function:

_Encrypt – believed to be the function that encrypts the AES key before it is sent to the Command and Control (C&C)._
_Unlock – believed to decrypt the incoming traffic from the C&C._
_Http – believed to be used to send and receive encrypted messages to and from the C&C._

_Figure 08: Malware Functions_

Yes, the malware encrypts files and shows the ransom note; however, it doesn't send the AES key it used to its C&C, and it doesn't verify the transaction ID entered in the ransom window, making this an unfinished ransomware.

## Conclusion

Our analysis shows that cybercriminals could be cooking up a ransomware targeting a German audience. From the analysis, we conclude that Herbst is a beta version that is still under development. The malware doesn't reveal any details about its C&Cs because it never calls the Http function. We speculate that this version could simply be a test of AV vendors' ability to detect it, without giving away the C&C. FortiGuard will continue to monitor Herbst's future activities and developments.

File detection: W32/Herbst.A!tr
SHA256: 18605f7a5a47ac16f722e3ec8a42121035bb95f731aaad5090c5e11104fc3185

-=FortiGuard Lion Team=
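The Encrypted File and File Encryption sections above give a responder two concrete artefacts to look for on a suspect host: the appended .herbst extension, and file content that is Base64 text wrapping AES ciphertext (Figure 07). The following Python triage script, added here as an example and not code from Fortinet or from the post, walks a directory and reports which files match both characteristics, so that renamed-but-unencrypted files and unrelated Base64 files are not mistaken for encrypted ones. It assumes the AES output is block-aligned (a padded mode such as CBC or ECB); the post only says "AES 256 bit", so that check is an assumption and is reported separately rather than used to discard a file. The sample files it writes are constructed for the dry run and are not real Herbst artefacts.

```python
"""Triage helper for files carrying the .herbst extension (added example, not Fortinet code)."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

HERBST_EXTENSION = ".herbst"   # extension appended to encrypted files, per the report
AES_BLOCK = 16                 # assumption: ciphertext is a whole number of AES blocks (padded CBC/ECB)
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def classify_payload(data: bytes) -> str:
    """Classify file content against the structure the report describes (AES ciphertext -> Base64)."""
    body = data.strip()
    if not body or not _B64_RE.fullmatch(body) or len(body) % 4:
        return "not-base64"
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "not-base64"
    if len(raw) % AES_BLOCK:
        return "base64-not-block-aligned"   # valid Base64, but not what a padded block mode produces
    return "base64-block-aligned"


def triage_file(path: Path) -> dict:
    """Combine the extension indicator with the content indicator for one file."""
    ext_match = path.suffix.lower() == HERBST_EXTENSION
    verdict = classify_payload(path.read_bytes())
    return {
        "path": str(path),
        "herbst_extension": ext_match,
        "payload": verdict,
        # Only the combination of both indicators is treated as a likely encrypted file
        "suspicious": ext_match and verdict == "base64-block-aligned",
    }


def triage_directory(root: Path) -> list:
    """Triage every regular file under root (recursively), in a stable order."""
    return [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_constructed_samples(root: Path) -> None:
    """Write constructed sample files (not real Herbst artefacts) for a dry run."""
    # 32 constructed bytes standing in for two AES blocks, Base64-encoded as the report describes
    fake_ciphertext = base64.b64encode(bytes(range(32)))
    (root / "report.docx.herbst").write_bytes(fake_ciphertext)
    # Same extension but plain text: a renamed file, not an encrypted one
    (root / "notes.txt.herbst").write_bytes(b"just some text\n")
    # Unaffected binary file with a constructed header
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg header")


def demo() -> dict:
    """Run the triage over the constructed samples and return results keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return {Path(r["path"]).name: r for r in triage_directory(root)}


if __name__ == "__main__":
    for name, result in demo().items():
        flag = "SUSPICIOUS" if result["suspicious"] else ""
        print(f"{name:24} {result['payload']:26} {flag}")
```

Run it as a script for the dry run, or import it and call `triage_directory(Path("C:/Users/victim"))` against a mounted image. Base64 content alone is a weak indicator (many legitimate files are Base64), which is why only the combination with the extension is marked suspicious; the block-alignment result is kept in the output so an analyst can still see files that match the extension but not the expected ciphertext shape.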