{
	"id": "ce07aafc-c38c-4304-898d-68fa0970ad7e",
	"created_at": "2026-05-05T02:45:01.404345Z",
	"updated_at": "2026-05-05T02:46:36.872826Z",
	"deleted_at": null,
	"sha1_hash": "e8b1a0188ea2596cfdd3f02cf4117a7207c15f5a",
	"title": "Offline Ransomware Encrypts Your Data without C\u0026C Comms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74399,
	"plain_text": "Offline Ransomware Encrypts Your Data without C\u0026C Comms\r\nBy bferrite\r\nPublished: 2015-11-04 · Archived: 2026-05-05 02:11:29 UTC\r\nEarly in September, Check Point obtained a ransomware sample. When the sample was run, the following message, written in Russian, appeared:\r\nTranslation:\r\n“Your files are encrypted, if you wish to retrieve them, send 1 encrypted file to the following mail address:\r\nSeven_Legion2@aol.com\r\nATTENTION!!! You have 1 week to mail me,\r\nafter which the decryption will become impossible!!!!”\r\nAll personal files were indeed encrypted, and each file was renamed to the following format:\r\nemail-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date \u0026 Time][Random digits].randomname-[Random name given to the encrypted file].cbf\r\nExample:\r\nemail-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf\r\nWhile running, the ransomware does not interact with the user beyond changing the wallpaper. More importantly, whereas most known ransomware requires an Internet connection and successful communication with its C\u0026C servers before it starts encrypting, this sample needs no Internet connection to encrypt files and display the ransom message. There is no key exchange between the infected machine and the attacker, so blocking or sinkholing the C\u0026C traffic, one of the usual ways to stop such an attack, does not help here.\r\nCheck Point reached out anonymously to the attacker’s email address and received a reply requesting a payment of 20,000 Russian Rubles (approx. $300) on the same day or 25,000 (approx. 
$380) on the following day, in return for a decryption program and key.\r\nAs this behavior differs markedly from most known samples, we decided to explore the ransomware in greater depth, from both an intelligence and a technical perspective.\r\nIntelligence Analysis\r\nDuring our research, we found many online references to this ransomware, especially on Russian-language forums. The family appears to have been around for over a year, with the first reference, in June 2014, to the original version (no associated version number).\r\nhttps://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/\r\nPage 1 of 4\n\nSince then, 11 new versions have been reported. The chart below shows the version history (dates according to first appearance in forums or online reports):\r\nNote: Between March and April 2015 the version schema changed. A “CL” prefix was added and the version numbers were restarted. A parallel change was made to the format of the encrypted file name. The older format (pre-April 2015) is as follows:\r\n[original file name].id-{[Machine identifier]-[Date]-[Time][Random digits]}-email-[address to contact]-ver-[Ransomware internal version].cbf\r\n(In the samples seen, the date and time are separated by a space rather than a dash, and the random digits are appended directly to the time.)\r\nExample:\r\nexcel4.xls.id-{AHMSYEKQVBHMSYEJPVAGMSXDJOUAGLRWCHNT-11@09@2014 00@47@473042530}-email-ivanivanov34@aol.com-ver-4.0.0.0.cbf\r\nFor the original version, which had no specific version number, the format was identical to the older format except that the version section at the end of the file name is absent. For example:\r\n001.jpg.id-{NKYVGVEZRTCYMVENMHRALUDMXGPKJSBXWFAJ-03.09.2014 1@45@403928355}-email-sishelp100@gmail.com.cbf\r\nDifferences between the two formats:\r\nThe older encrypted file name keeps the name of the original file; in the current format the file is given a random name.\r\nThe older format has the email address and the version at the end. 
The current format has them at the beginning.\r\nMany email addresses, mainly AOL and Gmail accounts (but also others), have been associated with this ransomware:\r\nNote the email address madeled@mail.ru, the only one found to be associated with a Russian email provider; it was also one of the addresses associated with the original version of this ransomware and has not appeared after version 4.0.0.0.\r\nThis ransomware (at least specific versions of it) has been given different names by different vendors:\r\nRansomcrypt.U (Symantec) – See https://www.symantec.com/security_response/writeup.jsp?docid=2015-092211-0927-99\u0026tabid=2\r\nThis includes a comprehensive analysis of the ransomware’s behavior on the machine (not including the encryption mechanism).\r\nWin32.VBKryjetor.wfa (Kaspersky) – Refers to version CL 1.0.0.0 (the specific sample we analyzed)\r\nNinja Ransomware (Enigma Software) – Refers to the email gaiver@aol.com, although there is no apparent difference from the other emails.\r\nTroj/Agent-AOTR (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/Drop-HQ (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/Ransom-AZT (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/Ransom-BGX (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/Ransom-BJQ (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/Ransom-BJV (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/Agent-ANBL (Sophos) – Refers to version CL 0.0.1.0\r\nTroj/Ruftar-H (Sophos) – Refers to version CL 1.0.0.0\r\nTroj/VB-IHK (Sophos) – Refers to version 6.1.0.0.b\r\nMal/Delp-AI (Sophos) – Refers to version 4.0.0.0\r\nTechnical Analysis (Encryption)\r\nRansomware Details\r\nThe ransomware sample investigated by Check Point was version CL 1.0.0.0 (as can be seen in the encrypted file name). It is wrapped in a protector written in compiled Visual Basic.
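Reading the version, contact address and machine identifier out of an encrypted file name by eye, as the sentence above does, does not scale to a whole directory listing. The following Python is an added example, not code from the Check Point write-up or from any tooling it describes: it parses the current schema and the legacy schema (including the version-less original variant) laid out under Intelligence Analysis, and runs a small indicator-collection pass over the three file names quoted on this page. Two details are assumptions made here rather than something the write-up states: the random digits are split from the date/time stamp purely by shape (day, month and year, then hours@minutes@seconds with two-digit minutes and seconds, optionally followed by AM or PM), and machine identifiers are taken to be runs of uppercase letters, as in all three samples.

```python
import re

# Encrypted-file name schemas from the write-up. The patterns avoid backslash
# escapes on purpose so they can be lifted into other tooling unchanged.

# Current schema (April 2015 onwards):
#   email-<contact>.ver-<version>.id-<machine id>-<date/time><random digits>.randomname-<random name>.cbf
CURRENT_SCHEMA = re.compile(
    '^email-(?P<email>.+?)[.]ver-(?P<version>.+?)[.]id-(?P<machine_id>[A-Z]+)-'
    '(?P<stamp>.+?)[.]randomname-(?P<random_name>.+)[.]cbf$'
)

# Legacy schema (pre-April 2015) and the original, version-less variant:
#   <original name>.id-{<machine id>-<date/time><random digits>}-email-<contact>[-ver-<version>].cbf
LEGACY_SCHEMA = re.compile(
    '^(?P<original_name>.+?)[.]id-[{](?P<machine_id>[A-Z]+)-(?P<stamp>[^}]+)[}]-'
    'email-(?P<email>.+?)(?:-ver-(?P<version>.+?))?[.]cbf$'
)

# The random digits are glued to the seconds field (or to AM/PM), so the stamp
# is split by shape. Assumption: minutes and seconds are always two digits.
STAMP = re.compile(
    '^(?P<date>[0-9]{1,2}[@.][0-9]{1,2}[@.][0-9]{4}) '
    '(?P<time>[0-9]{1,2}@[0-9]{2}@[0-9]{2}(?: [AP]M)?)'
    '(?P<random_digits>[0-9]+)$'
)


def parse_cbf_name(name):
    '''Return a dict of fields for a .cbf file name, or None if it matches neither schema.'''
    m = CURRENT_SCHEMA.match(name)
    if m:
        fields = m.groupdict()
        fields['schema'] = 'current'
        fields['original_name'] = None  # the current schema discards the original name
    else:
        m = LEGACY_SCHEMA.match(name)
        if not m:
            return None
        fields = m.groupdict()
        # No -ver- section means the original, unnumbered release.
        fields['schema'] = 'legacy' if fields['version'] else 'original'
        fields['random_name'] = None
    stamp = STAMP.match(fields.pop('stamp'))
    if not stamp:
        return None
    fields.update(stamp.groupdict())
    return fields


def collect_indicators(names):
    '''Aggregate contact addresses, versions and machine ids over a list of file
    names (for example a directory listing from an infected host); names that
    fit neither schema are reported separately instead of being silently dropped.'''
    report = {'emails': set(), 'versions': set(), 'machine_ids': set(), 'unparsed': []}
    for name in names:
        fields = parse_cbf_name(name)
        if fields is None:
            report['unparsed'].append(name)
            continue
        report['emails'].add(fields['email'])
        report['versions'].add(fields['version'] or '<original, unversioned>')
        report['machine_ids'].add(fields['machine_id'])
    return report


# The three file names quoted in the write-up, one per schema.
SAMPLE_NAMES = [
    'email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf',
    'excel4.xls.id-{AHMSYEKQVBHMSYEJPVAGMSXDJOUAGLRWCHNT-11@09@2014 00@47@473042530}-email-ivanivanov34@aol.com-ver-4.0.0.0.cbf',
    '001.jpg.id-{NKYVGVEZRTCYMVENMHRALUDMXGPKJSBXWFAJ-03.09.2014 1@45@403928355}-email-sishelp100@gmail.com.cbf',
]

if __name__ == '__main__':
    for sample in SAMPLE_NAMES:
        print(parse_cbf_name(sample))
    # 'report.docx' is a constructed, untouched file name to exercise the unparsed path.
    print(collect_indicators(SAMPLE_NAMES + ['report.docx']))
```

The parser keeps the date and time as raw strings: the separator (@ versus .) and the 12- or 24-hour clock differ between the three samples, which suggests the stamp follows the infected machine's locale settings, so normalising it would require knowing the day/month order on that particular host.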
To unpack the payload, the ransomware restarts its own process using section mapping and overwrites it four times. The payload responsible for file encryption is most likely written in Delphi, with some additional Pascal modules (for example FGInt, a library for representing large integers, which the RSA arithmetic described below requires). We mention this because ransomware written in Pascal-based languages is unusual. Beyond file encryption, the ransomware has little functionality.\r\nEncryption Functionality\r\nThe encryption is built from several layers of encoding and encryption, including two separate levels of RSA:\r\n1. The beginning (first 30,000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine: each original byte is combined arithmetically with one byte from each of the two buffers.\r\n2. The remainder of each file (if any) is encrypted using the public half of an RSA key pair (“local”) that is randomly generated on the infected machine; the matching local RSA private key is required to decrypt this part of the data.\r\n3. The randomly generated buffers and the local RSA private key, both required for decryption, are appended as metadata to each encrypted file, and that metadata is then encrypted using three hardcoded RSA-768 public keys that the offender created in advance (“remote”). 
The matching remote RSA private keys required to unlock the metadata are held on the attacker’s side.\r\nBecause the remote public keys are embedded in the sample, the ransomware can encrypt every file locally without ever connecting to a C\u0026C server. Once the attacker receives a file from the infected machine, he can decrypt its metadata with his remote RSA private keys, recover the buffers and the local RSA private key that were randomly generated on the infected machine, and use them to decrypt the file. This is consistent with the ransom note asking for a single encrypted file: if the buffers and local key pair are generated once per machine, any one file carries the material the attacker needs.\r\nBreaking the remote RSA encryption without the remote private key is not feasible. Factoring a 768-bit RSA modulus would take approximately two years of effort across many computers, which is the scale of the published academic factorization of a 768-bit modulus completed in 2009. Short of restoring from backups, obtaining the decryption application and keys from the attacker therefore appears to be the only way to recover the encrypted files.\r\nFor More Details Read: Check Point Technical Report\r\nSource: https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/"
	],
	"report_names": [
		"offline-ransomware-encrypts-your-data-without-cc-communication"
	],
	"threat_actors": [],
	"ts_created_at": 1777949101,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8b1a0188ea2596cfdd3f02cf4117a7207c15f5a.pdf",
		"text": "https://archive.orkl.eu/e8b1a0188ea2596cfdd3f02cf4117a7207c15f5a.txt",
		"img": "https://archive.orkl.eu/e8b1a0188ea2596cfdd3f02cf4117a7207c15f5a.jpg"
	}
}