Badly coded ransomware encrypts your data but forgets the key

The fatal flaw means that data on any computer infected by Power Worm can never be decrypted, even if the user does pay the hackers behind it. With no key to undo the work of the encryption engine, the files will stay locked up forever, even when the software is supposed to be decrypting them.
As the BBC reports, the ransomware originally only targeted Microsoft Word and Excel files but a recent upgrade sent it after several other kinds of data commonly found on computers. The updated edition has a fatal flaw though: the creator cut a corner while coding it and inadvertently broke the decryption mechanism altogether.
Malware researchers ‘White Hat Mike’ and Nathan Scott of BleepingComputer discovered the variant of Power Worm and came across the mistake in the source. The creator appears to have tried to simplify the way in which files are decrypted but broke the function responsible for creating encryption keys in the process. It never keeps a record of how it encrypted the data, so it isn’t possible to ever return it to a normal state.
Needless to say, anybody targeted by this ransomware shouldn’t pay the ransom. The creator is demanding two bitcoins (around $500) before the files are unlocked but it’s now clear the computer’s owner will never get to see them again even if the money is handed over.
The bug is caused by a single character in Power Worm’s source. The developer had intended to use the same encryption key on all of his victims to simplify decrypting. However, he failed to pad this key properly, so the encryption engine did not recognise it and generated a random key each time instead. The creator had typed “=” instead of “==”.
BleepingComputer’s Lawrence Abrams helped with the analysis of the ransomware and its flaws. He wrote: “As the developer thought that he knew the key that was being used, this random key was never saved and there is no way to recover it in the future. That one little missing ‘=’ character irretrievably destroyed a victim’s data. If the malware dev had simply tested (what a crazy concept) his infection then this mess wouldn’t have happened.”
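The same failure mode can affect any program that loads an encryption key from an encoded string. The following Python code is an added example, not code from Power Worm or from BleepingComputer's analysis: it shows a key whose base64 padding is one "=" short being rejected by the decoder, a lenient loader that silently falls back to an unsaved random key, and a strict loader that fails closed instead. The 16-byte key length, the sample key and all function names are assumptions made for illustration; the page does not describe how the real fallback is implemented.

```python
import base64
import binascii
import os

KEY_LEN = 16  # assumed length; 16 bytes encode to 24 base64 chars ending in "=="

# Constructed sample values, not taken from the malware.
GOOD_B64 = base64.b64encode(bytes(range(KEY_LEN))).decode()  # ends with "=="
BAD_B64 = GOOD_B64[:-1]                                      # one "=" dropped


def padding_ok(encoded: str) -> bool:
    """Cheap pre-check: padded base64 is always a multiple of 4 characters."""
    return len(encoded) % 4 == 0


def load_key_lenient(encoded: str) -> bytes:
    """Failure mode: a decode error is swallowed and a random key is used."""
    try:
        return base64.b64decode(encoded, validate=True)
    except binascii.Error:
        # The random key is never stored, so nothing encrypted with it
        # can be decrypted later.
        return os.urandom(KEY_LEN)


def load_key_strict(encoded: str) -> bytes:
    """Fail closed: stop unless the configured key decodes to the right size."""
    try:
        key = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"configured key is not valid base64: {exc}") from exc
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(key)}")
    return key


if __name__ == "__main__":
    print("padding ok (good, bad):", padding_ok(GOOD_B64), padding_ok(BAD_B64))
    print("lenient keys differ per call:",
          load_key_lenient(BAD_B64) != load_key_lenient(BAD_B64))
    try:
        load_key_strict(BAD_B64)
    except ValueError as err:
        print("strict loader refused:", err)
```

A single run with the configured key, followed by a decrypt of the test output, would have exposed the mismatch before any real data was touched.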
Abrams said the site will be making an exception to its usual policy of not disclosing bugs in malware, in order to help the software’s creator fix the issue. He explained: “At BleepingComputer we never disclose bugs in a ransomware infection that will just alert the developer and cause them to fix the weakness. In this particular case, though, we are going to tell the developer how to fix his mistake so that he doesn’t continue to destroy his victim’s data going forward. In our opinion, if a person becomes infected, we would rather they have a fighting chance of recovering their files rather than no chance at all.”
Ransomware attacks are becoming an increasingly popular tool with cybercriminals. If the right machines are targeted then it is possible to cause large-scale damage to critical systems, eventually forcing the owner to pay up much larger sums of money than can be obtained from card theft or email phishing.
