Saturday, September 3, 2016

Posted by Paulos Yibelo
2 comments | 3:56 AM
In this Vigilante series, we will take down a ransomware C&C called Rush/Sanction. As many of you may know, I usually give time to patch vulnerabilities before posting them, but this series is like a "pro bono" because I don't really like things that steal from people, or ransomware in general (as my earlier project zerorose is supposed to help with).

So I recently got access to their C&C (Command and Control) source code (written in PHP) and discovered 3 SQL injections. I am also blogging this without giving them a chance to patch (as a 0day) because they don't deserve it. In fact, I recommend people hack all their C&Cs, take over their servers, steal all their bitcoins and return them to the victims' accounts. (no pressure)

The Sanction Ransomware is a threat that con artists use to encrypt files on the victims' computers. The Sanction Ransomware uses the AES algorithm to encrypt the victim's files and changes the extension of every file it encrypts. Like other encryption ransomware infections, the Sanction Ransomware demands the payment of a ransom to provide the decryption key. PC security researchers strongly advise against paying the Sanction Ransomware ransom unless there is no other choice. Computer users have no way to be sure that the people responsible for the Sanction Ransomware will restore the encrypted files once the ransom is paid. Furthermore, paying the Sanction Ransomware ransom enables its creators to continue producing and distributing threats. As long as encryption ransomware remains financially viable because computer users fail to back up their files and agree to pay the ransoms these threats demand, additional infections like the Sanction Ransomware will continue to appear.

When the Sanction Ransomware encrypts the victim's files, it displays various types of ransom notes on the victim's computer. The Sanction Ransomware displays this ransom note in the form of text, image, and HTML files dropped in the directories containing the encrypted files. The Sanction Ransomware also shows pop-up messages and changes the victim's Desktop image to demand the payment of its ransom. The Sanction Ransomware demands payment in Bitcoin, a cryptocurrency that lets con artists profit from their attacks while remaining anonymous.

The Sanction Ransomware is very similar to a variety of other encryption ransomware threats, in particular TeslaCrypt. Most of these attacks are very similar to each other, both in their tactics and implementation. In fact, they may be reskinned versions of the same basic threat, sharing nearly all of their code. PC security researchers strongly advise computer users to back up all files that they would not want to become inaccessible. The Sanction Ransomware and similar threats scan the victim's computer for files with specific extensions, encrypting every file that matches. Targeting only these extensions leaves the operating system usable, so the Sanction Ransomware can still display its ransom demands and threats on the victim's computer. The following are some of the file extensions that the Sanction Ransomware and similar ransomware Trojans target:

.gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet...

1. In Sanction/config.php: 29

$del = $_GET["delete"];
if(!empty($del)) {
   // the raw GET value is spliced straight into the SQL string
   $ques = "DELETE FROM `logs` WHERE `GUID` = '$del'";
   header('location: view.php');
   // ... (remainder of the block not shown in the post)
}

As you can clearly see, the `delete` parameter sent through GET is put inside an SQL statement without any sanitization. You can disable redirects on your end with a browser plugin like NoRedirect to ignore the constant redirect whenever you send the `delete` parameter.

2. In Sanction/write.php: 13

$tlc = $_POST["tlc"];
if(!empty($tlc)) {
   // $tlc comes straight from the POST body; $ip is assigned elsewhere in write.php (not shown here)
   $que = "UPDATE `logs` SET totallocked = '$tlc' WHERE `ip` = '$ip'";
   // ... (remainder of the block not shown in the post)
}

3. In Sanction/write.php: 20

$mai = $_POST["firstname"];
$gui = $_POST["guid"];
// both POST values land in the query text unescaped
$qs = "UPDATE `logs` SET mail = '$mai' WHERE `GUID` = '$gui'";
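As an added example (not code from the post or from the Sanction C&C), here is the shape of the DELETE from finding 1 and the UPDATE from finding 3 in Python with sqlite3, once with the request value spliced into the SQL text as the snippets do and once bound as a parameter; the `logs` table and its rows are constructed here and only reuse the column names the snippets show. An ordinary value containing an apostrophe is enough to show the difference: the concatenated form hands it to the SQL parser, the bound form stores it as data, and the same fix applies to the `totallocked` query in finding 2.

```python
import sqlite3

# Constructed stand-in for the C&C's `logs` table; only the column names come
# from the snippets above (GUID, ip, totallocked, mail), the rows are made up.
SAMPLE_ROWS = [
    ("guid-0001", "198.51.100.10", "120", "first@example.net"),
    ("guid-0002", "198.51.100.11", "45", "second@example.net"),
    ("guid-0003", "203.0.113.5", "7", "third@example.net"),
]

def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (GUID TEXT, ip TEXT, totallocked TEXT, mail TEXT)")
    db.executemany("INSERT INTO logs VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def delete_concat(db: sqlite3.Connection, del_param: str) -> int:
    """Shape of config.php:29 - the request value becomes part of the SQL text."""
    ques = f"DELETE FROM logs WHERE GUID = '{del_param}'"
    return db.execute(ques).rowcount

def delete_prepared(db: sqlite3.Connection, del_param: str) -> int:
    """Hardened form: the value is bound as a parameter, so it is only ever data."""
    return db.execute("DELETE FROM logs WHERE GUID = ?", (del_param,)).rowcount

def set_mail_concat(db: sqlite3.Connection, mai: str, gui: str) -> int:
    """Shape of write.php:20 - two request values spliced into one UPDATE."""
    qs = f"UPDATE logs SET mail = '{mai}' WHERE GUID = '{gui}'"
    return db.execute(qs).rowcount

def set_mail_prepared(db: sqlite3.Connection, mai: str, gui: str) -> int:
    """Hardened form of the same UPDATE with both values bound."""
    return db.execute("UPDATE logs SET mail = ? WHERE GUID = ?", (mai, gui)).rowcount

def try_query(fn, *args):
    """Run one helper against a fresh table; ('ok', rows affected) or ('error', message).
    A syntax error here means the input reached the parser as SQL, not as data."""
    db = fresh_db()
    try:
        return ("ok", fn(db, *args))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    # A legitimate address with an apostrophe breaks the concatenated statement
    # and is stored unchanged by the bound one.
    for fn in (set_mail_concat, set_mail_prepared):
        print(fn.__name__, try_query(fn, "o'brien@example.net", "guid-0001"))
```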


Good luck! :)


  2. Well done here Paulos, doing it for the people! Thanks for sharing.

    Fred H