Black Claw Ransomware | Jigsaw Evolved?

Captions
Hello and welcome to The PC Security Channel. Today we'll be taking a look at a brand new ransomware called Black Claw, which is quite destructive even though at first sight it does resemble something like Jigsaw. Now interestingly, when I first came across the sample it was already picked up by 17 engines out of 71, and Microsoft was one of them, and as of the 5th of June they've even added it to their threat encyclopedia. Looks like Microsoft is finally upping its game when it comes to recognizing ransomware and categorizing it early. Hey, maybe my Windows Defender and ransomware test videos helped.

But coming back to our sample, as you can see this is a fairly small file, it's only 82.5 kilobytes. Looks fairly benign to the untrained eye. We'll try to open it up in PE Studio and get some more info. Let's see what we've got here. So the file description says it's "service host", a pretty common name for malware since it is a legitimate Windows process that's running all the time, and interestingly it's coded in Visual C#. The reason it's interesting is because this should be really easy to identify and disassemble to some extent. If we go into the strings I'm pretty sure we'll already notice some things. Like, we've got a lot of blacklisted strings already; "C# scripter", that's what the file name is. And if we go into the actual PDB name we can see that, well, Scott, Visual Studio 2017, projects, ransomware. Nice. There are better projects you can do, but anyway. From the MITRE perspective we've got obfuscation and execution, dynamic library linking, diagnostic and cryptography, most of which are benign other than maybe obfuscation. But let's take a look now. Apart from the first few, it doesn't look like there's a lot of identifiable strings here, so we should probably just move on. Oh wait, there's more. This thing is loaded. But you know what, there's probably a better way to do this. Let's open it up in dnSpy and see what we can find. And for those of you waiting for the ransomware execution, don't worry, we'll be doing it. Let's build it up first.

Okay, so we're gonna try and decompile this C# scripter and let's see what it is up to. So let's go into the actual main form, I guess that would be interesting. So "protected override void", "bool disposing", now there's an interesting flag, a lot of switch statements, and it's funny that most of this code is just readable, because usually it's not. You know, we've got Rijndael, that's a common encryption method. For those of you unfamiliar with cryptography, Rijndael is basically just AES. Not exactly, if you're talking technical terms, I think it's a superset of AES, but usually when people are using the RijndaelManaged function in their program they're trying to implement AES. And we've got CryptoStream right there; there's a local variable of an array that they're likely using to store stuff. Now, while this still seems fairly easy to read, and therefore you might compare it with something like Jigsaw, as far as I'm aware I don't think it's decryptable unless you actually intercept and store the network traffic while it executes. So keep an eye on the process activity as we go ahead and do that.

So our ransomware is ready, it's hungry, we've got the forest backdrop to go with it. Do you hear the howling in the distance? Maybe some wolves with a black claw. I'm scared, guys. Do we do this? Okay, let's go for it. As you can see we've got the process running already, svchost, and it should take action relatively fast. We're seeing a lot of CPU usage, as you would expect from ransomware encrypting our files, and after a few minutes our desktop goes black. I guess that's the ransomware equivalent of the lights going off in a horror movie. But let's go ahead and take a look at our files and see what might be going on. So if we go to Documents, we've got this weird file name with the bclaw extension, we've also got a "recover your files" HTML application, we've also got one on the desktop, and over in Pictures it's the same story. So let's go ahead and run this and see what it says.

And as you can see we have the ransom note: "All your files have been encrypted with AES plus RSA due to a security problem with your PC." I like how ransomware authors are slowly transitioning into tech support now. Maybe the fake Indian Microsoft tech support, maybe it's the same guys, maybe they just learned encryption. Now, "if you want to restore them, write us an email and attach one of your encrypted files, less than one megabyte, to bclaw at..." okay, I'm not gonna read this name, "or send a message to our Telegram account. Include this ID in your message or email. You have only 48 hours to contact us; when this time ends the price will be twice as much." And we've got the countdown, similar to Jigsaw. And then it says: "Free decryption as guarantee. Before paying you can send up to one file for free decryption." Well, what do you mean up to one file? Like, can I send half a file, a quarter of a file, is that how it works? As usual you've got instructions on how to obtain Bitcoin, I guess if you're new. "Attention: do not rename the files." Hmm, that sounds interesting, so I'm going to try to do just that. So, quick Alt+F4 out of that, let's see what happens if we try and rename one of these. Hmm, well, I mean, I don't know if you guys can see this, but my house didn't just break down and collapse, the world hasn't ended, I don't see a nuclear explosion anywhere on the horizon, the sun's still in the sky, the sky didn't just go black like my desktop screen. Okay, maybe that was just an empty threat. Let's go ahead and open the file. Does this help us? No. So unfortunately it does look like the encryption is actually functional. For a second there you might have gotten your hopes up, thinking, hey, what did they say, don't rename your files, maybe, just maybe, that's all they do is rename the files. But no. Honestly I wouldn't be surprised, since there's a lot of similar C# ransomware that will just rename your files or do something funny, but not this one, at least as far as I can tell.

So I guess beware the Black Claw. If you use Windows Defender, make sure that it is up to date because, as I pointed out early on, this is detected by Windows Defender, so if you have it active and updated you should be okay. It's still early days for this threat, I think we could see people getting infected and attacked, so share the video and hit the like button if you enjoyed it. Don't forget to subscribe to The PC Security Channel. By the way, if you're interested in our cool summer desktop backgrounds, we've got quite a few of them, I'm just gonna show some of them to you right now. So let's go to shared folders, TPSC wallpapers... ouch, they're encrypted of course. I guess I'll just do it on my host. So as you can see we've got some really nice wallpapers, and we're gonna do something experimental. So we're gonna set up like a Patreon subscription where you get all the latest wallpapers that I ever make, and I'll make sure to regularly update that. So if you're interested you can support the channel and join us on Patreon, the link will be in the description, or you can just go to patreon.com/scishow. There's a lot of exciting stuff coming up, so stay tuned. Thank you so much for watching, I really appreciate it, and as always: stay informed, stay secure.
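The check the video performs by hand, opening a renamed file to see whether its contents were really encrypted rather than just given a new extension, can be done across a whole directory tree. The Python script below is an added example and is not part of the video or of the channel's own material: it walks a directory, collects files carrying the ransom extension, measures each file's byte entropy (AES output is near-random, a merely renamed plaintext document is not) and looks for the dropped HTML Application note, then classifies the run as real encryption, rename-only, or clean. The extension `.bclaw` (as the video's "bclaw" is rendered here), the `.hta` note suffix, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the example, not indicators taken from the sample.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed assumptions for the example: the ransom extension as heard in the
# video and the suffix of the dropped HTML Application note. Both are parameters,
# not fixed indicators extracted from the malware.
ENCRYPTED_EXT = ".bclaw"
NOTE_SUFFIX = ".hta"
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root, ext=ENCRYPTED_EXT, note_suffix=NOTE_SUFFIX,
              threshold=ENTROPY_THRESHOLD):
    """Walk `root` and collect indicators of a Black Claw-style run.

    Returns a dict with the files carrying the ransom extension, the subset of
    those whose bytes look random (encryption actually happened), and every
    dropped note found.
    """
    report = {"renamed": [], "high_entropy": [], "notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(note_suffix):
            report["notes"].append(str(path))
        elif name.endswith(ext):
            report["renamed"].append(str(path))
            if shannon_entropy(path.read_bytes()) >= threshold:
                report["high_entropy"].append(str(path))
    return report


def verdict(report, min_files=3):
    """'encrypted' when a note was dropped and the renamed files are random-looking,
    'rename-only' when the extension changed but contents are still structured,
    'clean' when too few files carry the extension to matter."""
    if len(report["renamed"]) < min_files:
        return "clean"
    if report["notes"] and len(report["high_entropy"]) >= min_files:
        return "encrypted"
    return "rename-only"


def build_sample(tmp, encrypted=True):
    """Constructed fixture: a Documents folder after a run, plus one untouched file.
    With encrypted=True the 'documents' are random bytes standing in for AES output;
    with encrypted=False they are plaintext that was only renamed."""
    docs = Path(tmp, "Documents")
    docs.mkdir()
    for i in range(3):
        body = os.urandom(4096) if encrypted else b"quarterly report text\n" * 200
        Path(docs, f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(body)
    Path(docs, "RECOVER-FILES" + NOTE_SUFFIX).write_text(
        "<html>All your files have been encrypted</html>")
    Path(tmp, "readme.txt").write_text("untouched plaintext file\n")
    return tmp


def demo(encrypted=True):
    """Build the constructed fixture in a temp dir and return the verdict for it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, encrypted)
        return verdict(scan_tree(tmp))


if __name__ == "__main__":
    print("real encryption :", demo(True))    # encrypted
    print("rename only     :", demo(False))   # rename-only
```

Running `scan_tree` against a real user profile would use the same three fields; the entropy test is what separates this sample, where the video confirms the files are genuinely unreadable, from the C# lookalikes the presenter mentions that only rename files.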
Info
Channel: The PC Security Channel
Views: 27,999
Rating: 4.9607844 out of 5
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, EDR, SIEM, best EDR, AI, Black Claw Ransomware, Jigsaw, Worst Ransomware ever, new ransomware, decrypt ransomware, trojan.ransom, trojan.ransom.blackclaw, Claw Ransomware
Id: YWVTFvI-EDU
Length: 8min 16sec (496 seconds)
Published: Mon Jun 08 2020