Cryptorbit Decryptor Ransomware Website PHP Source Code Leak

After reading about the Cryptorbit Decryptor malware on BleepingComputer.com I did a bit of investigating of the .onion domain (http://4sfxctgp53imlvzk.onion)

Let me just say I think these malware authors are the scum of the earth. More so than regular malware authors because they have, and continue to, put honest businesses out of work due to loss of important files. It’s a sickening practice and I hope you all get caught and charged with the full weight of your crimes.

Quick note: Tools are available to aid in decryption of these files. Click here for more information.

That being said, here is what the website looks like:

Doesn't get scummier

Doesn’t get scummier

Nice little ransom note on an anonymous .onion domain with anonymous ways to pay them. Great.

So naturally I poked around with various odd inputs but got very little out of it. That is until I visited this URL: http://4sfxctgp53imlvzk.onion/robots.txt

Why? Old habit. But what I found makes me smile.

Full PHP source anyone?

<?php
session_start();
define('DBHOST', 'localhost');
define('DBUSER', 'site');
define('DBPASS', 'Be6mybCWhpFpgG4u');//Dostep do sql zamiana!!!
define('DBNAME', 'site');
mysql_connect(DBHOST, DBUSER, DBPASS);
mysql_select_db(DBNAME);
$errors = $success = "";
if(isset($_GET['captcha']) && $_GET['captcha'] == 1){
	include('kcaptcha6791/kcaptcha.php');
	$captcha = new KCAPTCHA();
	if($_REQUEST[session_name()]){
		$_SESSION['captcha_keystring'] = $captcha->getKeyString();
	}
	exit();
}
if(isset($_GET['page']) && !in_array($_GET['page'], array('ukash','paysafecard','moneypack','faq','support')))
	exit();
if(isset($_POST['check_code'])){
	if(!preg_match('/^([a-f0-9]){8}-([a-f0-9]){8}$/i',$_POST['check_code'])){
		$errors .= 'Incorrect Code<br />';
	}else{
		list($temp,$code) = explode('-',$_POST['check_code']);
		$result = mysql_query('SELECT `Country` FROM `names` WHERE `NameId`="'.$code.'" LIMIT 1');
		if($result && mysql_num_rows($result)){
			$country = mysql_result($result,0,'Country');
			$result = mysql_query('SELECT `Price` FROM `price` WHERE `Country`="'.$country.'" LIMIT 1');
			if($result && mysql_num_rows($result)){
				$price = mysql_result($result,0,'Price');
			}
		}
	}
}else if(isset($_POST['code']) && (isset($_POST['purse']) || isset($_POST['moneypack']) || isset($_POST['paysafecard']) || isset($_POST['ukash'])) && isset($_POST['email']) && isset($_POST['keystring'])){
	if(isset($_SESSION['captcha_keystring']) && $_SESSION['captcha_keystring'] != $_POST['keystring']){
		$errors .= 'Incorrect Captcha<br />';
	}
	if(!preg_match('/^([a-f0-9]){8}-([a-f0-9]){8}$/i',$_POST['code'])){
		$errors .= 'Incorrect Code<br />';
	}
	$query = '';
	if(isset($_POST['purse']) && !preg_match('/^([a-z0-9]){20,100}$/i',$_POST['purse'])){
		$errors .= 'Incorrect Transaction ID<br />';
	}
	if(isset($_POST['moneypack']) && !preg_match('/^([0-9]){14}$/i',$_POST['moneypack'])){
		$errors .= 'Incorrect MoneyPack<br />';
	}
	if(isset($_POST['paysafecard']) && !preg_match('/^([0-9]){16}$/i',$_POST['paysafecard'])){
		$errors .= 'Incorrect PaySafeCard<br />';
	}
	if(isset($_POST['ukash']) && !preg_match('/^([0-9]){19}$/i',$_POST['ukash'])){
		$errors .= 'Incorrect Ukash<br />';
	}
	if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        $errors .= 'Incorrect Email<br />';
	}
	if(!$errors){
		if(isset($_POST['purse'])){
			$purse = $_POST['purse'];
			$type = 0;
		}else if(isset($_POST['moneypack'])){
			$purse = $_POST['moneypack'];
			$type = 1;
		}else if(isset($_POST['paysafecard'])){
			$purse = $_POST['paysafecard'];
			$type = 2;
		}else if(isset($_POST['ukash'])){
			$purse = $_POST['ukash'];
			$type = 3;
		}else{
			exit();
		}

		$country = '';
		list($temp,$code) = explode('-',$_POST['code']);
		$result = mysql_query('SELECT `Country` FROM `names` WHERE `NameId`="'.$code.'" LIMIT 1');
		if($result && mysql_num_rows($result)){
			$country = mysql_result($result,0,'Country');
		}

		mysql_query('INSERT INTO `codes` SET `time`='.time().', `type`='.$type.', `purse`="'.mysql_real_escape_string(strip_tags($purse)).'", `code`="'.strtoupper(mysql_real_escape_string(strip_tags($_POST['code']))).'", `email`="'.mysql_real_escape_string(strip_tags($_POST['email'])).'", `country`="'.mysql_real_escape_string(strip_tags($country)).'"');
		if(($error = mysql_error()) && preg_match('/Duplicate entry(.*)for key \'purse\'/', $error)){
			$errors .= 'Transaction already exists';
		}else{
			$success = 'You request was send';
		}
	}
}else if(isset($_POST['code']) && isset($_POST['email']) && isset($_POST['message']) && isset($_POST['keystring'])){
	if(isset($_SESSION['captcha_keystring']) && $_SESSION['captcha_keystring'] != $_POST['keystring']){
		$errors .= 'Incorrect Captcha<br />';
	}
	if(!preg_match('/^([a-f0-9]){8}-([a-f0-9]){8}$/i',$_POST['code'])){
		$errors .= 'Incorrect Code<br />';
	}
	if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
		$errors .= 'Incorrect Email<br />';
	}
	if(strlen($_POST['message']) > 300){
		$errors .= 'Message text must be less than 300 symb.<br />';
	}
	if(!preg_match('/^([a-zA-Z0-9,\.\?\:\;\- ])+$/i',$_POST['message'])){
		$errors .= 'Message must contains only a-z, 0-9, punctuation marks and spaces.<br />';
	}
	if(!$errors){
		$code = strtoupper(mysql_real_escape_string(strip_tags($_POST['code'])));
		$email = mysql_real_escape_string(strip_tags($_POST['email']));
		$message = mysql_real_escape_string(strip_tags($_POST['message']));
		mysql_query('INSERT INTO `dec_support` SET `time`='.time().', `code`="'.$code.'", `email`="'.$email.'", `message`="'.$message.'"');
		if($error = mysql_error()){
			$errors = 'Error sending message';
		}else{
			$success = 'Message was send';
		}
	}
}
$purse = mysql_query('SELECT `purse` FROM `codes` WHERE `code`="admin" ORDER BY RAND() LIMIT 1');
?>
<!DOCTYPE html><html><head><title>index</title></head><body style="background-color:#f4f4f6;" style="margin:20px">
<hr>
<p>We are present a special software - CRYPTORBIT DECRYPTER - which is allow to decrypt and return control to all your encrypted files.</p>
<hr>
<p>We accept payment in Bitcoin. Please enter in form below your Personal Code (you can find it in HOWDECRYPT.txt file) to get price for decryptor:</p>
<form action="index.php<?php echo isset($_GET['page'])?'?page='.$_GET['page']:''?>" method="post">
<table cellspacing="3" cellpadding="3">
<tr><td>Personal Code:</td><td><input type="text" name="check_code" style="width:200px" value="<?php echo ($errors && isset($_POST['check_code']))?$_POST['check_code']:''?>"></td><td><input type="submit" value="Check"></td></tr>
</table>
</form>
<?php if(!$errors && isset($_POST['check_code'])):?>
<?php if(isset($price)):?>
Price: <?php echo $price?> BTC<br />
<?php else:?>
Price: 0,8BTC<br />
<?php endif;?>
<?php endif;?>
<br />
<p><b>How to buy CRYPTORBIT decryptor?</b></p>
<p>1. First, you should register Bitcon wallet (<a href="http://www.wikihow.com/Create-an-Online-Bitcoin-Wallet" target="_blank">click here for more information with pictures</a>) </p>
<p>2. Purchasing Bitcoins - Although it's not yet easy to buy bitcoins, it's getting simpler every day.  Here are our recommendations:</p>
<ul>
<li><a href="https://localbitcoins.com/" target="_blank">LocalBitcoins.com</a> - This fantastic service allows you to search for people in your community willing to sell bitcoins to you directly.</li>
<li><a href="http://howtobuybitcoins.info/" target="_blank">How To Buy Bitcoins</a>  -  An international directory of bitcoin exchanges.</li>
<li><a href="https://cashintocoins.com" target="_blank">Cash Into Coins</a> - Recommended for fast, simple service.</li>
<li><a href="https://coinbase.com/" target="_blank">Coinbase</a> - Bitcoin exchange based in the United States.  (Highly rated).</li>
<li><a href="https://www.bitstamp.net/" target="_blank">BitStamp</a> - A multi currency bitcoin exchange based in Slovenia.  (Highly rated).</li>
<li><a href="https://www.mtgox.com/" target="_blank">MtGox</a> - A multi currency bitcoin exchange based in Japan</li>
<li><a href="https://www.coinjar.com/buy_bitcoins" target="_blank">CoinJar</a>  -  CoinJar allows direct bitcoin purchases on their site.  They're based in Australia but serve an international clientele.</li>
</ul>
<p>3. Transfer <?php echo $price?> BTC to our wallet: <?php echo ($purse && mysql_num_rows($purse))?mysql_result($purse,0,'purse'):''?> </p>
<p>4. Complete the form below and click Submit.</p>
<p>5. Within 24 hours you will receive email containing archive with CRYPTORBIT decryptor. Simply run decrypter and wait until decryption proccess finished. After this operation is finished all your files will be decrypted.</p>
<p><a href="http://www.youtube.com/watch?v=WV3wzN3OV2I">Here</a> you can see video about our decrypter.</p>
<b>Please, submit this form only after successful payment.</b><br />
<b>Note: Personal Code - you can find in HOWDECRYPT.txt file.</b><br />
<b>Note: Yahoo don't accept our email, so use another service</b><br />
<b>Note: Transaction ID - you can find in detailed info about transaction you made. Check it twice. We can't verify your payment if you fill it with incorrect transaction id.</b><br />
<p><hr>

<div style="float:left;padding:15px;<?php echo !isset($_GET['page'])?'border:#333 1px solid':''?>"><a href="index.php">Pay by BTC</a></div>
<div style="float:left;padding:15px;<?php echo isset($_GET['page']) && $_GET['page'] == 'faq'?'border:#333 1px solid':''?>"><a href="index.php?page=faq">FAQ</a></div>
<div style="float:left;padding:15px;<?php echo isset($_GET['page']) && $_GET['page'] == 'support'?'border:#333 1px solid':''?>"><a href="index.php?page=support">Support</a></div>
<div style="clear:both;margin-bottom:10px"></div>
<div style="color:red;margin-bottom:10px"><?php echo $errors?></div>
<div style="color:green;margin-bottom:10px"><?php echo $success?></div>
<?php if(isset($_GET['page']) && $_GET['page'] == 'faq'):?>
<b>Frequenly Asked Questions</b><br /><br />
Question: How can I decrypt my files after payment? <br /><br />
Answer: We will send you special CRYPTORBIT decrypter that decrypts all your files. We guarantee that all your files will be decrypted. <br /><br /><br />
Question: What did I have to fill in form "Transaction ID" <br /><br />
Answer:  Fill this form with bitcoin transaction address wich are you payed(example 33166efca56ef039386ddb929c40bf34f09a27c42f07f5cf3e2aa08114c4d1f5) <br /><br /><br />
Question: How long should I wait program after payment. <br /><br />
Answer: Within 24 hours you will receive an email with decryptor.  If you don't receive it, please submit a form again. And you can report a problem to our support center. <br /><br /><br />
Question: I paid on the last week but i dont get the decrypter software. why??? <br /><br />
Answer: It means that you specify not correct transaction id, so we cant identify your transaction. Check it and fill the form one more time. Also, you should to check junk and spam folders, some services put our mails there<br /><br /><br />
Question: I bought 0.5 BTC, and it took 1 week, now I was willing to pay your decrypter and now the price is 1 BTC. How much will be the price next week.? <br /><br />
Answer:  Price is depends of bitcoins rate. Week ago 1btc rate was 850$, now it cost 300, because of that week ago decrypter costed 0.5btc, but now 1btc  <br /><br /><br />
Question: My files was infected more then month ago, can i still recrypt it with your software? <br /><br />
Answer:  Yes, we can encrypt any files crypted by cryptorbit. There no time limits.<br /><br /><br />
Question: I had to reformat and reinstall windows on my c drive, will I still be able to decrypt the files on my other connected drives?/ Can i ran the decrypter from another computer\windows\vmware? <br /><br />
Answer:  Yes you can.<br /><br /><br />
Question: Can i get decrypter before paying? <br /><br />
Answer:  Yes you can. But money first <br /><br /><br />
<?php elseif(isset($_GET['page']) && $_GET['page'] == 'support'):?>
<b>Support</b><br /><br />
Please use this form only in case of technical difficulties.<br />
<form action="index.php<?php echo isset($_GET['page'])?'?page='.$_GET['page']:''?>" method="post">
<table cellspacing="3" cellpadding="3">
<tr><td>Personal Code:</td><td><input type="text" name="code" style="width:200px" value="<?php echo ($errors && isset($_POST['code']))?$_POST['code']:''?>"></td></tr>
<tr><td>Email:</td><td><input type="text" name="email" style="width:200px" value="<?php echo ($errors && isset($_POST['email']))?$_POST['email']:''?>"></td></tr>
<tr><td>Message:</td><td><textarea name="message" style="width:500px"><?php echo ($errors && isset($_POST['message']))?$_POST['message']:''?></textarea></td></tr>
<tr><td>Captcha:</td><td><input type="text" name="keystring" style="width:100px;margin-top:30px;margin-right:10px;float:left"> <img style="width:160px;height:80px;float:left" alt="Captcha" src="?captcha=1&<?php echo session_name()?>=<?php echo session_id()?>&rand=<?php echo rand(100000,999999)?>"></td></tr>
<tr><td></td><td><input type="submit" value="Submit"></td></tr>
</table>
</form>
<?php else:?>
<form action="index.php<?php echo isset($_GET['page'])?'?page='.$_GET['page']:''?>" method="post">
<table cellspacing="3" cellpadding="3">
<tr><td>Personal Code:</td><td><input type="text" name="code" style="width:500px" value="<?php echo ($errors && isset($_POST['code']))?$_POST['code']:''?>"></td></tr>
<?php if(!isset($_GET['page'])):?>
<tr><td>Transaction ID:</td><td><input type="text" name="purse" style="width:500px" value="<?php echo ($errors && isset($_POST['purse']))?$_POST['purse']:''?>"></td></tr>
<?php endif;?>
<tr><td>Email:</td><td><input type="text" name="email" style="width:500px" value="<?php echo ($errors && isset($_POST['email']))?$_POST['email']:''?>"></td></tr>
<tr><td>Captcha:</td><td><input type="text" name="keystring" style="width:100px;margin-top:30px;margin-right:10px;float:left"> <img style="width:160px;height:80px;float:left" alt="Captcha" src="?captcha=1&<?php echo session_name()?>=<?php echo session_id()?>&rand=<?php echo rand(100000,999999)?>"></td></tr>
<tr><td></td><td><input type="submit" value="Submit"></td></tr>
<tr><td> </td></tr>
<?php if(!isset($_GET['page'])):?>
<?php endif;?>
</table>
</form>
<?php endif;?>
</body></html>
<?php if(!isset($_COOKIE['PageVisited'])){
	setcookie("PageVisited", '1', time()+86400);
	mysql_query('INSERT INTO `visitors` SET `Date`="'.date('Y-m-d').'",`Visitors`=1 ON DUPLICATE KEY UPDATE `Visitors`=`Visitors`+1');
}?>

Sadly after looking through the source I don’t see any obvious vulnerabilities (if there were some, would it be unethical to exploit them?).

The pastebin found here: http://pastebin.com/gj7sH8am

Oops just found out that someone else found this too: https://twitter.com/runasand/status/414179101721636864

Oh well, least here it will be more easily searchable if someone is interested.

Matthew Bryant (mandatory)

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.