June 2016: The Month in Ransomware

Image

Last month, we covered ransomware in the month of May. Now, we will provide you with a roundup on the state of the ransomware industry as of June 2016. The article contains reports on all the new ransomware samples, the updates made to existing crypto threats, and free decryption solutions created by security enthusiasts.

CryptXXX Becomes UltraCrypter

The strain of crypto malware called CryptXXX went through several upgrades in June. First, the criminals modified the name of the paid decryption tool to UltraDeCrypter, which allowed researchers to conclude that the new edition could be referred to as UltraCrypter. The updated version originally appended the .crypt, .cryp1, .cryptz and .crypz extensions to filenames. In late June, the infection started concatenating a random string of five hexadecimal symbols to files instead. Another new feature that makes a big difference is that CryptXXX targets data stored on unmapped network shares along with local HDD volumes, removable drives, and mapped network repositories.

Jigsaw Ransomware Spinoffs

The Jigsaw family of ransom Trojans is known for the display of notorious movie character images in the background of the alert messages. Another unique trait of these offending programs is that they erase an incremental number of files every hour until the victim submits the ransom. The warning page of the first variant released in June had an NSFW background. This sample added the .paybtc extension to encrypted objects. Several successors used the .pays, .paymrss, .payms, .paymts, and .paymst extensions. The Jigsaw version circulating since June 17th features the Anonymous theme instead. This one adds the .epic string to files and won’t provide the decryption service unless the infected user pays a Bitcoin equivalent of $5,000, which is an unusually large amount compared to other ransomware plagues.

Ransomware Targeting Russian-Speaking Audience

Many crypto-viruses typically terminate their attacks if they identify that one of the languages on the contaminated system is Russian. This characteristic probably reflects the unwillingness of extortionists, most of whom reside in Russia, to infect their fellow citizens. The trend has changed, though. Several ransomware programs emerged in June that specifically target computer users in that country or attacks Russians along with other nationalities.

• A file-encrypting Trojan that appends the .cripttt or .criptokod extension to scrambled files was spotted on June 5th. Going after Russian users only, this offending program tells victims to shoot an email to dsuoufygfdt(at)ro.ru for recovery instructions.
• The RAA ransomware is distributed via a booby-trapped JavaScript file which, when opened, triggers a rogue Microsoft Word document with Russian content that pretends to be corrupted. This maneuver aims at distracting the victims from the malicious code injection process that takes place in the background. RAA uses AES (Advanced Encryption Standard) to encrypt the user’s personal data and concatenates the .locked string to files. The RTF ransom note is in Russian. It requires 0.39 Bitcoins to decrypt files. RAA is not a run-of-the-mill sample because, aside from infecting Russian users, it also installs a password-stealer known as the Pony Trojan. This way, the malefactors try to monetize the installations of their pest regardless of whether or not the victims pay up. Furthermore, it is one of the few ransomware programs written in JavaScript.
• Ded Cryptor is another offending entity that’s indiscriminate about the geographic location of its victims. Its code is based on the open source EDA program by Turkish researcher Utku Sen. This sample uses a mix of the symmetric AES and asymmetric RSA cryptosystems and appends the .ded string to ciphered files. It also replaces the desktop wallpaper with an image that demands 2 Bitcoins for decryption and provides the ne’er-do-wells’ email address, dedcrypt(at)sigaint.org. According to the alert message, the decryption key is only valid for 24 hours.
• A piece of crypto malware that targets Russian users and assigns the Crypt38 string as the new file extension was discovered on June 17th. This infection displays a popup window with ransom demands, according to which the victim has to pay 1000 rubles, or about $15, to unlock their data. It skips files under Windows, Program Files, and MSOCache directories and encrypts the rest using the AES algorithm.
• jozy is a weird name for another ransomware that targets the Russian-speaking audience. It substitutes the original desktop wallpaper with an alert stating that all files were encrypted with the RSA-2048 cryptosystem. The victim is supposed to send one of the encrypted objects to kozy.jozy(at)yahoo.com or selectedkozy.jozy(at)yahoo.com. The criminals use a total of 20 RSA keys for this campaign. By asking the infected users to submit one ciphered file, they can leverage the specific file extension to determine which of those keys will restore data on a particular computer.
• The ransomware dubbed Unlock92 scrambles files using a combo of AES and RSA standards and tells the victim to send one affected file along with a file named Key.bin to unlock92(at)india.com. The latter item is dropped on the desktop and contains the public RSA key. This sample appends files with the .crrrt extension.

Bart Ransomware Locks Files by Archiving Them

The new Trojan called Bart mimics a number of screens used by the Locky ransomware. In fact, analysts discovered that these two hail from the same family. The way Bart locks data, however, is completely different. It adds one’s personal files to a ZIP archive protected by a strong password rather than encrypt them with a cryptosystem. The name of each file becomes appended with the .bar.zip string. The extortionists will only provide the password on condition that the victim pays 3 Bitcoins, or about $2000. To avoid this ransomware, users should abstain from opening catchy files received from unknown senders over email.

The Comeback of Locky and the Necurs Botnet

The strain dubbed Locky virtually vanished from malware analysts' radar at the beginning of June. Security analysts drew a parallel between its decline and the concurrent shutdown of the botnet called Necurs, which most likely served as a primary means of distribution for the sample in question. Unfortunately, the two reappeared on the ransomware arena around June 20th. The perpetrators are using the same botnet to generate thousands of spam emails daily. These messages contain the malicious loader masqueraded as a ZIP archive or Microsoft Office document that prompts users to enable macros. The updated Locky Trojan leverages an anti-virtualization technique that prevents researchers from installing it on a virtual machine and reverse engineering its code. The file-naming format, the extension added to encoded items, and the names of ransom notes underwent a significant change. The ransomware now appends the .zepto extension to files and replaces filenames proper with 32 hexadecimal characters. The ransom instructions are available in two formats: _HELP_instructions.html and _HELP_instructions.bmp. The Zepto variant demands 0.5 Bitcoins for data recovery.

MicroCop Demands an Unthinkable Ransom

The threat actors in charge of the new MicroCop campaign don’t seem to be very good at marketing. They configured their malign product to extort 48.48 BTC for data recovery, which is an enormous amount of money (more than $32,000). Obviously, not many end users put that much value in their data. Moreover, researchers succeeded in cracking this one.

Satana Bootkit Goes Beyond File Encryption

Not only does Satana encode its victims’ personal data, but it also keeps them from logging into the operating system. To this end, it installs a boot locker component along with the file encryptor proper. Effectively, this offending entity affects the Master Boot Record on the machine. It demands 0.5 Bitcoins in exchange for the fix.

Shade Ransomware

The main distinguishing trait of this plague is the use of .windows10 extension to mark the affected data. It displays an alert that tells victims to open Readme.txt recovery avenue and follow directions in it. The compromised users are encouraged to contact the developer over email.

EduCrypt, an Instructive Ransomware Specimen

This is one of the multiple programs created with the Hidden Tear open source code, which was never intended to be malicious. In fact, EduCrypt does not pose a direct risk to users either. Instead, it demonstrates what can happen when people download junk on the Internet. While encrypting files for real, it instructs the infected person to find the ransom note in TXT format and use the password in it to restore all the data for free.

KratosCrypt Built with Open Source Ransomware Code

Ransomware distributors keep using the above-mentioned Hidden Tear educational project to launch their real-world threats. This time, they came up with KratosCrypt, an infection that denies the availability of one’s files using the AES crypto and tells victims to pay 0.03 Bitcoins otherwise the data will stay inaccessible for good. The file extension for this campaign is .kratos, hence the name of the Trojan.

Ransom Trojan Hits Zimbra Message Store

One of the latest ransomware strains was found to target Zimbra, a popular open source enterprise email platform. This Python-based infection locates and encrypts all data inside Zimbra email directory, effectively locking all of the breached company’s email messages. The ransom note named “how.txt” tells the victim that they must pay 3 Bitcoins to restore the information.

ApocalypseVM Features Anti-Analysis Properties

A version of the Apocalypse ransomware emerged that accommodates techniques preventing security experts from dissecting its code. The perpetrators incorporated VMProtect module into the Trojan, which is a popular piece of anti-cracking software. However, researchers were able to get around these obstacles. ApocalypseVM appends the .locked and .encrypted extensions to affected data.

CryptoRoger

The ransomware dubbed CryptoRoger employs the AES-256 algorithm concatenates the .crptrgr extension to one’s filenames and displays ransom notes titled “!Where_are_my_files!.html”. The recovery fee is 0.5 BTC.

CryptoShocker Ransomware

This one is a commonplace sample as well. It uses the symmetric AES cryptosystem to scramble its victims’ personal files, appends the .locked extension and creates a desktop shortcut to the recovery page titled “Attention.url”. The Tor site recommends users to reach the threat actors over cryptoshocker(at)tutanota.com email. The buyout presupposes making a payment of $200.

FLocker Ransomware Can Infect SmartTV

FLocker was designed to attack Android devices. It locks the screen of the infected gadget and demands a ransom of $200, which is payable in iTunes gift cards. According to the analysis by TrendMicro, this malicious program can infect virtually any device running Android, and there are no obstacles for it to compromise Android-based SmartTV appliances.

Nemucod Arrives with JavaScript Attachments

The makers of the Nemucod ransomware didn’t reinvent the wheel to serve their infection. The malicious JavaScript loader accompanies phishing emails that look enticing enough for numerous users to end up opening the attachment. Having completed the encryption process, the Trojan puts the .crypted string at the end of filenames and displays Decrypt.txt ransom note. To redeem their personal information, victims are supposed to submit 0.39 BTC, or around $270, to the Bitcoin address specified in the instructions.

Upswing in the Crysis Ransomware Circulation

June was a lucrative month for the operators of the Crysis Ransomware. A spike in its distribution is powered by a mass spam campaign that disseminates contagious files with double extensions. This trick makes the malicious executable look like a benign one. The new edition encrypts data on local, removable and network drives and appends the .centurion_legion(at)aol.com.xtbl extension. The perpetrators want 1-2 Bitcoins in exchange for recovery assistance.

Herbst Ransomware, a Threat to German Users

Herbst, which is a German word for “autumn”, denotes a fairly well-designed piece of ransomware detected on June 3rd. According to the contents of the ransom note written in German, Herbst employs 256-bit AES encryption to render files inaccessible and then demands 0.1 Bitcoins, or about $70, for decryption. It’s easy to tell which files are affected as the program adds the .herbst string to each.

JuicyLemon Ransomware Doesn’t ‘Taste’ So Good

The JuicyLemon ransomware instructs those infected to reach the developer over support(at)juicylemon.biz so that they can get further recovery advice in response. Files are appended with a long string consisting of the victim’s unique ID, several email addresses, and Bitmessage details to contact the malware operator. The cost of decryption reportedly amounts to $1,000. Unfortunately, there is no way to retrieve files for free at this point.

Black Shades Trojan Makes Fun of Security Analysts

This strain surfaced in early June and proved to be quite unusual. It adds the .silent extension to ciphered items and asks for $30 to decrypt the data. The ransom is payable in PayPal or Bitcoins. The interesting fact is that its creators hid some mocking messages in the ransomware executable, which experts can see in the course of reverse engineering. Furthermore, the hackers threaten the victims to erase their private RSA keys after the deadline of 96 hours expires. Black Shades is likely to have been created by script kiddies who don’t care about the possibility of tracking the PayPal payments.

Decryptors Released

Fabian Wosar, a ransomware researcher from Emsisoft, was able to create free decrypt tools for multiple families of file-encrypting Trojans. In particular, he released decryptors for the following samples during June alone: Apocalypse, ApocalypseVM, and the updated Nemucod. Michael Gillespie, another security guru better known in the IT circles as ‘demonslay335,' contributed to anti-ransomware initiatives by devising multiple free decrypt solutions as well. The samples he was able to get around last month include the Unlock92 and Crypt38 ransomware, MicroCop, KratosCrypt, and Jigsaw. It’s great to know that there are people dedicated and professional enough to contest the growing ransomware plague. However, counting on free decryptors is a lame protection strategy because only a small fraction of samples is covered. A much better idea is to maintain backups of the most valuable data, stay away from those enticing attachments in spam email, and keep security software up to date.  

Image

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.