The shortest month of 2017 was relatively slow in terms of ransomware activity, but it gave rise to several disconcerting tendencies in the cybercrime ecosystem. Crypto infections that steal sensitive information along the way, top-notch Android ransomware utilizing dropper techniques, low-cost Ransomware-as-a-Service platforms – all of these took root in February. Overall, 26 new strains emerged and 15 old ones were updated. Security experts released five free decryption tools. Go ahead and peruse the timeline below to learn more.
FEBRUARY 1, 2017
Samas ransomware keeps mutating
A new edition of Samas, or SamSam, ransomware emerges in the wild. It blemishes encrypted files with the .letmetrydecfiles extension and leaves a data recovery how-to called LET-ME-TRY-DEC-FILES.html.
FEBRUARY 2, 2017
Avast upsets online extortionists again
Avast's research team devises free decryptors for three widespread ransomware families: Hidden Tear, Jigsaw, and Stampado. Another battle won by Avast is a small, yet important, milestone in the war against this segment of cybercrime.
FEBRUARY 3, 2017
U.S. County falls victim to ransomware
An undisclosed strain of file-encrypting malware attacks the IT network of all government offices in Licking County, Ohio. The compromise cripples the County’s computer systems and phone network, including 911 emergency services.
Arrests over a defiant ransomware attack
The United Kingdom’s National Crime Agency apprehends a British man and a Swedish woman in London on suspicion of infecting the CCTV system of Washington, D.C. with ransomware. Both suspects are 50 years old. This attack had rendered the U.S. capital’s video surveillance network inoperable a week before the inauguration of Donald Trump.
Ranion, a new RaaS out there
A Ransomware-as-a-Service system called Ranion is advertised on darknet sites as a platform built strictly for educational purposes. Is this true? Of course not. The proprietors of this RaaS provide wannabe fraudsters with a perfectly viable extortion model. The fee for using the service amounts to 0.95 BTC (about $1,200) per year or 0.6 BTC ($760) for six months.
Ransomware prank that isn’t funny
The YourRansom crypto infection is first spotted. It concatenates the apropos .yourransom extension to encrypted files and drops a README.txt ransom manual. The interesting thing is that the attacker asks victims whether they like this joke and instructs them to contact him at [email protected] for free decryption.
New LambdaLocker strain written in Python
This one uses a combination of AES-256 and SHA-256, adds the .lambda_l0cked suffix to encoded files, and creates a ransom note called READ_IT.hTmL. The size of the ransom is 0.5 BTC.
FEBRUARY 4, 2017
PadCrypt backed by an affiliate platform
Researchers discover that the PadCrypt ransomware is available on a RaaS basis. Therefore, anyone who wants to break bad can join the affiliate network, get their custom build of the infection, and use a tracking mechanism when conducting an extortion campaign of their own.
Details of YourRansom sample
It turns out that the above-mentioned strain called YourRansom is based on an open-source project by a Chinese enthusiast nicknamed popu125. The original code was posted on GitHub and is currently unavailable.
FEBRUARY 6, 2017
Spora ransomware keeps impressing
Operators of the Spora ransomware have a tech support system that not every legitimate online service can boast. The support agents respond to victims’ requests amazingly fast and offer them an odd deal: provide positive feedback and get a discount on the ransom.
Android ransomware gets smarter
The latest spinoff of the ransom trojan called Android.Lockdroid.E uses a dropper to adapt to the configuration of the specific Android device it has infected. Online malefactors used to apply this technique on Windows-based machines only, so the sample in question is a game changer in a way.
FEBRUARY 7, 2017
CryptoShield update
A new variant of the CryptoShield ransomware is out. Its version number is 1.1. The pest uses an updated set of email addresses to interact with victims, namely [email protected], [email protected], and [email protected].
Erebus ransomware is a tricky one
The crypto malware called Erebus is capable of obtaining elevated privileges on a target computer without the user consenting via a User Account Control prompt. It simply circumvents UAC authorization. The size of the ransom is comparatively low, amounting to a Bitcoin equivalent of $90.
The comeback of JobCrypter
Ransomware watchers spot a new sample of the JobCrypter ransomware in the wild. This strain had been inactive since late May 2016. The discovered variant leaves ransom notes in French and demands 500 EUR for data decryption.
Aw3s0m3Sc0t7 sample isn’t that awesome
Judging by the name of this ransomware, its developer is probably someone named Scott who really likes himself. Having scrambled one’s files, the infection concatenates the .enc extension to each one.
A kleptomania-stricken ransom trojan
An unnamed ransomware specimen is discovered that pilfers a victim’s sensitive data, including private keys and Base64-encoded certificates, and then demands 1 Bitcoin for not disclosing this data.
FEBRUARY 8, 2017
New sample targeting Portuguese-speaking audience
Another CryptoLocker copycat starts infecting computers with Portuguese-language locales. It adds the “.id-[random digits][email protected]_” string to the names of encrypted files and drops a ransom note called COMO_ABRIR_ARQUIVOS.txt.
One more milestone reached by ID Ransomware
MalwareHunterTeam’s ID Ransomware is one of the most helpful online resources for identifying different file-encrypting infections. At this point, it can detect a whopping 300 ransomware families.
FEBRUARY 9, 2017
The poisonous Serpent ransomware
A fresh data-scrambling specimen called Serpent ransomware is discovered. It appears to be a successor of the infamous WildFire Locker and Hades Locker strains. It appends the .serpent extension to files and creates recovery how-to’s named HOW_TO_DECRYPT_YOUR_FILES_[3 random characters].html/txt. Like its forerunners, Serpent targets Danish users.
DynA-Crypt isn’t a commonplace threat
The perpetrating program called DynA-Crypt is an explosive fusion of crypto malware and a data-stealing infection, so the impact is twofold: on the one hand, it locks down a victim’s important files and stains them with the .crypt extension; on the other, it harvests keystrokes, furtively takes screenshots, and collects information related to a variety of applications.
Another Hidden Tear spinoff
Hidden Tear is a proof-of-concept ransomware created by Turkish coder Utku Sen. Unfortunately, cybercrooks have used it to cook up multiple real-life crypto infections. The new Digisom ransomware is one of these derivatives. It demands a fairly low ransom of 0.05 Bitcoin, or about $60.
Details of the Fadesoft trojan
Fadesoft displays a Resident Evil movie-themed warning screen containing a logo of the fictional Umbrella Corporation. The size of the ransom is 0.33 Bitcoin (about $400).
FEBRUARY 10, 2017
SerbRansom 2017, a new sample on the table
The offending entity called SerbRansom 2017 creates a recovery manual with the flag of Serbia depicted in the center. It appends the .velikasrbija string to filenames and requests $500 worth of Bitcoin for decryption.
Wcry ransomware spotted
This crypto infection is nothing out of the ordinary. It uses the .wcry extension to scar encrypted files, hence the name. The trojan demands 0.1 Bitcoin for decryption.
Ransomware attacks via RDP on the rise
Researchers at Trend Micro discover a considerable spike in the number of Remote Desktop Protocol brute-force attacks depositing the Crysis ransomware on computers. A particularly unsettling fact is that the threat actors are actively employing this technique to target healthcare organizations in the United States.
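As an added defender-side example (not from the original article), the following Python flags the RDP brute-force pattern described above by counting failed RemoteInteractive logons (event 4625, logon type 10) per source address within a sliding window and calling out a successful logon that follows such a burst; the log lines and the pipe-delimited export layout are constructed assumptions, not a real event log format.

```python
"""Flag RDP brute-force activity from a simplified Windows Security log export.
Added example; sample lines and the field layout are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event_id|logon_type|account|source_ip
SAMPLE_LOG = """\
2017-02-10T03:00:01|4625|10|administrator|203.0.113.7
2017-02-10T03:00:02|4625|10|admin|203.0.113.7
2017-02-10T03:00:03|4625|10|backup|203.0.113.7
2017-02-10T03:00:04|4625|10|scanner|203.0.113.7
2017-02-10T03:00:05|4625|10|nurse|203.0.113.7
2017-02-10T03:00:06|4625|10|radiology|203.0.113.7
2017-02-10T03:00:09|4624|10|administrator|203.0.113.7
2017-02-10T08:15:00|4625|10|jsmith|192.0.2.44
2017-02-10T08:15:30|4624|10|jsmith|192.0.2.44
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window trips the alert
RDP_LOGON_TYPE = "10"          # RemoteInteractive, i.e. RDP


def parse(line):
    """Split one export line into (timestamp, event_id, logon_type, account, src)."""
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return datetime.fromisoformat(ts), event_id, logon_type, account, src


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, kind, timestamp).

    kind is 'burst' when a source crosses the failure threshold inside the
    window, and 'success_after_burst' when a 4624 logon from that source
    follows the burst (a likely guessed password, i.e. the Crysis entry path)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    bursting = set()               # sources currently in a burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = parse(line)
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this detection
        if event_id == "4625":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append((src, "burst", ts))
        elif event_id == "4624":
            if src in bursting:
                alerts.append((src, "success_after_burst", ts))
            failures[src].clear()  # a success resets the counter for that source
            bursting.discard(src)
    return alerts


if __name__ == "__main__":
    for src, kind, ts in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src}: {kind}")
```

A single failed logon followed by a success (the jsmith entries) produces no alert, which keeps ordinary typos out of the results.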
FEBRUARY 11, 2017
SerbRansom 2017 campaign attribution
Based on the analysis of the recently discovered SerbRansom infection, its author hails from Serbia and displays hatred towards Kosovo and Croatia in his other felonious activities. The crook also created an app for SQL injection targeting Croatian sites.
Ransomware employing RAR
Ransom trojans don’t necessarily implement cryptographic routines of their own to lock down one’s files. Some strains move their victims’ data into a password-protected RAR archive instead. A new sample from the latter category is spotted. To unlock the archive called All_Your_Documents.rar, those infected have to cough up 0.35 Bitcoin.
FEBRUARY 13, 2017
Samas ransomware updated again
The latest edition of the Samas ransomware appends scrambled files with the .encryptedyourfiles extension and provides a recovery how-to named 001-READ-FOR-DECRYPT-FILES.html.
New CyberSplitter variant emerges
Also referred to as CyberSplitterVBS, this ransomware family spawns another version displaying an FBI-themed warning screen with a “Your computer has been locked!” message. It provides a 72-hour deadline to submit 0.5 Bitcoin for decryption. Otherwise, the data will allegedly become irrecoverable.
FEBRUARY 14, 2017
Ransomware for Industrial Control Systems
David Formby, Srikar Durbha, and Raheem Beyah, researchers from the Georgia Institute of Technology, tailor a proof-of-concept ransomware that targets programmable logic controllers in ICS and SCADA systems.
Alarming ransomware stats hit the headlines
According to Kaspersky Lab, 47 out of 62 ransomware specimens propagating in 2016 were created by Russian-speaking cybercriminals. This means that 75% of online extortion campaigns originate from Russia and possibly other former Soviet Union countries.
CyberSplitter devs are more active than ever
Two more variants of the CyberSplitter ransomware are discovered. One of them displays an image of Saher Blue Eagle in its ransom note. This term denotes an infamous Remote Access Trojan (RAT), so the crooks pay homage to black hat hacking tools in a way.
Minor tweak of the JobCrypter ransomware
A new build of the JobCrypter strain instructs victims to send a message to one of the following email addresses for decryption steps: [email protected], [email protected], or [email protected]. Other than this updated list, the infection didn’t undergo any changes.
FEBRUARY 15, 2017
An interesting move by Cerber makers
The infamous ransomware called Cerber, which has been active for a year now, adopts an offbeat strategy. When running a scan for data to be encrypted, its most recent version ignores files used by security solutions, including firewalls, antivirus, and antispyware tools. Perhaps the malefactors are thus trying to demonstrate that the routine computer defenses don’t pose a hurdle to their filthy business.
N1N1N1 ransomware update
Not much has been modified in the latest edition of the N1N1N1 ransom trojan. The noteworthy changes include a new file marker of 333333333333 and a different Tor site for the Command and Control server.
FEBRUARY 16, 2017
A ransomware decryption masterclass
Fabian Wosar, CTO and Head of Malware Research Lab at Emsisoft, demonstrates the process of ransomware analysis in a live video. During the streaming session, he reverses a new sample called Hermes and proves that its encryption can be cracked.
Fine-tuning of PrincessLocker
The perpetrating program in question now drops a recovery manual called @_USE_TO_FIX_JJnY.txt and uses a new Tor link to communicate with its C2 server.
The onset of Kasiski ransomware
Judging by the text in its ransom note, the Kasiski sample targets Spanish-speaking users. It creates the INSTRUCCIONES.txt decryption walkthrough and uses the [KASISKI] prefix to label crippled files.
FEBRUARY 20, 2017
XYZWare is nothing out of the ordinary
A Hidden Tear POC spinoff called XYZWare is discovered. It was crafted by an Indonesian coder. The pest creates a ransom note called README.txt.
A change to CryptConsole
The only tweak made to CryptConsole as part of a recent update is the new email address [email protected] used for communication with victims.
Merry X-Mas ransomware decryptor updated
Emsisoft releases a new build of the decryption tool for Merry X-Mas, or MRCR, ransomware. The application can now handle the latest version of this crypto infection, which concatenates the .merry extension to files and leaves a Merry_I_Love_You_Bruce.hta ransom note.
FEBRUARY 21, 2017
Android ransomware evolution dissected
Analysts at ESET publish a whitepaper named “Trends in Android Ransomware”. It singles out the main evolutionary vectors of Android lockers’ activity observed during the past year. According to the report, these threats increasingly leverage spam as the entry point, focus more on the Asian market, use encrypted payloads, and often impersonate adult applications hosted on unofficial app stores.
Sage ransomware upgraded to version 2.2
Sage 2.2 ransomware takes after its predecessor in many ways. It still affixes the .sage extension to filenames and uses the same cryptographic routine. The only alteration is that it has switched to using the !HELP_SOS.hta ransom note.
Another day, another Samas version released
The latest build of the Samas ransom trojan adds the .weencedufiles string to encoded entries and uses a READ-READ-READ.html file with restoration steps.
Avast vs. CryptoMix ransomware
A new free tool by Avast decrypts data mutilated by one of the CryptoMix ransomware variants. In particular, it supports the edition that operates in offline mode, uses the AES-256 algorithm, and appends files with the .cryptoshield, .lesli, .rscl, .scl, .code, .rmd, or .rdmk extension. This offending program also drops ransom notes called HELP_DECRYPT_YOUR_FILES.html and “# RESTORING FILES #.txt”.
FEBRUARY 22, 2017
Trump Locker ransomware discovered
The new Trump Locker isn’t an independently developed sample. Its authors borrowed the code from the Venus Locker specimen. Interestingly, it appends the most widespread types of files with the .TheTrumpLockerf extension and uses the .TheTrumpLockerp suffix for less popular ones. The ransom note is named “What happen [sic] to my files.txt”.
The decryptable Crypt888 strain
The trojan called Crypt888 puts the “Lock.” prefix before original filenames and displays a picturesque sea view instead of ransom demands. A free decryptor by Avast can take care of this one.
Details of the PyL33T ransomware
PyL33T is the conventional name of a new Python-based crypto ransomware. It concatenates the .d4nk extension to one’s skewed files.
Patcher plague targeting Macs
Although file-encrypting threats designed for Mac OS X aren’t very common, new samples do pop up once in a while. The latest infection from this category is camouflaged as patchers for different Mac apps, including Adobe Premiere Pro CC 2017 and Office 2016. Referred to as the Patcher ransomware, it uses the .crypt file extension and a README!.txt ransom note. Unfortunately, its buggy crypto routine may render data irrecoverable.
FEBRUARY 23, 2017
Unlock26 virus gives victims a math lesson
The ransomware called Unlock26 isn’t run-of-the-mill because it requires that infected users solve a math problem before they can get to the payment phase. No contact details of the attacker are indicated in the warning window or elsewhere.
Android ransomware with voice input
A unique infection known as Android.Lockdroid.E instructs its victims to use the QQ instant messenger for contacting the threat actors. What is more, after paying the ransom, an infected Android user is supposed to press a specified button and speak the obtained unlock code. This means that the attackers are starting to use voice recognition technology in their extortion schemes.
Pickles ransomware isn’t a joke
This is another sample coded in Python. It replaces filenames with random hexadecimal strings followed by the .EnCrYpTeD extension and drops a decryption how-to called READ_ME_TO_DECRYPT.txt.
A new sample written in Go
The Vanguard ransomware is the first one coded in Google’s Go language (golang) in a long time. It arrives as a rogue email attachment named MSOffice. Other than that, Vanguard is poorly explored at this point because the C2 server is not functioning.
FEBRUARY 24, 2017
CryptoMix starts using a new file extension
Another update of the CryptoMix pest has brought about a small tweak. The ransomware now stains encrypted files with the .cryptoshiel string, which is obviously a misspelling.
FEBRUARY 25, 2017
Crooks zero in on MySQL servers
Extortionists targeted MongoDB, ElasticSearch, CouchDB, and several more server types heavily during the past two months. Hundreds of recent ransomware incidents demonstrate that it’s MySQL databases’ turn to undergo similar attacks. The threat actors take the content of these servers hostage and demand 0.2 Bitcoin for recovery.
The self-explanatory Damage ransomware
Researchers spot a new file-encrypting infection that uses the .damage extension to stain scrambled files. The ransom note is called [email protected][random].txt.
BarRax, another Hidden Tear derivative
This is one of the numerous spinoffs of the controversial open-source ransomware called Hidden Tear. It appends the .BarRax suffix to encrypted files. Interestingly, its authors set up a publicly accessible support forum, which is a rare thing for the extortion underground.
Unlock26 operators launch a RaaS
The architects of the Unlock26 trojan create a Ransomware-as-a-Service platform of their own. It’s called Dot-Ransomware and allows crooks to build their custom payloads. The configurable values include the list of targeted file formats, ransom sizes based on country, and the type of encryption. The authors’ cut is 50% of all ransoms paid.
FEBRUARY 26, 2017
Sardoninir ransomware emerges
The sample called Sardoninir concatenates the .enc extension to locked files. It goes with a hard-coded list of about 100 email accounts that it uses to submit the encryption code to the attacker’s email address [email protected].
New Crypt0L0cker details uncovered
Italian ransomware researchers provide an in-depth analysis of the spam wave involved in the new iteration of the Crypt0L0cker strain. In particular, the researchers dwell on the abuse of the “Posta Elettronica Certificata” system to sign rogue emails with the ransomware on board.
FEBRUARY 28, 2017
Expert’s thoughts on the future of ransomware
Renowned cryptographer Matthew Green publishes an article where he expresses his viewpoint about crypto implementation tactics that ransomware developers may start employing in the near future.
Ransomware attacking Czech users
A new strain called FileLocker propagates in the Czech Republic. Its payload is hosted on several local websites compromised by the threat actors. FileLocker adds the .ENCR string to mutilated files and demands 0.8 Bitcoin for decryption.
Good news for Patcher ransomware victims
Malwarebytes analysts come up with a way to restore data affected by the Patcher, or Findzip, ransomware. This sample targets Mac OS X machines, and it was originally believed to distort files beyond recovery. Fortunately, the researchers tailored a workaround to get data back using the PkCrack app and a number of Xcode commands.
SUMMARY
The evolution of ransomware is underway. Threat actors are starting to add quality tech support to their foul play, so marketing is becoming part of the malicious equation. Aside from home users, the targets also include educational establishments, local governments, and closed-circuit television systems. To top it all off, Android ransomware is shaping up to be a major concern, with voice recognition features now complementing its extortion toolset. The only way to stay on the safe side in this environment of ubiquitous perils is to take effective precautions. The best plan B imaginable is to have a data backup in store, while proper online hygiene works wonders in terms of prevention.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.