The year of 2017 isn’t shaping up to be a game changer in combatting ransomware so far. On the contrary, crypto infections are becoming increasingly toxic in terms of their impact and attack surface. Online extortionists keep hitting police departments, healthcare organizations, public libraries, schools, hotels, and unprotected servers around the globe. The quantitative statistics for January are as follows: 37 new ransomware variants appeared, updates were released for 22 old samples, and security analysts created eight free decryptors.
JANUARY 1, 2017
Samas ransomware update
Researchers discover a new edition of the Samas, or SamSam, ransomware. The newcomer appends the .helpmeencedfiles extension to victims’ encoded data entries. The new ransom note is called HELP-ME-ENCED-FILES.html.
Globe ransomware migrates to C/C++
A growing trend with online extortionists revolves around experimenting with programming languages for their malicious code. A new Globe family spinoff, for instance, is compiled in C/C++. This sample concatenates the .locked string to affected files. The ransom amounts to 0.55 Bitcoin.
FirstRansomware featuring a scary warning screen
The computer threat landscape gets a replenishment. A fresh strain runs the firstransomware.exe process on an infected machine, hence its denomination. This one adds the .locked extension to mutilated files and leaves a ransom note called READ_IT.txt. The ransom Trojan generates a screen titled “Death Bitches” with skeletons depicted in it. Victims are supposed to submit 1.5 Bitcoin for decryption.
The Red Alert crypto virus surfaces
This specimen is a derivative of Hidden Tear, an open source proof-of-concept whose Turkish author Utku Sen had inconsiderately posted the code on GitHub. The crooks behind the Red Alert ransomware adjusted the original source code to their real-world extortion campaign. This is one of the multiple adverse use cases related to educational ransomware.
JANUARY 2, 2017
N-Splitter, another Hidden Tear spinoff
Unfortunately, the above-mentioned Hidden Tear POC ended up becoming a godsend for cyber racketeers. It turned into a foothold for creating N-Splitter, a ransomware strain which uses the Cyrillic string “.кибер разветвитель” as an extension for all scrambled files. The size of the ransom for data decryption is 0.5 BTC.
EDA2 isn’t as educational as intended
Researchers spotted a ransomware sample whose code is based on EDA2, another notorious proof-of-concept. Instead of demonstrating the modus operandi of file-encrypting ransomware to analysts, though, this project gave rise to several real-world infections. The new offending program concatenates the .L0CKED extension to skewed filenames and drops a DecryptFile.txt recovery how-to note.
Koolova ransomware lineage expands
The Koolova family of crypto threats gets a new member called Cyber Hub. It appears to be a replica of N-Splitter, displaying an almost identical warning screen and using the same Cyrillic extension for encrypted files.
JANUARY 3, 2017
Criminals taking MongoDB databases hostage
A threat actor who goes by the alias Harak1r1 has been compromising poorly protected MongoDB servers around the globe. The malefactor hijacks database content and replaces it with a ransom demand. Victims are instructed to pay 0.2 BTC (about $200) for recovery. Obviously, server owners should apply software patches as soon as they are rolled out.
FSociety ransomware on the rise
There is an increasing number of ransomware samples that display a ransom screen featuring the FSociety logo from the Mr. Robot series. The latest perpetrating program is crafted quite professionally and explicates its demands in Portuguese.
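The servers hijacked in this campaign were typically ones that accepted connections from the Internet with no access control enabled. The following added example, which is not code from the article or from MongoDB, audits a mongod.conf for exactly those two weaknesses: a missing or disabled security.authorization setting and a listener bound to every interface. It assumes the file uses the indentation-based YAML mapping subset that mongod.conf normally uses (no lists or flow style), and both sample configurations are constructed for illustration.

```python
"""Audit a mongod.conf for the settings that left instances open to hijacking:
no access control, and a listener reachable from every network interface.
Only the nested `key: value` mapping subset of YAML is parsed here."""
import ipaddress

# Constructed example of an exposed instance: no `security` section at all,
# and the listener bound to all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example of the same instance after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1   # reach it over an SSH tunnel or a trusted network only
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse nested `key: value` mappings by indentation into plain dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root


def audit(conf):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append(("HIGH", "security.authorization is not 'enabled': anyone "
                         "who can reach the port can read and drop every collection"))
    bind = conf.get("net", {}).get("bindIp")
    if bind is None:
        # Builds before MongoDB 3.6 listened on all interfaces when bindIp was unset.
        findings.append(("HIGH", "net.bindIp is unset: pre-3.6 builds then listen "
                         "on every interface"))
    else:
        for addr in bind.split(","):
            addr = addr.strip()
            if addr == "localhost":
                continue
            ip = ipaddress.ip_address(addr)
            if ip.is_unspecified:
                findings.append(("HIGH", f"net.bindIp {addr} listens on every interface"))
            elif not ip.is_loopback:
                findings.append(("INFO", f"net.bindIp {addr} is reachable from the "
                                 "network; confirm a firewall limits who can connect"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "no findings")
```

Run it against a real mongod.conf by reading the file into parse_conf; a clean result still says nothing about whether a perimeter firewall sits in front of the host, which is why non-loopback bind addresses are reported as INFO rather than silently accepted.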
JANUARY 4, 2017
Merry X-Mas ransomware is underway
A new file-encrypting strain displays a warning window titled Merry X-Mas. Its first edition appends the .MRCR1, .PEGS1, or .RARE1 extension to encrypted files and creates the YOUR_FILES_ARE_DEAD.hta ransom note.
Pseudo-Darkleech cybercrime group banking on ransomware distribution
The notorious malware deployment network dubbed pseudo-Darkleech has been reportedly involved in multiple ransomware campaigns during 2016. The primary distribution methods include booby-trapped spam and exploit kits.
Globe ransomware version 3 cracked
Fabian Wosar, a well-known security analyst working for Emsisoft, succeeds in finding a workaround to decrypt files locked down by the third iteration of the Globe ransomware. The automatic decryptor restores files appended with the .decrypt2017 or .hnumkhotep extension.
FireCrypt infection goes equipped with a DDoS feature
This crypto malware concatenates the .firecrypt extension to filenames and leaves a [random]-READ_ME.html ransom manual. In addition to encoding a victim’s data, it also deploys a fairly weak DDoS attack targeting a hard-coded URL.
CryptoMix details unveiled
Analysts working on the CERT Polska team publish a comprehensive report dissecting the CryptoMix/CryptFile2 ransomware campaign.
JANUARY 5, 2017
A Californian legislation breakthrough
A law passed in the state of California identifies the use of ransomware as a standalone felony. This will facilitate the prosecution of ransomware distributors because the investigation of these cases no longer needs to revolve around money laundering charges.
KillDisk malware now goes with extortion features
The KillDisk infection isn’t a new one. Cybercriminals originally created it as an instrument to disrupt the activity of targeted organizations as it would simply erase data in a haphazard fashion. The new variant, however, has a different impact. It zeroes in on Linux systems, encrypts important files, and demands a big ransom for decryption. The amount may reach hundreds of Bitcoins.
iLock ransomware update
A brand-new version of the iLock ransom Trojan drops a recovery how-to called WARNING OPEN-ME.txt and provides a live chat option to reach the attackers. Communication with the C2 server can only be established via The Onion Router tool.
SkyName strain spotted
This one is an umpteenth derivative of educational Hidden Tear. It targets Czech users and demands 1000 Koruna ($40) for decryption.
New Depsex ransomware
The Depsex infection is also referred to as MafiaWare because it uses the .Locked-by-Mafia file extension. The ransom note is called READ_ME.txt. It is one more spinoff of the controversial Hidden Tear project.
JANUARY 6, 2017
Ransomware wreaking havoc with victim’s desktop
An interesting sample has been discovered that crams up the desktop of an infected system with numerous shortcuts pointing to ransomware payloads. The author of this virus, who goes by the handle L0NEw0lf, dubbed his infection BatzBack.HDFill.
Hidden Tear proof-of-concept abused again
Researchers spot a new ransom Trojan whose developers borrowed the code from Hidden Tear, a questionably useful educational ransomware. The real-world sample in question concatenates the .locked extension to files and leaves a README.txt ransom note.
JANUARY 7, 2017
Ocelot ransomware tries to teach users a lesson
Fortunately, this program is instructive rather than harmful. It does attack computers but simply displays a screen saying, “This could have been real.” As a bonus, the pseudo warning window provides several helpful links to download security software.
The number of infected MongoDB databases skyrockets
More than 10,000 MongoDB servers are being held for ransom worldwide. This amounts to a quarter of all online-accessible MongoDB databases.
A social engineering campaign targets UK schools
Threat actors have been cold-calling staff at different schools across the United Kingdom. The crooks’ goal is to dupe employees into installing ransomware.
CryptoRansomware, a new in-dev sample
Researchers discover another ransom Trojan prepping for real-world proliferation. Its warning window is full of curse words and has spelling errors.
VBRansom version 7 isn’t run-of-the-mill
The specificity of the offending program called VBRansom 7 is that it’s written in the Visual Basic .NET programming language. It appends the .VBRANSOM string to files. The deadline for paying up is one day.
JANUARY 9, 2017
The MongoDB issue gets worse
Members of an infamous cybercrime ring known as Kraken end up trying their hand at hijacking MongoDB databases, which turned out to be low-hanging fruit for attackers. The number of infected servers went up from 10,500 to about 28,000 in a couple of days.
Ransomeer contagion being created
This sample is a replica of the Dumb ransomware, as its authors denominated it. Ransomeer demands 0.3169 BTC and provides victims with a 48-hour payment deadline.
Merry X-Mas ransomware evolves into a bigger threat
An update of the Merry X-Mas crypto malady brought about some adverse enhancements. Along with affecting victims’ important data, the new edition also executes malware called DiamondFox. The opportunistic infection harvests users’ personal information, including passwords and sensitive documents.
Evil Ransomware surfaces
Written in JavaScript, this one uses the .file0cked extension to label affected data entries. Its ransom manual provides a victim’s unique ID and instructs them to send this string to [email protected] for further recovery steps.
JANUARY 10, 2017
Cerber ransomware tweak
The authors of the Cerber plague release an updated variant that leaves ransom notes called _HELP_DECRYPT_[random_chars]_.hta/jpg.
A college in LA falls victim to ransomware
An unidentified strain of ransomware attacks the Los Angeles Valley College, impacting email servers and other critical components of the IT infrastructure. In the long run, the college district paid $28,000 worth of Bitcoins, which is one of the biggest reported ransoms among organizations hit by crypto viruses.
Spora ransomware discovered
The first edition of the Spora ransomware propagates in Russia and a few more former Soviet states. However, its high sophistication level is a giveaway suggesting that the proliferation geography is going to expand. Spora uses strong encryption algorithms flawlessly, so there is no way to decrypt hostage data for free. Furthermore, it functions offline and boasts a payment site that looks just as professional as dashboards for top-notch affiliate platforms.
JANUARY 11, 2017
Criminals selling a script for compromising MongoDB
The Kraken cybercrime syndicate offers wannabe online malefactors the ability to purchase the MongoDB ransomware C# source code for $200.
JANUARY 12, 2017
Merry X-Mas ransomware encryption defeated
The Emsisoft security firm releases an automatic free decryptor that restores .MRCR1, .PEGS1, .RARE1, and .RMCM1 files locked by the Merry X-Mas ransomware.
Marlboro ransomware launched and cracked, all within 24 hours
Security analysts spot a new sample in the wild called the Marlboro ransomware, which uses the XOR encryption algorithm, appends the .oops extension to enciphered files, and drops the _HELP_Recover_Files_.html ransom note. Thankfully, Emsisoft’s Fabian Wosar creates an effective decryption tool less than a day after the infection was discovered.
JANUARY 13, 2017
Server attackers switch from MongoDB to ElasticSearch
As the MongoDB hijacking campaign suffered a decline, the same ne’er-do-wells shifted their focus over to ElasticSearch servers. The size of the ransom to recover an affected database is 0.2 BTC.
ODCODC ransomware decryptor updated
A new edition of the automatic decryptor has been released that supports the newest variant of the ODCODC ransom Trojan. Thumbs up to the efforts of the researcher nicknamed BloodDolly.
A buggy Kaandsona infection
Also referred to as RansomTroll, this one uses the .kencf string to stain affected files. At this point, though, the ransomware fails to complete the encryption job.
Cerber’s C2 server breached
Analysts find a loophole in the security of a server involved in the Cerber ransomware campaign. This flaw allows them to access logs related to infection statistics, including victims’ location details and IP addresses. According to the leaked information, most victims are in Europe and the United States.
JANUARY 14, 2017
New Samas version starts circulating
The updated threat appends the .powerfulldecrypt extension to files and creates the WE-MUST-DEC-FILES.html ransom help file.
JANUARY 15, 2017
CryptoSearch tool that helps ransomware victims
The gist of the CryptoSearch application is to facilitate ransomware troubleshooting rather than decrypt data. It identifies files affected by crypto malware on a computer and allows the victim to back them up to a separate location. This way, users can preserve the scrambled items so that they can be decrypted later on when an appropriate tool is available.
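The job CryptoSearch does, finding files by their ransomware extension and copying them aside with their directory layout intact, is small enough to show end to end. The script below is an added example, not CryptoSearch itself or any code from the article; the extension list is taken from this month’s entries, and the sample directory tree it scans is constructed inside a temporary folder. Generic extensions such as .locked, .crypt and .encrypted will also match legitimate files, so the copied set should be treated as a quarantine for later decryption, not as proof of infection.

```python
"""Locate files carrying a known ransomware extension and copy them, keeping
their relative paths, to a separate location where they can wait for a decryptor."""
import os
import shutil
import tempfile

# Extensions named in the January entries (matched case-insensitively on the tail).
RANSOM_EXTENSIONS = (
    ".helpmeencedfiles", ".powerfulldecrypt", ".noproblemwedecfiles",
    ".weareyourfriends", ".otherinformation",          # Samas / SamSam variants
    ".MRCR1", ".PEGS1", ".RARE1", ".RMCM1", ".merry",  # Merry X-Mas variants
    ".L0CKED", ".Locked-by-Mafia", ".firecrypt", ".VBRANSOM", ".file0cked",
    ".oops", ".kencf", ".stn", ".sifreli", ".doomed", ".killedXXX",
    ".paytounlock", ".vxLock", ".potato", ".evillock", ".gefickt", ".rdmk",
    ".locked", ".crypt", ".encrypted",                  # generic: expect false positives
)


def matched_extension(filename, extensions=RANSOM_EXTENSIONS):
    """Return the extension that matches the end of filename, or None."""
    lowered = filename.lower()
    for ext in extensions:
        if lowered.endswith(ext.lower()):
            return ext
    return None


def collect_encrypted(root, backup_dir, extensions=RANSOM_EXTENSIONS):
    """Walk root, copy every matching file under backup_dir with the same
    relative path, and return a sorted list of (relative_path, extension)."""
    copied = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = matched_extension(name, extensions)
            if ext is None:
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, root)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps timestamps, useful for a timeline
            copied.append((rel, ext))
    return sorted(copied)


def demo():
    """Build a constructed victim tree in a temp dir and run the collector on it."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        backup = os.path.join(tmp, "quarantine")
        samples = {  # constructed sample files, contents are placeholders
            "Documents/report.docx.MRCR1": b"\x00" * 16,
            "Documents/budget.xlsx.weareyourfriends": b"\x00" * 16,
            "Pictures/holiday.jpg.potato": b"\x00" * 16,
            "Pictures/holiday.jpg": b"\xff\xd8\xff",   # untouched original
            "YOUR_FILES_ARE_DEAD.hta": b"<html>",       # ransom note, not data
        }
        for rel, data in samples.items():
            path = os.path.join(victim, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        copied = collect_encrypted(victim, backup)
        # Every copied file must exist in the quarantine under the same layout.
        present = all(os.path.exists(os.path.join(backup, rel)) for rel, _ in copied)
        return {"copied": copied, "all_present": present}


if __name__ == "__main__":
    print(demo())
```

To use it on a real machine, point collect_encrypted at the affected volume and at a backup location on a different drive, then keep the original files in place as well; a decryptor released later may need the ransom note and untouched originals alongside the encrypted copies.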
JANUARY 17, 2017
Drastic decline of the Locky ransomware campaign
Some good news hits the headlines regarding Locky, one of last year’s most widespread crypto infections. Its distribution reportedly dropped by 81% during the Christmas and New Year holidays.
Cerber ransomware fine-tuned again
This time, the makers of Cerber have introduced a new set of ransom notes called _HELP_HELP_HELP_[random].hta and _HELP_HELP_HELP_[random].jpg. The campaign also engages new IP ranges for UDP stats, namely 90.2.1.0/27, 90.3.1.0/27, and 91.239.24.0/23.
Spora ransomware takes over Cerber in a way
According to some reports, part of the well-orchestrated online infrastructure previously used for distributing Cerber is now delivering Spora ransomware payloads. This fact suggests that the two campaigns are interrelated.
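The three UDP ranges quoted for the Cerber update are the kind of indicator a defender can check connection logs against straight away. The following added example, not code from the article, does that over a few constructed firewall-style log lines: it parses each line, keeps only UDP flows, and reports any whose destination falls inside one of the three CIDRs. The log format and the destination ports are assumptions for the sample; adapt the regular expression to your own firewall or NetFlow export.

```python
"""Flag outbound UDP flows to the address ranges named for Cerber's UDP statistics
beacons. The CIDRs come from the article; the log lines are constructed."""
import ipaddress
import re

CERBER_UDP_RANGES = [ipaddress.ip_network(cidr) for cidr in
                     ("90.2.1.0/27", "90.3.1.0/27", "91.239.24.0/23")]

# Constructed sample lines: timestamp action proto src:port -> dst:port
# (destination ports are part of the constructed sample, not from the article)
SAMPLE_LOG = """\
2017-01-17T10:02:11Z ALLOW UDP 10.0.0.15:49152 -> 90.2.1.7:6000
2017-01-17T10:02:11Z ALLOW UDP 10.0.0.15:49153 -> 91.239.25.200:6000
2017-01-17T10:02:12Z ALLOW UDP 10.0.0.15:49154 -> 8.8.8.8:53
2017-01-17T10:02:13Z ALLOW TCP 10.0.0.15:49155 -> 90.2.1.7:80
2017-01-17T10:02:14Z ALLOW UDP 10.0.0.22:51001 -> 90.2.1.40:6000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_cerber_ranges(addr):
    """True if addr lies inside any of the three published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CERBER_UDP_RANGES)


def find_cerber_beacons(log_text):
    """Return (source_ip, destination_ip, timestamp) for every UDP flow that
    targets one of the ranges; TCP flows to the same hosts are left alone."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "UDP":
            continue
        if in_cerber_ranges(rec["dst"]):
            hits.append((rec["src"], rec["dst"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for src, dst, ts in find_cerber_beacons(SAMPLE_LOG):
        print(f"{ts} possible Cerber UDP beacon from {src} to {dst}")
```

Note that 90.2.1.40 in the last sample line is deliberately outside the /27 (which ends at 90.2.1.31) and is not reported; a /27 is only 32 addresses, so matching on the exact prefix rather than on the first three octets avoids noise from neighbouring address space.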
JANUARY 18, 2017
Online extortionists get cynical to the bone
The cancer services agency Little Red Door of East Central Indiana undergoes a cyber attack. An anonymous hacker nicknamed The Dark Overlord claims to have stolen the organization’s records and erased data on its server, and demands a ransom of 50 Bitcoin (about $49,000) for not disclosing this fact to the public.
Here comes another Samas version
The updated Samas/SamSam strain adds the .noproblemwedecfiles string to encoded files and creates a recovery manual named 000-No-PROBLEM-WE-DEC-FILES.html.
More server types exposed to ransomware
Following the notorious incidents where MongoDB and ElasticSearch databases were hacked and held for ransom, cybercrooks started targeting unprotected CouchDB and Hadoop servers as well.
The Spora plague acting like a worm
Security experts raise red flags on a unique contamination vector leveraged by the relatively new Spora ransomware. This perpetrating program can be executed on computers through the use of .LNK files that look like regular Windows shortcuts. Once an unsuspecting user opens one of these booby-trapped files, obfuscated malicious code will fire the crypto ransomware process.
Merry X-Mas ransomware decryptor updated
Owing to another tweak of the MRCR decryptor by Emsisoft, Merry X-Mas ransomware victims whose files are appended with the .merry extension can restore these scrambled items for free.
Close ties between Locky and the Necurs botnet
According to Cisco Talos, a recent sharp decrease in the number of Locky ransomware infections is an outcome of the current inactivity of the botnet called Necurs. The volume of Locky spam dropped dramatically once Necurs went offline during the winter holidays.
Ransomware sample targeting Brazilian users
A new strain has the potential to become a scourge to Windows users in Brazil. It uses the .id-[victim_ID][email protected] file extension and the HOW_OPEN_FILES.html ransom note.
JANUARY 19, 2017
Cerber ransom notes change again
The updated Cerber ransomware uses a new combo of files providing a walkthrough for data decryption. These are _HOW_TO_DECRYPT_[random]_.hta/jpg.
New Russian Android ransomware is quite a nuisance
This malicious app locks an Android device’s screen rather than encrypting anything. It persistently displays a screen demanding a ransom of 545,000 rubles, which is the equivalent of about $9,100. This sample’s payload lurks inside legit-looking applications and obtains admin privileges on a targeted gadget.
Onset of the Satan RaaS
Experts discover a brand-new Ransomware as a Service platform propping up the activity of the crypto infection called Satan. The Tor-based online resource allows anyone interested to generate their personalized variant of the Satan ransomware. The offending program concatenates the .stn string to scrambled files and leaves the HELP_DECRYPT_FILES.html ransom note.
New Turkish ransomware in development
Analysts stumble upon a fairly raw file-encrypting virus sample configured to target Turkish users. It stains encrypted files with the .sifreli extension.
Yet another Hidden Tear based threat goes live
The strain called CryptoShadow is one more spinoff of the open-source educational Hidden Tear ransomware. It uses the .doomed file extension and drops the LEER_INMEDIATAMENTE.txt decryption how-to document.
JANUARY 20, 2017
Saint Louis public libraries under attack
Ransomware compromises the computer network of the Saint Louis Public Library. The hack disrupted the operation of the organization’s 16 branches, paralyzing book checkouts and public Internet access. The sleazeballs behind the attack demand $35,000 for recovery.
GlobeImposter ransomware is no longer an issue
Emsisoft researcher Fabian Wosar succeeds in defeating the encryption by a Globe ransomware copycat called GlobeImposter. This strain uses the .crypt extension and the HOW_OPEN_FILES.hta recovery manual.
DNRansomware appears in the wild
The new DNRansomware claims to utilize the Rijndael block cipher to lock down victims’ files. It concatenates the .f..ked extension to encrypted data entries. Having reverse engineered this sample, IT experts found that the unlock code is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.
“Jhon Woddy” ransomware tweak
This specimen has a common codebase with the above DNRansomware. It adds the .killedXXX string to mutilated files. The size of the ransom is 0.1 Bitcoin, and the deadline for submitting it is five days.
JANUARY 21, 2017
CloudSword, another emerging threat
This perpetrating entity wrongfully states that it has blocked a victim’s important files because of a violation of the Digital Millennium Copyright Act. That’s nothing but a bluff, of course. CloudSword drops a ransom note called Warning??.html.
JANUARY 22, 2017
Apocalypse ransomware update
The Apocalypse strain, also known as Al-Namrood, switches to using a new email address [email protected] for communication with victims. No other noteworthy changes have been made during this update.
JANUARY 23, 2017
Sage 2.0 distribution gaining momentum
This is a new cyber malady that proliferates via a massive spam wave. According to in-depth research of this campaign, the felons at the helm of Sage 2.0 have also been involved in spreading such notorious strains as Locky and Cerber. This fact is particularly unsettling because it suggests a likely large-scale propagation of the pest in the near future.
Samas devs keep coining updates
Yet another variant of the Samas ransomware appends the ironic .weareyourfriends extension to files and leaves the TRY-READ-ME-TO-DEC.html ransom note on an infected machine.
Jigsaw ransomware undergoes a modification
The Jigsaw strain authors hadn’t released new versions for quite a while. The fresh sample labels every encoded file with the .paytounlock extension.
A minor change made to CryptoMix
The latest edition of CryptoMix ransomware renames victims’ files according to the following pattern: [original_filename].email[email_address]_id[victim_ID].rdmk. The ransom how-to is still called INSTRUCTION RESTORE FILE.txt.
JANUARY 24, 2017
Spora ransomware goes international
Whereas Spora used to propagate only in Russia and a few neighboring countries, its reach broadens considerably. The plague is now ubiquitous across the globe.
RussianRoulette ransomware spotted
This one is a derivative of the Philadelphia ransomware, which has been around since early September 2016. The RussianRoulette sample demands 0.3 BTC for decryption.
The vxLock ransomware is nothing out of the ordinary
The name stems from the .vxLock extension being affixed to every scrambled file. The antivirus detection rate is very low across the board.
JANUARY 25, 2017
Android ransomware called Charger
The Charger lineage of Android malware is reaching devices via an intricate tactic. It is camouflaged as a battery optimization applet called EnergyRescue. When installed, this app pilfers a victim’s text messages and contacts, subsequently locking the infected gadget. What’s interesting is that users could download EnergyRescue from the official Google Play Store for a while. The ransomware discontinues the attack if it discovers that the device is located in Ukraine, Belarus, or Russia.
A clever security move by Gmail
Google’s Gmail service is going to start blocking attachments in JS format for security reasons as of February 13. This is reasonable, given the influx of ransomware attacks harnessing JavaScript files to infect email recipients’ machines.
Samas ransomware is more prolific than ever
Researchers discover one more iteration of the Samas, or SamSam, ransomware. It uses the .otherinformation suffix to brand affected files. The new name of the ransom note is 000-IF-YOU-WANT-DEC-FILES.html.
Potato ransomware, a new sample on the table
The file extension used by this new strain is .potato, and the ransom help files are README.png and README.html. The vegetable theme is something new in this domain of cybercrime. The threat actors are either running out of creativity or trying to be funny.
JANUARY 26, 2017
Another police department suffers a ransomware compromise
Ironically enough, law enforcement agencies aren’t bulletproof against crypto malware at all. The Cockrell Hill police department in Texas fell victim to file-encrypting ransomware, losing a huge amount of evidence and invaluable records. The strain to blame for this incident is the latest OSIRIS variant of Locky.
CryptConsole messes with filenames only
The sample called CryptConsole simply jumbles filenames and does not encrypt the files themselves. It prepends distorted filenames with one of the following email address strings: [email protected] or [email protected]. The ransom note is called “How decrypt files.hta.”
Infamous VirLocker in the wild again
After a while of inactivity, the VirLocker ransomware reappears as an advanced crypto menace. It encrypts a victim’s sensitive files and repackages them as EXEs, which is an uncommon routine for ransom Trojans. However, analysts discover that the current variant can be decrypted by entering a string of 64 zeros in the Transfer ID field on the VirLocker screen.
Merry X-Mas ransomware on the rise
The Merry X-Mas, or MRCR1, crypto baddie shows a rapid increase in distribution. Apparently, a new massive propagation campaign is underway.
CryptConsole decrypted
Researcher Michael Gillespie, also known in IT security circles as @demonslay335, creates a free decryptor for the relatively new CryptConsole ransomware described above.
JANUARY 27, 2017
MRCR decryptor updated
The Emsisoft decryptor for the Merry X-Mas ransomware undergoes some fine-tuning in response to the emergence of a new variant of the infection. The latest supported edition creates a ransom note named MERRY_I_LOVE_YOU_BRUCE.hta.
Jigsaw ransomware update
A new edition concatenates the [email protected] string to scrambled files, thus indicating contact details to reach the attacker and negotiate the terms of decryption. The automatic Jigsaw decryption tool can handle this version.
JANUARY 28, 2017
The Hitler ransomware refined
This bizarre strain is several months old, but it’s not until now that its final variant went live. At least, that’s what its dictator-themed warning screen says: “You’re infected with the FINAL version of Hitler Ransomware!”
RansomPlus sample spotted
The new RansomPlus contagion uses the .encrypted extension to blemish encrypted files and leaves the YOUR_FILES_ARE_ENCRYPTED!!!.txt ransom note. It instructs victims to send an email to [email protected] for recovery steps.
JANUARY 29, 2017
Austrian hotel falls victim to ransomware
Romantic Seehotel Jaegerwirt, a popular 111-year-old Austrian hotel, suffers the consequences of a ransomware attack. The worst part is that the threat actors paralyzed the digital key lock system, asking for 1,500 EUR worth of Bitcoins to restore the affected services.
New XCrypt targets Russian-speaking users
The specificity of the fresh XCrypt ransom Trojan is that its ransom note Xhelp.jpg contains Cyrillic text. Another offbeat property of this strain is that it instructs victims to use the ICQ instant messaging client to contact the attacker.
JANUARY 30, 2017
Ransomware distributors’ revenge
Shortly after the Emsisoft security firm released an updated variant of the MRCR (Merry X-Mas) ransomware decryptor, their website underwent a massive DDoS attack. The predicament lasted for eight hours, taking the company’s site down. Another security software vendor, Dr.Web, was hit around the same time.
Sage 2.0 campaign dissected
Analysts from the Swiss CERT (Computer Emergency Response Team) publish a report on the sophisticated Sage 2.0 ransomware. In particular, the research provides insight into the infection’s implementation of an asymmetric cryptographic standard and its use of an IP Generation Algorithm.
New Zyka sample spotted
This ransomware uses the AES-1024 crypto algorithm, concatenates the .locked extension to encoded files, and demands $170 worth of Bitcoins.
JANUARY 31, 2017
The intricate Netix ransomware
The uniqueness of this strain revolves around the fact that it impersonates an application called Netflix Login Generator v1.1, which allegedly provides access to compromised Netflix accounts. Meanwhile, though, the offending code encrypts the user’s data in the background and asks for $100 for decryption.
Rogue Chrome popups link to Spora plague
Security experts discover an interesting campaign where deceptive popups in Google Chrome point to a pseudo font pack update for the browser. This booby-trapped file ends up executing the Spora ransomware on a computer.
CryptoShield 1.0 features high-profile distribution
This spinoff of the CryptoMix ransomware arrives at computers via the RIG exploit kit. Before a would-be victim hits the exploit kit’s page, their traffic is forcibly redirected by malicious JavaScript code called EITest, which resides on malicious or compromised websites.
Another day, another Jigsaw update
A new specimen in the Jigsaw ransomware lineage adds the .gefickt suffix to scrambled files. Fortunately, it is decryptable for free.
New variant of Evil-JS surfaces
Another offspring of the Evil-JS ransom Trojan uses the .evillock file extension and provides a three-day deadline to submit the ransom of 0.3 BTC.
Locky Bart ransomware details revealed
Malwarebytes experts manage to access the backend server of the Locky Bart infection. They provide all their findings in a must-read blog post.
SUMMARY
A number of disconcerting trends took root last month. Android ransomware is becoming increasingly popular in the cybercriminal circles. The new Spora infection outperforms most of its file-encrypting counterparts in terms of propagation efficiency and cryptography implementation. Extortionists are heavily targeting MongoDB, ElasticSearch, CouchDB, and Hadoop databases. Compared to these tendencies, the considerable downturn in the infamous Locky ransomware campaign looks like cold comfort. With the abundance of different strains floating around the Internet, the precautions are timeless and invariable. End users and organizations should maintain backups, use effective security software, and treat spam as a potential means for contamination rather than simply a nuisance.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.