May 2017 shaped up to be the busiest ransomware month to date. The bare statistics speak for themselves: a total of 79 new strains came out and 38 existing ones received updates. Extortion-based cybercrime is obviously more prolific and ubiquitous than ever. Last month, the world confronted the unprecedented WannaCry ransomware epidemic employing NSA exploits. In fact, the aftermath of this outbreak remained a major issue weeks afterward. To top it off, a slew of junk ransomware samples and quite a few sophisticated ones went on a rampage. To their credit, security analysts were able to release 19 free decryptors. Read this timeline to stay on top of all ransomware records for May.
MAY 1, 2017
CryptoMix update tangles ransomware identification
A new variant of CryptoMix switches to using the following extension to label encrypted files: .[attacker's email].ID[victim ID].wallet. This would be a banal update if it weren't for the fact that a couple of other strains, including Dharma and Sanctions, also append the .wallet suffix to data entries, so it may now be problematic to tell the three samples apart.

Mikoyan specimen is on its way
Researchers come across a new in-development sample called Mikoyan. While still under construction, this one stains filenames with the .mikoyan string and uses the [email protected] email address to interact with victims.

Extractor ransomware surfaces
The strain in question concatenates the .xxx extension to hostage files, drops a ransom how-to document called ReadMe_XXX.txt, and instructs victims to contact [email protected] after submitting the ransom.

Meet Ruby, a new crypto baddie
Predictably enough, the new Ruby family blemishes encoded files with the .ruby extension. It also drops a ransom note named rubyLeza.html. Other than these indicators of compromise, there is hardly anything else worth mentioning about this commonplace infection.

Troldesh family replenished with a new offspring
A fresh edition of Troldesh, or Shade, ransomware starts circulating in the wild. The only tweak is the .crypted000007 extension added to filenames on a target computer. It still uses the README[random number].txt ransom note and displays its warning messages in English and Russian.

Maykolin is out
A new one called Maykolin displays a Dharma-style warning screen, subjoins the .[maykolin1234]@aol.com string to affected files, and creates a ransom note named [email protected]. The felons' email address isn't hard to figure out.

Amnesia starts making the rounds
The specimen called Amnesia concatenates the apropos .amnesia suffix to locked-down files and leaves a plaintext recovery instruction called HOW TO RECOVER ENCRYPTED FILES.txt. Victims are supposed to send their personal ID, which is indicated in the help file, to [email protected].

FileFrozr utilizes an extra anti-recovery mechanism
The new FileFrozr sample is available to wannabe crooks on a Ransomware-as-a-Service basis. It provides decryption steps in a document named READ_ME.txt. An interesting hallmark of this infection is that it invokes the built-in Windows command-line tool Cipher.exe to overwrite free space on the hard drive, so that forensic recovery of the deleted originals becomes ineffective.

Cry128 cracked
Emsisoft creates a cure for Cry128, the latest spinoff of the CryptON lineage. The decryption tool allows those infected to restore their important data for free.

Amnesia family gives birth to a new variant
It took the makers of the Amnesia ransomware literally one day to come up with a fresh build of their pest. The newcomer replaces original filenames with gibberish character strings and concatenates the .cryptboss suffix to each one.
MAY 2, 2017
Some sarcasm from ransomware devs
A Globe copycat called GlobeImposter undergoes an upgrade. The most recent iteration adds the .keepcalm extension to ransomed files. To add insult to injury, the bad guys behind this sample instruct plagued users to reach them via [email protected].

New F*ckTheSystem offspring appears
Security analysts spot another edition of the technically crude F*ckTheSystem ransom Trojan. The perpetrating program now uses the .anon extension to label scrambled files. Fortunately, the tool called StupidDecryptor, created by researcher Michael Gillespie, can handle this version and restore all data for free.

vCrypt zeroes in on Russian users
This sample affixes the .vCrypt1 string to filenames as part of the data scrambling workflow and adds a ransom how-to named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt. It targets users running the Russian localization of Windows.

PEC 2017, another geo-restricted strain
The new ransom Trojan called PEC 2017 doesn't proliferate outside Italy. It appends the .pec extension to victims' files and drops a ransom manual called AIUTO_COMO_DECIFRARE_FILE.html.

Haters is spotted in the wild
The file-encrypting threat under consideration got its name from the .haters string concatenated to hostage data entries. It appears to be from the same family as the above-mentioned .anon file virus. One thing they have in common is that the StupidDecryptor utility can restore files encoded by both.

Xncrypt, another lame sample on the table
Michael Gillespie's StupidDecryptor tool is getting more popular as one more supported ransomware shows up. This time it's a crude strain appending the .xncrypt string to encoded files. In addition to scrambling data, it also locks the victim's screen. Fortunately, researchers were able to obtain the hard-coded password for disarming the screen locker component: for the current variant it is 20faf12b60854f462c8725b18614deac.

Crypto threat with a spying module on board
Analysts from G Data come across an in-development ransom Trojan coded to combine data encryption with identity theft.
MAY 3, 2017
Cerber reaches version 6
A new variant of the dominant Cerber family is out. One of the significant tweaks is an enhanced AV evasion module that thwarts detection by quite a few security suites. Furthermore, the updated infection includes anti-debugging features to prevent analysts from scrutinizing its code. Another nontrivial modification is that Cerber is capable of circumventing UAC (User Account Control) to run with elevated privileges.

BTCWare update introduces no major changes
The latest version of the BTCWare ransom Trojan is basically the same as its forerunner, except that it now appends the .cryptowin extension to filenames.

New screen locker starts propagating
Malware analysts at G Data spot a primitive screen locker that uses an anime-themed background and instructs victims to pay with a Visa card. The white hats didn't find it difficult to retrieve the unlock password, which is KUrdS12@!#.

X0LZS3C demands way too much money
A data-encrypting sample called X0LZS3C is reportedly another variant of ShellLocker, which has been around since November 2016. It uses the .x0lzs3c extension to stain enciphered files and requests an unusually high ransom of 2 BTC. The deadline to pay up is 48 hours.

BTCWare is no big deal anymore
Michael Gillespie, the creator of the ID Ransomware portal, teams up with another researcher to cook up a fix for the BTCWare infection, and it all works out. The free tool called BTCWareDecrypter restores locked files with the .cryptobyte or .btcware extension.

Clouded ransomware floating around
This aggressive strain concatenates the .cloud extension to mutilated data items and claims to delete any new files copied or moved to the infected computer. It demands 0.1 BTC (about $180) for decryption.

GlobeImposter changes its propagation tactic
The fairly widespread Globe lookalike referred to as GlobeImposter starts leveraging the infamous "Blank Slate" malicious spam campaign to propagate. This variant subjoins the .crypt string to the end of filenames and provides recovery steps in a How_to_back_files.html document.
MAY 4, 2017
Rans0mLocked is a hard nut to crack
Although this specimen doesn't look very sophisticated on the outside, it implements its crypto correctly and therefore cannot be decrypted for free at this point. Rans0mLocked uses the .owned file extension, interacts with its C2 over Tor, and demands 0.1 BTC for recovery.

New Portuguese ransomware spotted
This one arrives as an Anti-DDoS.exe file and displays a rogue Windows update screen to hide the payload execution. It is based on crude open-source ransomware code. Luckily, the StupidDecryptor tool by Michael Gillespie can handle it and restore files.
MAY 5, 2017
CTB-Locker replica spreading on a RaaS basis
A Russian RaaS platform called Fatboy is discovered that supports the distribution of a crypto infection resembling the notorious CTB-Locker, or Critroni. Perhaps the most offbeat feature of this ransom Trojan is that it grabs a victim's IP address to determine their geographic location and then adjusts the ransom size based on the Big Mac Index.

Unexpected incarnation of Jigsaw
The most recent variant of Jigsaw mimics a credit card generator called "CCgen 2017" while trespassing on a computer. Having done the encryption job, it concatenates the .fun extension to files.

NewHT pest is underway
The name of this offending program suggests that it may be a derivative of Hidden Tear, a proof-of-concept ransomware that originally pursued academic goals but ended up being weaponized by real-life cybercrooks. NewHT uses the .htrs string to mark affected files and a readme.txt ransom how-to.

A ZipLocker spinoff is on the loose
This malicious entity transfers one's personal files into a password-protected ZIP archive. A byproduct of this routine is that files are renamed according to the following pattern: [filename]+locked.zip. The ransom note is called UnlockMe.txt. When reversing this Trojan's code, researchers figured out that the hard-coded unlock password is "Destroy".
MAY 6, 2017
Enjey update
The only change that makes the latest Enjey edition different from its precursor is a new token attached to the end of a victim's filenames. The string is [email protected].

A fix for Amnesia now available
No, it's not about a human disease. It's about the Amnesia ransomware that uses the symmetric AES-256 cipher to lock one's files down. Emsisoft creates a free decryptor that restores data with the .amnesia extension.

Jigsaw switches to using a new extension
Yet another variant of Jigsaw is out. It concatenates the .pay extension to scrambled files. Fortunately, it's still decryptable courtesy of researcher Michael Gillespie, who updated his free tool called Jigsaw Decrypter.

Bizarre marketing for FrozrLock RaaS
Malefactors behind the FileFrozr infection adopt an interesting tactic to advertise their abominable product on the Dark Web. Its distribution is propped up by a RaaS system called FrozrLock, which praises the pest as a "great security tool that encrypts most of your files in several minutes." What mockery on the part of the bad guys! Would-be crooks can use this service to launch an extortion campaign of their own for $220, which is lower than the average ransom size across the board.
MAY 7, 2017
Fleeting success of Crypto-Blocker
This file-encrypting malware allows victims to choose their preferred payment currency out of dollars, euros or pounds, the amount being 10. It also sets a 5-hour deadline to pay up. The good news is that security enthusiasts got hold of the decrypt code, which is 01001.

ThunderCrypt propagates via a compromised website
The distributors of this ransomware chose to go a different route than most of their ill-disposed colleagues. They were able to inject a malicious script into a Taiwanese forum. As a result, people visiting this page see a rogue Flash update screen. If they click to trigger this camouflaged payload, ThunderCrypt contaminates the target computer behind the scenes.
MAY 8, 2017
First insurance precedent over crypto-malware
Having fallen victim to a ransomware infection, an unnamed law firm from Rhode Island filed a lawsuit against their insurance company to get compensation for the losses. The firm in question had reportedly paid $25,000 worth of Bitcoin to get their proprietary data back. The amount demanded as reimbursement is $700,000.

BitKangoroo causes some extra damage
The file-encrypting Trojan under consideration uses the .bitkangoroo suffix to stain ransomed data entries. The worst part about this attack is that the infection deletes one file every hour until the ransom is submitted. Luckily, the creator of the ID Ransomware service quickly contrived a free decryption tool for this strain, so victims should hurry up and use it before their files start vanishing beyond recovery.
MAY 9, 2017
GruxEr is out of the ordinary
This new sample stands out from the rest because it goes equipped with a combo of a screen locker, a Hidden Tear PoC spinoff that encrypts data, and a component that wreaks havoc with files stored in JPG format.

BTCWare keeps changing
Another variant of the BTCWare strain is discovered. It appends victims' files with the .[[email protected]].theva extension.

Ties between PadCrypt and the NemeS1S RaaS
A new RaaS platform called NemeS1S pops up in the cybercrime underground. It turns out to be currently supporting a PadCrypt distribution wave, so crooks can spread the perpetrating program on an affiliate basis while sharing a cut of their revenue with the developers.

RSAUtil executed on PCs manually
The indicators of compromise in the RSAUtil attack scenario include the [email protected][8 random digits] file extension as well as a ransom note named How_return_files.txt sprinkled across a plagued system. The criminals execute this Delphi-based threat on computers via hacked remote desktop services.
MAY 10, 2017
vCrypt is on its way
There are very few strains out there attacking Russian users only. The sample called vCrypt is one of them. It appends hostage files with the .vCrypt1 extension and leaves a ransom how-to document called КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt, which translates as "How to decrypt files". As opposed to the overwhelming majority of its counterparts, it only targets 19 file formats.

Screen locker with a hue of politics
A new low-impact sample appears that only locks the victim's screen without encrypting any data. Its only noteworthy trait is that it displays photos of South Korean presidential election candidates.

New Locky edition might be out
Security enthusiasts come across a strain whose ransom notes and victim interaction components resemble Locky's. It uses the .loptr file extension and a loptr-[4 random characters].htm recovery how-to. In Norse mythology, Loptr is a god of chaos, so it looks like the threat actors are sticking with the theme that started with the Thor and Aesir variants.

Amnesia decryptor enhanced
Emsisoft CTO Fabian Wosar releases an updated edition of his decryptor for Amnesia. The tool can handle all known variants of the said crypto infection.
MAY 11, 2017
Jaff, a Locky lookalike
The reason researchers put Locky and the new Jaff ransomware in the same basket is that they share an identical payment site. The newcomer, most likely a copycat of the infamous extortion predator, concatenates the .jaff string to locked files, drops a ReadMe.html ransom note, and demands 2 BTC (about $3,600) for recovery.

Expert thoughts on the Jaff pest
A fresh write-up published on the Emsisoft blog provides an in-depth analysis of the above-mentioned Jaff ransomware and its possible ties to Locky. While both rely on the Necurs botnet to propagate and appear similar on the outside, the verdict is that Jaff is less technically complex. So the payment site design is probably nothing but a red herring.

SLocker returns with a hefty army of spinoffs
Android crypto-malware called SLocker, which had been barely active for about a year, spawns hundreds of new derivatives. The updated code of these multiple variants features better AV evasion techniques and enhanced malicious functionality to make the impact on an infected device more severe and complicate remediation.
MAY 12, 2017
GruxEr gets a revamped look and feel
The desktop wallpaper displayed by GruxEr now has a Matrix effect, with multiple green 1s and 0s vertically lined up on a dark background. It demands $250 worth of Bitcoin for recovery.

Primitive evolution of vCrypt
vCrypt went through some cosmetic changes over the two days it has been around. First, it was renamed to aCrypt and then to bCrypt. Nothing else has been modified, so it's still an unsophisticated threat zeroing in on Russian users.

Wana Decrypt0r 2.0 making the rounds on a huge scale
This successor of WannaCry ended up becoming much more toxic. The first reports about the new propagation wave came in from Spain, where a large telco provider called Telefonica got hit and was forced to shut down part of its operations because of the onslaught. It soon claimed many more victims in other countries, including Deutsche Bahn in Germany and various organizations in Ukraine, England, Hungary, China, and Russia. The updated Trojan appends the .WNCRY, .WCRY, .WNRY or .WNCRYPT extension to encrypted files and drops a ransom note named @[email protected].

High-profile actors behind WNCRY malware
Cybercrooks responsible for the Wana Decrypt0r outbreak are harnessing NSA exploits dubbed EternalBlue and DoublePulsar to deposit their bad code onto machines all over the world. In other words, the threat actors are exploiting vulnerabilities in the Microsoft Server Message Block 1.0 (SMBv1) protocol to pull off the attack without user involvement. The aforementioned exploits were leaked in mid-April by a group of black hat hackers calling themselves The Shadow Brokers.

Additional details on WannaCry attack anatomy
Unlike commonplace ransomware samples, WannaCry (also referred to as Wana Decrypt0r, WannaCrypt, Wana Cryptor, or WNCRY) doesn't need a would-be victim to open any email attachments or click on anything. Instead, it traverses the Internet in search of servers with TCP port 445 exposed. When an accessible port is found, the contagion uses the SMB vulnerability to plant the payload onto the target machine. This scheme takes the user out of the equation, so the only way to avoid the plague is by patching this gaping hole in the security of Server Message Block 1.0. Microsoft had released the relevant patch back in March, but obviously not everyone applied it.

WannaCry heat map
Based on data aggregated by security researchers, The New York Times provides an animated map reflecting the current proliferation status of the WannaCry plague.
MAY 13, 2017
The "kill switch" for Wana Decrypt0r
It turns out that this vicious ransom Trojan leverages an offbeat trigger for its attacks. Before the compromise enters its active phase, the infection tries to reach a predefined domain. The original URL was iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If this domain is unregistered and the request fails, the attack moves on; if the domain responds, the malware stops. A security expert nicknamed MalwareTech was able to halt WannaCry proliferation temporarily by sinkholing this domain, reportedly by accident.

Urgent anti-WannaCry countermeasures by Microsoft
In light of the ongoing WannaCry epidemic, Microsoft releases additional SMBv1 vulnerability patches for Windows XP, Windows 8, and Windows Server 2003. The company also recommends disabling the old Server Message Block 1.0 protocol to stay on the safe side.

The forthcoming Tdelf
Researchers from MalwareHunterTeam (MHT) spot a new crypto malady before it starts propagating in the wild. This in-development strain is configured to append the .tdelf suffix to ransomed files. Hopefully, it will never go live.

Unsophisticated SecretSystem sample
A ransom Trojan is released whose warning screen reads, "All your files are encrypted by SecretSystem," hence its name. It uses the .slvpawned extension to blemish encoded files. It appears to be based on crude open-source ransomware code available on darknet resources. Luckily, the StupidDecryptor app referenced above can take care of this one.

Another questionable remake of vCrypt
A new derivative of vCrypt surfaces. The only conspicuous change is that it got renamed to xCrypt.

Stampado spinoff in the wild
The Stampado family spawns a fresh offspring dubbed Zelta. It affixes the .locked suffix to no-longer-accessible data entries and deletes a random file every six hours until a victim pays up.
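Microsoft's advice above (disable SMBv1, patch, and keep port 445 off the open Internet) is the defensive counterpart to the port-445 scanning described under May 12. As an added example that is not part of the original post, the following PowerShell audit-and-harden script assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the SmbShare and NetSecurity cmdlets are available; the MS17-010 KB number is a placeholder that has to be looked up for your OS build.

```powershell
# Added example (not from the original post): audit and reduce the SMBv1 exposure
# that the WannaCry worm component abused. Run as Administrator.

# 1. Is the SMBv1 server protocol still enabled? EternalBlue targets SMBv1 only.
$smb = Get-SmbServerConfiguration
"SMBv1 server protocol enabled: $($smb.EnableSMB1Protocol)"

# 2. Who is currently connected to TCP 445 on this host? Unknown remote peers
#    on an Internet-facing machine are a sign it is reachable the way the
#    honeypot in this timeline was.
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess

# 3. Turn SMBv1 off unless a legacy device genuinely needs it.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Remove the optional feature as well (takes effect after a reboot).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. Block unsolicited inbound SMB from non-local networks; "Internet" is a
#    built-in address keyword meaning "not on the local subnet/intranet".
New-NetFirewallRule -DisplayName "Block inbound SMB from Internet" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress Internet -Action Block

# 5. Confirm the March MS17-010 update is installed. <KB-FOR-THIS-OS> is a
#    placeholder: the KB id differs per Windows version and is listed in the bulletin.
$patch = Get-HotFix | Where-Object HotFixID -eq 'KB<KB-FOR-THIS-OS>'
if ($patch) { "MS17-010 present: $($patch.HotFixID)" } else { "MS17-010 NOT found" }
```

Step 3 is the one that can break things: hosts that still serve old printers, NAS boxes or Windows XP clients over SMBv1 will lose those shares, so check step 2 before flipping it.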
MAY 14, 2017
WannaCry keeps showing its teeth
Malware researchers demonstrate how massive the WannaCry ransomware wave is. An analyst from France known in security circles as Benkow set up a honeypot server exposing the SMB (Server Message Block) vulnerability that this strain exploits to contaminate computers. It took the Internet-borne infection less than three minutes to infect this server.

Microsoft reprimands NSA for WannaCry outbreak
Brad Smith, Chief Legal Officer at Microsoft, publishes a post on the company's corporate blog in which he reproaches the National Security Agency for handling its cataloged exploits inconsiderately. As a result of these poor security practices, The Shadow Brokers cybercrime group stole critical exploits, including the one dubbed EternalBlue that was used in the WannaCry campaign.

A lame Jigsaw copycat pops up
Security analysts come across a Jigsaw lookalike that appends encrypted files with the .fun extension. Since its crypto isn't professional enough, the experts were able to get hold of the decrypt code, which is "FAKEJIGSAWRansomware".

GlobeImposter edition resembling Dharma strain
The new iteration of the GlobeImposter Trojan feels like Dharma in a way. The common ground is that it stains encrypted files with the .wallet suffix. The data decryption manual is named how_to_back_files.html.

GruxEr update featuring hardly any enhancements
GruxEr no longer uses a Matrix-style background for its warning window. Other than that, it is still the same infection with buggy crypto. The file extension token is .grux.
MAY 15, 2017
WannaCry starts spawning copycats
The newsmaking onset of WannaCry has obviously inspired other wannabes to follow suit. Some of these not-so-sophisticated spinoffs include DarkoderCrypt0r, Aron Wanacrypt0r 2.0 Generator v1.0, Wanna Crypt v2.5, WannaCrypt 4.0, and Wana Decrypt0r 2.0.

New kill switch for WannaCry pest
The architects of this extortion campaign set up a different kill switch domain after the original one was registered by researchers, which temporarily halted the global onslaught. Fortunately, the new one was quickly identified and sinkholed as well.

The bulletproof WannaCry version coming up?
Security analysts discover someone's attempt to cook up a WannaCry edition that drops the kill switch principle from its modus operandi. This strain is currently in development and will hopefully stay that way.

Toxic combo distributed by RIG EK
The exploit kit called RIG is currently propping up a new malware propagation wave. Specifically, it is employing software vulnerabilities to deposit the Pony malware onto computers, which in its turn installs Philadelphia ransomware.

OnyonLock representing a known lineage
A new ransom Trojan called OnyonLock appears to be a BTCWare derivative. It concatenates the .onyon string to scrambled files and sprinkles "!#_DECRYPT_#!.inf" ransom notes all over the plagued computer.

The timely May Ransomware
The authors of the May Ransomware have evidently picked an apropos name for their extortion tool, given the month of its release. It blemishes enciphered files with the .locked or .maysomware extension and drops a ransom how-to called Restore_your_files.txt.

Kee is the lowest of the low
The sample called Kee locks down one's important files but provides absolutely no possibility of restoring them. Therefore, victims simply end up losing data.

The almost funny FartPlz
This Python-based strain concatenates the .FartPlz extension to ransomed files. What kind of a recommendation is that? Go figure. This one drops a ransom note called ReadME_Decrypt_Help_.html.
MAY 16, 2017
Cryptocurrency miner that helps avoid WannaCry
A malicious program called Adylkuzz, which mines the Monero digital currency, turns out to be a cure for WannaCry, no matter how bizarre that may sound. Just like the said ransom Trojan, it harnesses the EternalBlue and DoublePulsar exploits to contaminate computers. Once in, it blocks SMB networking on the infected host during its own malicious reconnaissance, thus eliminating the main entry point for WannaCry.

Prevalence of WannaCry becomes an Internet meme
Enthusiasts with a sense of humor use image-editing software to doctor pictures of various devices, including old mobile phones, microwave ovens, washing machines, and watches, with a WannaCry ransom warning on their screens.

BTCWare is no longer an issue
Somebody, presumably the developer of BTCWare, posted the Master Decryption Key for this strain on a security forum. Researchers use this data to come up with a free decryptor.

Wanna Subscribe 1.0, another WannaCry lookalike
The Java-based sample in question stands out from the pack as it allows victims to get their data back after they subscribe to a specified YouTube channel.

Xorist lineage gets refreshed
A hallmark sign of the latest Xorist edition is the .SaMsUnG extension subjoined to encrypted data entries.

New version of Jigsaw doesn't wish victims well
The only noteworthy change that took effect with the latest Jigsaw update is the .die extension affixed to hostage files.

Lockout unleashed
This one labels encrypted files with the .Lockout extension and drops a Payment-Instructions.txt help document. An interesting trait of the Trojan is that it presents its data decryption instructions on a screen shown before Windows logon. According to this message, the attacker's email address is [email protected]. The ransom doubles unless a three-day payment deadline is met.

Joy over ostensible Spora decline is premature
According to MalwareHunterTeam, Spora is regaining momentum after a significant downturn that lasted about a month.
MAY 17, 2017
Experts shed light on WannaCry attribution
Based on comparative analysis of MD5 hashes, a number of security companies speculate on likely ties between WannaCry and the Contopee backdoor malware distributed by a North Korean cybercriminal ring dubbed the Lazarus Group.

Another remake of GlobeImposter
Researchers spot a fresh variant of GlobeImposter. It subjoins the .nCrypt or .hNcrypt extension to locked files.
MAY 18, 2017
Uiwix strain spreading like WannaCry
A file-encrypting baddie called Uiwix is making the rounds via the much-discussed NSA exploit called EternalBlue. Victims' files get suffixed with the .UIWIX extension, and a ransom how-to called _DECODE_FILES.txt appears on the desktop and inside folders with scrambled data.

Unexpected turn of events with the Wallet ransomware
Someone nicknamed "lightsentinelone" posted a Pastebin link on the BleepingComputer forums that leads to Master Decryption Keys for Wallet. Later on, Avast updated its automatic CrySiS Decryptor to support the infection and restore .wallet extension files for free.

Haters ransomware gets new look and feel
The latest iteration of the Haters ransom Trojan features an all-new warning screen that resembles that of WannaCry. It demands $500 for file decryption and includes a PayPal payment option, which is really bad OPSEC, obviously.

Malware analysts interviewed on WannaCry campaign
Emsisoft posts an article on their blog in which security researchers Fabian Wosar and 'xXToffeeXx' answer questions regarding fundamental details of the WannaCry epidemic.

Crooks still busy coining WannaCry copycats
A sample called WannaCry Decryptor v0.2 is one of the numerous imitations of the notorious prototype. Unfortunately, there is absolutely no way to decrypt files in this case, not even through ransom payment.

Small breakthrough in combatting WannaCry
Security experts create an application named WanaKiwi that may be able to decrypt .WNCRY files as long as certain conditions are met. This tool is applicable only when the victim has not restarted the infected machine and the ransomware process has not been forcibly stopped.
MAY 19, 2017
New type of targets for WannaCry
This nasty Trojan expands its reach. It has reportedly contaminated various Windows-based medical devices by Siemens as well as radiology equipment by Bayer. The most likely entry point was the SMBv1 protocol.

XData making lots of victims in Ukraine
The propagation of this strain is mostly restricted to Ukraine (95% of all victims), with the rest of the contamination incidents occurring in Germany, Estonia, and Russia. XData keeps original filenames unaltered, appends the .~xdata~ extension to each one, and drops a ransom note named HOW_CAN_I_DECRYPT_MY_FILES.txt.

BTCWare decryption tool made more effective
Researcher Michael Gillespie teams up with colleagues to update his free decryptor for BTCWare. The tool can now restore mutilated files with the following extensions: .cryptobyte, .btcware, .onyon, .cryptowin, and .theva.

Screen locker that's nothing but scareware
The malware in question locks one's screen and displays a message reading "Hacked by Yuriz MA" at the top. The rest of the warning is available in English and French. Fortunately, it doesn't do any crypto and can be bypassed by hitting Alt+F4, as simple as that.

An umpteenth WannaCry knockoff surfaces
The new junk replica is called Wana Decrypt0r 3.0. Although it does not encrypt anything at all, it still demands $600 worth of Bitcoin.

VisionCrypt 2.0, a garden-variety strain
Predictably enough, this one appends scrambled files with the .VisionCrypt extension. It displays a countdown clock to pressure victims into submitting the ransom, which amounts to a Bitcoin equivalent of $25.
MAY 20, 2017
Ransomware stealing images
A sample is discovered that only zeroes in on victims' image files. It sends them to the attacker's email address and, when done, erases the originals.
MAY 21, 2017
Crooks keep sticking with WannaCry theme
Yet another WannaCry copycat surfaces. Just like the original strain, it's called Wana Decrypt0r 2.0. Fortunately, this one doesn't do crypto, so it's not much of an issue.

Decryption Assistant ransomware
This sample is currently in development. It uses the .pwned string to label encrypted files and threatens to destroy the decryption key in 60 minutes unless paid.

D2+D ransomware
The warning screen displayed by this infection says it's "harmless after purchase". D2+D also claims to provide a discount of up to 90% for poor people, whatever that means.

Screen locker with a strange name
Researchers discover new screen-locking malware named Unidentified, created by someone named Subham Dasgupta. It demands $1,000 worth of Bitcoin to unlock.

BTCWare decryptor updated
The latest edition of this free decryption tool by Michael Gillespie partially addresses the hurdles with retrieving the private key for the .onyon extension variant of this Trojan. Thanks to the enhancement, it can now decrypt some of these files.
MAY 22, 2017
North Korea claims it has nothing to do with WannaCry outbreak
Kim In Ryong, North Korean representative at the United Nations, makes an official statement regarding his country's imputed involvement with WannaCry creation and distribution. He calls these claims "ridiculous".

Rogue WannaCry spinoffs keep coming
Another one called Wana DecryptOr 2.0 pops up. Its ransom warning is pretty much a replica of the one generated by the prototype.

New crypto-malware hunt kicks off
The creator of the ID Ransomware service encourages fellow researchers to team up on hunting down the VMola strain. This sample concatenates the (Encrypted_By_VMola.com) extension to locked files and leaves a how-to document called Ransom.rtf.
MAY 23, 2017
Jaff update
The indicator of compromise that has been modified as part of the new Jaff version release is the .WLU extension affixed to filenames. The look and feel of the infection has changed as well: the ransom notes now look more professionally tailored.

CVLocker baddie spotted
Since the development of this perpetrating program is still in progress, it has limited functionality. Most importantly, it doesn't implement crypto at this point.

Widia screen locker on the table
Although Widia claims to encrypt all documents, photos, databases and other important files on the infected computer, that's nothing but a bluff. All it does is display a lock screen with some text in Romanian. The Alt+F4 combo will do the unlock trick.

MemeWare, another junk screen locker
This in-dev sample displays an "FBI Anti-Piracy Warning" to pressure victims into submitting $200 via MoneyPak. Luckily, security analysts got hold of the unlock password, which is 290134884.
MAY 24, 2017
Elmer’s Glue Locker v1.0
The lock screen displayed by the Trojan in question reads, “Your computer has been locked with very sticky Elmer’s Glue”. It asks for a whopping 16 Bitcoins, or about $38,000. Hey crooks, better luck next time: all it takes to fix the issue is to boot into Safe Mode with Networking and remove the pest with a regular AV suite.

Deos spotted
The sample called Deos is just a commonplace derivative of the open-source Hidden Tear, which was originally created as a proof-of-concept.

Russian clone of CryptoWall
A .NET edition of the newsmaking CryptoWall ransom Trojan surfaces. This copycat isn’t even close to its prototype in terms of sophistication, though. It displays a warning screen with some Russian text and concatenates the .wtdi suffix to every scrambled file.

Scammers harnessing WannaCry plague as a lure
A new wave of tech support scams is underway in the UK. This time, the fraudsters use the fear surrounding the recent WannaCry onslaughts in order to dupe victims into calling rogue technical support.

MoWare infection released
Cybercriminals keep abusing academic ransomware code to launch real-life extortion campaigns. A new offspring of the Hidden Tear PoC called MoWare H.F.D. is spotted in the wild. It uses the .H_F_D_locked string to blemish encrypted files.

New BTCWare decryption tool is out
Avast creates a free decryptor for the BTCWare strain. The utility can restore ransomed files with the following extensions: .theva, .cryptobyte, .cryptowin, .btcware, and .onyon.

Xorist edition resembling XData
A fresh version of Xorist appends files with the .xdata extension, which is the one used in the recent XData outbreak in Ukraine.

The bluff of Adonis
The sample called Adonis is written in the AutoIt scripting language. It claims to encode a victim’s data but doesn’t utilize any type of cipher for real. The size of the ransom is 0.1 Bitcoins, or $240.
Thor that’s not a Locky variant
Although the new Thor sounds reminiscent of the old and mostly deceased Locky virus that used the .thor file extension, it was developed independently. It encrypts data, replaces the desktop background with a warning image, and requests 0.5 Bitcoins for decryption.

“Mother of All Viruses” doing a lot of damage
Analysts spot a Trojan that uses the “mother of all viruses.exe” payload to infect computers. Whereas its ransom note says the victim’s files have been encrypted, the actual effect is different. The pest launches a batch command that tries to format hard drive volumes.

4rw5w mimics WannaCry quite well
The strain under consideration is one of the fairly successful WannaCry clones. It uses similar names for its components and, most importantly, relies on the so-called “kill switch” principle to start the active phase of the assault. The extension it appends to filenames is .4rwcry4w.
MAY 25, 2017
AES-NI is now decryptable
The developer of the highly aggressive AES-NI chose to bring his extortion wave to an end. This unidentified individual reached out to security researchers to provide master decryption keys for different variants of the family.

Clues about WannaCry attribution
Analysts at Flashpoint scrutinized WannaCry from a linguistic perspective. The verdict is that the offensive program is likely to have been tailored by a Chinese-speaking individual or individuals.

LightningCrypt, another crypto malady
The new strain called LightningCrypt threatens to delete some files every time the victim tries to remove the malicious program from their computer. It subjoins the .lightning extension to hostage files and demands 0.17 BTC for decryption.

CrystalCrypt, a LightningCrypt successor
According to experts’ insight, these two infections have common roots. As opposed to its predecessor, CrystalCrypt uses the .blocked suffix to label encoded files.

Low-impact Mancros+AI4939 Trojan
This one is a screen locker that doesn’t encrypt any files, although its warning message says it does. It demands $50 worth of Bitcoin to unlock.

New extension used by BTCWare
This ransomware now stains victims’ data entries with the .xfile extension. Courtesy of analysts, the previously created free decryption tool already supports this edition.

DMALocker 3 pops up
This fresh incarnation of the old DMALocker tells victims to reach the attacker via the [email protected] email address in order to receive the recovery how-tos. The ransom amounts to 1 Bitcoin.
MAY 26, 2017
AES-NI automatic decryptor available
Avast adds a new free decryption tool to its collection. The company’s research team used the previously dumped master decryption keys for AES-NI to create an automatic recovery solution.

The not-so-optimistic WanaDie
WanaDie appends the names of encrypted files with the .WINDIE extension. Its warning message contains a bunch of swear words. Fortunately, it can be decrypted without paying the ransom.

StupidDecryptor made more powerful
The remarkable StupidDecryptor solution, which cracks multiple junk ransom Trojans, undergoes an enhancement. Its latest version also decrypts files with the .f**king and .WINDIE extensions.

Crying, another crypto sadness
This Hidden Tear derivative concatenates the .crying string to enciphered files and leaves a ransom message named READ_IT.txt.

Roblocker X configured to target a single type of files
According to its warning screen, the in-dev Roblocker X zeroes in on Roblox game files found inside an infected host. However, its impact is currently restricted to displaying a lock screen with an image of a kid on it. The code to unlock is PooPoo.

GlobeImposter variant featuring a verbose file extension
The brand new edition of GlobeImposter couldn’t possibly get any more comprehensive as far as its file extension token is concerned. It affixes the .write_us_on_email extension to scrambled files and drops a ransom note named how_to_back_files.html.
MAY 27, 2017
Primitive-looking yet harmful Dviide
Perhaps the creators of this sample meant to name it “divide”, which would make much more sense. Anyway, the ransomware concatenates the .dviide suffix to encoded files and implements crypto quite robustly.

New Chinese screen locker spotted
The lock screen used by this Trojan contains some warning text in Chinese. An interesting feature is that it also provides a QR code to enhance the extortion functionality.
MAY 28, 2017
LockedByte using XOR cipher
The sample called LockedByte appends encrypted files with random extensions. It replaces one’s desktop wallpaper with a black image containing hardly discernible blue text. The ransom amounts to $1,000 worth of Bitcoin.
MAY 29, 2017
Houdini RAT and MoWare distribution boost
A crook named Mohammed Raad, who goes by the online handle “vicswors baghdad”, is reportedly responsible for spreading the Remote Access Trojan dubbed Houdini. According to researchers, this individual’s recent occupation revolves around the MoWare H.F.D. propagation campaign.

BlackSheep with some mystical undertone
The strain called BlackSheep subjoins the .666 extension to scrambled files. It requests a Bitcoin equivalent of $500 for recovery and provides a 54-hour deadline for payment. Fortunately, it is crackable with the StupidDecryptor tool.

1337-Locker pest is out
The new 1337-Locker randomizes victims’ filenames and blemishes them with the .adr extension. The ransom note instructs plagued users to click the Contact Me button for decryption steps.

DolphinTear, another run-of-the-mill baddie
Cybercriminals continue harnessing the educational HiddenTear to coin real-world strains. The new derivative called DolphinTear uses the .dolphin string to label affected data.

Sample leveraging WinRAR
A new in-dev perpetrating program surfaces that moves a plagued user’s personal files to a password-protected WinRAR archive rather than encrypting each one individually. Its code suggests that the author’s name is Tuan Linh.

SintaLocker representing a known family
According to the results of reverse-engineering, the sample called SintaLocker is a spinoff of CryPy. It provides a ransom how-to named README_FOR_DECRYPT.txt and instructs victims to contact the extortionist via [email protected].

New unnamed strain being created
Malware analysts come across an in-development ransomware strain that displays a ransom note window titled “Your files have been blocked”. It is configured to demand $50 worth of Bitcoin.

Jigsaw iteration featuring a scary clown theme
The latest edition of Jigsaw replaces a victim’s desktop wallpaper with a picture of a hair-raising clown. The free Jigsaw Decrypter solution by Michael Gillespie supports this variant.
Im Sorry, oh really?
The sample called Im Sorry sounds almost compassionate. Its ransom note includes several apologies from the crook. It’s amazing how sarcastic the bad guys can get. This one concatenates the .imsorry extension to locked files and leaves a ransom note named “Read me for help thanks.txt”.

Yet another milestone for ID Ransomware
Architects of the ID Ransomware service declare that it can now identify more than 400 different crypto-malware lineages.

Three new decryptors available
The tandem of Avast Software and CERT Polska makes another substantial breakthrough in defeating ransomware. The fresh decryption tools support the Mole, AES-NI, and BTCWare strains.

R3store making the rounds
The offensive program called R3store is one of the dozens of HiddenTear PoC knockoffs circulating in the wild. It concatenates the .r3store extension to ransomed files and leaves a data decryption manual called READ_IT.txt.

Crooks pilfering each other’s code
A new DMA Locker lookalike is discovered. Researchers believe its makers stole the code from their fellow extortionists. Whereas the ransom notes and other components look identical and the public encryption key is the same, there are no references to the old name. Criminals are criminals, and there is obviously room for piracy even within this cybercrime ecosystem.
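The ID Ransomware milestone above rests on matching exactly the kind of indicators this timeline keeps listing: the token appended to filenames and the name of the dropped ransom note. As an added example that is not part of the original article or of ID Ransomware itself, here is a small Python triage script built on a constructed subset of the May entries; it ranks candidate families for a file listing and flags tokens that several families share (.xdata is used by both XData and a Xorist edition, READ_IT.txt by several Hidden Tear spinoffs), so a responder knows when the evidence alone cannot settle the identification.

```python
import os
from collections import defaultdict

# Indicator tokens taken from a subset of the May 2017 entries above; this is a
# constructed, illustrative table, not a complete catalogue of the families named.
EXTENSION_FAMILIES = {
    ".H_F_D_locked": ("MoWare H.F.D.",),
    ".xdata": ("XData", "Xorist (XData lookalike)"),  # token shared by two families
    ".lightning": ("LightningCrypt",),
    ".WINDIE": ("WanaDie",),
    ".crying": ("Crying",),
    ".r3store": ("R3store",),
    ".TRMT": ("Amnesia",),
    ".brickr": ("BrickR",),
}
NOTE_FAMILIES = {
    "READ_IT.txt": ("Crying", "R3store"),  # note name shared by Hidden Tear spinoffs
    "how_to_back_files.html": ("GlobeImposter",),
    "README_FOR_DECRYPT.txt": ("SintaLocker",),
    "HOW TO RECOVER ENCRYPTED FILES.txt": ("Amnesia",),
    "READ_DECRYPT_FILES.txt": ("BrickR",),
}

def classify_path(path):
    """Yield (family, kind) pairs for one path; kind is 'note' or 'file'."""
    name = os.path.basename(path)
    for fam in NOTE_FAMILIES.get(name, ()):
        yield fam, "note"
    for ext, fams in EXTENSION_FAMILIES.items():
        # the token is appended after the real extension, so match the tail only
        if name.endswith(ext) and len(name) > len(ext):
            for fam in fams:
                yield fam, "file"

def triage(paths):
    """Rank candidate families by evidence and flag a tie between the top two."""
    score = defaultdict(lambda: {"note": 0, "file": 0})
    for p in paths:
        for fam, kind in classify_path(p):
            score[fam][kind] += 1
    ranked = sorted(score.items(), key=lambda kv: (kv[1]["note"], kv[1]["file"]),
                    reverse=True)
    ambiguous = len(ranked) > 1 and ranked[0][1] == ranked[1][1]
    return {"ranked": ranked, "ambiguous": ambiguous}

def scan_tree(root):
    """Walk a directory tree and triage every file found under it."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
```

Run triage() on a file listing pulled from an image or scan_tree() on a mounted volume; an ambiguous result means the extension and note name alone do not separate the candidates, and the note text or contact address has to decide.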
MAY 30, 2017
Fresh facts on WannaCry campaign
According to experts from the Kryptos Logic company, WannaCry claimed the most victims in China, whereas it was previously believed that the epidemic mainly targeted Russian users.

XData isn’t a problem anymore
Someone, most likely the dev of XData, joined a dedicated thread at the Bleeping Computer forums and provided the Master Decryption Keys for the infection. A number of security vendors, including Avast and ESET, use this leaked information to contrive free decryption tools.

The crude Bloopers Encrypter 1.0 screen locker
While this one tries to persuade victims that it has encrypted their valuable files, that’s just a bluff. The fix is as simple as closing the warning window and removing the Trojan with an antimalware suite.

Andonio is nothing special
One more derivative of Hidden Tear is in the works. The in-development sample called Andonio is coded to append the apropos .andonio suffix to enciphered files and drop the READ ME.txt help document.

GrodexCrypt, a remake of old ransomware
The strain called GrodexCrypt is based on Crypt888, or Mircop, which has been around for about a year. As opposed to its forerunner, the revamped edition now uses a GUI asking for $50 worth of Bitcoin for decryption.

OoPS spotted
OoPS Ramenware doesn’t do any crypto. Instead, its extortion model implies moving a victim’s files to a ZIP archive with the .ramen extension. Unlocking this archive is only doable with the right password.

Amnesia update
The latest Amnesia version concatenates the .TRMT string to encrypted data entries, uses the [email protected] contact email address, and drops a decryption how-to named HOW TO RECOVER ENCRYPTED FILES.txt.

BrickR underway
BrickR is a new commonplace file-encrypting threat with the following indicators of compromise: the .brickr file extension and the READ_DECRYPT_FILES.txt ransom manual.
The melodic Resurrection-Ransomware
Aside from appending the .resurrection extension to locked files and dropping the Readme.html ransom note, the Resurrection-Ransomware also plays some fairy-tale-like tunes in the background during the attack.
MAY 31, 2017
In-dev KillSwitch
Probably paying homage to the peculiar attack trigger of the WannaCry plague, the in-development KillSwitch appears. It is configured to add the .switch suffix to encoded files.

Luxnut, a PoC offspring
The new sample called Luxnut is a derivative of EDA2, open-source crypto-malware created by Turkish researcher Utku Sen. By the way, the more notorious Hidden Tear code is the work of the same questionably judicious enthusiast. Luxnut stains encoded files with the .locked extension.

Ransomware disguised as Microsoft Security Essentials
The strain in question generates a warning screen titled “Microsoft Security Essentials”. Functionality-wise, it takes after the WannaCry infection. Fortunately, it is currently in development and does not utilize any cipher.

Although the scourge of ransomware keeps assuming new characteristics, the defenses are invariable for the most part. As before, nothing beats data backups as a damage mitigation strategy. No prevention tactic works better than proper online hygiene. Steer clear of shady websites and fishy email attachments, don’t put off applying security patches for the operating system and third-party software, and you’ll be good to go.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.