October 2016: The Month in Ransomware

Image

Just like in September, the cyber extortion epidemic keeps mutating. The crooks at the helm of ransomware campaigns are constantly experimenting with the geography of their attacks, intimidation tactics, data locking mechanisms, and payment channels. Learn how this underground ecosystem evolved last month and whether the security industry is ready to take up the gauntlet.

OCTOBER 1, 2016

The Globe Ransomware decrypted The file-encrypting Trojan dubbed Globe has been in rotation since August. It is infamous for using the Purge film series theme as the desktop background that replaces a victim’s preferred wallpaper. This ransomware leverages the Blowfish block cipher to encrypt one’s data; appends the .purge, .globe, or [email protected] extension to files; and creates ransom notes in HTA format. Thankfully, a free tool created by Emsisoft can restore Globe-encrypted data as long as the user provides a scrambled file and its unencrypted version. KillerLocker Ransomware is friends with a blood-curdling clown This malady ‘welcomes’ its victims with an image of a spooky clown that supersedes the original desktop wallpaper. KillerLocker encrypts files with the AES-256 algorithm and concatenates the .rip extension to every crippled entry. The warning message is in Portuguese. The infected users have 48 hours to pay up, otherwise the AES decryption key will purportedly be erased.

OCTOBER 2, 2016

Fsociety L0ck3r increases its ransom on a daily basis The Python-based strain called Fsociety (or Fs0ci3ty) L0ck3r adds the [email protected] extension to files, sprinkles help manuals called fsociety.html all over the infected system, and imposes a buyout scheme where the ransom increases by 1 Bitcoin daily after the ‘grace period’ of 24 hours expires.

OCTOBER 3, 2016

CryptoLocker 5.1 targets Italian users This replica of the notorious CryptoLocker baddie is based on Hidden Tear, a project which originally pursued benign, educational goals. Once cybercrooks have the code, they got busy adjusting it to real-world extortion campaigns like this one. CryptoLocker 5.1 user interfaces are in Italian. It appends the .locked extension and demands 130 EUR for data decryption.

OCTOBER 4, 2016

Cerber ransomware version 4 released The latest edition of the Cerber ransomware has a new take on twisting filenames. Rather than use the .cerber3 extension to stain encrypted objects, it has started to append a random four-character string that’s unique to every victim. Furthermore, Cerber v4 drops the Readme.hta file to provide decryption instructions, abandoning the routine of creating manuals in HTML, BMP, and VBS formats. To top it off, the updated Trojan now terminates multiple processes running on the system so that it can encrypt the associated data.

OCTOBER 5, 2016

Hades Locker, a reincarnation of an obsolete Trojan One month after the Dutch National Hi-Tech Crime Unit took down the WildFire Locker ransomware by seizing its command and control servers, the cybercriminal ring behind this campaign came up with a successor. Their new brainchild called Hades Locker appends the .~HL[random] extension to AES-encrypted files and creates ransom notes named Readme_Recover_Files_[16-char ID].txt (.html, .png). The size of the ransom is 1 Bitcoin or about 700 USD at the time of writing. This infection is currently not decryptable for free.

OCTOBER 6, 2016

Multiple spinoffs of the Globe Ransomware discovered Globe Ransomware authors spawned at least four new variants of their extortion code in one hit. The editions spotted by researchers append one of the following extensions to locked files: .blt, .raid10, .encrypted, and .[[email protected]]. The ransom typically amounts to 1 BTC. Fortunately, those infected can use the Emsisoft Decrypter for Globe2 to restore their data for free.

OCTOBER 7, 2016

Kostya Ransomware vs. Czech users Geo-targeting seems to be an increasingly popular trend in the cyber extortion ecosystem. The Kostya Ransomware is one of the crypto pests operating mostly within a particular country. The text in its warning screen and the decryption instructions are in Czech. This strain concatenates the .kostya extension to files that it encrypted. It demands 2000 CZK (Czech Koruna), or about 80 USD, for decryption. The ransom is payable in PaySafeCard. After the period of 12 hours expires, the original amount will increase by another 2000 CZK. The data will be completely lost if a victim doesn’t submit the money during 24 hours.

OCTOBER 8, 2016

New ransomware forges a Windows Update screen Comrade Circle is a replica of an older ransomware specimen called Fantom. Just like its precursor, the plague displays a fake Windows Update screen while encrypting its victims’ data. Aside from leveraging this tricky obfuscation technique, the Trojan adds the .comrade extension to files and creates a decryption manual named Restore-Files![random number].txt.

OCTOBER 10, 2016

Enigma Ransomware update Discovered in early May this year, this infection was one of the few that targeted the Russian-speaking audience. The latest variant of Enigma Ransomware appends the .1txt string to every encrypted entity. As opposed to the previous .hta ransom note, the current iteration has switched to enigma_info.txt document. File encryption? Maybe next year The sample that says “Deadly for a good purpose” on its warning screen isn’t run-of-the-mill because it is currently configured to encrypt victims’ data in 2017. In other words, if this ransomware compromises your computer, it won’t lock down your important information until sometime next year. The whys and wherefores of such an unusual attack routine aren’t clear at this point.

OCTOBER 11, 2016

VenisRansomware is double trouble At first sight, this strain may appear fairly commonplace. It encrypts files, replaces the desktop wallpaper with a warning image, and instructs a victim to reach the attacker at [email protected]. It turns out, however, that VenisRansomware also installs extra components that are bundled in its payload. One of these concomitant modules is intended to enable Remote Desktop Host support and thus provide the threat actor with direct access to the infected machine.

OCTOBER 13, 2016

Experts defeat a unique ransom Trojan Trojan.Encoder.6491 sounds like just one of thousands of lookalike file-encrypting infections. In fact, though, it is one of a kind because never before had ransomware makers used the open-source Go programming language to create their products. The pest in question uses the AES-256 encryption standard, concatenates the .enc extension to one’s personal files, and asks for 25 USD worth of Bitcoins as the ransom. Luckily, researchers at Doctor Web came up with a method that helps victims restore their data. DXXD ransomware v2 cracked The ‘dxxd’ file extension and Readme.TxT help file are some of the attributes that DXXD ransomware victims are definitely familiar with. Michael Gillespie, a security analyst, also known as demonslay335, crafted a free tool that decrypts files locked by the latest variant of this Trojan. New edition of Nuke ransomware surfaces A rebranded variant of the PadCrypt ransomware called Nuke underwent a number of tweaks. The new file extension is .nuclear55. The perpetrators also changed the look and feel of the ransom note, which tells victims to submit 2 Bitcoins to a specified wallet. The warning image contains a “NUCLEAR #55” inscription.

OCTOBER 14, 2016

Automation of the Locky ransomware analysis The Talos Security Intelligence and Research Group created LockyDump, a tool that streamlines the process of dissecting all known versions of the Locky ransomware. In particular, this command line utility provides a virtualized environment to run Locky’s spinoffs, including .locky, .zepto, .odin and .thor extension variants, and extract configuration data from memory. Exotic Ransomware isn’t picky about file types From the standpoint of a ransomware author, it’s questionably wise to encrypt all data on infected computers. Doing so will require additional time and resources. Moreover, it may render the operating system unstable. The Exotic Ransomware created by an individual or group nicknamed EvilTwin encrypts executables along with one’s personal files for some reason, thus making it impossible to run multiple programs. This strain appends files with the .exotic extension and instructs victims to pay 50 USD in Bitcoins during 72 hours.

OCTOBER 15, 2016

A cure for the latest DMA Locker variant available DMA Locker relies on the use of AES cryptographic standard in ECB (Electronic Code Book) mode to lock one’s files. Fortunately, researchers at Malwarebytes were able to devise a technique that decrypts !XPTLOCK5.0 extension files scrambled by the most recent edition of this ransomware. NoobCrypt Trojan update This one is interesting because the ransomware operators opted for using a name that one of AVG analysts gave to the sample. The criminals even included a few words of gratitude to the researcher on their warning screen, saying “Thanks to: @JakubKroustek.” NoobCrypt got a minor update released mid-October. New Anubis ransomware spotted in the wild This newcomer to the digital extortion environment concatenates the .coded extension to victims’ encrypted files and creates a ransom note called Decryption Instructions. The attackers provide email addresses ([email protected] or [email protected]) to reach them for recovery steps. Anubis is based on EDA2, open-source ransomware code written by Turkish researcher Utku Sen for educational purposes. Unfortunately, this isn’t the first incident where cybercriminals have used proof-of-concept projects to coin actual ransomware.

OCTOBER 17, 2016

Low-severity screen locker goes live A new piece of malware started attacking computers without actually encrypting anything. All it does is prevent victims from accessing their Windows interface. The lock screen instructs users to submit a code for 10 EUR worth PaySafeCard. The good news is that pests like this one are fairly easy to remove using Safe Mode with Networking.

OCTOBER 18, 2016

7ev3n ransomware is no longer an issue A Polish programmer and malware analyst who goes by the handle ‘hasherezade’ created a number of automatic decoders for different versions of the 7ev3n ransomware. This sample renames files to numeric values followed by the .R5A extension.

OCTOBER 19, 2016

New ransomware disguised as a funny game Some ransomware devs use primitive game scripts to obfuscate the data encryption process and distract users. One of the recent samples that go this route poses as a Click Me game. It displays an amusing screen with a Click Me button that keeps moving back and forth. While an unsuspecting user is trying to click the button, the ransom Trojan performs its data encryption in the background. This ransomware appends the .hacked extension to files.

OCTOBER 20, 2016

JapanLocker targets web servers The uncommon feature of this malware is that it affects websites rather than end users’ personal files. Written in PHP, this plague renders web pages inaccessible and displays a Site Locked message. The ne’er-do-wells behind this campaign tell webmasters to contact them using [email protected] email address for further recovery instructions. MBRFilter tool counters the nastiest ransomware Petya and Satana are the names of crypto threats that change the Master Boot Record on targeted computers, thus making troubleshooting pretty much unfeasible. Cisco’s Talos Group came up with a response to attacks of that sort. Their MBRFilter driver identifies and blocks ransomware’s attempts to overwrite the MBR.

OCTOBER 22, 2016

Bilingual Lock93 ransomware This one targets Russian- and English-speaking users alike. It adds the .lock93 suffix to encrypted files and demands 1000 RUR (Russian Rubles) for decryption. The email addresses for communication with the attackers are [email protected] and [email protected].

OCTOBER 23, 2016

Angry Duck asks for too much money Predictably enough, the unusual ransomware dubbed Angry Duck displays a duck-themed warning screen. The alert says, “Don’t mess with the ducks” and tells victims to pay 10 Bitcoins for restoring files with the .adk extension. That’s more than 7,000 USD, one of the biggest ransoms across the board.

OCTOBER 24, 2016

N1n1n1 ransomware update The new iteration drops a ransom note named Decrypt Explanations.html and uses the 999999 attribute to label the affected files. Other than that, it’s still a commonplace ransomware strain with fairly strong crypto. New Locky version appends the .shit extension The makers of Locky, one of the most professionally tailored ransomware specimens, released a new edition of their offending program. The update brought about the following changes: filenames are replaced with 32 hexadecimal characters plus the .shit string at the end; the ransom manuals are called _WHAT_is.html (.bmp); and the infection leverages offline encryption principle. Bart ransomware’s new file extension Rather than affixing the .bart value to enciphered data, the latest spinoff of a Locky lookalike called the Bart ransomware switched to the .perl extension instead. The other characteristics haven’t changed.

OCTOBER 25, 2016

Locky’s Thor edition surfaces The above-mentioned .shit file extension variant of Locky didn’t even exist one day. A new build that appends .thor to one’s jumbled data elements shortly replaced its predecessor. The offline “autopilot” encryption, file renaming format ,and ransom notes didn’t undergo any changes. A Hungarian copycat of Locky A sample dubbed Hucky takes after the infamous Locky ransomware in many ways, including the design of user interaction modules and the crypto algorithms applied. This one, however, appears to be only targeting Hungarian users.

OCTOBER 26, 2016

Ransomware author suggests a pathetic deal Emsisoft’s researcher Fabian Wosar published his conversation with Fsociety ransomware maker, where the latter tried to sell him about 200 valid decryption keys for 10 BTC. Of course, Fabian declined the offer. Moreover, he had already come up with a method to restore victims’ data for free.

OCTOBER 27, 2016

Screen locker with a survey feature under the hood Researchers spotted an interesting screen locker sample that asks its victims to complete a brief survey before they can regain access to their system. Once a user answers several funny questions like “Snickers or Butterfinger?,” a Notepad document named ThxForYurTyme.txt becomes available. The current in-development version only expresses a few words of gratitude in this file, but it will probably provide an unlock code when the malware becomes fully functional. Another lame screen locker discovered Screen lockers that prevent victims from accessing their computers typically aren’t nearly as sophisticated as file-encrypting Trojans. This applies to the piece of malware that blocks PCs and instructs users to contact the crook at [email protected]. Thankfully, security analysts reverse-engineered this one and obtained the unlock code. New CryptoWire ransomware emerges According to researchers’ verdict, CryptoWire is most likely based on readily available educational ransomware code. Its warning screen instructs victims to send 200 USD worth of Bitcoins for decryption of the locked data. This incident demonstrates once again that proof-of-concept ransom Trojans might have adverse effects in the long run. Onyx ransomware goes after Georgian users The strain called Onyx produces a ransom alert containing an image of No-Face, a character from the Japanese “Spirited Away” anime fantasy film. The warning message is in Georgian. Onyx demands 100 USD for data decryption. IFN643 Ransomware is underway This new sample mainly targets Microsoft Office documents, drops the IFN643_Malware_Readme ransom note, and won’t decrypt data unless a victim submits 1000 USD worth of Bitcoins. The weirdness of Jack.Pot strain When confronted with the Jack.Pot ransomware, users face a dilemma of coughing up 3 Bitcoins or losing their critical data. However, even if a victim decides to pay, it’s not clear how exactly to submit the ransom. The pest doesn’t provide any contact details to reach the attacker. To add insult to injury, the ransom note provides a Litecoin rather than Bitcoin address. Obviously, Jack.Pot is a buggy infection at this point.

SUMMARY

Some of the file-encrypting strains that surfaced in October demonstrated a shift toward geo-targeting, where the infections proliferate within specific countries. Surprisingly enough, quite a few screen lockers emerged that don’t actually encode anything. Some ransomware devs began opting for payment methods based on prepaid card services rather than Bitcoin. Although security analysts are getting better at cracking these threats, it’s strongly recommended to have a plan B in store – data backups should do the trick.  

Image

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.