MARCH 1, 2017The comeback of Crypt0L0cker A new wave of the Crypt0L0cker, or TorrentLocker, ransomware campaign breaks out after a lengthy standstill since mid-2015. The updated strain primarily zeroes in on European countries. Clever AV evasion by Locky According to Microsoft Malware Protection Center (MMPC), the latest Osiris edition of the notorious Locky program is signed with a valid digital certificate. This trick allows the infection to fly under the radar of most security suites. A gesture of goodwill to help Dharma victims In an unexpected move, someone nicknamed ‘gektar’ provides a link on Bleeping Computer's forums supposedly pointing to a Pastebin-hosted repository of master decryption keys for the Dharma ransomware. In-dev KRider strain spotted MalwareHunterTeam, a well-known group of security analysts specializing in combating crypto ransomware, discovers a somewhat crude sample called KRider. It is configured to append victims’ files with the .kr3 extension. Nontrivial ransomware identification puzzle A file-encrypting malware specimen gets out. It concatenates the .SN-[victim_ID][email protected][email protected] string to encrypted files. Although reminiscent of CrySiS, quite a few properties don’t match. So it’s unclear which family it is. Prominent researcher provides anti-ransomware tips Michael Gillespie, the architect of ID Ransomware service, participates in the Fight Ransomware Podcast by Carbonite to express his viewpoint on ways to beat the epidemic. Tricky distribution vector for ASN1 ransomware The ransom Trojan called ASN1 turns out to be proliferating via a rogue ad server pointing to the RIG exploit kit. This sample does not affix any extra strings to scrambled files and drops a ransom how-to called “!!!!!readme!!!!!.htm”.
MARCH 2, 2017Dharma ransomware cracked Following the newsmaking leak of master decryption keys for Dharma, Kaspersky Lab updates the RakhniDecryptor tool so that it supports the infection. ESET and Avast craft the apropos free decryption solutions shortly afterwards, as well. Cerber stepping into Android environment? Analysts at ESET locate Cerber’s README.hta ransom note within the source code of several Android apps distributed on Google Play. This may suggest that threat actors are trying their hand at expanding their campaign to the mobile platform in question. Double exploitation of PoC ransomware A new file-encrypting Trojan surfaces whose code is based on the MafiaWare infection, which was discovered in early January this year. The interesting thing about this interrelation is that MafiaWare, in its turn, is a spinoff of the open-source proof-of-concept strain known as Hidden Tear.
MARCH 3, 2017One more Hidden Tear derivative spotted Security experts stumble upon a perpetrating program called FabSysCrypto, which appears to be an offspring of the above-mentioned Hidden Tear PoC. Furthermore, its data recovery manual is a replica of the ransom note created by Locky.
MARCH 5, 2017Jigsaw ransomware reaches version 4.6 Jigsaw ransomware version 4.6 features a new alert screen with different wording than before. It demands $150 worth of Bitcoin for decryption and pressures victims into paying up within 24 hours.
MARCH 6, 2017Pennsylvania Senate Democrats under ransomware attack An unidentified ransomware infection hits the computer network of the Pennsylvania Senate Democratic Caucus. The compromise causes a shutdown of the organization’s IT infrastructure and makes proprietary data inaccessible. FadeSoft ransomware update Researchers bump into a fresh variant of the FadeSoft ransomware. The only noteworthy change is the new ransom note design. The threat actors demand 0.1 BTC and provide a seven-day deadline to pay up. New Spanish ransomware appears ESET spots a file-encrypting sample called CryptoJacky. It targets Spanish-speaking users and comes equipped with Aescrypt.exe application that does the data encryption job.
MARCH 7, 2017Unexpected incarnation of Shamoon malware The disk-wiping infection known as Shamoon, or Disttrack, has been around since 2012. But it’s not until recently that it started propagating with a ransomware module on board. According to Kaspersky, the latest version dubbed StoneDrill encrypts files, circumvents sandboxing mechanisms, and affects 32-bit and 64-bit systems alike. Enjey ransomware surfaces The authors of the new ransom Trojan called Enjey borrowed their code from the older RemindMe strain. The infection instructs victims to send their personal identifier to [email protected] in order to receive further decryption steps and learn the size of the ransom. Minor tweak of the Unlock92 ransomware The only conspicuous change made to the Unlock92 Trojan as part of the latest update is a new name of the ransom note. The how-to file is now called READ_ME_!.txt. The destructive Nhtnwcuf sample While featuring a really unusual name, Nhtnwcuf is also offbeat in terms of the way it handles a victim’s data. The pest wreaks havoc with files to an extent where they cannot be restored even if an infected person meets the attackers’ demands. It drops one of the following ransom notes: HELP_ME_PLEASE.txt or !_RECOVERY_HELP_!.txt.
MARCH 8, 2017Meet Paul, a wannabe cybercrook Security analysts discover an in-development French strain whose code contains a name attribute “Paul”, which is most likely the creator’s name. It is a spinoff of the educational Hidden Tear project. CryptON ransomware defeated Fabian Wosar, the chief technology officer at Emsisoft, cooks up a free decryptor for the CryptON ransomware. This crypto malady is also known as Nemesis and leverages a fusion of AES-256, RSA, and SHA-256 algorithms to scramble victims’ data. Latest Crypt0L0cker campaign dissected Cisco’s Talos Intelligence Group publishes a comprehensive report regarding the totality of characteristics of the current Crypt0L0cker variant. CryptoLocker 1.0.0 shaping up to be a serious problem MalwareHunterTeam stumbles upon the new CryptoLocker 1.0.0 threat, which is just a replica of its infamous prototype. This propagation of this sample is mostly isolated to Turkey. It uses asymmetric RSA-2048 cryptosystem to lock files.
MARCH 9, 2017RanRan strain is unique in a few ways There are several things that make RanRan stand out of the rest. First off, it is employed in targeted attacks against Middle Eastern government institutions. Furthermore, it prevents victims from opening Task Manager, terminates database processes, leverages different encryption keys for files with different size, and displays zXz.html ransom note with a political message in it. Cerber ransomware update The most recent iteration of Cerber does not alter the original filenames, whereas its forerunners replaced them with 10 random hexadecimal characters. However, it still appends files with a four-character extension that matches the plagued PC’s MachineGuid parameter. Vortex ransomware spotted This new perpetrating program zeroes in on Polish victims. It concatenates the .aes suffix to encoded files and leaves a ransom note in Polish named ODZSZYFRUJ-DANE.txt. VapeLauncher, another PoC derivative Researchers come across a file-encrypting infection called VapeLauncher, which requests a Bitcoin equivalent of $200 for decryption. Its AutoIt code is based on the CryptoWire proof-of-concept that was uploaded by a security enthusiast to GitHub in late May 2016. Ties between Spora and HTA email attachments According to RSA Security, the architects of the Spora campaign are heavily relying on the use of HTA files attached to malspam emails. This vector allows the ransom Trojan to fulfill the contamination process without requesting any additional data from a Command and Control server. PadCrypt version 3.4.0 is out PadCrypt, a ransomware sample that gained notoriety for providing live support chat to its victims, gets some fine-tuning. Its current version number is 3.4.0. Other than that, hardly anything else has changed. Samas ransomware distribution specificity It turns out that the crooks behind Samas, or SamSam, exploit Active Directory service in order to infiltrate and traverse big networks. The cybercrime ring in question reportedly defrauded organizations of about $450,000 during the past 12 months.
MARCH 10, 2017A great write-up on Spora Malwarebytes publishes an article encompassing the ins and outs of Spora. The analysis includes main attack vectors, encryption routine, and extortion cycle. One group behind ransomware and a data stealer The latest variant of the Sage ransomware (version 2.2) is distributed by the same threat actors as those responsible for depositing the August Stealer malware onto computers. Both of these campaigns appear to serve payloads from the same file path. Android ransomware used in a targeted attack According to Check Point, 36 new smartphones purchased by two big technology companies arrived with Android malware on board. In particular, the devices had a sample of Slocker ransomware and Loki adware pre-installed on them.
MARCH 11, 2017ID Ransomware enhancement Due to an important update made to MalwareHunterTeam’s ID Ransomware service, victims of Spora can determine which strain they are confronted with and continue the troubleshooting accordingly. Another day, another Samas update A fresh edition of Samas concatenates the .iaufkakfhsaraf string to encrypted files. It also adds a new ransom note called IF_ WANT_FILES_BACK_PLS_READ.html. Damage ransomware decrypted Emsisoft CTO Fabian Wosar runs a streaming video session where he analyses the Damage ransomware and creates an ad hoc automatic decryption tool in real time. Russian RozaLocker ransomware The RozaLocker sample takes root in the Russian online segment. It uses the .ENC extension to blemish affected files and demands 10,000 Rubles (about $180) for decryption.
MARCH 12, 2017Another French ransomware spotted The Trojan in question displays a ransom warning in French and asks for 0.1 BTC to decrypt files. Overall, this one is fairly run-of-the-mill.
MARCH 13, 2017Extortionist’s payback hits the headlines The maker of the Enjey malware fires a series of distributed denial-of-service attacks against the ID Ransomware resource. Prior to this predicament, the author of ID Ransomware had crafted a free decryption tool for said infection. Flotera ransomware emerges This abominable specimen appears to be part of the same family as the Polski and Vortex infections. Its propagation involves a remote access Trojan (RAT) called vjw0rm. One more PadCrypt update The developers of PadCrypt stay busy coining new variants of their cyber offspring. The latest one, PadCrypt 3.4.1, introduces hardly any novelty aside from the version number. Hunting down the Project34 baddie Michael Gillespie asks his security community colleagues to combine efforts in analyzing the Project34 ransomware. This sample prepends the “[email protected]*” string to filenames and leaves a TXT ransom note.
MARCH 14, 2017PetrWrap, a Petya ransomware spinoff Kaspersky Lab spots a strain called PetrWrap, which is based on the infamous Petya ransomware. Just like its predecessor, the Trojan in question uses the Salsa20 cryptosystem to scramble the Master File Table of NTFS partitions, thus rendering the plagued machines inoperable until the ransom is paid. PetrWrap is used in targeted attacks against specific companies. White hats upset the makers of a RaaS Analysts working on the Malwarebytes team hack into the C2 server of an in-dev Ransomware-as-a-Service (RaaS) platform called FileCrypter Shop. New domain used by Spora Researchers discover that the operators of Spora registered and started using a new domain for their campaign. It’s at torifyme.com. Jigsaw ransomware update The latest incarnation of Jigsaw uses the .nemo-hacks.at.sigaint.org extension to label encrypted data. Nothing else has been modified. Hermes reaches version 2.0 Malefactors release Hermes ransomware v2.0. This update includes a fix for the crypto flaw that allowed Emsisoft’s Fabian Wosar to devise a free decryptor. Updated Hermes still decryptable Michael Gillespie, alias demonslay335, teams up with Emsisoft researcher Fabian Wosar to create a viable decryption tool for the Hermes ransomware. Apparently, the recent crypto bug fix rolled out by the threat actors didn’t do the trick. An instructive ransomware sample spotted A new Russian screen locker displays a warning that recommends the victim to exercise more caution with fishy downloads online. The unlock password is indicated in the ransom note. The Karmen RaaS appears A Ransomware-as-a-Service portal called Karmen is intended to make the ransomware business as easy as ABC for wannabe criminals. The suggested malicious build displays a ransom warning in English and German.
MARCH 15, 2017Revenge ransomware, a new one on the table Quite predictably, the strain called Revenge appends the .revenge extension to enciphered files. It proliferates through the use of the RIG exploit kit. The ransom note is called # !!!HELP_FILE!!! #.txt. Turkish CTB-Locker copycat found Avast researchers spot a replica of the notorious CTB-Locker that displays all of its warning messages in Turkish. The infection stains files with the .encrypted suffix and leaves the “Beni Oku.txt” decryption how-to, which is the Turkish for “Read Me”. A crook obsessed with social networking Experts from GData discover a Hidden Tear based ransom Trojan whose conceited author instructs victims to post the phrase “I’ve been hacked by anony” on their Facebook wall in order to obtain the decryption key.
MARCH 16, 2017Attack vector engaging NSIS installers According to MMPC, ransomware deployers have come to leverage advanced distribution techniques that revolve around exploiting the Nullsoft Scriptable Install System (NSIS). This way, the threat actors make sure their code evades security systems. The unusual Kirk ransomware A Star Trek themed data-encrypting infection called the Kirk ransomware quickly becomes a buzzword in the IT security community. It concatenates the .Kirked extension to files and drops a recovery manual called RANSOM_NOTE.txt. Interestingly, this sample accepts Monero cryptocurrency rather than Bitcoin and uses a decryptor called Spock. The Lick ransomware pops up This one is almost identical to the aforementioned Kirk pest. It uses the exact same name for the ransom note. As opposed to its forerunner, though, this sample appends the .Licked string to jumbled files and uploads victim-specific data to Pastebin. CryptoDevil screen locker turns out rather lame The malware called CryptoDevil does not actually encrypt anything but locks an infected PC with a bright-red screen instead. Researchers manage to obtain the unlock code, which is “kjkszpj”. RoshaLock 2.0 isn’t about crypto Security analysts discover a ransom Trojan dubbed RoshaLock 2.0, which moves a victim’s files to a password-protected RAR archive. It drops a ransom note called “All Your Files in Archive!.txt”. Decryptor for CryptON gets fine-tuned Emsisoft updates the free CryptON decryption tool, which now supports the latest version of this ransomware.
MARCH 17, 2017ZinoCrypt makes an appearance A file-encrypting threat called “ZinoCrypt Ransomware – 2017 Edition” is discovered. It affixes the .ZINO extension to encoded data entries and leaves the ZINO_NOTE.txt ransom manual. Crptxxx, another commonplace ransomware The conventional name of this strain was derived from the .crptxxx extension that it concatenates to one’s mutilated files. It adds a decryption how-to file named HOW_TO_FIX_!.txt. Jigsaw malady gets a new look and feel Researchers stumble upon a new variant of Jigsaw that uses the .fun extension. The most conspicuous tweak made to the infection is the new background of its ransom note. Courtesy of Avast, this Trojan is decryptable for free. New ransomware builder spotted IT experts come across a utility that automates the process of generating custom builds of the DH File Locker ransomware. It allows criminals to define the folder that the executable should be dropped into, the text of the ransom demand, and quite a few more values. Trident File Locker infection builder found A primitive-looking builder for the Trident File Locker ransomware is uncovered. Its graphical user interface contains configurable fields for the targeted file extensions, the name and contents of the ransom note, as well as the unlock password. One more Hidden Tear offspring discovered The perpetrating program in question is called the MacAndChess Ransomware. Similarly to another infection spotted two days before, it tells victims to post the phrase “I’ve been hacked by anony” on their Facebook walls.
MARCH 18, 2017BrainCrypt is no longer an issue Michael Gillespie creates an automatic free decryptor for the BrainCrypt ransomware, which uses the “.[[email protected]].braincrypt” extension to label victims’ scrambled files. MOTD baddie comes into researchers’ sight A fairly simplistic crypto plague called MOTD is spotted in the wild. Its warning message reads, “You are infected with the most cryptographic advanced ransomware,” which is a somewhat exaggerated statement. It is a commonplace strain appending files with the .enc extension.
MARCH 19, 2017CryptoDevil starts encoding data This one originally acted as a screen locker, but the crooks in charge have begun distributing an edition that actually applies crypto. CryptoDevil affixes the .devil string to locked files. Jigsaw variant built to attack Vietnamese users A new in-dev file-encoding pest from the Jigsaw ransomware family generates warnings in Vietnamese, which makes it clear which geographic location is going to be targeted once the infection becomes fully functional.
MARCH 20, 2017The decline of Locky Locky, which was one of the top crypto threats in 2016, appears to be losing momentum. Security experts speculate this is due to a dramatic drop in the volume of Locky spam generated by the powerful Necurs botnet. Legislation addressing ransomware A new bill proposed in Indiana is going to make ransomware distribution a felony that will ensue a jail sentence of up to six years or a $10,000 fine. PadCrypt devs are busier than ever Security analysts keep discovering new versions of PadCrypt. This is quite strange because the campaign isn’t large-scale at all and doesn’t hit many users. The latest version 3.4.4 didn’t introduce any noteworthy modifications compared to the previous one. Another Samas update The indicators of compromise inherent to the new variant of the Samas, or SamSam, ransom Trojan include the .cifgksaffsfyghd file extension as well as the READ_READ_DEC_FILES.html ransom note.
MARCH 21, 2017Connection between LLTP ransomware and Venus Locker At first sight, the LLTP ransomware looks like a brand new, independently coded sample targeting Spanish-speaking audience. Some expert insight, though, reveals that it’s a remake of the existing Venus Locker malady. SAP vulnerability uncovered According to ERPScan, a well-known business application security provider's endpoint devices running SAP GUI application are susceptible to ransomware attacks due to a remote command execution vulnerability.
MARCH 22, 2017User-centered ransomware on the rise Analysts predict that crypto malware designs are going to become increasingly intuitive. This trend is exemplified by the relatively new Spora variant, which features easy-to-access customer support and multiple UI components contributing to a better user experience. Ransomware devs inspired by the Zorro character A malicious program called Zorro is discovered. It blemishes encrypted files with the .zorro extension and drops a ransom manual called “Take_Seriously (Your saving grace).txt”. AngleWare, another Hidden Tear offspring A new infection has replenished the list of countless ransom Trojans harnessing the code of the open-source Hidden Tear proof-of-concept. It uses the .AngleWare extension to label scrambled data entries, hence its name. An unusual Jigsaw version emerges A spinoff of the prolific Jigsaw referred to as Monument stealthily spreads alongside the Imminent Monitor RAT (remote access tool). Its main peculiarity, though, is that it appends every encrypted file with a string containing the entirety of ransom payment instructions. Onset of the Meteoritan ransomware The Meteoritan extortion campaign is mainly isolated to Poland. It leaves a combo of the following ransom notes: readme_your_files_have_been_encrypted.txt and where_are_your_files.txt. Globe3 decryptor updated Emsisoft researchers update their free decryptor for the Globe3 ransomware. The tool can now restore files jumbled by the latest variant of this crypto infection.
MARCH 23, 2017Jigsaw spinoff featuring a compound extortion mechanism Not only does the updated Monument iteration of the Jigsaw ransomware encode victims’ data, but it also goes bundled with an aggressive screen locker. A fraction of Spora statistics revealed Based on Spora victims’ submissions to the ID Ransomware service, 646 plagued users got a total of 48,466,020 personal files encrypted. LK Encrypter sample discovered Cybercrooks have once again used the source code of educational ransomware to create a real-life infection. ]LK Encrypter is based on the Hidden Tear PoC. It uses the .locked extension for ciphered files and drops the READ_IT.txt ransom note.
MARCH 24, 2017BTCWare spreading in the wild A new crypto threat called BTCWare is in fact a Crptxxx derivative. It demands 0.5 BTC for data decryption and uses the Telegram messenger to interact with those infected. SADStory ransomware The SADStory pest is nothing out of the ordinary. It is most likely an offspring of the CryPy ransomware. The Trojan claims to delete one file permanently every six hours until the victim coughs up the requested amount of Bitcoin.
MARCH 25, 2017Enhancement made to CryptoSearch tool The utility called CryptoSearch was designed to detect ransomware-locked files and move them to a new place, which should make recovery easier if researchers release a free decryptor. The tool is now capable of identifying and handling data affected by Spora. WCry ransomware updated New WCry variant is out that instructs victims to pay for the “Wanna Decryptor” application. This edition provides a workaround in case one’s anti-malware removes the core ransomware components. A tricky Spanish strain surfaces The authors of the ransom Trojan in question employ Smart Install Maker app to deposit their bad code on computers. When encrypting one’s valuable data, the infection displays a bogus Windows update screen to obfuscate the adverse process running behind the scenes. Primitive MemeLocker is underway Malware watchers spot a brand new sample dubbed MemeLocker. While still in development, it features an acrid red warning screen that reads, “You just got memed by MemeLocker.”
MARCH 28, 2017A ransomware syndicate exposed It turns out that a group of cybercriminals identifying themselves as “Mafia Malware Indonesia” is behind a series of not-so-professional extortion campaigns. In particular, these individuals are liable for creating and distributing the following crypto threats: SADStory, CryPy, L0CK3R74H4T, MafiaWare and MireWare. Safari ransomware issue addressed The latest iOS 10.3 update has added countermeasures for a massive extortion wave, where so-called police ransomware would lock Safari Mobile browser, display a spoof warning, and demand $100 worth of iTunes gift cards. PyCL Trojan backed by high-profile distribution The operators of the new Python-based PyCL appear to be employing the RIG exploit kit to plant their harmful code on computers. Such a mechanism ensures an obscure contamination workflow that isn’t likely to raise any red flags. The prosaic R ransomware MalwareHunterTeam comes across a file-scrambling sample called R, which adds the Ransomware.txt restoration how-to and demands 2 BTC to decrypt data. The crooks are apparently running out of creativity when it comes to naming their threats. AnDROid ransomware spotted A new offending program dubbed AnDROid stains one’s files with the .android suffix and displays an animated skull image on its warning screen. Another ransomware hunt kicks off Michael Gillespie, aka demonslay335, starts a new hunt for the strain that concatenates the .pr0tect extension to encrypted entries and leaves “READ ME ABOUT DECRYPTION.txt” ransom note.
MARCH 29, 2017Sage ransomware scrutinized Malwarebytes Labs experts do a great write-up on Sage. As per this analysis, the current 2.2 edition of this infection performs its encryption job in offline, or autopilot, mode. It also employs a combination of elliptic curve cryptography and the ChaCha20 stream cipher to lock one’s data down. HappyDayzz ransomware is ironic to the bone The infection called HappyDayzz sure makes its victims sad rather than happy. Its encryption routine is unique because the Command and Control server instructs the malware to utilize one of seven different cryptographic standards selected randomly. The self-explanatory DoNotChange ransomware This ransom note for this new strain contains a line saying, “Changing the file name makes the restore process impossible!” It requests a ransom of $250 for recovery. File Frozr RaaS pops up The Ransomware-as-a-Service platform called File Frozr allows ill-minded beginners to join and use it for 0.09 BTC (about $100) per month. The first month discount is $50. That’s quite a promotion in action, isn’t it?
MARCH 30, 2017DoNotChange ransomware decrypted Security analysts release a free decryptor for the above-mentioned DoNotChange. It took the white hats as little as one day to craft the tool. A comforting statement by Google According to Google’s Android Security team, only one in 10 million apps downloaded from the official Play Store turns out to be ransomware. However, the number is 1,000 times higher when it comes to applications downloaded from uncertified resources. CryptoSearch solution updated The remarkable CryptoSearch tool is now capable of spotting data entries scrambled by the FadeSoft ransomware. Another ID Ransomware enhancement The ID Ransomware portal has been updated to support the FadeSoft ransom Trojan. Those who fell victim to this strain should simply upload a sample encrypted file or ransom note to find out what adversary they are dealing with.
MARCH 31, 2017Elusive Android ransomware A malicious Android locker disguised as a popular Russian social networking app called OK is quite tricky as it bypasses detection mechanisms of mobile security solutions. Another adverse hallmark sign of this ransomware is that the hostage data may be impossible to decrypt because of buggy cryptographic routine. The abominable LanRan infection Whereas all ransomware is definitely disagreeable, the LanRan sample evokes extra disgust because it displays a distasteful turquoise warning window. It demands 0.5 BTC and tells victims to contact the crooks via [email protected] New Fantom ransomware version is out The latest build appends files with an extension derived from the timestamp of the contamination event. Furthermore, it discontinues the attack if it detects that the localization of the victim’s operating system is Russian. CrypVault is back A fresh variant of the CrypVault ransomware surfaces. It arrives at computers via malspam delivering a .chm attachment camouflaged as a CV. The threat actors’ contact email address is [email protected] Ransomware hunt becomes a good tradition Michael Gillespie launches one more hunt. This time, the target is the Cradle ransomware, which subjoins the .cradle suffix to files and leaves the _HOW_TO_UNLOCK_FILES_.html ransom note. The eccentric Sanctions ransomware The makers of this crypto threat choose to add some politics to the conventional blackmail mix. This ransomware ridicules the United States' sanctions against Russia by displaying a big USSR-styled bear and a small figure of a person resembling a former U.S. President. On top of that, the infection demands a whopping ransom of 6 BTC, which is the equivalent of about $7,000.
Summary of Ransomware in March 2017When it comes to ransomware prevention, the importance of following safe online practices is hard to overestimate. Most of these threats are still spam-borne, so users should never open any suspicious email attachments, period. File backups pose another invaluable layer of defense – no doubt about it. The countermeasures have hardly changed since the dawn of the crypto ransomware era back in 2013. So use this fact to advantage and stay safe. To learn more about protecting yourself from Ransomare, click here.