October 2017: The Month in Ransomware

Image

Ransomware activity didn’t skyrocket last month, but there was definitely a substantial increase compared to September. Perhaps the most serious wake-up call was the onset of BadRabbit, a Petya-like culprit going on a rampage in Eastern Europe. A likely successor of the Cerber ransomware dubbed Magniber started making the rounds via the Magnitude exploit kit. A Halloween-themed Trick-or-Treat blackmail malware demonstrated that cybercriminals follow the traditions too – in their own way, though. Overall, 28 new strains emerged, 18 existing ones underwent updates, and only one free decryptor was released.

OCTOBER 3, 2017

BTCWare edition using a self-explanatory extension A new variant of the BTCWare blackmail virus is discovered. It appends the .payday extension to hostage files and drops a ransom note named !! RETURN FILES !!.txt. Victims are instructed to contact the attackers via email for detailed decryption steps.

OCTOBER 5, 2017

Browser scam revolving around ransomware Cybercriminals launch a tech support scam campaign where users bump into rogue browser alerts stating ‘Ransomware Detected’. The deceptive popups recommend would-be victims to call a toll free phone number for assistance. The self-proclaimed support agents will then try to defraud the unsuspecting users of a fee to fix the purported security issue. Samas ransomware updated Researchers come across an uncatalogued Samas/SamSam ransomware version that blemishes encoded data with the .loveransisgood string. Ransomware attacks a U.S. city All internal information systems of the City of Englewood, Colorado, are knocked offline due to a ransomware incursion. No details regarding the trouble-making strain are available at this point. Fortunately, sensitive information belonging to employees or residents has not been obtained via this infection. Another crypto onslaught against a healthcare facility reported According to a recent press release, the computer network of Arkansas Oral & Facial Surgery Center was affected by file-encrypting ransomware on July 26, 2017. While the facility’s patient information database reportedly remained intact, some documents and imaging files, including x-rays files, were encrypted.

OCTOBER 6, 2017

Ender Ransomware wave didn’t pan out A new screen locker called Ender Ransomware displays a poorly designed warning screen with hardly intelligible text. Courtesy of security analysts, the unlock code has been revealed – it’s ‘aRmLgk8wboWK5q7’. Better luck next time, script kiddies.

OCTOBER 8, 2017

GlobeImposter authors diversify their distribution portfolio A new wave of malicious spam disseminating GlobeImposter ransomware payloads is detected. The shenanigans now revolve around phony website job applications with a booby-trapped resume on board. The attached Word file instructs a recipient to enable macros, which in turn leads to the Trojan being downloaded onto the host.

OCTOBER 9, 2017

LockOn ransomware, not in the wild yet Analysts stumble upon a new in-development sample called LockOn. It is presumably a variant of the Hidden Tear proof-of-concept that currently targets data in a hard-coded ‘Test’ path. Files are appended with the .lockon extension.

OCTOBER 10, 2017

BugWare, a new one on the table This one does with a GUI in Portuguese and targets Brazilian users. It concatenates the .[[email protected]].bugware extension to enciphered data entries. The deadline for payment is 72 hours. Locky gets a buggy facelift The latest variant of the much-spoken-of Locky ransomware changes its behavior by using the new .asasin extension for encrypted files along with asasin.htm/bmp rescue notes. The original malspam wave spreading this edition is crude, though – recipients see a disorderly string of base64 encoded text instead of the trojanized email attachment. Another screen locker in the wild The prolific screen locking Trojan featuring “Your Windows Has Been Banned” message is updated with a new version. It instructs victims to call or email pseudo tech support for steps to fix the issue. Predictably enough, the unlocking routine boils down to submitting a ransom. New Hidden Tear iteration takes root An uncatalogued spinoff of the Hidden Tear proof-of-concept ransomware called AnonCrack is spotted. It uses the .crack string to label hostage files and displays ransom demands in Spanish. Plus one sample for RotorCrypt lineage A fresh specimen representing the RotorCrypt ransomware family is released. It affixes the “[email protected]___.biz” extension to encoded files. The recovery-through-payment steps are provided in a how-to file named DOCTOR. Atchbo ransomware pops up This brand new sample blemishes data with the .ExoLock or .Exo extension and leaves a ransom note named UnlockYourFiles[0-49].txt. The size of the ransom ranges from 0.007 to 0.01 Bitcoin.

OCTOBER 11, 2017

The soaring ransomware economy According to a report released by IT security firm Carbon Black, the dark web marketplace for ransomware has expanded by about 2,500% in 2017 over 2016. Some of the statistics are as follows: ransomware is sold via more than 6,000 underground sites, and some developers earn on the order of $100,000 per year by simply retailing their malicious products. BTCWare authors can’t wait for payday to come Another edition of the BTCWare pest switches to the .[[email protected]]-id-[victim ID].payday extension for enciphered files. As before, the infection is making the rounds by abusing unsecured remote desktop services.

OCTOBER 12, 2017

New BugWare variant hastily released Just two days after discovery of the Brazilian BugWare blackmail virus, its new build goes live. It features some GUI tweaks and a different extension being subjoined to ransomed files, namely .[[email protected]].criptografado. Also, the culprit now goes with a list of countries to target.

OCTOBER 13, 2017

The groundbreaking DoubleLocker ransomware An Android ransom Trojan code-named DoubleLocker is discovered. Unlike run-of-the-mill mobile ransomware samples that simply lock the screen of a targeted device, this one also encrypts all files on the primary storage and appends them with the .cryeye extension. Furthermore, it exploits the Accessibility service of the host operating system in order to maintain persistence. New CryptoMix spinoff surfaces The updated perpetrating program concatenates the .x1881 suffix to encrypted items and drops a decryption manual named _HELP_INSTRUCTION.txt. There are no other noteworthy changes compared to the precursor. Anubi ransomware pops up This fresh blackmail infection adds the .[[email protected]].anubi extension to files and provides a recovery walkthrough in __READ_ME__.txt document. The contact email address may vary. The vague gist of CCord SystemLocker The offending entity in question is a Windows screen locker that might reportedly be a crackme challenge. The unlock code can be obtained by visiting a specific website. At this point, it is ‘cracked:cracked’.

OCTOBER 14, 2017

WannaCry theme used in an online scam A new wave of tech support scams is gaining momentum. When victims are redirected to the deceptive landing page, they see a popup warning stating that their computer is infected with WannaCry, one of the most sophisticated ransomware strains to date. A write-up on Sage 2.2 ransomware is released Bart Blaze, the threat intelligence analyst at PwC, publishes an informative technical summary on Sage 2.2, a widespread file-encrypting infection that has been in the wild since February 2017. The post includes exhaustive behavioral characteristics of the culprit and illustrations of all victim interaction modules.

OCTOBER 15, 2017

Yet another proof-of-concept abuse case Researchers spot a fresh in-development spinoff of Hidden Tear, a ransomware codebase originally devised for educational purposes. It’s called ViiperWare. While this would-be pest currently only targets Test path on its creator’s machine, it concatenates the .viiper string to locked data. CryptoDemo isn’t as prosaic as it appears The sample in question imitates the interface of CryptoLocker, the notorious prototype of most present-day blackmail viruses. The interesting discovery about it is that it appears to be an EICAR test file, that is, an entity intended to check the response of anti-malware suites.

OCTOBER 16, 2017

Crypto Tyrant ransomware This one presumably hails from the so-called DUMB ransomware family. Its warning window contains text in Farsi (Persian language). Crypto Tyrant provides a 24-hour deadline for a ransom payment. Thought-extinct ransom Trojan updated An existing e-blackmail strain called Vortex gets a facelift after many months of hiatus. Just like the original build, the newcomer zeroes in on Polish users. It drops a ransom how-to file named #$# JAK-ODZYSKAC-PLIIKI.txt. New screen locker shows up Ne’er-do-wells responsible for the new screen locking ransomware campaign leverage a fairly banal social engineering technique. When a victim’s screen gets locked up, the following message appears on it, “Your computer is running a pirated version of Windows.” Interestingly, the infection demands $100 worth of Ethereum, not Bitcoin. After the payment, users are also supposed to send 20 nude pictures of themselves to the pranksters.

OCTOBER 17, 2017

Ransomware-related distraction maneuver by hackers Threat actors from North Korea reportedly pulled off a large-scale heist in early October targeting Taiwan-based Far Eastern International Bank (FEIB). Interestingly, the criminals used ransomware called Hermes as a smokescreen to avert the attention of the commercial firm’s officials and law enforcement from the theft. Blind ransomware spotted Judging by the ransom note, this one appears to be a variant of the prolific CrySiS/Dharma ransomware. It subjoins the .blind extension to ransomed files and leaves a rescue note named How_Decrypt_Files.hta. The Magic ransomware surfaces The sample called The Magic is a derivative of the Hidden Tear PoC that targets Italian users. It appends the .locked suffix to encoded data items and demands €100 worth of Bitcoin. RotorCrypt strain fine-tuned The latest edition of the RotorCrypt ransomware blemishes encrypted files with the “[email protected]_.rar” extension.

OCTOBER 18, 2017

Possible heir of Cerber appears A new crypto culprit is discovered that bears a close resemblance to Cerber, a real ransomware heavyweight of the last two years. Dubbed Magniber, this infection is making the rounds via the Magnitude exploit kit, which is one thing it has in common with the likely prototype. Another similarity is that the two share an almost identical Tor-based payment system. Magniber isn’t a worldwide threat, so far According to researchers at Malwarebytes, the newsmaking Magniber pest currently zeroes in on South Korean users. Having encrypted files, it appends them with a victim-specific five-character extension and drops a rescue note named READ_ME_FOR_DECRYPT_[random]_.txt. If Magniber determines that the victim’s operating system language is different than Korean, it automatically deletes itself from the machine Workaround for some Magniber victims Analysts at Zimperium security firm came up with a way to recover data ransomed by Magniber. The method has got some restrictions, though. It only applies to scenarios where files got locked down with a hard-coded crypto key. The stars align only in case a computer was hit from an IP address other than Korean or if the ransomware failed to establish a connection with its C2 servers.

OCTOBER 19, 2017

WhatsApp spam delivering ransomware A new spam campaign is making the rounds in Brazil. It targets WhatsApp users, serving a payload of the Bugware ransomware edition that stains encrypted files with the .[[email protected]].criptografado extension. Saher Blue Eagle ransomware update The not-so-widespread blackmail malware called Saher Blue Eagle undergoes some refreshing. The most recent version affixes the .SaherBlueEagleRansomware string to hostage files.

OCTOBER 20, 2017

Ransomware pretending to come from the FBI An umpteenth FBI-themed ransom Trojan is spotted in the wild. Its ransom notification includes the Bureau’s logo and threatens to delete all data in 72 hours unless a ransom of €50 is paid. The infection subjoins the .XmdXtazX string to locked files. Hidden Tear offshoot called LordOfShadow Yet another derivative of the academic Hidden Tear ransomware surfaces. It spreads mainly in Brazil, appends the .lordofshadow suffix to a victim’s personal files, and adds a rescue note named LEIA_ME.txt (“READ_ME” in Portuguese) to the desktop.

OCTOBER 21, 2017

Run-of-the-mill Ordinal ransomware Cybercriminals won’t seem to stop abusing the controversial Hidden Tear PoC. This time, a group of threat actors created a new spinoff called Ordinal ransomware. It subjoins the .Ordinal extension to hostage data items and drops a recovery how-to file named READ Me To Get Your Files Back.txt.Ordinal. Handy tool released to assist ransomware victims McAfee software vendor contrives a solution called McAfee Ransomware Recover (Mr²) for 32- and 64-bit Windows editions. It is a framework that includes all available free ransomware decryptors created by security researchers.

OCTOBER 22, 2017

One more milestone of ID Ransomware portal ID Ransomware, an online service devised by MalwareHunterTeam, is now capable of identifying 500 different families of blackmail viruses.

OCTOBER 23, 2017

Windows 10 anti-ransomware feature goes live The feature called “Controlled Folder Access”, which was previously announced by Microsoft, has been rolled out to computers running Windows 10 as part of the latest Fall Creators Update. It allows users to restrict software access to certain folders in order to prevent malicious code like ransomware from making changes to data. Allcry ransomware surfaces Another data-encrypting baddie called Allcry ransomware is detected in the wild. It adds the .allcry string to filenames, leaves ReadMe.dic rescue note, and demands 1 Bitcoin for recovery. Felons prepping for Halloween Security analysts spot a new specimen called Trick or Treat. It is currently in development and doesn’t do any real damage. Jigsaw ransomware updated A fresh Halloween-themed iteration of the Jigsaw lineage begins making the rounds. It features an image of the Pennywise character on its warning screen and concatenates the .beep suffix to files. Comrade ransomware makes an appearance The Comrade cyber pest is nothing but one more offshoot of Hidden Tear. It uses an apropos .Comrade extension to stain encrypted files and drops a decryption how-to document named DECRYPT_FILES.txt. The ransom amounts to $480 worth of Bitcoin.

OCTOBER 24, 2017

BadRabbit infection going on a rampage in Europe A devastating ransomware sample called BadRabbit is unleashed to hit users, businesses, and government institutions in Eastern European countries including Ukraine, Bulgaria, the Netherlands, and Russia. The culprit is reminiscent of the NotPetya ransomware in that it encodes victims’ data and replaces the Master Boot Record with a custom bootloader. BadRabbit arrives with rogue Flash updates, demands 0.05 Bitcoin for decryption, and provides a 40-hour deadline to pay up.

OCTOBER 25, 2017

BadRabbit’s connection to NotPetya confirmed Different security companies and researchers state that the BadRabbit ransomware does share a great deal of its code with the infamous NotPetya. There are also clues linking the two campaigns with the same cybercriminal crew dubbed TeleBots. The reach of BadRabbit expands The perpetrating program in question has reportedly also hit some users outside Europe. Specifically, around 1% of the victims are in the United States, and researchers expect this quantity to grow. The likely entry point is an SMB (Server Message Block) vulnerability. Most organizations infected in the U.S. share some of their IT infrastructure with affected companies in the targeted countries. Broad coverage of the BadRabbit predicament A growing number of security firms are publishing technical write-ups on the BadRabbit ransomware campaign. The report by Malwarebytes is particularly informative. Crypto Tyrant ransomware wreaking havoc in Iran The Computer Emergency Response Team Coordination Center of Iran alerts local users about the increased activity of the recently discovered Crypto Tyrant ransomware. Perpetrators continue to take advantage of NSA exploits According to Cisco’s Talos Intelligence Group, the threat actors behind the newsmaking BadRabbit ransomware used an exploit codenamed EternalRomance to deposit the infection onto machines. This is another case of hackers using tools contrived by the NSA for surveillance following the NotPetya campaign. A bevy of these exploits was dumped by The Shadow Brokers cybercriminal crew in April 2017. WannaBeHappy ransomware being created Malware analysts stumble upon an in-development file-encrypting pest called WannaBeHappy, whose denomination is obviously a tribute to the infamous WannaCry culprit. It adds the .encrypted suffix to hostage files and demands $500 worth of Bitcoin. New strain with Greek roots A ransomware sample called Kerkoporta (“Backdoor” in English) starts making victims. The contagion turns out to be a bundle of a blackmail virus and a remote access tool. Fortunately, its impact is restricted to simply renaming files and locking the screen. Researchers trying to hunt down another crypto baddie MalwareHunterTeam’s Michael Gillespie (@demonslay335) announces a hunt for samples of an uncatalogued ransom Trojan that victims have been submitting to ID Ransomware portal. The elusive specimen subjoins the .rubina5 string to encoded data and leaves a recovery manual named HOW_TO_DECRYPT_FILES.txt. The Losers ransomware representing an existing family The Cry36/Nemesis ransomware lineage gets a new bullet in its gun barrel. Its latest variant concatenates the .losers extension to ciphered files and provides recovery tips via a ransom notification named HOWTODECRYPTFILES.html. A tweak of blackmailers’ tactics According to security experts’ observations, a group of malefactors has been applying a novel technique to make database owners cough up money. They compromise servers, move data to password-protected ZIP archives, and demand a ransom for the security key. The ‘Unzip your ZIP files.txt’ rescue note instructs victims to contact the ne’er-do-wells at [email protected].

OCTOBER 27, 2017

Matrix strain undergoes a distribution tweak Almost a year after the Matrix ransomware campaign was launched, its operators change their tactic to a tangible extent. They start leveraging the stealthy RIG exploit kit to serve the payload when a user visits a hacked website. XiaoBa blackmail malware The Chinese sample in question affixes the .XiaoBa[number 1-34] extension to locked files and drops a rescue note named _@[email protected]. xRansom appears to be a guinea pig in a way This in-development specimen is too buggy to do much real damage, at this point at least. It zeroes in on four data formats only, doesn’t mark files with any extra extensions, and doesn’t drop ransom notifications at all. YYTO ransomware updated A fresh edition of the YYTO cyber-culprit is spotted that instructs a victim to send several encrypted files and their personal key to [email protected]. The ransom note is named Help.txt. Some hope for BadRabbit victims It turns out that the BadRabbit ransomware differs from the rest in that it does not erase shadow copies of victims’ data. Those infected may, therefore, be able to use this imperfection to their advantage and restore previous versions of hostage files. Another potential recovery vector revolves around a buggy encryption key handling routine employed by the Trojan.

OCTOBER 28, 2017

Tweak made to the Xorist ransomware A brand new version of the Xorist crypto infection switches to using the .error[victim ID] extension for ransomed files. The payment deadline is set to 48 hours. The attacker’s email address is [email protected].

OCTOBER 30, 2017

GlobeImposter fine-tuned Although the GlobeImposter ransomware family isn’t expanding nearly as fast as it used to, it is still on the go. A new edition is discovered that stains encrypted files with the .apk string. Trick or Treat ransomware assumes a new look and feel A week after the original Trick or Treat ransom Trojan variant went live, a successor started making victims. It uses a modified background for the warning screen and demands a Bitcoin equivalent of $20.

OCTOBER 31, 2017

ONI ransomware hits Japanese enterprises The ONI strain is quite tricky, as it is part of a well-orchestrated campaign targeting Japanese medium and large companies. It appends the .oni extension to encoded files and drops !!!README!!!.html ransom how-to. Some deeper insight unearthed that the plagued organizations had been contaminated with a remote access tool called Ammyy Admin RAT for months prior to the ransomware onslaught. The ransomware was therefore just a component of the elaborate, persistent compromise. RansWare sample surfaces Despite the fact that RansWare is nothing but a garden-variety infection that doesn’t even complete the encryption properly, it demands an unthinkable ransom of 100 Bitcoin (about $740,000). The timeframe for payment is one month.

SUMMARY

Ransomware architects didn’t come up with anything truly groundbreaking in October, which is good news. However, the rising curve of the extortion economy demonstrates that blackmail infections continue to be the mainstay of the present-day cybercrime. No matter what new techniques the crooks may have up their sleeve, nothing beats data backups when it comes to risk mitigation in a ransomware scenario. Keep that in mind and stay on the safe side. To learn more about how Tripwire can help can you secure, click here.  

Image

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.