Crypto ransomware ran rampant in August. Despite commendable efforts on the part of security analysts, only a few viable decryptors were released to help victims recover their data. One of the prominent events was the takedown of the WildFire Locker campaign by the Dutch National Hi-Tech Crime Unit in collaboration with McAfee and Kaspersky, which demonstrates how effective a partnership of law enforcement and private companies can be in this realm.
To get an even bigger picture of how ransomware is evolving over time, please read the other ransomware news for the month of August 2016 I’ve included below.
AUGUST 1, 2016
Zepto ransomware distribution tweak
Zepto infection, the latest spinoff of the Locky ransom Trojan, takes after its predecessor in many ways. Both of them share the same Command and Control infrastructure and use a combo of RSA-2048 and AES-128 cryptosystems to lock victims’ data. The unique attributes of the newcomer, however, include the .zepto extension appended to encoded files and different names of decryption notes. The most recent change has to do with the use of WSF (Windows Script File) email attachments to infect computers, as opposed to the previously exploited JS objects enclosed in ZIP archives. As a result, users should be on the lookout for rogue emails with WSF files disguised as invoices, CVs, or delivery reports.
AUGUST 3, 2016
ShinoLocker proof-of-concept – Another questionably useful project
Educational ransomware became a buzzword in the security community with the emergence of the Hidden Tear and EDA2 projects in late January this year. While originally pursuing the benign goal of demonstrating the crypto malware attack workflow to everyone interested, the open source code for these POCs got heavily abused by cybercrooks to coin real-world ransom Trojans. This incident, apparently, didn’t teach security enthusiasts a lesson – a Japanese researcher named Shota Shinogi came up with ShinoLocker, an easily customizable ransomware simulator. There have been no reports of abuse cases at the time of writing, but the past predicaments suggest a likely unfavorable outcome of such an initiative.
Astonishing results of ransomware-related survey
According to research published in August by Malwarebytes, a total of 39% of surveyed organizations experienced ransomware attacks over the course of the last 12 months. The industries most targeted by these infections include healthcare, banking and insurance. The attack incidents were most common in the United Kingdom (54% of organizations) and least common in Germany (18% of surveyed companies).
AUGUST 4, 2016
Cerber ransomware update rolled out
Researchers discovered a new edition of Cerber ransomware, which is known to implement a unique text-to-speech feature via a VBScript file for intimidating victims. The latest variant has code-level changes under the hood and concatenates the new .cerber2 extension to encrypted files.
VenusLocker starts hitting the headlines
The above-mentioned educational ransomware dubbed EDA2, which was created by Turkish researcher Utku Sen, became the basis for contriving VenusLocker, a new crypto threat that uses a mix of AES and RSA algorithms to encrypt one’s data. This offending program appends the .Venusf or .Venusp extension to files, drops ReadMe.txt ransom instructions on the desktop, and extorts the Bitcoin equivalent of $100 for recovery. The deadline for payment is 72 hours.
AUGUST 8, 2016
Hitler-Ransomware – Buggy yet hazardous
Not only does the offbeat Hitler-Ransomware encrypt its victims’ personal files, but it also threatens to delete the data unless the ransom is paid within one hour. Researchers have concluded that this sample was most likely devised by script kiddies because it simply obliterates file extensions rather than actually encoding files. Furthermore, if the infected user restarts the computer, the malicious code erases everything stored in the UserProfile directory. The attacker demands that the victim enter the cash code for a Vodafone card worth 25 euros in the ransomware interface.
AUGUST 9, 2016
RektLocker, another POC-based infection
When it comes to crypto malware, there is a thin line between proofs of concept and real world. Utku Sen’s Hidden Tear open-source project ended up spawning a number of baddies that actually extort money. The newest one called RektLocker employs the Advanced Encryption Standard to make one’s files inaccessible, appends the .rekt string at the end of every ciphered object, and creates a document named Readme.txt on the desktop in order to provide the restoration roadmap, which includes the Bitcoin address to submit the ransom but doesn’t indicate a way to reach the attacker after the fact. Ultimately, there is a negligible chance that the data will be decrypted even if the payment is sent.
AUGUST 10, 2016
Thermostat Ransomware breaks new ground
With the numerous indisputable benefits of IoT (the Internet of Things) in place, there are serious challenges that users should be prepared for. Ransomware on smart devices is the new big thing. At the recent DEF CON security conference, researchers with the Pen Test Partners organization presented a proof of concept where they hacked a smart thermostat. Andrew Tierney and Ken Munro were able to compromise the connected device by inserting an SD card into it with booby-trapped firmware on it. Having obtained root on the thermostat, they cranked the heat up to 99 degrees Fahrenheit and caused the appliance to display an alert demanding 1 Bitcoin to get control back.
AUGUST 11, 2016
The cyber plague in question appears to be a new copycat of the notorious CryptoWall ransomware. Interestingly, this sample dubbed Smrss32 is deposited onto Windows computers through a remote access technique, which means that the perpetrators literally hack into a targeted machine and manually execute the ransomware. Having encrypted all non-system files on the hard drive, the infection concatenates the .encrypted extension to the locked entries and drops the _HOW_TO_Decrypt.bmp recovery instructions. In order to reinstate data, the victim is supposed to submit 1 Bitcoin to the extortionists and then send a message to firstname.lastname@example.org so as to obtain the private decryption key.
AUGUST 12, 2016
PizzaCrypts and JuicyLemon ransomware decrypted
A researcher nicknamed BloodDolly was able to create a free decryptor for ransomware strains named PizzaCrypts and JuicyLemon. The former sample is distributed through the use of the Neutrino exploit kit and appends the .email@example.com extension to skewed files. The latter one concatenates a long string containing the victim’s unique ID as well as the attacker’s email address or BitMessage details. JuicyLemon asks for about $1000 to restore data, so the free decrypt tool can definitely make any infected person’s day.
PokemonGo Ransomware targets Arabic users
There is a new strain on the loose pretending to be a Windows-based edition of the extremely popular PokemonGo game. It was found to target a specific user audience as the name and contents of the ransom notes are in Arabic. This ransomware applies the AES symmetric cryptographic algorithm to encode data, adds the .locked extension to hostage files, and tells the victim to shoot an email to firstname.lastname@example.org for a recovery walkthrough.
AUGUST 14, 2016
Social engineering is, by far, the prevalent ransomware propagation vector. The operators of the infamous infection called TorrentLocker, also known as Crypt0L0cker, have recently launched a campaign targeting Italian victims. Unsuspecting users have been receiving emails masquerading as energy bills from Enel, a well-known Italian distributor of electricity and gas. Once the rogue email attachment is downloaded, the ransomware payload hops into a computer, encrypts the victim’s personal data, and extorts a ransom in Bitcoin in exchange for the decryption key. This sample appends the .enc extension to files ciphered during the compromise.
AUGUST 15, 2016
Shark, a new Ransomware as a Service
RaaS, which stands for “Ransomware as a Service”, is a thriving model aimed at creating and spreading crypto infections on an affiliate basis. The new platform called the Shark Ransomware Project allows wannabe cybercrooks to get a ransomware sample of their own without investing any effort, customize it in several clicks, and distribute the pest to end users. The authors of the code get a 20% share of the sales and the ill-minded affiliates get the rest.
AUGUST 16, 2016
Cerber ransomware decryptor didn’t last long
The Check Point software vendor was able to develop a viable free recovery tool that took advantage of a flaw in the Cerber ransomware encryption routine. The application allowed victims to upload an arbitrary encoded .cerber or .cerber2 file and get the decryption key along with the automatic decryptor. However, the developers of this nasty ransom Trojan promptly took action to fix the bug in their encryption process, which eventually rendered the decoder inefficient. Thumbs up to Check Point experts for the efforts, though.
Cerber campaign revenue leaked
The aforementioned Check Point company, in collaboration with the Intsights cyber intelligence firm, published a report on the financial facet of the Cerber Ransomware as a Service platform. In a nutshell, the gross income generated by this RaaS during July alone amounted to $195,000. The ransomware author’s share being set to 40%, they made $78,000 in one month. A rough estimate of the malware developer’s annual earnings, therefore, can be somewhere around $1 million. So much for the profitability of this disgusting business.
New infection targeting Korean audience
Another spinoff of the Hidden Tear educational ransomware was discovered that goes after Korean users. It drops a ReadMe.txt ransom note that tells victims to visit a Tor page also used by another threat dubbed CryptMIC. This offending program, however, appears to be unprofessional and buggy, which suggests that the makers are script kiddies.
Apocalypse ransomware decrypted over and over again
Fabian Wosar, a well-known ransomware researcher from Germany, has been playing cat and mouse with cybercriminals in charge of the Apocalypse campaign. He invariably keeps updating his tool named the Emsisoft Decrypter for Apocalypse to address all the new tweaks and improvements that the malefactors make to their code. The criminals are apparently so frustrated over the experts’ successful endeavors that they have started taunting him. For instance, one of the email addresses that the ransomware devs are using for interacting with victims is email@example.com. Needless to say, Mr. Wosar has nothing to do with the infection and the malicious infrastructure.
AUGUST 17, 2016
Smrss32 baddie cracked
Smrss32, a strain mentioned above that surfaced on August 11, is not uncrackable anymore. Courtesy of analysts focusing on in-depth ransomware analysis, this infection has been decrypted. Those who fell victim to the plague in question can now use the free recovery tool to decrypt their files. All it takes is for them to upload a random mutilated image or Microsoft Office file with the .encrypted extension to the dedicated thread on Bleeping Computer forums. The researchers will send the private decryption key in response.
AUGUST 18, 2016
FSociety Ransomware from Mr. Robot fans
The operators of the new FSociety Ransomware appear to have been inspired by Mr. Robot, a popular cybersecurity-related television series. The conventional name of this threat stems from the image on the desktop wallpaper that it displays on an infected machine. It’s the logo of FSociety, a hacking ring from the above-mentioned show. This offending app is based on EDA2 code posted by a security researcher on GitHub. Once again, this incident raises another red flag regarding the questionable usefulness of educational ransomware projects.
Bart Ransomware changes its tactic
Until recently, this malware had not been a typical sample because it would move its victim’s files to password-protected ZIP archives rather than encrypt them. Filenames used to be appended with the .bart.zip extension. The shift in the threat actors’ modus operandi involves actual encoding and concatenation of the .bart string. This approach poses a more serious hurdle for recovering ransomed data.
AUGUST 19, 2016
DetoxCrypto pest impersonating PokemonGo
There are two versions of the ransomware in question. The first one takes a snapshot of its victim’s screen and uploads it to the attacker. It also plays an audio alert in order to appear a more high-profile threat. The other edition masquerades as the PokemonGo game for Windows and displays a warning screen that says, “We are all Pokemons.” DetoxCrypto demands two Bitcoins to decrypt the locked data.
AUGUST 22, 2016
Alma Locker ransomware
This strain leverages AES-128 crypto to encrypt data that’s valuable to an infected user and appends a victim-specific string of five hexadecimal characters to every file. The sample file renaming format is as follows: agenda.docx.c3vsm. It provides five days for the user to redeem their files by submitting one Bitcoin. When this period expires, the secret decryption key will purportedly be erased from the criminals’ server. Thanks to a cybersecurity services firm called PhishLabs, which conducted extensive analysis of this plague, the infected users can restore their hostage files without paying the ransom.
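The renaming format above suggests a simple defensive check, shown here as an added example that is not part of the original article: flag any suffix that has been appended after an ordinary document extension across several files of different types. It generalizes beyond Alma Locker to the other strains in this roundup that append an extension; the document-extension list, thresholds and sample listing are assumptions constructed for illustration.

```python
from collections import Counter
from pathlib import PurePath

# Ordinary user-document extensions (assumed list; extend for your environment).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}


def appended_suffix(name):
    """Return the trailing suffix if it follows a known document extension
    (e.g. 'agenda.docx.c3vsm' -> '.c3vsm'), otherwise None."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] not in DOC_EXTS:
        return suffixes[-1]
    return None


def suspicious_suffixes(filenames, min_files=3, min_doc_types=2):
    """Return {suffix: file count} for suffixes appended to at least
    `min_files` files that span at least `min_doc_types` document types.
    A single 'notes.txt.bak' stays below the thresholds and is ignored."""
    counts = Counter()
    doc_types = {}
    for name in filenames:
        suffix = appended_suffix(name)
        if suffix is None:
            continue
        counts[suffix] += 1
        original_ext = PurePath(name).suffixes[-2].lower()
        doc_types.setdefault(suffix, set()).add(original_ext)
    return {
        s: n for s, n in counts.items()
        if n >= min_files and len(doc_types[s]) >= min_doc_types
    }


# Constructed sample listing (not real telemetry).
SAMPLE_LISTING = [
    "agenda.docx.c3vsm", "budget.xlsx.c3vsm", "scan.pdf.c3vsm", "holiday.jpg.c3vsm",
    "Q3 plan v1.2.docx.cerber3", "payroll.xlsx.cerber3", "contract.pdf.cerber3",
    "notes.txt.bak",   # lone backup copy: below threshold
    "backup.tar.gz",   # legitimate double extension, not a document type
    "invoice.pdf",     # untouched file
]

if __name__ == "__main__":
    for suffix, count in sorted(suspicious_suffixes(SAMPLE_LISTING).items()):
        print(f"{count} files carry appended suffix {suffix}")
```

This heuristic only sees strains that append something to the original name; samples described in this roundup as stripping extensions (Hitler-Ransomware) or leaving names unchanged (Serpico) need a different signal.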
AUGUST 23, 2016
CTB-Locker copycat discovered
A new ransom Trojan that bears a resemblance to the infamous CTB-Locker has been detected in the wild. It uses a similar color scheme of user interaction components and creates an almost identical TXT ransom note. This variant extorts 0.5 Bitcoin for data recovery and allows victims to decrypt two random files for free as long as their size doesn’t exceed 1 MB.
AUGUST 24, 2016
Globe Ransomware, another movie-themed threat
The authors of the Globe Ransomware chose to stick with the increasingly popular trend of using movie themes for extortion campaigns (or maybe it’s just one group of hackers). Its warning screens contain images from the Purge film series. Furthermore, Globe appends the .purge extension to files that got ciphered in the course of the attack. Victims are supposed to send an email to firstname.lastname@example.org for recovery directions.
WildFire Locker taken down
The Dutch National Hi-Tech Crime Unit (NHTCU) succeeded in terminating the operation of the cybercriminal ring responsible for distributing the WildFire Locker ransomware. By seizing the C2 servers that sustained this campaign, the law enforcement agency also obtained almost 6,000 private decryption keys. Courtesy of Kaspersky Lab and McAfee, these keys were used to contrive free decrypt tools for Windows users who had fallen victim to the WildFire Locker fraud since late June.
AUGUST 25, 2016
Fantom ransomware uses a rogue Windows update screen
Fantom ransomware uses the AES algorithm to scramble a victim’s files and then encrypts the 128-bit secret key with the asymmetric RSA cryptosystem. Files get the .fantom extension concatenated to them. This is yet another sample based on EDA2 open-source code by Utku Sen. Whereas this is a fairly commonplace tactic, it is accompanied by an offbeat routine where the data encoding process is veiled behind a bogus Windows update screen that looks realistic enough for users to fall for it. At the time of this writing, there is no way to decrypt .fantom files for free.
AUGUST 26, 2016
Domino ransomware disguised as an OS crack
Running an unofficial build of Windows or Microsoft Office can get people infected with crypto malware. In search of ways to activate the software, lots of users end up installing crack tools like KMSpico. Corrupted copies of this application are being leveraged by cybercrooks to furtively install Domino, one more ransomware program based on the educational Hidden Tear. The perpetrators demand 1 Bitcoin for data decryption.
Locky and Zepto devs enhance obfuscation of their code
One of the prevalent ransomware specimens dubbed Locky and its recent spinoff Zepto are now being distributed in a trickier way than before. Rather than leverage JS files as phishing email attachments, the malefactors have started using a DLL entity for this purpose. By dropping a rogue Rundll32 Windows host process, the infection is able to fly under the radar of antiviruses that typically don’t raise red flags on these types of executables.
Phishing involved in Smrss32 Ransomware circulation
When the crypto threat dubbed Smrss32 was discovered, the only known entry point for its attacks was hacking into computers over Remote Desktop services. It turned out, though, that the threat actors in charge also engage in social engineering to deposit the bad code onto systems. According to recent research, the ransomware operators are also using spam emails with booby-trapped executables attached to them. Most of these emails are disguised as U.S. election news.
Another DetoxCrypto spinoff discovered
Security experts detected a new variant of the above-mentioned DetoxCrypto ransomware. As per the name of the associated folder created on an infected machine, this version is dubbed Serpico. Based on the language of the interface, it primarily targets the Croatian and Serbian audience. Interestingly, Serpico does not scramble filenames, nor does it append any extensions to the encrypted data elements.
AUGUST 31, 2016
Cerber3 edition of notorious ransomware surfaces
The third iteration of the Cerber crypto threat closed the summer season for online extortionists. Changes made to the updated infection include the .cerber3 extension being appended to every mutilated file, as well as the # HELP DECRYPT #.html (.url, .txt) ransom instructions. The ransom amounts to 0.7 Bitcoins. A victim has a five-day deadline for paying it; otherwise, the amount will double. Unfortunately, this variant is still uncrackable.
One of the key takeaways from this review is that security researchers should think twice before releasing open-source code for proof-of-concept ransomware. The Hidden Tear and EDA2 projects demonstrate that such initiatives can be slippery slopes. As for preventing these nasty crypto assaults and mitigating the damage, the recommendations are invariable: refrain from opening fishy email attachments, keep antivirus software up to date, and maintain secure data backups.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.