Online extortionists closed 2016 with a spike in ransomware activity. The statistics for December were alarming: 32 new samples emerged and 33 existing strains got updated. The fact that security researchers released nine decryption tools is quite promising, but it is still a weak countervailing factor. The report below explores the ins and outs of the crypto threat landscape for December 2016.
DECEMBER 1, 2016
New Matrix ransomware leverages GnuPG cryptosystem
Researchers spotted a ransom Trojan called Matrix in the wild. It uses the open source GnuPG cryptosystem to deny access to one’s personal data. The sample leaves a ransom note named matrix-readme.rtf and instructs victims to contact the threat actors at firstname.lastname@example.org or email@example.com.
Decryption breakthrough by Avast
Security analysts at Avast developed free decryption tools for the following ransomware families: CrySiS, Globe, Alcatraz Locker, and NoobCrypt. Those who fell victim to one of these strains can download the appropriate decryptor on a dedicated web page.
DECEMBER 2, 2016
Alpha Locker ransomware for sale
Wannabe online extortionists can unleash their evil potential by purchasing a build of the Alpha Locker ransomware on darknet forums. This perpetrating program is written in C#. The payload is only 50 KB in size. The turnkey infection kit costs $65.
Ransomware author sends a secret message to a researcher
The creator of NMoreira ransom Trojan, also referred to as XPan, used an interesting tactic to leave a message for Emsisoft’s Fabian Wosar, a prominent security analyst who has cracked dozens of crypto threats. An individual calling himself NMoreira Core Dev embedded some text in the code of his latest extortion product. Here’s an interesting phrase from the message, “Hope you can break this, too.” Mr. Wosar commented on the occurrence this way, “At least they are polite idiots this time. Still idiots, though.”
New Phoenix ransomware on the table
While still in development, Phoenix crypto-malware has the potential to become a major security concern. It concatenates the .R.i.P extension to encrypted files and drops a decryption manual called Important!.txt.
DECEMBER 3, 2016
A fresh edition of PadCrypt surfaced. Other than the new 3.1.2 version name, this build features hardly any noteworthy tweaks.
DECEMBER 4, 2016
Russian ransomware maker apprehended
A 40-year-old cyber crook who goes by the handle Pornopoker got arrested by the Russian police at an airport near Moscow. The authorities charged this individual with developing and distributing an aggressive screen locker called Ransomlock.P, which impersonated law enforcement agencies of different countries to defraud victims out of money.
Emsisoft creates another free decryptor
Fabian Wosar, the above-mentioned researcher at Emsisoft, released an application that dencrypts files locked by the latest variant of Nemucod.
Apocalypse ransomware update
A new version of the Apocalypse ransom Trojan went live. It scrambles file names according to the following pattern: [original_filename].ID-*[random_8_chars + country_code][firstname.lastname@example.org].[random_7_chars].
New variant of the Globe ransomware
This one appends one’s encrypted files with the .lovewindows extension and tells victims to reach the attacker at email@example.com.
DECEMBER 5, 2016
Botnet-backed distribution of the Shade ransomware
The notorious botnet known as Kelihos was found to sustain the proliferation of Shade, or Troldesh, ransomware. The newest build of this offending program adds the .no_more_ransom extension to locked files.
Screen locker with crypto features
Researchers spotted a new screen locker that’s supposed to implement a data encryption routine. However, the early edition of this complex infection didn’t function correctly, with no actual crypto activity observed. A victim’s files get the .encrypted string appended to them. The ransom amounts to 0.3 Bitcoin.
Locky ransomware tweak
Another iteration of the infamous Locky ransomware is out. It features an Egyptian mythology theme, concatenating the .osiris extension to scrambled files. The ransom notes are named OSIRIS-[4_hexadecimal_chars].htm.
DECEMBER 6, 2016
The GoldenEye ransomware surfaces
This sample appears to be a successor of Petya, which was in active rotation as of late spring 2016. Just like its prototype, GoldenEye replaces a computer’s master boot record (MBR) with a rogue one and encrypts the master file table (MFT), thus preventing the victim from accessing the system altogether. As opposed to Petya, though, this strain encodes one’s important files before denying access to the OS.
DECEMBER 8, 2016
Cybercriminals come up with a cynical extortion scheme
The authors of a strain dubbed Popcorn Time urge their victims choose the lesser of two evils, so to speak. Those who are infected can get their files back by coughing up one Bitcoin, or they can get their decryption key for free. The latter route, though, presupposes that the user send a custom ransomware downloader to two more people and get them infected.
Another Jigsaw ransomware variant goes live
The updated threat displays a warning screen with the word HACKED in the center. It instructs victims to submit 0.25 Bitcoin within 24 hours. Otherwise, the ransom goes up to 0.35 Bitcoin. Fortunately, this one is decryptable for free, courtesy of Michael Gillespie (@demonslay335).
SamSam ransomware emerges
This crypto infection strain encrypts files with the .VforVendetta extension and drops a ransom note named 000-PLEASE-READ-WE-HELP.html.
One more spinoff of educational ransomware
Security analysts discovered a new ransomware strain based off of the controversial educational project called EDA2/Hidden Tear. While using the open source code as the core, the sample in question has significant code tweaks under the hood. Cyber crooks can buy the readily available infection on darknet sites.
DECEMBER 9, 2016
The CryptoWire POC abused
Threat actors took advantage of the new open-source CryptoWire ransomware to build real-world infections called Lomix and UltraLocker. The code of the proof-of-concept project under consideration was available on GitHub, so online crooks didn’t fail to abuse it and launch their own extortion campaigns.
UltraLocker distribution tactic revealed
The above-mentioned UltraLocker spinoff of the educational CryptoWire ransomware was found to spread via a spam wave involving booby-trapped .doc files.
Cyber SpLiTTer Vbs ransomware 2.0
This breed of file-encrypting malware is based on Hidden Tear, a proof of concept project by Turkish security enthusiast Utku Sen. The updated infection asks for 0.5 Bitcoin for data decryption. If a victim doesn’t pay up within a 76-hour deadline, the ransomware claims to delete all files beyond recovery.
The Locked-In ransomware is underway
The new strain in question uses the AES-256 symmetric cryptographic standard to lock one’s files. It leaves a ransom note named RESTORE_CORRUPTED_FILES.html. The deadline for decryption key buyout is 15 days.
DECEMBER 10, 2016
The ‘cartoonish’ CHIP ransomware
A fresh edition of the CHIP ransomware appends files with the .DALE extension and drops DALE_FILES.txt ransom notes. The updated list of email addresses to reach the attackers is as follows: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, and email@example.com.
Deadly_60 screen locker in rotation
Although the sample called Deadly_60 only locks one’s screen and doesn’t encrypt any personal data, it is quite a drag due to an obnoxious animation displayed in the background.
PadCrypt 3.1.5 goes live
Just like the previous edition of PadCrypt, this one doesn’t feature any conspicuous changes except for the 3.1.5 version indication.
M4N1F3STO screen locker
The new low-impact infection locks the screen rather than perform file encryption. It demands 0.3 Bitcoin to recover from the attack. Fortunately, researchers were able to figure out the unlock code.
DECEMBER 12, 2016
Samas cybercrime ring’s earnings leaked
Having analyzed the operations of the group behind the Samas ransomware, researchers at Palo Alto Networks calculated the syndicate’s revenue. The extortionists made more than $450,000 in 2016. The attacks mostly zero in on large organizations.
PayDay ransomware spotted
A new breed dubbed PayDay targets Windows computers with Portuguese language pack installed. It appends the .sexy extension to files and drops !!!!! ATENÇÃO!!!!!.html ransom notes. It is another Hidden Tear variant.
You Have Been Hacked!!! ransomware
The warning message displayed by this sample reads, “You Have Been Hacked!!!” It concatenates the .Locked extension to crippled files and also tries to steal victims’ login credentials for various online accounts. The size of the ransom is 0.25 Bitcoin.
Victims’ files are suffixed with the .kraken string, and file names get base64-encoded. The ransom notes are called _HELP_YOUR_FILES.html.
DECEMBER 13, 2016
Another screen locker released
CryptoMix ransomware update
The new edition of CryptoMix uses a long, complex extension to label all files that underwent encryption. Its format is as follows: .email[firstname.lastname@example.org]id[unique_victim_ID].lesli. The ransom notes are called INSTRUCTION RESTORE FILE.txt.
Locked-In ransomware cracked
Michael Gillespie (@demonslay335) creates a free decryptor for the Locked-In strain. The ransomware uses the .novalid file extension.
DECEMBER 14, 2016
New spam wave propping Cerber distribution
The operators of Cerber ransomware launched a new social engineering campaign. It revolves around rogue credit card reports sent over email. The misleading messages state that the recipients will be billed a certain amount of money and recommend them to open the attached Microsoft Word document to cancel the transaction. Once the file is loaded, macro scripts will complete the contamination part.
Xorist ransomware tweak
The latest edition of the Xorist ransom Trojan adds the .antihacker2017 extension to locked files and instructs victims to contact the attacker at email@example.com. Fortunately, Emsisoft’s Decrypter for Xorist can restore these files for free.
New Globe ransomware version is out
The most recent edition concatenates the firstname.lastname@example.org extension to encrypted data objects. The ransom amounts to 1.5 Bitcoin.
Screen locker called CIA Special Agent 767
This one is a M4N1F3STO ransomware spinoff that features a different lock screen design. It originally demanded $100 worth of Bitcoin, but the price increased to $250 in five days.
The new ransom notes are called “Help to decrypt.txt.” Victims are told to shoot an email to email@example.com for recovery steps.
Koolova ransomware being developed
Security analysts were able to get a copy of an in-development ransomware dubbed Koolova. The warning message is written in Italian. The infection provides a 48-hour deadline for payment. Otherwise, the ransom will increase.
DECEMBER 15, 2016
Achievements of the No More Ransom Project
The No More Ransom Project is a unique initiative that aggregates data on numerous ransomware families, facilitates analysis thereof, and provides victims with free decryption tools. As of mid-December, the project had brought on 34 new partners to combat the ransomware plague.
Distribution specificity of the BandarChor ransomware
This strain was found to propagate via contagious ads displayed on adult online resources and an e-commerce websites selling drones.
Meet Chris, another wannabe cybercriminal
Researchers got ahold of the code for an in-dev ransomware based on Hidden Tear. The lines of code contain the name “Chris” here and there, so that’s probably a new threat actor trying his hand at online extortion.
Cryptorium, a new ransomware on the loose
The sample under scrutiny is somewhat buggy as it simply renames its victims’ files rather than encrypt them. Cryptorium appends the .ENC extension to all affected data entries.
DECEMBER 16, 2016
A Globe ransomware lookalike surfaces
This unnamed specimen is a replica of the Globe ransomware. It concatenates the .crypt extension to every scrambled file and drops the HOW_OPEN_FILES.hta ransom note. Victims are told to reach out to the extortionists at firstname.lastname@example.org for instructions.
Changes made to the Cerber ransomware campaign
The operators of Cerber modified the set of IPs that are used for statistical purposes. The new ranges are as follows: 18.104.22.168/27, 22.214.171.124/27, and 126.96.36.199/23.
New Globe variant goes live
The only significant change in the updated build of Globe is the file extension format. Data items are now appended with the .email@example.comYAn548QZeUf.lock suffix.
DECEMBER 18, 2016
New Dharma spinoff appears
A fresh version of Dharma tells infected users to send an email to firstname.lastname@example.org for detailed data recovery steps.
CryptoBlock is on its way
Researchers discovered an in-dev strain called CryptoBlock. It utilizes an asymmetric RSA-2048 cryptographic algorithm and demands 0.3 Bitcoin for decryption.
DECEMBER 19, 2016
Evolution of Android banking malware
It turns out that some of the present-day Android banking Trojans accommodate device-locking features. Some samples may even encode users’ data.
RansomFree, a new solution preventing ransomware
Developed by the Cybereason security firm, the app called RansomFree thwarts ransomware attacks on different versions of Windows.
A new iteration of Apocalypse drops a TXT ransom note and instructs users to shoot an email to email@example.com for payment directions.
M4N1F3STO pest adds crypto to its arsenal
The “Jhon Woddy” version of the M4N1F3STO screen locker now comes equipped with a file encryption module, so it’s now double trouble. This sample masks its data encoding process with a fake Windows Update message within an old school application interface.
MNS CryptoLocker surfaces
This new strain uses RESTORE_YOUR_FILES.txt ransom notes and tells infected users to reach the crooks at firstname.lastname@example.org.
DECEMBER 20, 2016
Kaspersky’s tool handles CryptXXX
Kaspersky Lab updated their RannohDecryptor solution, which can now restore data locked by CryptXXX. In particular, the tool decrypts files with the .cryp1, .crypt and .crypz extensions.
New Samas version spotted
Also known as SamSam, this ransomware now subjoins .theworldisyours to enciphered files. The decryption manual is named CHECK-IT-HELP-FILES.html.
The Go language getting popular with cyber crooks
Researchers discovered a new ransomware specimen written in the Go programming language. It adds the .braincrypt extension to mutilated files and leaves a ransom note called “!!! HOW TO DECRYPT FILES !!!.txt”. The contact email address is email@example.com.
Indonesian users targeted by EnkripsiPC ransomware
EnkripsiPC, also referred to as IDRANSOMv3, derives the decryption key from the name of the infected computer. The circulation of this sample is localized to Indonesia. Michael Gillespie, a well-known security researcher, found a way to decrypt the files.
DECEMBER 21, 2016
The new Manifestus ransomware
This sample appears to be a variant of the M4N1F3STO pest, which locks the screen and encodes data. The parasite demands 0.2 Bitcoin for decryption.
ProposalCrypt, a new sample at large
This infection concatenates the .crypted extension to skewed files. The size of the ransom is 1 Bitcoin.
Padlock screen locker isn’t that dangerous
The Padlock malware displays a lock screen saying, “Your files have been deleted and your PC has been locked.” This is a bluff, though – it doesn’t actually erase anything. The unlock code is ajVr/G\RJz0R.
The warning window displayed by this sample says it was coded by a 13-year-old boy. Fortunately, Free-Freedom doesn’t do any crypto for real – it wreaks havoc with file permissions instead. Analysts were able to determine that the unlock code is ‘adam,’ which is probably the kid’s name.
DECEMBER 22, 2016
Cerber ransomware adopts a new tactic
As opposed to all the earlier variants, the latest edition of Cerber no longer deletes Shadow Copies of files. Furthermore, it skips quite a few directories that used to be targeted. The threat actors also chose to capitalize on locking Microsoft Office documents in the first place.
Winnix Cryptor details revealed
This strain appends files with the .wnx extension and creates YOUR FILES ARE ENCRYPTED!.txt ransom note. The attackers were found to access servers remotely and execute a batch file inside the targeted environment. The ransomware leverages GPG (GNU Privacy Guard) cryptosystem to encode data.
Cerber starts using new IP ranges
In order to get around blacklisting when obtaining accurate UDP statistics, Cerber now switches to using the following IP ranges: 188.8.131.52/23, 184.108.40.206/27, and 220.127.116.11/27.
The abominable Guster ransomware
The new Guster sample affixes the .locked extension to scrambled data entries and generates a very obnoxious warning screen featuring animation effects and audio.
Free-Freedom ransomware tweak
Unlike the original variant of the Free-Freedom infection, the newest one has been renamed “Roga.” It uses the .madebyadam file extension. As per the analysis of this sample, the decryption password is ‘adamdude9’.
DECEMBER 23, 2016
Koolova ransomware gets instructive
There is an interesting way for users infected with the fresh version of the Koolova ransomware to get their personal files back. The program decrypts data for free on condition that the victim reads a few articles on methods to avoid ransomware.
A CryptoLocker copycat discovered
The perpetrating program in question is camouflaged as CryptoLocker but actually doesn’t have much in common with its infamous prototype. The impostor uses the .cryptolocker extension to stain encoded files.
Cerber devs looking forward to Christmas
According to MalwareHunterTeam, some of the new domains used by the operators of the Cerber ransomware have the word “Christmas” in their URLs.
The enduring VenusLocker ransomware
Although the cyber parasite called VenusLocker seemed to have gone extinct for good, it reemerged in a new campaign. This ransomware asks for one Bitcoin and sets a 72-hour deadline for paying up.
Details of the Alphabet ransomware
The in-dev malady called Alphabet is supposed to combine screen-locking mechanisms and data encryption – at least, that’s what its warning screen says. However, the current version doesn’t encode files and provides the unlock code.
DECEMBER 24, 2016
GlobeImposter is a replica of the Globe ransomware, borrowing its prototype’s ransom notes, the extension being appended to files, as well as the general look and feel. It uses the .crypt string to label encrypted data entries and leaves a ransom note named HOW_OPEN_FILES.hta. Fortunately, Emsisoft’s Fabian Wosar was able to create a free decryptor for GlobeImposter.
DeriaLock ransomware hitting the headlines
The uniqueness of the new DeriaLock ransom Trojan is that its author can unlock all infected computers in a few keystrokes. That’s what the analysis of its code reveals. Having locked a victim’s screen, the program demands $30. Those infected are supposed to contact a specified Skype account for payment details.
Another Cerber update
Cerber ransomware makers released a new edition featuring an updated range of IP addresses for UDP statistics. Another change is that the ransom notes are now called _[random]_README.hta and _[random]_README.jpg.
DECEMBER 25, 2016
BadEncript authors should work on their spelling
The new sample called BadEncript concatenates the .bript extension to one’s locked files and drops the More.html ransom manual on the desktop. The quality of the ransomware name spelling, however, leaves a lot to be desired.
New extension used by the Jigsaw infection
Jigsaw ransomware operators updated their tool on Christmas day. The new iteration appends the .hush extension to encrypted objects while keeping the original file names intact.
Latest NMoreira variant defeated
Courtesy of Fabian Wosar, Windows users hit by the .maktub file extension version of NMoreira (XPan or XRatTeam) can get their files back for free. The tool called Emsisoft Decrypter for NMoreira can decrypt most file types scrambled by this offending program. Be advised the recovery process can be time-consuming, though.
DECEMBER 27, 2016
The comeback of ODCODC ransomware
Researchers spotted a fresh sample of the ODCODC ransom Trojan that creates HOW_TO_RESTORE_FILES.txt help file and scrambles file names according to the following pattern: C-email-[attacker’s_email_address]-[original_filename].odcodc.
DECEMBER 28, 2016
Ransomware on Smart TVs
An Android screen locker was discovered that targets LG Smart TVs. The infection displays a fake FBI warning and demands $500 for unlocking the compromised device.
New sample appending files with an email address
Another crypto ransomware surfaced that concatenates the -firstname.lastname@example.org string to one’s locked files and leaves “!!!.txt” ransom note.
DECEMBER 29, 2016
KillDisk virus starts exhibiting ransomware behavior
The new version of the malicious software called KillDisk has got extortion properties under the hood. Rather than simply erase its victims’ files, now it encrypts them and asks for a whopping ransom of 222 Bitcoin.
Ransomware disguised as popular security suites
Security analysts stumbled upon an instance of the GoldenEye disk-encrypting ransomware whose payload is camouflaged as ESET antivirus installer. Another sample called Stampado was found to arrive at PCs as a rogue AVG product.
Dharma ransomware opts for using HTA ransom manual
As part of the recent update, Dharma ransomware authors have adopted a new victim interaction principle where the ransom note is in HTA format. It is now called Info.hta.
DECEMBER 30, 2016
Samas ransomware tweak
The latest edition of the Samas, or SamSam, ransomware uses the .whereisyourfiles extension and WHERE-YOUR-FILES.html ransom note.
The open source ransomware issue dissected
An article published on MalwareTech explains on the ins and outs of proof-of-concept ransomware projects, emphasizing that they are more beneficial to cyber criminals than researchers.
The main takeaway remains the same: users and organizations are much better off having a plan B in ransomware attack scenarios than dealing with the aftermath of such compromises. The countermeasures should revolve around safe online practices and reliable data backups. Hopefully, 2017 is going to become a game changer in favor of the security industry when it comes to defeating ransomware.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.