
The year of 2017 isn’t shaping up to be a game changer in combatting ransomware so far. On the contrary, crypto infections are becoming increasingly toxic in terms of their impact and attack surface. Online extortionists keep hitting police departments, healthcare organizations, public libraries, schools, hotels, and unprotected servers around the globe.

The quantitative statistics for January are as follows: 37 new ransomware variants appeared, updates were released for 22 old samples, and security analysts created eight free decryptors.

JANUARY 1, 2017

Samas ransomware update

Researchers discover a new edition of the Samas, or SamSam, ransomware. The newcomer appends the .helpmeencedfiles extension to victims’ encoded data entries. The new ransom note is called HELP-ME-ENCED-FILES.html.

Globe ransomware migrates to C/C++

A growing trend with online extortionists revolves around experimenting with programming languages for their malicious code. A new Globe family spinoff, for instance, is compiled in C/C++. This sample concatenates the .locked string to affected files. The ransom amounts to 0.55 Bitcoin.

FirstRansomware featuring a scary warning screen

The computer threat landscape gets a replenishment. A fresh strain runs the firstransomware.exe process on an infected machine, hence its denomination. This one adds the .locked extension to mutilated files and leaves a ransom note called READ_IT.txt. The ransom Trojan generates a screen titled “Death Bitches” with skeletons depicted in it. Victims are supposed to submit 1.5 Bitcoin for decryption.

The Red Alert crypto virus surfaces

This specimen is a derivative of Hidden Tear, an open source proof-of-concept whose Turkish author Utku Sen had inconsiderately posted the code on GitHub. The crooks behind the Red Alert ransomware adjusted the original source code to their real-world extortion campaign. This is one of the multiple adverse use cases related to educational ransomware.

JANUARY 2, 2017

N-Splitter, another Hidden Tear spinoff

Unfortunately, the above-mentioned Hidden Tear POC ended up becoming a godsend for cyber racketeers. It turned into a foothold for creating N-Splitter, a ransomware strain which uses the Cyrillic string “.кибер разветвитель” as an extension for all scrambled files. The size of the ransom for data decryption is 0.5 BTC.

EDA2 isn’t as educational as intended

Researchers spotted a ransomware sample whose code is based on EDA2, another notorious proof-of-concept. Instead of demonstrating the modus operandi of file-encrypting ransomware to analysts, though, this project gave rise to several real-world infections. The new offending program concatenates the .L0CKED extension to skewed filenames and drops a DecryptFile.txt recovery how-to note.

Koolova ransomware lineage expands

The Koolova family of crypto threats gets a new member called Cyber Hub. It appears to be a replica of N-Splitter, displaying an almost identical warning screen and using the same Cyrillic extension for encrypted files.

JANUARY 3, 2017

Criminals taking MongoDB databases hostage

A threat actor who goes by the alias Harak1r1 has been compromising poorly protected MongoDB servers around the globe. The malefactor hijacks database content and replaces it with a ransom demand. Victims are instructed to pay 0.2 BTC (about $200) for recovery. Obviously, server owners should apply software patches as soon as they are rolled out.

FSociety ransomware on the rise

There is an increasing number of ransomware samples that display a ransom screen featuring the FSociety logo from the Mr. Robot TV series. The latest perpetrating program is crafted quite professionally and explicates its demands in Portuguese.

JANUARY 4, 2017

Merry X-Mas ransomware is underway

A new file-encrypting strain displays a warning window titled Merry X-Mas. Its first edition appends the .MRCR1, .PEGS1, or .RARE1 extension to encrypted files and creates a ransom note named YOUR_FILES_ARE_DEAD.hta.

Pseudo-Darkleech cybercrime group banking on ransomware distribution

The notorious malware deployment network dubbed pseudo-Darkleech has been reportedly involved in multiple ransomware campaigns during 2016. The primary distribution methods include booby-trapped spam and exploit kits.

Globe ransomware version 3 cracked

Fabian Wosar, a well-known security analyst working for Emsisoft, succeeds in finding a workaround to decrypt files locked down by the third iteration of the Globe ransomware. The automatic decryptor restores files appended with the .decrypt2017 or .hnumkhotep extension.

FireCrypt infection goes equipped with a DDoS feature

This crypto malware concatenates the .firecrypt extension to filenames and leaves a ransom manual named [random]-READ_ME.html. In addition to encoding a victim’s data, it also deploys a fairly weak DDoS attack targeting a hard-coded URL.

CryptoMix details unveiled

Analysts working on the CERT Polska team publish a comprehensive report dissecting the CryptoMix/CryptFile2 ransomware campaign.

JANUARY 5, 2017

A Californian legislation breakthrough

A law passed in the state of California identifies the use of ransomware as a standalone felony. This will facilitate the prosecution of ransomware distributors because the investigation of these cases no longer needs to revolve around money laundering charges.

KillDisk malware now goes with extortion features

The KillDisk infection isn’t a new one. Cybercriminals originally created it as an instrument to disrupt the activity of targeted organizations as it would simply erase data in a haphazard fashion. The new variant, however, has a different impact. It zeroes in on Linux systems, encrypts important files, and demands a big ransom for decryption. The amount may reach hundreds of Bitcoins.

iLock ransomware update

A brand-new version of the iLock ransom Trojan drops a recovery how-to called WARNING OPEN-ME.txt and provides a live chat option to reach the attackers. Communication with the C2 server can only be established via The Onion Router tool.

SkyName strain spotted

This one is an umpteenth derivative of educational Hidden Tear. It targets Czech users and demands 1000 Koruna ($40) for decryption.

New Depsex ransomware

The Depsex infection is also referred to as MafiaWare because it uses the .Locked-by-Mafia file extension. The ransom note is called READ_ME.txt. It is one more spinoff of the controversial Hidden Tear project.

JANUARY 6, 2017

Ransomware wreaking havoc with victim’s desktop

An interesting sample has been discovered that crams up the desktop of an infected system with numerous shortcuts pointing to ransomware payloads. The author of this virus who goes by the handle L0NEw0lf dubbed his infection the BatzBack.HDFill.

Hidden Tear proof-of-concept abused again

Researchers spot a new ransom Trojan whose developers borrowed the code from Hidden Tear, a questionably useful educational ransomware. The real-world sample in question concatenates the .locked extension to files and leaves a README.txt ransom note.

JANUARY 7, 2017

Ocelot ransomware tries to teach users a lesson

Fortunately, this program is instructive rather than harmful. It does attack computers but simply displays a screen saying, “This could have been real.” As a bonus, the pseudo warning window provides several helpful links to download security software.

The number of infected MongoDB databases skyrockets

More than 10,000 MongoDB servers are being held for ransom worldwide. This amounts to a quarter of all online-accessible MongoDB databases.

A social engineering campaign targets UK schools

Threat actors have been cold-calling staff at different schools across the United Kingdom. The crooks’ goal is to dupe employees into installing ransomware.

CryptoRansomware, a new in-dev sample

Researchers discover another ransom Trojan prepping for real-world proliferation. Its warning window is full of curse words and has spelling errors.

VBRansom version 7 isn’t run-of-the-mill

The specificity of the offending program called VBRansom 7 is that it’s written in Visual Basic .NET programming language. It appends the .VBRANSOM string to files. The deadline for paying up is one day.

JANUARY 9, 2017

The MongoDB issue gets worse

Members of an infamous cybercrime ring known as Kraken end up trying their hand at hijacking MongoDB databases, which turned out to be low-hanging fruit for attackers. The number of infected servers went up from 10,500 to about 28,000 in a couple of days.

Ransomeer contagion being created

This sample is a replica of the Dumb ransomware, as its authors denominated it. Ransomeer demands 0.3169 BTC and provides victims with a 48-hour payment deadline.

Merry X-Mas ransomware evolves into a bigger threat

An update of the Merry X-Mas crypto malady brought about some adverse enhancements. Along with affecting victims’ important data, the new edition also executes malware called DiamondFox. The opportunistic infection harvests users’ personal information, including passwords and sensitive documents.

Evil Ransomware surfaces

Written in JavaScript, this one uses the .file0cked extension to label affected data entries. Its ransom manual provides a victim’s unique ID and instructs them to send this string to for further recovery steps.

JANUARY 10, 2017

Cerber ransomware tweak

The authors of the Cerber plague release an updated variant that leaves ransom notes called _HELP_DECRYPT_[random_chars]_.hta/jpg.

A college in LA falls victim to ransomware

An unidentified strain of ransomware attacks the Los Angeles Valley College, impacting email servers and other critical components of the IT infrastructure. In the long run, the college district paid $28,000 worth of Bitcoins, which is one of the biggest reported ransoms among organizations hit by crypto viruses.

Spora ransomware discovered

The first edition of the Spora ransomware propagates in Russia and a few more former Soviet states. However, its high sophistication level is a giveaway suggesting that the proliferation geography is going to expand. Spora uses strong encryption algorithms flawlessly, so there is no way to decrypt hostage data for free. Furthermore, it functions offline and boasts a payment site that looks just as professional as dashboards for top-notch affiliate platforms.

JANUARY 11, 2017

Criminals selling script for compromising MongoDB

The Kraken cybercrime syndicate offers wannabe online malefactors the ability to purchase the MongoDB ransomware C# source code for $200.

JANUARY 12, 2017

Merry X-Mas ransomware encryption defeated

The Emsisoft security firm releases an automatic free decryptor that restores .MRCR1, .PEGS1, .RARE1, and .RMCM1 files locked by the Merry X-Mas ransomware.

Marlboro ransomware launched and cracked, all within 24 hours

Security analysts spot a new sample in the wild called the Marlboro ransomware, which uses the XOR encryption algorithm, appends the .oops extension to enciphered files, and drops a _HELP_Recover_Files_.html ransom note. Thankfully, Emsisoft’s Fabian Wosar creates an effective decryption tool less than a day after the infection was discovered.

JANUARY 13, 2017

Server attackers switch from MongoDB to ElasticSearch

As the MongoDB hijacking campaign suffered a decline, the same ne’er-do-wells shifted their focus over to ElasticSearch servers. The size of the ransom to recover an affected database is 0.2 BTC.

ODCODC ransomware decryptor updated

A new edition of the automatic decryptor has been released that supports the newest variant of the ODCODC ransom Trojan. Thumbs up to the efforts of the researcher nicknamed BloodDolly.

A buggy Kaandsona infection

Also referred to as RansomTroll, this one uses the .kencf string to stain affected files. At this point, though, the ransomware fails to complete the encryption job.

Cerber’s C2 server breached

Analysts find a loophole in the security of a server involved in Cerber ransomware campaign. This flaw allows them to access logs related to infection statistics, including victim’s location details and IP addresses. According to the leaked information, most victims are in Europe and the United States.

JANUARY 14, 2017

New Samas version starts circulating

The updated threat appends the .powerfulldecrypt extension to files and creates a ransom help file named WE-MUST-DEC-FILES.html.

JANUARY 15, 2017

CryptoSearch tool that helps ransomware victims

The gist of the CryptoSearch application is to facilitate ransomware troubleshooting rather than decrypt data. It identifies files affected by crypto malware on a computer and allows the victim to back them up to a separate location. This way, users can preserve the scrambled items so that they can be decrypted later on when an appropriate tool is available.

JANUARY 17, 2017

Drastic decline of the Locky ransomware campaign

Some good news hits the headlines regarding Locky, one of last year’s most widespread crypto infections. Its distribution reportedly dropped by 81% during Christmas and New Year holidays.

Cerber ransomware fine-tuned again

This time, the makers of Cerber have introduced a new set of ransom notes called _HELP_HELP_HELP_[random].hta and _HELP_HELP_HELP_[random].jpg. The campaign also engages new IP ranges for UDP stats, namely,, and

Spora ransomware takes over Cerber in a way

According to some reports, part of the well-orchestrated online infrastructure previously used for distributing Cerber is now delivering Spora ransomware payloads. This fact suggests that the two campaigns are interrelated.

JANUARY 18, 2017

Online extortionists get cynical to the bone

The cancer services agency Little Red Door of East Central Indiana undergoes a cyber attack. An anonymous hacker nicknamed The Dark Overlord claims to have stolen the organization’s records and erased data on its server, and demands a ransom of 50 Bitcoin (about $49,000) for not disclosing this fact to the public.

Here comes another Samas version

The updated Samas/SamSam strain adds the .noproblemwedecfiles string to encoded files and creates a recovery manual named 000-No-PROBLEM-WE-DEC-FILES.html.

More server types exposed to ransomware

Following the notorious incidents where MongoDB and ElasticSearch databases were hacked and held for ransom, cybercrooks started targeting unprotected CouchDB and Hadoop servers as well.

The Spora plague acting like a worm

Security experts raise red flags on a unique contamination vector leveraged by the relatively new Spora ransomware. This perpetrating program can be executed on computers through the use of .LNK files that look like regular Windows shortcuts. Once an unsuspecting user opens one of these booby-trapped files, an obfuscated malicious code will fire the crypto ransomware process.

Merry X-Mas ransomware decryptor updated

Owing to another tweak of the MRCR decryptor by Emsisoft, Merry X-Mas ransomware victims whose files are appended with the .merry extension can restore these scrambled items for free.

Close ties between Locky and the Necurs botnet

According to Cisco Talos, a recent sharp decrease in the number of Locky ransomware infections is an outcome of current inactivity of the botnet called Necurs. The volume of Locky spam dropped dramatically once Necurs went offline during winter holidays.

Ransomware sample targeting Brazilian users

A new strain has the potential to become a scourge to Windows users in Brazil. It uses the .id-[victim_ID] file extension and a HOW_OPEN_FILES.html ransom note.

JANUARY 19, 2017

Cerber ransom notes change again

The updated Cerber ransomware uses a new combo of files providing a walkthrough for data decryption. These are _HOW_TO_DECRYPT_[random]_.hta/jpg.

New Russian Android ransomware is quite a nuisance

This malicious app locks an Android device’s screen rather than encrypting anything. It persistently displays a screen demanding a ransom of 545,000 rubles, which is the equivalent of about $9,100. This sample’s payload lurks inside legit-looking applications and obtains admin privileges on a targeted gadget.

Onset of the Satan RaaS

Experts discover a brand-new Ransomware as a Service platform propping up the activity of the crypto infection called Satan. The Tor-based online resource allows anyone interested to generate their personalized variant of the Satan ransomware. The offending program concatenates the .stn string to scrambled files and leaves a ransom note named HELP_DECRYPT_FILES.html.

New Turkish ransomware in development

Analysts stumble upon a fairly raw file-encrypting virus sample configured to target Turkish users. It stains encrypted files with the .sifreli extension.

Yet another Hidden Tear based threat goes live

The strain called CryptoShadow is one more spinoff of the open-source educational Hidden Tear ransomware. It uses the .doomed file extension and drops a decryption how-to document named LEER_INMEDIATAMENTE.txt.

JANUARY 20, 2017

Saint Louis public libraries under attack

Ransomware compromises the computer network of the Saint Louis Public Library. The hack disrupted the operation of the organization’s 16 branches, paralyzing book checkouts and public Internet access. The sleazeballs behind the attack demand $35,000 for recovery.

GlobeImposter ransomware is no longer an issue

Emsisoft researcher Fabian Wosar succeeds in defeating the encryption used by a Globe ransomware copycat called GlobeImposter. This strain uses the .crypt extension and a HOW_OPEN_FILES.hta recovery manual.

DNRansomware appears in the wild

The new DNRansomware claims to utilize the Rijndael block cipher to lock down victims’ files. It concatenates the .f..ked extension to encrypted data entries. Having reverse engineered this sample, IT experts found that the unlock code is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.

“Jhon Woddy” ransomware tweak

This specimen has a common codebase with the above DNRansomware. It adds the .killedXXX string to mutilated files. The size of the ransom is 0.1 Bitcoin, and the deadline for submitting it is five days.

JANUARY 21, 2017

CloudSword, another emerging threat

This perpetrating entity wrongfully states that it has blocked a victim’s important files because of violation of the Digital Millennium Copyright Act. That’s nothing but a bluff, of course. CloudSword drops a ransom note called Warning??.html.

JANUARY 22, 2017

Apocalypse ransomware update

The Apocalypse strain, also known as Al-Namrood, switches to using a new email address for communication with victims. No other noteworthy changes have been made during this update.

JANUARY 23, 2017

Sage 2.0 distribution gaining momentum

This is a new cyber malady that proliferates via a massive spam wave. According to in-depth research of this campaign, the felons at the helm of Sage 2.0 have also been involved in spreading such notorious strains as Locky and Cerber. This fact is particularly unsettling because it suggests a likely large-scale propagation of the pest in the near future.

Samas devs keep coining updates

Yet another variant of the Samas ransomware appends the ironic .weareyourfriends extension to files and leaves a ransom note named TRY-READ-ME-TO-DEC.html on an infected machine.

Jigsaw ransomware undergoes a modification

The Jigsaw strain authors hadn’t released new versions for quite a while. The fresh sample labels every encoded file with the .paytounlock extension.

A minor change made to CryptoMix

The latest edition of CryptoMix ransomware renames victims’ files according to the following pattern: [original_filename].email[email_address]_id[victim_ID].rdmk. The ransom how-to is still called INSTRUCTION RESTORE FILE.txt.
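The CryptoMix rename pattern above, together with the CryptoSearch idea from January 15 (find the scrambled files and preserve them until a decryptor exists), as an added Python example that is not CryptoSearch's or any vendor's code: it classifies files by the extensions, the CryptoMix rename pattern and the ransom-note names catalogued on this page, copies the encrypted ones into a vault and writes a SHA-256 manifest. The extension-to-family mapping, the glob list and the sample directory tree are constructed for this demo and are assumptions, not an authoritative indicator feed.

```python
import fnmatch
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Extension -> family: an assumed, representative subset of this page's January entries.
# Shared extensions such as .locked and .crypt are left out: too many families use them.
EXTENSION_FAMILIES = {
    ".helpmeencedfiles": "Samas", ".powerfulldecrypt": "Samas",
    ".noproblemwedecfiles": "Samas", ".weareyourfriends": "Samas",
    ".mrcr1": "Merry X-Mas", ".pegs1": "Merry X-Mas", ".rare1": "Merry X-Mas",
    ".rmcm1": "Merry X-Mas", ".merry": "Merry X-Mas", ".firecrypt": "FireCrypt",
    ".oops": "Marlboro", ".stn": "Satan", ".potato": "Potato", ".gefickt": "Jigsaw",
}
# CryptoMix: [original_filename].email[email_address]_id[victim_ID].rdmk (no "_" in address)
CRYPTOMIX_RE = re.compile(
    r"^(?P<original>.+)\.email(?P<email>[^_]+)_id(?P<victim_id>[^.]+)\.rdmk$")
# Ransom-note names quoted on the page; a "[random]" part becomes a "*" wildcard.
RANSOM_NOTE_GLOBS = {
    "_HELP_DECRYPT_*_.hta": "Cerber", "_HELP_HELP_HELP_*.hta": "Cerber",
    "_HOW_TO_DECRYPT_*_.hta": "Cerber", "YOUR_FILES_ARE_DEAD.hta": "Merry X-Mas",
    "MERRY_I_LOVE_YOU_BRUCE.hta": "Merry X-Mas", "HELP-ME-ENCED-FILES.html": "Samas",
    "WE-MUST-DEC-FILES.html": "Samas", "TRY-READ-ME-TO-DEC.html": "Samas",
    "*-READ_ME.html": "FireCrypt", "_HELP_Recover_Files_.html": "Marlboro",
    "INSTRUCTION RESTORE FILE.txt": "CryptoMix",
}


def classify(path: Path):
    """Return (kind, family, details) for one file, or None if it looks untouched."""
    m = CRYPTOMIX_RE.match(path.name)
    if m:
        return ("encrypted", "CryptoMix", m.groupdict())
    family = EXTENSION_FAMILIES.get(path.suffix.lower())
    if family:
        return ("encrypted", family, {"original": path.stem})
    for pattern, family in RANSOM_NOTE_GLOBS.items():
        if fnmatch.fnmatchcase(path.name, pattern):
            return ("ransom_note", family, {})
    return None


def preserve(root: Path, vault: Path) -> dict:
    """Copy (never move) encrypted files under root into vault and write a hash manifest."""
    vault.mkdir(parents=True, exist_ok=True)
    manifest = {"encrypted": [], "ransom_notes": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict = classify(path)
        if verdict is None or vault in path.parents:  # clean file, or our own output
            continue
        kind, family, details = verdict
        rel = path.relative_to(root).as_posix()
        if kind == "encrypted":
            (vault / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, vault / rel)
            manifest["encrypted"].append({"path": rel, "family": family,
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(), **details})
        else:
            manifest["ransom_notes"].append({"path": rel, "family": family})
    (vault / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def build_sample_tree(root: Path) -> None:
    """Write a small constructed tree that imitates a hit machine (demo data only)."""
    files = {
        "docs/budget.xlsx.helpmeencedfiles": b"ciphertext-1",
        "docs/HELP-ME-ENCED-FILES.html": b"<html>pay</html>",
        "pics/holiday.jpg.MRCR1": b"ciphertext-2",
        "work/plan.docx.emailvictim@example.com_idABC123.rdmk": b"ciphertext-3",
        "work/_HELP_DECRYPT_x7Qz_.hta": b"note",
        "work/untouched.txt": b"plain text",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def demo():  # run the whole flow on the constructed tree in a fresh temp dir
    root = Path(tempfile.mkdtemp()) / "victim"
    build_sample_tree(root)
    return preserve(root, root.parent / "vault"), root.parent / "vault"
```

Run `demo()` to see the manifest; on a real machine call `preserve(Path("C:/"), Path("E:/vault"))` against a copy of the disk, not the live system, and review any generic-extension hits by hand.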

JANUARY 24, 2017

Spora ransomware goes international

Whereas Spora used to propagate only in Russia and a few neighboring countries, its reach broadens considerably. The plague is now ubiquitous across the globe.

RussianRoulette ransomware spotted

This one is a derivative of the Philadelphia ransomware, which has been around since early September 2016. The RussianRoulette sample demands 0.3 BTC for decryption.

The vxLock ransomware is nothing out of the ordinary

The name stems from the .vxLock extension being affixed to every scrambled file. The antivirus detection rate is very low across the board.

JANUARY 25, 2017

Android ransomware called Charger

The Charger lineage of Android malware is reaching devices via an intricate tactic. It is camouflaged as a battery optimization applet called EnergyRescue. When installed, this app pilfers a victim’s text messages and contacts, subsequently locking the infected gadget. What’s interesting is that users could download EnergyRescue from the official Google Play Store for a while. The ransomware discontinues the attack if it discovers that the device is located in Ukraine, Belarus, or Russia.

A clever security move by Gmail

Google’s Gmail service is going to start blocking attachments in JS format for security reasons as of February 13. This is reasonable, given the influx of ransomware attacks harnessing JavaScript files to infect email recipients’ machines.

Samas ransomware is more prolific than ever

Researchers discover one more iteration of the Samas, or SamSam, ransomware. It uses the .otherinformation suffix to brand affected files. The new name of the ransom note is 000-IF-YOU-WANT-DEC-FILES.html.

Potato ransomware, a new sample on the table

The file extension used by this new strain is .potato, and the ransom help files are README.png and README.html. The vegetable theme is something new in this domain of cybercrime. The threat actors are either running out of creativity or trying to be funny.

JANUARY 26, 2017

Another police department suffers a ransomware compromise

Ironically enough, law enforcement agencies aren’t bulletproof against crypto malware at all. The Cockrell Hill police department in Texas fell victim to file-encrypting ransomware, losing a huge amount of evidence and invaluable records. The strain to blame for this incident is the latest OSIRIS variant of Locky.

CryptConsole messes with filenames only

The sample called CryptConsole simply jumbles filenames and does not encrypt files themselves. It prepends distorted filenames with one of the following email address strings: or The ransom note is called “How decrypt files.hta.”

Infamous VirLocker in the wild again

After a while of inactivity, the VirLocker ransomware reappears as an advanced crypto menace. It encrypts a victim’s sensitive files and repackages them as EXEs, which is an uncommon routine for ransom Trojans. However, analysts discover that the current variant can be decrypted by entering a string of 64 zeros in the Transfer ID field on the VirLocker screen.

Merry X-Mas ransomware on the rise

The Merry X-Mas, or MRCR1, crypto baddie shows a rapid increase in distribution. Apparently, a new massive propagation campaign is underway.

CryptConsole decrypted

Researcher Michael Gillespie, also known in IT security circles as @demonslay335, creates a free decryptor for the relatively new CryptConsole ransomware described above.

JANUARY 27, 2017

MRCR decryptor updated

Emsisoft decryptor for the Merry X-Mas ransomware undergoes some fine-tuning in response to the emergence of a new variant of the infection. The latest supported edition creates a ransom note named MERRY_I_LOVE_YOU_BRUCE.hta.

Jigsaw ransomware update

A new edition concatenates the string to scrambled files, thus indicating contact details to reach the attacker and negotiate the terms of decryption. The automatic Jigsaw decryption tool can handle this version.

JANUARY 28, 2017

The Hitler ransomware refined

This bizarre strain is several months old, but it’s not until now that its final variant went live. At least, that’s what its dictator-themed warning screen says, “You’re infected with the FINAL version of Hitler Ransomware!”

RansomPlus sample spotted

The new RansomPlus contagion uses the .encrypted extension to blemish encrypted files and leaves a YOUR_FILES_ARE_ENCRYPTED!!!.txt ransom note. It instructs victims to send an email to for recovery steps.

JANUARY 29, 2017

Austrian hotel falls victim to ransomware

Romantic Seehotel Jaegerwirt, a popular 111-year-old Austrian hotel, suffers the consequences of a ransomware attack. The worst part is that the threat actors paralyzed the digital key lock system, asking for 1,500 EUR worth of Bitcoins to restore the affected services.

New XCrypt targets Russian-speaking users

The specificity of the fresh XCrypt ransom Trojan is that its ransom note Xhelp.jpg contains Cyrillic text. Another offbeat property of this strain is that it instructs victims to use the ICQ instant messaging client to contact the attacker.

JANUARY 30, 2017

Ransomware distributors’ revenge

Shortly after the Emsisoft security firm released an updated variant of the MRCR (Merry X-Mas) ransomware decryptor, their website underwent a massive DDoS attack. The predicament lasted for eight hours, taking the company’s site down. Another security software vendor, Dr.Web, was hit around the same time.

Sage 2.0 campaign dissected

Analysts from the Swiss CERT (Computer Emergency Response Team) publish a report on the sophisticated Sage 2.0 ransomware. In particular, the research provides insight into the infection’s implementation of asymmetric cryptography and its use of an IP Generation Algorithm.

New Zyka sample spotted

This ransomware uses AES-1024 crypto algorithm, concatenates the .locked extension to encoded files, and demands $170 worth of Bitcoins.

JANUARY 31, 2017

The intricate Netix ransomware

The uniqueness of this strain revolves around the fact that it impersonates an application called Netflix Login Generator v1.1, which allegedly provides access to compromised Netflix accounts. Meanwhile, though, the offending code encrypts the user’s data in the background and asks for $100 for decryption.

Rogue Chrome popups link to Spora plague

Security experts discover an interesting campaign where deceptive popups in Google Chrome point to a pseudo font pack update for the browser. This booby-trapped file ends up executing the Spora ransomware on a computer.

CryptoShield 1.0 features high-profile distribution

This spinoff of the CryptoMix ransomware arrives at computers via the RIG exploit kit. Before a would-be victim hits the exploit kit’s page, their traffic is forcibly redirected by malicious JavaScript code called EITest, which resides on malicious or compromised websites.

Another day, another Jigsaw update

A new specimen in the Jigsaw ransomware lineage adds the .gefickt suffix to scrambled files. Fortunately, it is decryptable for free.

New variant of Evil-JS surfaces

Another offspring of the Evil-JS ransom Trojan uses the .evillock file extension and provides a three-day deadline to submit the ransom of 0.3 BTC.

Locky Bart ransomware details revealed

Malwarebytes experts manage to access the backend server of the Locky Bart infection. They provide all their findings in a must-read blog post.


A number of disconcerting trends took root last month. Android ransomware is becoming increasingly popular in the cybercriminal circles. The new Spora infection outperforms most of its file-encrypting counterparts in terms of propagation efficiency and cryptography implementation. Extortionists are heavily targeting MongoDB, ElasticSearch, CouchDB, and Hadoop databases. Compared to these tendencies, the considerable downturn in the infamous Locky ransomware campaign looks like cold comfort.

With the abundance of different strains floating around the Internet, the precautions are timeless and invariable. End users and organizations should maintain backups, use effective security software, and treat spam as a potential means for contamination rather than simply a nuisance.

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.