Ransomware authors kept trying to break new ground with their attacks last month, just like they did in October. One of the cybercriminal rings blatantly compromised San Francisco Municipal Transit Agency, demonstrating that critical infrastructure isn’t much of a moving target. Also, a slew of low-impact screen lockers and .NET-based ransomware surfaced. Peruse this report for November to learn more.
NOVEMBER 1, 2016
Cerber now brings the version number out in the open
As part of a new update, Cerber ransomware has started to indicate its version number on the warning wallpaper that replaces the victim’s original one. This change applies to Cerber v4.1.0 and onward. The ransom note is still called Readme.hta.
NOVEMBER 3, 2016
The low-impact Smash ransomware
The infection displays a window with a funny image of Super Mushroom from the Super Mario game. As opposed to its prototype, this character holds a knife in this case, so it doesn’t look as cute. Fortunately, there is a great deal of bluff about the Smash ransomware. It simply locks the screen and doesn’t actually encrypt or delete anything.
DummyEncrypter, aka DummyLocker
Some ransomware programs lock one’s screen. Some encrypt data. The hybrid sample called DummyEncrypter, or DummyLocker, does both. It leverages the AES-256 cryptographic standard to scramble files and appends them with the .dCrypt extension. The payload is disguised as the CCleaner installer.
The hateful zScreenLocker ransomware
This one encrypts its victim’s files and displays a “Ban Islam” message in the desktop background of an infected computer. The unlock password is fairly weak, so it can be brute-forced.
EncryptoJJS isn’t as bad as it appears
The new ransomware specimen called EncryptoJJS appends the .enc extension to every encrypted file and leaves the “How to recover.enc.txt” ransom note. It’s not very professionally designed, hence potentially decryptable.
NOVEMBER 4, 2016
The old school look and feel of PayDOS
The PayDOS sample displays its warning message and ransom demands within the command prompt window. It requests 0.33 Bitcoin for decryption. Strangely enough, it instructs victims to reach the attacker via a nonexistent email address – firstname.lastname@example.org. Looks like an in-development ransomware.
Nothing special about the Gremit Ransomware
The strain appears to be buggy as it only encodes data inside one predefined directory that may even be missing on a contaminated machine. If the encryption is successful, it appends files with the .rnsmwr extension.
RSA dissects new Cerber ransomware editions
Experts at RSA publish an article titled “The Evolution of Cerber… v4.1.x”, with a detailed analysis of the recent Cerber iterations that display the version number on the desktop wallpaper. The research touches upon the proliferation vectors and the ransomware’s Command and Control infrastructure.
NOVEMBER 5, 2016
Fortunately, a new perpetrating program called CLock doesn’t actually implement cryptography. All it does is intimidate victims with a red screen that asks for 20 USD payable through PayPal. The attacker’s email address indicated on the alert window is email@example.com.
NOVEMBER 7, 2016
Cerber ransomware v4.1.4 is underway
The distribution channel exploited by this variant of Cerber involves emails pretending to deliver invoices. The attached ZIP files contain Microsoft Word documents that display a rogue macros activation popup when opened.
NoobCrypt featuring buggy obfuscation
The new edition of NoobCrypt relies on an evaluation build of an obfuscator that has been non-functional since October 5, 2016. Luckily, files can be decrypted with an arbitrary unlock key.
The emergence of a Cerber copycat
A sample impersonating the Cerber ransomware was discovered. Dubbed CerberTear, this one is based on the open-source code of Hidden Tear, a notorious educational project that gave rise to numerous real-world ransom Trojans.
Jigsaw Ransomware variant targeting French users
Security analyst Michael Gillespie (@demonslay335) spotted a new edition of the Jigsaw Ransomware that leaves a ransom note in French. The infection concatenates the .encrypted extension to locked entries. Due to a flaw in the crypto, files can be decrypted for free.
NOVEMBER 8, 2016
FSociety ransomware claiming to use RSA-4096 crypto
The code of the FSociety ransomware is based on another strain called RemindMe, which has been in rotation since April 2016. The infection uses the .dll extension to label all encrypted files and drops ransom notes called Decrypt_Your_Files.html.
Ransomware disguised as a PaySafeCard generator
This sample definitely stands out from the crowd because it pretends to be a PaySafeCard PIN code generator. While an unsuspecting victim is busy trying to generate their code, the ransomware encrypts data behind the scenes. It prepends the original file extensions with the “.cry_” string. This infection can render the system unstable as it encrypts executables along with personal files.
New AiraCrop ransomware on the table
The name stems from the ._AiraCropEncrypted extension being added to encrypted objects. The ransomware leaves the “How to decrypt your files.txt” manual that provides victims with a recovery avenue. A Brazilian cybercriminal ring called TeamXRat is the one presumably responsible for distributing this sample.
The iRansom pest for sale
Wannabe online extortionists can purchase a readily available ransom Trojan called iRansom on darknet resources. This turnkey infection concatenates the .Locked extension to crippled files, demands a rather low ransom of about 0.15 BTC, and instructs victims to shoot an email to firstname.lastname@example.org afterward.
NOVEMBER 9, 2016
Experimental PHP ransomware called Heimdall
A programmer from Brazil created open-source PHP-based ransomware that targets web servers. Dubbed Heimdall, this proof-of-concept code is available on the author’s GitHub page. Hopefully, the outcome of this project won’t be similar to that of EDA2 and Hidden Tear POCs, which spawned actual threats propagating in the wild.
Telecrypt ransomware targeting Russian users
This offending program uses the Telegram API to interact with its Command and Control servers. The interface is in Russian. It demands a ransom of 5,000 Rubles (about 80 USD), which is payable via QIWI Wallet or Yandex.Money.
The “Kolobok” fairy tale themed ransomware
Researchers discovered another ransom Trojan that zeroes in on Russian victims. It features a colorful desktop background based on the “Kolobok” fairy tale, which is popular in the countries of Eastern Europe. Fortunately, this almost cute sample is no longer in the real-world rotation.
NOVEMBER 10, 2016
Rogue bank fraud alerts spreading Locky
NOVEMBER 14, 2016
The fall of the CrySiS ransomware
The developer of the CrySiS ransom Trojan joins a support thread at Bleeping Computer forums and provides a Pastebin link to a page with Master Decryption Keys for their infection. Whatever the threat actor’s motivation was, he made it possible for CrySiS victims to restore their data. Kaspersky Lab updated their RakhniDecryptor tool to support the ransomware. Therefore, everyone infected can use the app to decrypt hostage files for free.
Karma ransomware mimicking a system optimizer
This new sample pretends to be a performance optimization utility called Windows-TuneUp. Rather than enhance system productivity, though, Karma ransomware encrypts files using the AES standard, appends them with the .karma extension, and leaves # DECRYPT MY FILES #.html/txt ransom notes. The rogue optimizer propagates via a pay-per-install scheme and freeware bundling.
PadCrypt 3.0 added an affiliate platform
The cybercrooks behind the PadCrypt ransomware launch an affiliate system. It allows interested parties to distribute version 3.0 of the infection and share their revenue with the developers.
The Angela Merkel ransomware
One of the ransomware deployment rings decided to play politics, creating the Angela Merkel ransomware. The perpetrating program’s main window is titled “Angela Merkel has infected you” in German and displays a photo of the current Chancellor of Germany. Victims’ files are appended with the .angelamerkel extension.
NOVEMBER 15, 2016
The bluff of the Ransoc ransomware
The strain in question is scareware rather than a regular ransom Trojan. It locks its victim’s desktop and displays a “Penalty Notice” screen claiming that some prohibited content was spotted on the PC. The pest tells the user to pay a fee of 100 USD within 3 hours; otherwise, the case allegedly goes to court.
CryptoLuck devs use an exploit kit for distribution
The malefactors in charge of the CryptoLuck ransomware campaign use a network of compromised websites and the infamous RIG-E exploit kit to deposit their code onto Windows computers. The infection uses a combo of AES-256 and RSA cryptographic algorithms and concatenates the .[victim_ID]_luck extension to encrypted files. The size of the ransom is 2.1 BTC.
The German “demo” ransomware spotted
This offending program is unusual because it only targets .jpg objects on an infected computer. It adds the .encrypted extension to each. The ransom note called HELP_YOUR_FILES.txt contains text in German. It tells the victim to submit 0.5 BTC for recovery.
NOVEMBER 16, 2016
Ransomware author seeks assistance from a security analyst
An individual claiming to be the Apocalypse ransomware developer contacts Emsisoft researcher Fabian Wosar. The ne’er-do-well asks Mr. Wosar to help fix an imperfection in the encryption routine. Successful troubleshooting would purportedly prevent the ransomware from corrupting victims’ files. Wosar doesn’t comply and instead develops a decryption tool.
The comeback of PClock
The PClock ransomware, which resembles the notorious CryptoLocker, reappears on the computer threat landscape after months of inactivity. Distributed via spam, this strain extorts about 0.5 BTC and sets a payment deadline of 120 hours.
Princess Locker decryptor is underway
A member of the Malwarebytes research team nicknamed ‘hasherezade’ manages to crack the Princess Locker ransomware. Development of a free automatic decryption tool is in progress.
NOVEMBER 17, 2016
Globe ransomware decryptor updated
Emsisoft’s Fabian Wosar releases an updated decryptor for Globe2, the newest variant of the Globe ransomware that appends the .blt, .raid10, .zendr4, and several other extensions to scrambled files.
Locky distributors opt for more social engineering
The latest iteration of the Locky ransomware proliferates via rogue Adobe Flash Player update websites. Would-be victims are redirected to pages stating that their current version of Flash Player is out of date. These sites trigger the malicious executable automatically.
The new Crypton ransomware
This one represents the array of crypto threats coded in the .NET programming language. It uses a generic malware dropper to infect PCs, encrypts one’s data using a mix of AES and RSA ciphers, and appends the “_crypt” string to filenames while keeping the extension unaltered. The ransom size ranges from 0.2 BTC to 2 BTC.
ShellLocker demands 100 USD in Bitcoins
ShellLocker is another .NET-based ransomware. The use of this programming language is evidently on the rise with online extortionists. This sample adds the .L0cked extension to files and requests a Bitcoin equivalent of 100 USD for decryption.
Dharma ransomware, a new CrySiS heir
A few days after the CrySiS authors released their Master Decryption Keys, a very similar strain surfaced. Referred to as “Dharma,” the revamped threat appends the attackers’ email address and the .wallet extension to filenames. Victims are supposed to contact the crooks over email. The addresses include email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and a few more. The ransom notes are called README.txt and README.jpg.
NOVEMBER 18, 2016
The success of ID Ransomware
The ID Ransomware project by MalwareHunterTeam went live in April 2016. It helps ransomware victims identify the particular malware strain that hit them. To this end, users must upload a ransom note or a sample encrypted file to the service. By determining the name and version of the infection, victims can apply for researchers’ assistance in decrypting their data. As of mid-November, the service could detect 238 different ransomware families.
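The kind of identification ID Ransomware performs can be approximated from the naming conventions this report records. The following triage helper is an added example (not ID Ransomware’s code) that matches file names and ransom note names against the extensions and note names described throughout this post; the sample directory listing and the attacker email address in it are constructed.

```python
"""Infer a ransomware family from file and ransom note names, using the naming
conventions recorded in this report. Constructed example: the rules cover only
strains described in the text and cannot identify strains that use random
extensions (for instance Cerber's per-victim 4-character extension)."""
import re
from collections import Counter
from typing import Iterable

# (family, pattern over the bare file name), as the conventions are stated in the report
FILE_RULES = [
    ("Locky", re.compile(r"\.(aesir|zzzzz)$", re.I)),               # .aesir / .zzzzz
    ("Dharma", re.compile(r"@[\w.-]+\]?\.wallet$", re.I)),          # <name>.[email].wallet
    ("CryptoLuck", re.compile(r"\.\[?[0-9a-z]+\]?_luck$", re.I)),   # <name>.[victim_ID]_luck
    ("Crypt888", re.compile(r"^Lock\.", re.I)),                     # "Lock." prepended to the name
    ("Crypton", re.compile(r"_crypt\.[^.]+$", re.I)),               # "_crypt" added, extension kept
    ("PaySafeCard-themed", re.compile(r"\.cry_[0-9a-z]+$", re.I)),  # ".cry_" prepended to the extension
    ("AiraCrop", re.compile(r"\._AiraCropEncrypted!?$", re.I)),
    ("Karma", re.compile(r"\.karma$", re.I)),
    ("Globe2", re.compile(r"\.(blt|raid10|zendr4)$", re.I)),
    ("Vindows Locker", re.compile(r"\.vindows$", re.I)),
    ("Zeta", re.compile(r"@[\w.-]+\]?\.rmd$", re.I)),               # email address, then .rmd
]

# Ransom note names. Generic names such as Dharma's README.txt are deliberately
# left out: they would flag far too many benign files.
NOTE_RULES = [
    ("Locky", re.compile(r"^_\d+-INSTRUCTION\.(html|bmp)$", re.I)),
    ("Cerber", re.compile(r"^_?README_?\.hta$", re.I)),
    ("Princess Locker", re.compile(r"^!_HOW_TO_RESTORE_\*?(?:[0-9a-f]{4}|[0-9a-f]{6})\*?\.txt$", re.I)),
    ("TorrentLocker/Crypt0L0cker", re.compile(r"^HOW_TO_RESTORE_FILES\.(txt|html)$", re.I)),
    ("CHIP", re.compile(r"^CHIP_FILES\.txt$", re.I)),
    ("Karma", re.compile(r"^# DECRYPT MY FILES #\.(html|txt)$", re.I)),
    ("AiraCrop", re.compile(r"^How to decrypt your files\.txt$", re.I)),
]


def _match(name: str, rules) -> list[str]:
    return [family for family, pattern in rules if pattern.search(name)]


def identify_file(name: str) -> list[str]:
    """Families whose renaming convention fits this file name (more than one means ambiguous)."""
    return _match(name, FILE_RULES)


def identify_note(name: str) -> list[str]:
    """Families whose ransom note is named like this."""
    return _match(name, NOTE_RULES)


def triage(names: Iterable[str]) -> dict[str, int]:
    """Count pieces of evidence per family over a directory listing; the family
    with the most hits is the likely strain, and a lone hit deserves a second look."""
    counts: Counter[str] = Counter()
    for name in names:
        for family in identify_file(name) + identify_note(name):
            counts[family] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed listing of a victim's folder (not from a real incident)
    listing = ["report.docx.aesir", "_4417-INSTRUCTION.html",
               "photo.jpg.[attacker@example.com].wallet", "README.txt", "budget.xlsx"]
    print(triage(listing))  # {'Locky': 2, 'Dharma': 1}
```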
CHIP propagation backed by an exploit kit
A new ransomware strain surfaced that leverages the RIG-E exploit kit for proliferation. Users get infected when visiting malicious or compromised sites. The program leaves the CHIP_FILES.txt ransom note to provide victims with a data decryption walkthrough.
The Deadly ransomware causing side effects
The sample called Deadly poses a major problem because there is a critical flaw in the way it handles encrypted files. It fails to save the decryption key. Consequently, victims’ data is irrecoverable.
NOVEMBER 19, 2016
PadCrypt 3.0 gets trickier
The distributors of PadCrypt version 3.0 adopt a new contamination tactic. The ransomware masquerades as a Visa Credit Card generator. While a targeted user fills out the fields within this phony applet’s interface, the infection scours their computer for personal files and encrypts them.
NOVEMBER 21, 2016
Locky ransomware spreading via Facebook spam
The threat actors behind Locky contrived a new distribution scheme. It relies on a Facebook spam campaign that pushes a disguised ransomware payload through Facebook’s instant messaging platform. The contagious file looks like a photo and has the .svg extension. When a recipient opens the file, an obfuscated XML script redirects them to a bogus YouTube page that pushes a malicious Chrome extension. This way, the malware downloader called Nemucod ends up inside the PC and executes Locky.
Crypt888 ransomware update
Crypt888 prepends the “Lock.” string to filenames. The ransom notes are in Portuguese. The pest demands a Bitcoin equivalent of 2000 USD for decryption. Owing to a tool by Avast, it’s possible to decrypt the files.
Locky switches to the .aesir extension
A new version of the Locky ransomware emerges. It concatenates the .aesir extension to encrypted files and drops the _[random_number]-INSTRUCTION.html/bmp ransom notes. The infection continues to propagate via spam.
Vindows Locker devs should work on their spelling
The new strain called Vindows Locker encrypts files and appends the .vindows extension to them. It recommends victims give a phone call to a purported Microsoft support technician and thus get their files back for a one-time charge of 349.99 USD.
NOVEMBER 22, 2016
Princess Locker decrypted
The above-mentioned Malwarebytes researcher ‘hasherezade’ finally releases a free decryptor for Princess Locker.
NOVEMBER 23, 2016
Telecrypt ransomware is no longer an issue
The Malwarebytes team keeps finding ways to get around the crypto of some ransomware families. This time, an analyst named Nathan Scott discovered and exploited a flaw in the Telecrypt ransomware data scrambling routine. The decryption tool allows infected users to restore their data for free.
A likely future change in the Locky spam
Experts from the Cisco Talos Group stumbled upon a new Locky spam campaign involving a file format that the crooks hadn’t used before. Masqueraded as bill payment advice messages from the HSBC financial services company, the rogue emails contain MHT file attachments. Once opened, these files trigger the contamination chain.
The Thanksgiving ransomware found
Although this one displays an image of a turkey on infected users’ desktop, it isn’t likely to evoke any holiday sensations. Dubbed the Thanksgiving ransomware, the sample is most likely still in development. The ransom note indicates the attacker’s email address, firstname.lastname@example.org.
OzozaLocker spotted and promptly decrypted
Having completed the encryption process, OzozaLocker affixes the .Locked extension to every affected file and requests 1 BTC for decryption. The ransomware instructs a victim to reach the author at Santa_helper@protonmail.com. When a user double-clicks on a random encrypted file, a VBS script goes off and displays a popup with decryption steps.
NOVEMBER 24, 2016
Locky starts using the .zzzzz extension
Shortly after the Aesir variant of Locky went live, the criminals released a new edition that concatenates the .zzzzz string to encoded entries. Other than that, the newbie and its precursor appear to be identical.
Cerber ransomware 5.0 surfaces
The newest build of the Cerber plague propagates via the RIG-V exploit kit. Like its forerunner, it displays the version number on the desktop wallpaper and appends files with a victim-specific 4-character extension that matches the GUID of the infected machine.
Another strain based on proof-of-concept code
A new crypto infection heated up experts’ discussion regarding the controversy of open-source educational ransomware. Researchers discovered a sample based on the Hidden Tear proof-of-concept project. The ransomware features a Jigsaw movie-themed background.
Open-source origin of the Lomix ransomware
Lomix is another offending program based on open-source code. Malware researchers should definitely think twice before making their POCs available to the public. In this case, the project called CryptoWire became the prototype of the real-world sample in question. The Lomix ransomware extorts a Bitcoin equivalent of 500 USD for decryption.
The new CockBlocker pest
CockBlocker, also referred to as RansomwareDisplay, adds the .hannah extension to scrambled files. It appears to be in development, with no in-the-wild distribution spotted thus far.
NOVEMBER 25, 2016
Cerber update introduces a minor modification
The only noteworthy change that took effect as part of the new Cerber ransomware update has to do with the ransom note. The infection now drops the “_README_.hta” recovery manual instead of the “Readme.hta” file used earlier.
NOVEMBER 26, 2016
A screen locker that’s easy to defeat
A new non-crypto ransomware surfaced that locks its victim’s screen, states that viruses were detected on the PC, and recommends contacting a technician over the telephone. Having analyzed this sample, researchers were able to retrieve the unlock password – 01548764GHEZG784.
The Crypter ransomware targeting Brazilian users
Crypter is a low-impact ransom Trojan that renames one’s files rather than encrypting them. The ransom note is in Portuguese. The ransom amounts to 1 BTC.
Another screen locker is full of bluff
The sample displays a lock saying, “Your Windows Has Been Banned.” It wrongfully states that unusual activity was detected on the computer and instructs the victim to contact the nearest Microsoft technician for troubleshooting. The unlock code is 123456 – as simple as that.
NOVEMBER 28, 2016
Kangaroo ransomware is double trouble
The offending code under consideration encrypts one’s personal files and generates a lock screen each time the victim tries to log into Windows. Those infected are told to contact the threat actor at email@example.com for recovery advice.
Security analysts were able to create a free decryptor for VindowsLocker, which employs tech support scam tactics to make victims cough up 349.99 USD. It turns out that the attackers’ own decryption model is buggy and doesn’t work properly.
HDDCryptor ransomware attacks San Francisco Muni
A piece of ransomware that overwrites the Master Boot Record of an infected machine compromised the IT infrastructure of the San Francisco Municipal Transit Agency (SFMTA), also known as Muni. This attack paralyzed the fare system and other IT network components for several days. The threat actors demanded 100 BTC, or about 73,000 USD, for recovery.
PowerShell-based ransomware spotted
A new sample of PowerShell-based ransomware overwrites one’s original files and requests a ransom to fix the problem. It appears to be a demo variant at this point.
HTCryptor ransomware based on a POC
This strain appears to be another spinoff of the Hidden Tear open-source code. As part of the attack workflow, it attempts to disable Windows firewall in order to evade detection.
NOVEMBER 29, 2016
SFMTA stops rumors about data theft
San Francisco Muni officials deny that HDDCryptor operators stole over 30 GB of corporate data in the course of the recent breach.
Emsisoft keeps upsetting ransomware devs
Fabian Wosar from Emsisoft releases a decryptor for the NMoreira ransomware, also referred to as XPan. The free tool allows victims to restore files with the .maktub and ._AiraCropEncrypted! extensions.
Ransomware hits Carleton University
Carleton University in Canada suffers the consequences of a ransomware attack. An unidentified file-encrypting strain impacted the institution’s email servers and a number of other IT services. The adversary demands 39 Bitcoins.
NOVEMBER 30, 2016
Jigsaw ransomware trickery
A new edition of Jigsaw uses a phony Electrum Coin Adder tool to obfuscate its installation and the data encryption process.
Zeta ransomware update
The latest variant of the file-encrypting plague called Zeta switches to using the .rmd extension for scrambled data objects. This extension is prepended with the attacker’s email address, firstname.lastname@example.org.
The new look and feel of TorrentLocker/Crypt0L0cker
The criminals behind TorrentLocker, or Crypt0L0cker, made a few tweaks to their extortion program. The most recent iteration concatenates a random 6-character extension to encrypted files and leaves the HOW_TO_RESTORE_FILES.txt/html ransom notes.
Princess Locker gets new makeup
The latest incarnation of the Princess Locker features new ransom instructions called !_HOW_TO_RESTORE_*[victim_ID]*.txt. The ID is unique for every victim and consists of 4 or 6 hexadecimal characters.
That’s it for November. One of the fundamental takeaways from this report is that the ransomware epidemic keeps assuming new shapes. The cybercrooks are focusing more on targeting organizations, including transportation companies and educational institutions. Under the circumstances, the only viable response is to maintain data backups. Hopefully, law enforcement agencies will come up with a way to track these criminals down and stop the ransomware plague in the near future.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.