November didn’t shape up to be revolutionary in terms of ransomware, but the shenanigans of cyber-extortionists continued to be a major concern. The reputation of the Hidden Tear PoC ransomware project hit another low as it spawned a bunch of new real-life spinoffs. The crooks who created the strain dubbed Ordinypt should be really ashamed of themselves, as their brainchild goes a scorched-earth route and simply destroys victims’ data beyond recovery. Furthermore, quite a few copycats of the infamous WannaCry ransomware popped up only to demonstrate that the original is always better than the sequel.
All in all, here’s a brief statistical breakdown of the month: 37 new ransomware species were discovered, 23 existing samples got a facelift, and three ransomware decryptors were released by the white hats.
NOVEMBER 1, 2017
Hidden Tear offshoot with French origin
Threat actors continue to abuse the proof-of-concept Hidden Tear ransomware. Its newest real-life incarnation targets French users, appends encrypted files with the .hacking extension, and instructs victims to contact the attacker at firstname.lastname@example.org.
NOVEMBER 2, 2017
Ostentatious claims regarding Hidden Tear
An umpteenth remake of the above-mentioned academic Hidden Tear goes live. It blemishes encrypted files with the .locked string, drops READ_ME.txt help manual, and displays a questionably truthful warning screen that says it’s “one of the most powerful ransomware’s around.
Magniber strain updated
Magniber, a ransomware sample that’s most likely a successor to the nasty Cerber culprit, undergoes an update within one of the multiple affiliate campaigns. The infection switches to subjoining the .skvtb extension to ransomed files.
It’s time for Jigsaw to get some fine-tuning
Cybercriminals release a new variant of the Jigsaw ransomware, a true old stager on the extortion arena. The pest now appends the .game suffix to victims’ data entries while still displaying the same movie-themed background.
Hermes ransomware remake
Hermes 2.1 Ransomware is what this perpetrating program’s current edition is called. It stains encrypted files with the .HRM extension and leverages a mix of the RSA cipher and Microsoft’s CryptGenRandom function to lock data.
New hallmarks of the Matrix ransomware
A few tweaks are made to the existing blackmail Trojan called Matrix. Its latest build labels hostage data with the _[RELOCK001@TUTA.IO].[original extension] string and provides recovery steps in a document named !OoopsYourFilesLocked!.rtf.
NOVEMBER 3, 2017
GIBON ransomware released and quickly decrypted
This one appears to be quite professionally tailored, but that’s a delusive impression in a way. It concatenates the .encrypt extension to files, leaves a ransom how-to named READ_ME_NOW.txt, and works just like garden-variety ransomware. However, malware analyst Michael Gillespie finds a way to defeat the crypto and contrives a free decryption tool shortly after GIBON’s discovery.
Sad Ransomware lives up to its name
The specimen in question drops _HELPME_DECRYPT.html rescue note and appends a victim-specific extension to locked files. When it’s done encrypting data, it generates a short beep sound. Files cannot be decrypted without meeting the ransom so far.
Ranion ransomware gets a fresh look and feel
Ranion was originally spotted in early February 2017 as a RaaS (Ransomware-as-a-Service) platform. It took the crooks nine months to come up with a fresh edition that blemishes a plagued user’s files with the .ransom extension and provides recovery tips in README_TO_DECRYPT_FILES.html manual. The ransom note is available in seven different languages.
NOVEMBER 4, 2017
Hidden Tear echoes back, once again
A new blackmail virus based on the educational Hidden Tear code appears. It’s called Curumim and targets Portuguese-speaking audience. The pest concatenates the .curumim extension to encoded files and provides a ransom payment deadline of one day.
XiaoBa ransomware updated
This strain originally surfaced on October 27, so it took the ne’er-do-wells one week to craft and release an updated edition. The infection now locks the screen of an infected PC and demands a Bitcoin equivalent of 250 RMB (Chinese Yuan), which is worth about $37.
Zika ransomware continues the HT saga
The scandalous Hidden Tear project gives rise to Zika, a ransom Trojan targeting Spanish-speaking users. It concatenates the .teamo string to locked data items.
Waffle ransomware isn’t too delicious
The new Waffle ransomware is exactly what it sounds like. Its ransom notification is named ‘Waffle’ and includes a picture of a bunch of waffles in the background. Furthermore, it appends the .waffle extension to a victim’s files. The ransom amounts to $50 worth of Bitcoin.
NOVEMBER 6, 2017
Unexpected details of the GIBON ransomware unearthed
In-depth analysis of the GIBON ransomware campaign has revealed that it’s much older than previously thought. Specifically, this turnkey ransomware kit has been marketed on Russian dark web forums since May 2017.
NOVEMBER 7, 2017
Sigma ransomware spotted
The payload of this sample is disguised as GUID Helper tool (GUID.exe.bin). Having encrypted a victim’s valuable files, Sigma stains them with a random extension and drops a ransom how-to document named ReadMe.txt. The attackers demand $1,000 worth of Bitcoin for the private key and decryptor software.
NOVEMBER 8, 2017
The premature Christmas Ransomware
Extortionists are, obviously, prepping for the holiday season with the new Christmas Ransomware. It displays a picture of a leafless forest with Christmas toys hanging on the trees. The ransom amounts to 0.03 Bitcoin (about $230). It is currently in development and does not encrypt data yet.
Another city hit by blackmail virus
The computer servers of the city of Spring Hill, TN get hijacked by an unknown strain of ransomware. The infection reportedly took root as an employee clicked on a booby-trapped email attachment. As a result, city workers are unable to use email and accept online payments. The criminals ask for $250,000 to restore the affected services.
Jhash ransomware uses a file extension familiar to many
The fresh sample called Jhash is a Hidden Tear spinoff zeroing in on Spanish-speaking computer users. It subjoins the .locky extension to encoded files and instructs victims to submit ransoms via the Payza online payment platform.
NOVEMBER 9, 2017
Ordinypt – classic ransomware or wiper?
The specimen in question is propagating in Germany. Ordinypt drops rescue notes named Wo_sind_meine_Dateien.html (“Where_are_my_files.html” in English). As opposed to commonplace crypto parasites, this one overwrites files with random values instead of encrypting them. Consequently, there is no way to restore the data.
NOVEMBER 10, 2017
LockCrypt has got a RaaS-related background
The sample called LockCrypt was originally distributed via a Ransomware-as-a-Service platform called Satan. Later on, the threat actors must have invested some money and effort to code their own ransomware operating independently from the RaaS. LockCrypt is deposited on computers and servers by brute-forcing RDP credentials.
CrySiS ransomware fine-tuned
The most recent edition of the CrySiS, or Dharma, ransomware switches to adding the .cobra extension to locked files. It also drops ‘Files encrypted!!.txt’ ransom note and instructs victims to contact the attackers at email@example.com for recovery steps.
LOL ransomware passes itself off as a keygen
The malicious binary of the C# based LOL ransomware strain is masqueraded as a keygen application for VMware products. It concatenates the .lol string to encrypted files.
NOVEMBER 11, 2017
Jigsaw strain gets slightly modified
A brand-new variant of the Jigsaw ransomware is detected in the wild. It stains hostage data with the .##encrypted_by_pabluklocker## extension token and displays an updated set of messages.
Blackmail virus pretending to come from Cyber Police
Threat actors take advantage of the Hidden Tear project to coin another real-world crypto infection. The latest incarnation sports a warning message saying, “Your computer is blocked by Cyber Police for unlicensed software’s usage.” The pest subjoins the .locked suffix to ransomed files.
GlobeImposter changes its behavior
Some of the recent editions of the fertile GlobeImposter strain feature an externally inconspicuous yet significant modification in their modus operandi. The developers have changed the culprits’ config extraction script and the technique used to encrypt configuration data.
NOVEMBER 12, 2017
Stroman ransomware resurfaces
Although the perpetrating program in question hasn’t ever been in wide distribution and pretty much vanished from the extortion arena lately, it spawned a new version out of the blue. The baddie now concatenates the .fat32 extension to files and provides recovery tips in the info.txt manual.
NOVEMBER 13, 2017
CryptoMix reaches the end of alphabet
The latest mod of the fairly professionally made CryptoMix ransomware switches to using the .XZZX extension string for scrambled files. As before, the rescue note is named _HELP_INSTRUCTION.txt.
jCandy isn’t sweet at all
Malware analysts stumble upon a fresh specimen called jCandy. It affixes the .locked-jCandy string to no-longer-accessible data. Interestingly, this one drops two different editions of the ransom how-to at the same time named READ_ME.txt and JCANDY_INSTRUCTIONS.txt.
In-dev French ransomware discovered
Once again, security experts were able to spot a blackmail infection before it went real-world. This one displays all of its warnings in French and is configured to stain files with the .lockon suffix. This would-be baddie currently doesn’t encrypt data anywhere except a directory named ‘testrw’.
Dr.Web cracks a relatively new ransom Trojan
A ransomware lineage blemishing encrypted data with the .[attacker’s email].blind or .[attacker’s email].kill extensions is now potentially decryptable courtesy of Dr.Web antivirus vendor. Those infected may be able to restore their files using the company’s Rescue Pack tool. Be advised: this service isn’t free.
Unsurprisingly, GlobeImposter gets another update
The most recent iteration of GlobeImposter brings about the following new attributes: the .kimchenyn file extension, plus a ransom notification named how_to_back_files.html.
Fresh Amnesia2 ransomware version turns out somewhat crude
The edition in question scrambles filenames beyond identification and concatenates the .am extension to each one. Its ransom how-to document, ENCRYPTED FILES.txt, contains nothing but a bunch of digits that don’t make sense. So victims have no idea how to pay the ransom even if they are up to it. This, by the way, isn’t a good idea because a free tool called Emsisoft Decrypter for Amnesia2 supports this pest.
Goofed ransomware surfaces
The silly name doesn’t make this Hidden Tear offspring any less harmful than the rest. It speckles encrypted files with the .goofed extension and provides recovery steps in YOU_DONE_GOOFED.txt document. Goofed ransomware demands $100 worth of Bitcoin for decryption.
NOVEMBER 14, 2017
GlobeImposter authors get naughty
The GlobeImposter family expands with yet another sample. This time, the culprit concatenates the .SEXY extension to ransomed data entries and instructs users to send a message to firstname.lastname@example.org for recovery steps.
NOVEMBER 15, 2017
J. Sterling Student Survey ransomware
This one zeroes in specifically on students of J. Sterling Morton school district, Illinois. Its propagation relies on a bogus student survey that looks trustworthy enough for would-be victims to go ahead and click through. The ransomware does not do any real damage in its current state.
NOVEMBER 16, 2017
RASTAKHIZ ransomware campaign underway
Cybercriminals strike again using the Hidden Tear PoC. One more spinoff labels encrypted data with the .RASTAKHIZ extension. The infection goes with a well-designed GUI.
NOVEMBER 17, 2017
CryptoMix switches to a numeric extension
One more version of the CryptoMix ransomware pops up that concatenates the .0000 string to one’s skewed files and uses an updated set of four contact email addresses. The name of the ransom note is the same (_HELP_INSTRUCTION.txt).
This one sure sounds better than the ill-famed WannaCry threat but isn’t much more promising for victims. Its ransom note ‘How to decrypt files.html’ is in Persian. The extension added to filenames is .WSmile.
CorruptCrypt is good at evading AVs
The sample called CorruptCrypt boasts a zero detection rate two days after discovery, which is a disconcerting hallmark. It uses two extensions concurrently to stain locked files, namely .corrupt and .email@example.com.
Hand of God screen locker isn’t celestial at all
The ransom Trojan in question displays an “FBI anti-piracy warning” screen and instructions in French. It coerces victims to pay 0.06 Bitcoin (about $580) for unlocking their computers.
BASS-FES proves the Hidden Tear abuse story is ongoing
Yet another derivative of the academic Hidden Tear starts making the rounds. It’s called BASS-FES, which is an acronym for BitchASS File Encryption System. This pest subjoins the .basslock suffix to encrypted items.
NOVEMBER 18, 2017
Russian imitation of WannaCry appears
The warning screen displayed by this ransomware is a close resemblance to WannaCry’s, but it is titled “Wanna die decrypt0r” and contains Russian text. While still in development, it does not encrypt files at this point.
NOVEMBER 20, 2017
CrySiS ransomware update
The latest mod of the CrySiS/Dharma ransomware strain switches to concatenating the .java extension to encrypted data entries.
NOVEMBER 21, 2017
Cryakl ransomware devs feel fairytale-ish
Cryakl is a lineage that was one of the pioneers on the extortion arena and pretty much vanished from this threat landscape. As part of the first update in many months, though, the pest starts adding the .fairytale string to encoded files.
CryptoLocker lookalike called Locket ransomware
The Locket sample goes with a GUI imitating that of the infamous CryptoLocker. Although it fails to perform encryption, it demands a ransom of 0.1424 BTC (about $1,500).
A fresh variant of the GlobeImposter crypto baddie subjoins the .Ipcrestore extension to enciphered files and continues to drop a rescue note named how_to_back_files.html.
NOVEMBER 22, 2017
The unusual qkG ransomware
As opposed to other ransomware strains, the qkG sample only targets Microsoft Office documents spotted on a contaminated computer. To add insult to injury, it also affects all new Word files that the victim opens.
Test version of IGotYou ransomware
The culprit in question appends the .iGotYou extension to encoded files. Luckily, it isn’t fully functional at this point, and it only encrypts data in a Test folder on drive C of the author’s computer. The infection demands 10,000 Indian rupees for decryption, which provides a clue about the developer’s country of residence.
Another day, another WannaCry copycat
Security analysts spot a WannaCry ransomware imitator displaying its warning messages in Portuguese. It coerces victims to submit the ransom of 0.006 BTC within seven days.
NOVEMBER 23, 2017
A similarity between the new Scarab ransomware and Locky
Just like Locky, the old stager in the extortion landscape, the Scarab ransomware is making the rounds via malicious spam generated by the Necurs botnet. It blemishes encrypted files with the .[firstname.lastname@example.org].scarab extension and leaves a ransom how-to file named “If you want to get all your files back, please read this.txt”.
Researchers unearth ransomware statistics for Africa
According to Sophos, the top ransomware lineages in Africa as of 2017 are Cerber (80% prevalence), WannaCry (17%), Locky and Jaff (1% each), and the destructive Petya (0.5%).
Cryp70n1c Army blackmail virus
This one is a Hidden Tear offshoot that stains locked data with the .cryp70n1c suffix. It threatens to delete all hostage files unless the victim coughs up the ransom in a three-day timeframe.
NOVEMBER 24, 2017
Girlsomeware appears to be a prank
The new ransom Trojan called Girlsomeware instructs those infected to click on several dozen checkboxes in order to restore allegedly encoded files. However, it doesn’t actually encrypt anything, so the trivial assignment isn’t compulsory at all.
NOVEMBER 25, 2017
ExoBuilder fails to impress
The ExoBuilder tool is being advertised on black hat hacking forums as a means to create new ransomware. It is supposed to subjoin the .exo extension to files and drop a rescue note named UnlockYourFiles.txt. However, all it does is sprinkle a slew of new files all over the computer and displays a full-screen warning to instill fear. An infected user should simply restart their machine to get rid of it.
NOVEMBER 27, 2017
StorageCrypter stands out from the crowd
The specimen codenamed StorageCrypter zeroes in on NAS (network-attached storage) devices. Having skewed one’s valuable files, it concatenates the .locked string to each one and provides recovery steps in the _READ_ME_FOR_DECRYPT.txt how-to document.
Samas ransomware refreshed
A brand-new version of the Samas/SamSam blackmail virus is different than its forerunner in that it uses the .areyoulovemyrans extension to label hostage data.
Magniber starts using a gibberish extension
Magniber, the crypto infection believed to be a successor of Cerber, undergoes fine-tuning in a way. It switches to using the .vpgvlkb extension for ransomed files, which doesn’t appear to make any sense. Another tweak is that it drops a recovery avenue named ‘read me for decrypt.txt’.
Researchers trying to hunt down a new cyber culprit
MalwareHunterTeam’s Michael Gillespie tweets with another ransomware hunt suggestion to fellow-analysts. The baddie being sought is a new French ransom Trojan someone uploaded to the ID Ransomware portal. It stains data with the .locked suffix and uses a rescue note named READ_ME_FOR_ALL_YOUR_FILES.txt. The initiative is to no avail at the time of this writing.
NOVEMBER 28, 2017
HC6 ransomware decrypted
Security experts contrive a free decryption tool supporting the HC6 ransomware. This perpetrating program appends the .fucku extension to encoded files and leaves a ransom note named recover_your_files.txt.
Known ransomware passing itself off as a keygen program
For the record, the CryptON ransomware is a .NET based sample discovered a year ago. Its latest update has introduced a fairly unusual alteration. The infection’s payload now goes camouflaged as a keygen utility for EaseUS Data Recovery, a popular file restoration suite.
Crypt12 strain updated
Security analysts were able to fine-tune the existing free decryptor for Crypt12 ransomware shortly after its new edition has been spotted in the wild. The tool now supports the variant that blemishes encrypted files with the ‘=[victim ID]=email@example.com’ extension.
MaxiCrypt ransomware discovered
This one scrambles filenames and appends them with the .[firstname.lastname@example.org].maxicrypt extension. The ransom how-to file is named ‘How to restore your data.txt’.
NOVEMBER 29, 2017
Brazilian WannaPeace ransomware spotted
Cybercrooks from Brazil calling themselves AnonymousBr must have decided to pay homage to the mega-successful WannaCry ransomware that broke out in May 2017. The copycat is called WannaPeace. It prepends the ‘_enc’ string to an original file extension. The ransom amounts to 0.08 BTC (about $900).
Crypt888 ransomware reemerges
The proprietors of the extortion campaign through Crypt888 ransomware haven’t released any fresh variants for months. This has changed with a recent update no one in the security circles really expected. The pest now instructs victims to contact the attackers via email@example.com email address.
NOVEMBER 30, 2017
HC6 strain upgraded to HC7? How prosaic
The brand new HC7 variant from the existing lineage uses the .GOTYA string to stain encrypted files. According to preliminary analysis, it infects computers via hacked RDP services.
ACCDFISA ransomware gaining momentum in Brazil
This sample is one of the oldest known ransom Trojans that has literally risen from the ashes. The name stands for ‘Anti Cyber Crime Department of Federal Internet Security Agency,’ a purported organization that doesn’t even exist. According to statistics obtained via ID Ransomware service, this infection has been increasingly targeting Brazilian users during November.
New lousy specimen out there
Analysts stumble upon a sample using a binary named REAL DANGEROUS RANSOMWARE.exe. Despite the scary executable, it turns out to be all bark but no bite. It’s nothing but a screen locker that a victim can get around by simply pressing Alt+F4.
GlobeImposter and Necurs are now in cahoots
The architects of the GlobeImposter ransomware campaign change their tactics in terms of distribution. The crypto culprit has begun making the rounds via spam generated by Necurs, one of the world’s largest botnets.
Only three new decryption tools crafted in November versus a slew of fresh ransomware strains still make an unsettling ratio. Under the circumstances, users should rely on their personal online hygiene rather than researchers’ success. Simply exercising caution with spam email attachments significantly reduces the risk of being infected. Keep that in mind, and don’t forget to back up your important files on a regular basis.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.