Just like in September, the cyber extortion epidemic keeps mutating. The crooks at the helm of ransomware campaigns are constantly experimenting with the geography of their attacks, intimidation tactics, data locking mechanisms, and payment channels. Learn how this underground ecosystem evolved last month and whether the security industry is ready to take up the gauntlet.
OCTOBER 1, 2016
The Globe Ransomware decrypted
The file-encrypting Trojan dubbed Globe has been in rotation since August. It is infamous for using the Purge film series theme as the desktop background that replaces a victim’s preferred wallpaper. This ransomware leverages the Blowfish block cipher to encrypt one’s data; appends the .purge, .globe, or .email@example.com extension to files; and creates ransom notes in HTA format. Thankfully, a free tool created by Emsisoft can restore Globe-encrypted data as long as the user provides a scrambled file and its unencrypted version.
KillerLocker Ransomware is friends with a blood-curdling clown
This malady ‘welcomes’ its victims with an image of a spooky clown that supersedes the original desktop wallpaper. KillerLocker encrypts files with the AES-256 algorithm and concatenates the .rip extension to every crippled entry. The warning message is in Portuguese. The infected users have 48 hours to pay up, otherwise the AES decryption key will purportedly be erased.
OCTOBER 2, 2016
Fsociety L0ck3r increases its ransom on a daily basis
The Python-based strain called Fsociety (or Fs0ci3ty) L0ck3r adds the .firstname.lastname@example.org extension to files, sprinkles help manuals called fsociety.html all over the infected system, and imposes a buyout scheme where the ransom increases by 1 Bitcoin daily after the ‘grace period’ of 24 hours expires.
OCTOBER 3, 2016
CryptoLocker 5.1 targets Italian users
This replica of the notorious CryptoLocker baddie is based on Hidden Tear, a project which originally pursued benign, educational goals. Once cybercrooks got hold of the code, they got busy adjusting it to real-world extortion campaigns like this one. The CryptoLocker 5.1 user interface is in Italian. It appends the .locked extension and demands 130 EUR for data decryption.
OCTOBER 4, 2016
Cerber ransomware version 4 released
The latest edition of the Cerber ransomware has a new take on twisting filenames. Rather than using the .cerber3 extension to stain encrypted objects, it has started to append a random four-character string that’s unique to every victim. Furthermore, Cerber v4 drops the Readme.hta file to provide decryption instructions, abandoning the routine of creating manuals in HTML, BMP, and VBS formats. To top it off, the updated Trojan now terminates multiple processes running on the system so that it can encrypt the files those processes hold open.
OCTOBER 5, 2016
Hades Locker, a reincarnation of an obsolete Trojan
One month after the Dutch National Hi-Tech Crime Unit took down the WildFire Locker ransomware by seizing its command and control servers, the cybercriminal ring behind this campaign came up with a successor. Their new brainchild called Hades Locker appends the .~HL[random] extension to AES-encrypted files and creates ransom notes named Readme_Recover_Files_[16-char ID].txt (.html, .png). The size of the ransom is 1 Bitcoin or about 700 USD at the time of writing. This infection is currently not decryptable for free.
OCTOBER 6, 2016
Multiple spinoffs of the Globe Ransomware discovered
Globe Ransomware authors spawned at least four new variants of their extortion code in one hit. The editions spotted by researchers append one of the following extensions to locked files: .blt, .raid10, .encrypted, and .[email@example.com]. The ransom typically amounts to 1 BTC. Fortunately, those infected can use the Emsisoft Decrypter for Globe2 to restore their data for free.
OCTOBER 7, 2016
Kostya Ransomware vs. Czech users
Geo-targeting seems to be an increasingly popular trend in the cyber extortion ecosystem. The Kostya Ransomware is one of the crypto pests operating mostly within a particular country. The text in its warning screen and the decryption instructions are in Czech. This strain concatenates the .kostya extension to files that it encrypted. It demands 2000 CZK (Czech Koruna), or about 80 USD, for decryption. The ransom is payable in PaySafeCard. After the period of 12 hours expires, the original amount will increase by another 2000 CZK. The data will be completely lost if a victim doesn’t submit the money during 24 hours.
OCTOBER 8, 2016
New ransomware forges a Windows Update screen
Comrade Circle is a replica of an older ransomware specimen called Fantom. Just like its precursor, the plague displays a fake Windows Update screen while encrypting its victims’ data. Aside from leveraging this tricky obfuscation technique, the Trojan adds the .comrade extension to files and creates a decryption manual named Restore-Files![random number].txt.
OCTOBER 10, 2016
Enigma Ransomware update
Discovered in early May this year, this infection was one of the few that targeted the Russian-speaking audience. The latest variant of Enigma Ransomware appends the .1txt string to every encrypted entity. As opposed to the previous .hta ransom note, the current iteration has switched to an enigma_info.txt document.
File encryption? Maybe next year
The sample that says “Deadly for a good purpose” on its warning screen isn’t run-of-the-mill because it is currently configured to encrypt victims’ data in 2017. In other words, if this ransomware compromises your computer, it won’t lock down your important information until sometime next year. The whys and wherefores of such an unusual attack routine aren’t clear at this point.
OCTOBER 11, 2016
VenisRansomware is double trouble
At first sight, this strain may appear fairly commonplace. It encrypts files, replaces the desktop wallpaper with a warning image, and instructs a victim to reach the attacker at VenisRansom@protonmail.com. It turns out, however, that VenisRansomware also installs extra components that are bundled in its payload. One of these concomitant modules is intended to enable Remote Desktop Host support and thus provide the threat actor with direct access to the infected machine.
OCTOBER 13, 2016
Experts defeat a unique ransom Trojan
Trojan.Encoder.6491 sounds like just one of thousands of lookalike file-encrypting infections. In fact, though, it is one of a kind because never before had ransomware makers used the open-source Go programming language to create their products. The pest in question uses the AES-256 encryption standard, concatenates the .enc extension to one’s personal files, and asks for 25 USD worth of Bitcoins as the ransom. Luckily, researchers at Doctor Web came up with a method that helps victims restore their data.
DXXD ransomware v2 cracked
The ‘dxxd’ file extension and Readme.TxT help file are some of the attributes that DXXD ransomware victims are definitely familiar with. Michael Gillespie, a security analyst also known as demonslay335, crafted a free tool that decrypts files locked by the latest variant of this Trojan.
New edition of Nuke ransomware surfaces
A rebranded variant of the PadCrypt ransomware called Nuke underwent a number of tweaks. The new file extension is .nuclear55. The perpetrators also changed the look and feel of the ransom note, which tells victims to submit 2 Bitcoins to a specified wallet. The warning image contains a “NUCLEAR #55” inscription.
OCTOBER 14, 2016
Automation of the Locky ransomware analysis
The Talos Security Intelligence and Research Group created LockyDump, a tool that streamlines the process of dissecting all known versions of the Locky ransomware. In particular, this command line utility provides a virtualized environment to run Locky’s spinoffs, including .locky, .zepto, .odin and .thor extension variants, and extract configuration data from memory.
Exotic Ransomware isn’t picky about file types
From the standpoint of a ransomware author, it’s questionably wise to encrypt all data on infected computers. Doing so requires additional time and resources. Moreover, it may render the operating system unstable. Nevertheless, the Exotic Ransomware, created by an individual or group nicknamed EvilTwin, encrypts executables along with one’s personal files, thus making it impossible to run many programs. This strain appends the .exotic extension to files and instructs victims to pay 50 USD in Bitcoins within 72 hours.
OCTOBER 15, 2016
A cure for the latest DMA Locker variant available
DMA Locker relies on the AES cryptographic standard in ECB (Electronic Codebook) mode to lock one’s files. Fortunately, researchers at Malwarebytes were able to devise a technique that decrypts !XPTLOCK5.0 extension files scrambled by the most recent edition of this ransomware.
NoobCrypt Trojan update
This one is interesting because the ransomware operators opted for using a name that one of AVG’s analysts gave to the sample. The criminals even included a few words of gratitude to the researcher on their warning screen, saying “Thanks to: @JakubKroustek.” NoobCrypt got a minor update released mid-October.
New Anubis ransomware spotted in the wild
This newcomer to the digital extortion environment concatenates the .coded extension to victims’ encrypted files and creates a ransom note called Decryption Instructions. The attackers provide email addresses (firstname.lastname@example.org or email@example.com) to reach them for recovery steps. Anubis is based on EDA2, open-source ransomware code written by Turkish researcher Utku Sen for educational purposes. Unfortunately, this isn’t the first incident where cybercriminals have used proof-of-concept projects to coin actual ransomware.
OCTOBER 17, 2016
Low-severity screen locker goes live
A new piece of malware started attacking computers without actually encrypting anything. All it does is prevent victims from accessing their Windows interface. The lock screen instructs users to submit the code of a 10 EUR PaySafeCard. The good news is that pests like this one are fairly easy to remove using Safe Mode with Networking.
OCTOBER 18, 2016
7ev3n ransomware is no longer an issue
A Polish programmer and malware analyst who goes by the handle ‘hasherezade’ created a number of automatic decoders for different versions of the 7ev3n ransomware. This sample renames files to numeric values followed by the .R5A extension.
OCTOBER 19, 2016
New ransomware disguised as a funny game
Some ransomware devs use primitive game scripts to obfuscate the data encryption process and distract users. One of the recent samples that goes this route poses as a Click Me game. It displays an amusing screen with a Click Me button that keeps moving back and forth. While an unsuspecting user is trying to click the button, the ransom Trojan performs its data encryption in the background. This ransomware appends the .hacked extension to files.
OCTOBER 20, 2016
JapanLocker targets web servers
The uncommon feature of this malware is that it affects websites rather than end users’ personal files. Written in PHP, this plague renders web pages inaccessible and displays a Site Locked message. The ne’er-do-wells behind this campaign tell webmasters to contact them at the firstname.lastname@example.org email address for further recovery instructions.
MBRFilter tool counters the nastiest ransomware
Petya and Satana are the names of crypto threats that change the Master Boot Record on targeted computers, thus making troubleshooting pretty much unfeasible. Cisco’s Talos Group came up with a response to attacks of that sort. Their MBRFilter driver identifies and blocks ransomware’s attempts to overwrite the MBR.
OCTOBER 22, 2016
Bilingual Lock93 ransomware
This one targets Russian- and English-speaking users alike. It adds the .lock93 suffix to encrypted files and demands 1000 RUR (Russian Rubles) for decryption. The email addresses for communication with the attackers are email@example.com and firstname.lastname@example.org.
OCTOBER 23, 2016
Angry Duck asks for too much money
Predictably enough, the unusual ransomware dubbed Angry Duck displays a duck-themed warning screen. The alert says, “Don’t mess with the ducks” and tells victims to pay 10 Bitcoins for restoring files with the .adk extension. That’s more than 7,000 USD, one of the biggest ransoms across the board.
OCTOBER 24, 2016
N1n1n1 ransomware update
The new iteration drops a ransom note named Decrypt Explanations.html and uses the 999999 attribute to label the affected files. Other than that, it’s still a commonplace ransomware strain with fairly strong crypto.
New Locky version appends the .shit extension
The makers of Locky, one of the most professionally tailored ransomware specimens, released a new edition of their offending program. The update brought about the following changes: filenames are replaced with 32 hexadecimal characters plus the .shit string at the end; the ransom manuals are called _WHAT_is.html (.bmp); and the infection follows the offline encryption principle.
Bart ransomware’s new file extension
Rather than affixing the .bart value to enciphered data, the latest spinoff of a Locky lookalike called the Bart ransomware switched to the .perl extension instead. The other characteristics haven’t changed.
OCTOBER 25, 2016
Locky’s Thor edition surfaces
The above-mentioned .shit file extension variant of Locky didn’t even last one day. A new build that appends .thor to one’s jumbled data elements shortly replaced its predecessor. The offline “autopilot” encryption, file renaming format, and ransom notes didn’t undergo any changes.
A Hungarian copycat of Locky
A sample dubbed Hucky takes after the infamous Locky ransomware in many ways, including the design of user interaction modules and the crypto algorithms applied. This one, however, appears to be only targeting Hungarian users.
OCTOBER 26, 2016
Ransomware author suggests a pathetic deal
Emsisoft’s researcher Fabian Wosar published his conversation with the Fsociety ransomware maker, where the latter tried to sell him about 200 valid decryption keys for 10 BTC. Of course, Fabian declined the offer. Moreover, he had already come up with a method to restore victims’ data for free.
OCTOBER 27, 2016
Screen locker with a survey feature under the hood
Researchers spotted an interesting screen locker sample that asks its victims to complete a brief survey before they can regain access to their system. Once a user answers several funny questions like “Snickers or Butterfinger?,” a Notepad document named ThxForYurTyme.txt becomes available. The current in-development version only expresses a few words of gratitude in this file, but it will probably provide an unlock code when the malware becomes fully functional.
Another lame screen locker discovered
Screen lockers that prevent victims from accessing their computers typically aren’t nearly as sophisticated as file-encrypting Trojans. This applies to the piece of malware that blocks PCs and instructs users to contact the crook at email@example.com. Thankfully, security analysts reverse-engineered this one and obtained the unlock code.
New CryptoWire ransomware emerges
According to researchers’ verdict, CryptoWire is most likely based on readily available educational ransomware code. Its warning screen instructs victims to send 200 USD worth of Bitcoins for decryption of the locked data. This incident demonstrates once again that proof-of-concept ransom Trojans might have adverse effects in the long run.
Onyx ransomware goes after Georgian users
The strain called Onyx produces a ransom alert containing an image of No-Face, a character from the Japanese “Spirited Away” anime fantasy film. The warning message is in Georgian. Onyx demands 100 USD for data decryption.
IFN643 Ransomware is underway
This new sample mainly targets Microsoft Office documents, drops the IFN643_Malware_Readme ransom note, and won’t decrypt data unless a victim submits 1000 USD worth of Bitcoins.
The weirdness of Jack.Pot strain
When confronted with the Jack.Pot ransomware, users face a dilemma of coughing up 3 Bitcoins or losing their critical data. However, even if a victim decides to pay, it’s not clear how exactly to submit the ransom. The pest doesn’t provide any contact details to reach the attacker. To add insult to injury, the ransom note provides a Litecoin rather than Bitcoin address. Obviously, Jack.Pot is a buggy infection at this point.
Some of the file-encrypting strains that surfaced in October demonstrated a shift toward geo-targeting, where the infections proliferate within specific countries. Surprisingly enough, quite a few screen lockers emerged that don’t actually encode anything. Some ransomware devs began opting for payment methods based on prepaid card services rather than Bitcoin. Although security analysts are getting better at cracking these threats, it’s strongly recommended to have a plan B in store – data backups should do the trick.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.