Ransomware Timeline: Top Stories December 2017
There were hardly any massive ransomware outbreaks last month. The criminals must have been busy prepping for the holidays. The online extortion activity didn’t stand still, though. A new wave of MongoDB database hijacking for ransom got millions of voters in California nervous. To top it off, healthcare facilities and counties kept falling victim to Mac ransomware. Keep reading this chronicle for December to learn more.
Dec. 1, 2017
Experts from Zscaler cybersecurity firm unveil links between two independently crafted ransomware samples called Bugware and Vortex that share common roots code-wise. Both are based on the same open-source .NET codebase. The analysts compare these strains’ payload specificity, encryption workflow and C2 infrastructure.
Dec. 2, 2017
An offbeat blackmail virus starts propagating in South Korea. Its uniqueness lies in free decryption of a victim’s data in case it spots Minecraft 1.11.2 on an infected machine. The author must be a big fan of the game. This infection appends the .RansomMine string to encoded files.
Dec. 4, 2017
The recently discovered HC7 ransomware might be decryptable for free under certain circumstances. According to researchers, victims may be able to retrieve the private RSA decryption key using RAM capture tools. There is a prerequisite to successful recovery via this forensic method. It works if the plagued computer has not been rebooted since the time of contamination.
Dec. 5, 2017
An unidentified ransomware sample infects the computer network of the Colorado Center for Reproductive Medicine. The institution’s management states that the impact may be bigger than data encryption alone. The threat actors may have obtained access to CCRM’s servers holding sensitive patient information.
Dec. 7, 2017
Part of the digital infrastructure of Mecklenburg County (North Carolina) gets crippled by the LockCrypt ransomware. The contaminant affects the municipal financial reporting, child support enforcement, transactions processing and a few more online services.
Dec. 8, 2017
GlobeImposter, one of the most widespread blackmail threats around, continues its well-trodden imitation trend. For the record, its initial version mimicked another strain called Globe. The most recent edition blemishes ransomed files with the .arena extension, the one used by the CrySiS/Dharma ransomware lineage.
Dec. 9, 2017
The perpetrating program codenamed Blind ransomware undergoes a tweak. Its new variant subjoins the .napoleon string to encrypted data entries. A noteworthy hallmark sign of this sample is the exploitation of IIS (Internet Information Services), which means that the payload is deposited and executed on computers manually.
Dec. 11, 2017
A brand new crypto infection called File Spider is spreading like wildfire in the Balkans. Specifically, its distribution is restricted to Croatia, Bosnia and Herzegovina, and Serbia. The pest is making the rounds via spam emails containing Microsoft Word attachments with malicious VBA macros. It concatenates the .spider extension to hostage files.
Dec. 13, 2017
Cybercriminals abuse the benign Hidden Tear ransomware project once again. This educational code becomes a basis for another real-world crypto malware. The fresh offshoot is dubbed TrOwX. It appends the .locked extension to encoded files and drops a ransom note named READ_AND_CRY.txt. Besides English speaking victims it targets users in China.
Dec. 15, 2017
A database containing confidential information of more than 18 million Californian voters gets compromised as a result of a new wave of the notorious MongoDB server breaches. The attackers exported database content and left a ransom note demanding 0.2 Bitcoin for returning the information.
Dec. 18, 2017
A new ransomware distribution campaign is discovered that stands out from the rest. It props the circulation of the WannaDecryptor infection. The harmful binary is bundled with a cryptocurrency multiplier called Bitcoin-x2 v5.1. Since users are not alerted in any way to the extra component of the download, they get their data encrypted instead of obtaining more Bitcoin. Earlier this group focused on victims from South Korea.
Dec. 19, 2017
Thomas Bossert, President Trump’s homeland security adviser, makes an official statement regarding the attribution of the WannaCry ransomware outbreak from May this year. According to it, the White House has evidence of North Korean hackers’ involvement in this extortion wave.
Dec. 20, 2017
Romanian police chase down and apprehend five people on suspicion of spreading the infamous CTB-Locker and Cerber blackmail malware throughout Europe and the U.S. Whereas that’s certainly good news, the arrestees are mere distributors of the Trojans, and the authors remain unidentified.
Dec. 21, 2017
The underground ransomware business appears to be getting less profitable. At least, that’s the conclusion one can draw from the shift in the activity of the cybercriminal group behind the VenusLocker ransomware. The crooks have reportedly abandoned online extortion and started peddling Monero mining programs instead.
Dec. 28, 2017
CryptoMix, one of the oldest active ransomware strains in the wild, gets a minor facelift. Its latest variant switches to concatenating the .tastylock string to hostage files. The name of the ransom note (_HELP_INSTRUCTION.txt) remains the same, but the content has changed a bit. Now it instructs victims to send email to [email protected] for decryption steps.
The destructive ransomware plague is underway, with some ups and downs occurring once in a while. This fact should incentivize home users and organizations to adopt dependable backup strategies so that the damage from an e-blackmail attack is reduced to the minimum.
Top ransomware records for November 2017
There was a lot more ransomware activity in November compared to the previous month. The infamous ACCDFISA Trojan literally rose from the ashes after years of hiatus. A destructive specimen called Ordinypt was wreaking havoc in Germany with attacks leading to irreversible loss of data. Another city suffered the consequences of a defiant crypto onslaught. The highlights below will give you a better idea of how things went on the ransomware battlefield last month.
Nov. 30, 2017. A ransomware strain called ACCDFISA v2.0 is spreading on a large scale in Brazil. Its legendary prototype emerged at the dawn of the cyber extortion plague back in 2012. It was a screen locker and file encoder pretending to emanate from the Anti Cyber Crime Department of the Federal Internet Security Agency, an agency that doesn’t even exist. Present-day crooks have reanimated the culprit in this new campaign.
Nov. 27, 2017. Malware analysts come across a sample that stands out from the rest. Dubbed StorageCrypter, it targets online-accessible Western Digital My Cloud NAS (network-attached storage) devices that usually hold a plethora of data. This infection blemishes encoded files with the .locked extension and drops READ_ME_FOR_DECRYPT.txt rescue note. The size of the ransom is 0.4 Bitcoin.
Nov. 23, 2017. A blackmail virus called Scarab is being heavily distributed via a malspam wave originating from Necurs, one of the world’s most powerful botnets. For the record, this particular botnet gained notoriety for pushing the notorious Locky ransomware. The perpetrating program stains encrypted files with the .[[email protected]].scarab extension.
Nov. 22, 2017. The new qkG ransomware, or qkG Filecoder, exhibits a few quite interesting characteristics. Its activity inside an infected host resembles that of a computer worm as it utilizes a self-replication mechanism. Furthermore, it contaminates Normal.dot (the Microsoft Word global template) so that every Word document opened by the victim gets encrypted.
Nov. 20, 2017. The CrySiS ransomware lineage spawns one more variant as part of its authors’ dynamic update strategy. The newcomer concatenates the .java extension to ransomed data entries and drops a combo of ransom notes named info.hta and ‘Files encrypted!!.txt’. Unlike some of the older versions, there is no free decryption tool supporting this particular edition.
Nov. 17, 2017. A widespread species of ransomware called CryptoMix undergoes another update. The latest variant adds the .0000 extension to hostage files and replaces filenames with strings consisting of 32 hexadecimal characters. This way, a victim is unable to work out which encoded entry corresponds to a specific file. The ransom notification file is named _HELP_INSTRUCTION.txt.
Nov. 15, 2017. Students of J. Sterling Morton school district, Illinois, become targets in an unordinary ransomware campaign. An uncatalogued blackmail virus has been trying to attack them via a counterfeit student survey propped by professionally tailored phishing emails. Although this piece of malicious code doesn’t go with a working crypto module thus far, it demonstrates how successful this type of infection vector can get.
Nov. 14, 2017. Security services provider Dr.Web comes up with a cure for a relatively new ransom Trojan that uses the .kill or .blind extension to speckle hostage files. The vendor’s tool called Dr.Web Rescue Pack is reportedly capable of decrypting these files so that victims don’t have to cough up the ransom. In order to use this software’s recovery feature, though, it’s necessary to pay a subscription fee.
Nov. 13, 2017. The authors of CryptoMix, one of the most prolific ransomware samples around, continue their prosaic filename tweaking routine. The most recent version of this baddie smears encrypted data items with the .XZZX extension token. This iteration invariably sticks with the same ransom note named _HELP_INSTRUCTION.txt.
Nov. 10, 2017. The evolution of the LockCrypt ransomware illustrates how dynamic this cybercriminal ecosystem is. It was originally spotted in June as part of a RaaS (Ransomware-as-a-Service) network called Satan. This type of distribution implies revenue sharing with the proprietor of the malign affiliate platform.
The crooks behind LockCrypt apparently chose to depart from this scheme. They appear to have written their own code from the ground up and no longer use the Satan RaaS for proliferation. The culprit is infecting computers via brute-forced RDP services.
Nov. 9, 2017. A new ransomware specimen dubbed Ordinypt raises a red flag as it is more dangerous than the average crypto infection. This one zeroes in on German users and organizations. The bad news for all the victims is that Ordinypt completely cripples files instead of making them inaccessible through encryption. This means that there is absolutely no way to get the hostage data back.
Nov. 7, 2017. Another ransom Trojan is discovered that exploits Microsoft Word macros to contaminate computers. It’s called Sigma. The payload arrives with a booby-trapped email attachment. Sigma appends every encrypted file with a random extension composed of four alphanumeric characters and drops a rescue note named ReadMe.txt. The ransom amounts to a Bitcoin equivalent of $1,000.
Nov. 4, 2017. Security experts unearth some details about a new high-profile ransomware species called GIBON. It turns out to have been circulating in the cybercriminal underground since May this year. It’s not until early November, though, that the pest started making the rounds via massive spam campaigns. It provides data recovery steps in a file named Read_Me_Now.txt. Shortly after the breakout, MalwareHunterTeam’s leader Michael Gillespie was able to create a free decryption tool for the infection.
Nov. 3, 2017. It’s amazing how a single email attachment can get a whole city’s payment infrastructure paralyzed. That’s what happened to Spring Hill, Tennessee. One of the employees opened a toxic file received via spam, thus unknowingly allowing a ransomware contagion to take root. The perpetrating code badly affected Spring Hill’s computer servers, effectively knocking down the online payment processing systems. The adversaries demand $250,000 worth of Bitcoin for data decryption.
Nov. 2, 2017. Magniber, a ransomware sample spreading via the Magnitude exploit kit, hit the headlines in mid-October as it resembled the abominable Cerber infection in many ways. Based on clues in its code, security analysts concluded it was a new variant of this year’s most widespread ransomware program mentioned above. Several weeks afterward, Magniber underwent the first major update. The biggest change is the new .skvtb suffix being concatenated to encrypted files.
In summary, the ransomware epidemic is still around and it’s getting nastier. Unfortunately, there is no vaccine for this cyber menace, so data backups continue to be the best thing since sliced bread when it comes to preventing the worst-case scenario. So back it all up and stay safe.
Top ransomware records for October 2017
Several incidents that took place in October have demonstrated that cybercrooks are starting to leverage ransomware as a red herring rather than an extortion entity as such. Well-coordinated attacks against the Far Eastern International Bank and numerous Japanese enterprises involved ransomware to distract victims from much more serious quandaries, such as money theft. And yet, the classic extortion route continues to be the dominating modus operandi of the threat actors.
Oct. 31, 2017. According to Cybereason cybersecurity firm, a ransomware strain called ONI has been used in elaborate, persistent attacks against Japanese companies over the course of three to nine months. The infection has reportedly operated in tandem with Ammyy Admin RAT (remote access tool) and performed the function of a data wiper to cover up the hackers’ tracks.
Oct. 27, 2017. The authors of BadRabbit, a blackmail virus circulating mostly in Eastern European countries, didn’t equip their perpetrating code with one classic ransomware feature. Specifically, the pest does not erase Shadow Copies of its preys’ files. This hallmark sign means that it may be feasible to restore encrypted data by dint of commonplace file recovery solutions.
Oct. 24, 2017. A new social engineering campaign involving phony Flash updates deposits a ransomware species dubbed BadRabbit onto computers. It predominantly zeroes in on European users, with most incidents being reported in Ukraine, Bulgaria, Russia, and the Netherlands. It turns out that this offending program is affiliated with the infamous NotPetya Trojan. Both were made by the same cybercriminal group dubbed TeleBots and affect the MBR of target hosts.
Oct. 23, 2017. Microsoft finally launches the long-awaited anti-ransomware feature called Controlled Folder Access. It is included in the Windows 10 Fall Creators Update. The feature blocks programs that attempt to make unauthorized changes to data in certain default paths and custom folders.
Oct. 21, 2017. McAfee, a renowned security software vendor, contrives a free tool aimed at assisting ransomware victims in data decryption. It’s called McAfee Ransomware Recover, or Mr². The solution is an aggregate of available decryptors supporting specific ransomware families and allows infected users to get their data back without submitting ransoms.
Oct. 19, 2017. A breakthrough in cracking the Magniber ransomware species hits the headlines. Researchers at Zimperium mobile security company discovered that it may be possible to obtain the private decryption key in case a user is confronted with a so-called offline edition of Magniber. The main prerequisite to successful recovery is a hard-coded AES crypto key, which isn’t the case with all variants of this ransomware.
Oct. 18, 2017. The Cerber ransomware appears to be giving in to a derivative referred to as Magniber (acronym formed from ‘Magnitude’ and ‘Cerber’). Just like the prototype, this one uses the Magnitude exploit kit to spread. The original wave of the plague is isolated to South Korea, though.
Oct. 17, 2017. A crypto culprit called the Hermes ransomware turns out to be a component of a sophisticated bank heist targeting Taiwan-based Far Eastern International Bank (FEIB). The threat actors, most likely North Korean ‘Lazarus’ hacker group, harnessed the ransomware as a smokescreen to distract the bank’s officials from the money theft going on backstage.
Oct. 16, 2017. Iran’s Computer Emergency Response Team Coordination Center (CERTCC) issues a security alert in response to a soaring extortion campaign involving the Tyrant, or Crypto Tyrant, ransomware. The infection displays a ransom notification in Farsi (Persian language), instructing victims to redeem their files within a 24-hour timeframe.
Oct. 14, 2017. A new tech support scam is on the rise that engages the ransomware theme for intimidation. While surfing the web, a would-be victim is redirected to a deceptive site stating that the infamous WannaCry ransomware has been detected on their computer. To address the purported predicament, users are instructed to call a toll free number for assistance, with a fee payment ensuing from this routine.
Oct. 13, 2017. Security analysts discover an Android ransomware specimen dubbed DoubleLocker. In contrast to other mobile ransom Trojans that simply lock the screen of a host device, this one is unique because it additionally encodes data on the primary storage. Furthermore, DoubleLocker gains sufficient privileges on a plagued gadget to reactivate itself whenever the user taps the Home button.
Oct. 11, 2017. According to cybersecurity firm Carbon Black, the ransomware economy is continuously reaching new heights. In their latest report, the researchers state that the underground marketplace for blackmail viruses has expanded by a whopping 2,500% in 2017 versus 2016. Also, the experts spotted 6,200 dark web sites promoting different ransomware lineages via about 44,000 ads.
Oct. 10, 2017. Another persona of the Locky ransomware is discovered in the wild. It blemishes encrypted data with the .asasin extension token and adds rescue notes named asasin.htm and asasin.bmp to folders with hostage files. The first wave of malicious spam was a fail, though – the emails didn’t contain any toxic attachment.
Oct. 5, 2017. An uncatalogued ransomware sample cripples the municipal computer network of the City of Englewood, Colorado. The contagion affected numerous employees’ workstations as well as the servers of the local Wastewater Treatment Plant, Civic Center, Recreation Center, and Public Library. Fortunately, personal information of the residents and staff reportedly remained intact.
Oct. 2, 2017. Another healthcare facility fell victim to crypto ransomware. In a defiant move, cybercriminals attacked the IT infrastructure of the Arkansas Oral & Facial Surgery Center. The incursion took place on July 26, but it’s not until early October that the details of it were made public. The incident reportedly wasn’t aimed at stealing patients’ information. Instead, it rendered about 128,000 files inaccessible, including x-ray images and individual demographic data.
That’s it for October. In summary, it’s worth emphasizing for the umpteenth time that nothing beats data backups when it comes to recovering from a ransomware onslaught. Keep that in mind and be sure to stay tuned for the next monthly report.
Top ransomware records for September 2017
Whereas September was generally slow ransomware-wise, it was a month of really weird strains. One of them asked for nude pictures of the user instead of money, another one simply mutilated data without the slightest chance for decryption. Some of the noteworthy events that at least make sense include the onset of a new Locky version, another huge wave of ransom attacks targeting servers, and predictable updates of existing families like GlobeImposter and Jigsaw.
Sept. 28, 2017. Security researchers discover LaserLocker, a malicious tool designed to streamline the process of creating screen locking ransomware. All it takes to generate a custom locker is think up the ransom note and tick a few checkmarks for disabling things like System Restore and Task Manager on an infected host.
Sept. 25, 2017. A new ransomware sample called nRansom goes an entirely different route than the rest. Rather than demand cryptocurrency for data decryption, it instructs victims to send 20 nude pictures of themselves. Some extortionists, apparently, aren’t motivated by financial gain.
Sept. 23, 2017. IT analysts spot an outbreak of RedBoot, a really offbeat blackmail Trojan. Similarly to the notorious NotPetya, or ExPetr, this one cripples an infected computer’s master boot record (MBR) and partition table. The worst part is that RedBoot isn’t equipped with a viable recovery mechanism, so it appears to be either a wiper or a buggy ransomware.
Sept. 22, 2017. Another fresh strain called InfinityLock leverages quite an unusual tactic to pressure victims into coughing up Bitcoins for their data. It shows a phony Command Prompt window that’s actually an animated screen imitating commands being typed by a hacker. This specimen’s payload is disguised as Adobe Premier ‘crack’.
Sept. 21, 2017. The distribution of the latest Locky ransomware persona dubbed Ykcol is backed by several concurrent malspam waves. These campaigns are run by six different cybercriminal groups. The phishing themes include ‘new voice message in mailbox’, ‘status of invoice’, and ‘Herbalife order number’.
Sept. 21, 2017. Online extortionists stick with the Hidden Tear proof-of-concept ransomware to devise real-life samples. An umpteenth abuse case involving this educational specimen gives rise to a new blackmail virus called CyberDrill. This culprit demands a huge ransom of 5 BTC (about $26,000) for the private decryption key.
Sept. 20, 2017. Administrators of some Eastern European ‘Dark Web’ forums are reportedly disputing the idea of promoting ransomware via their shady resources. Some of their arguments for dropping this activity are as follows: ransomware attracts attention to malware in general, increases users’ overall security awareness, and relies on luck rather than intelligence.
Sept. 18, 2017. A brand new variant of the Locky ransomware is released. It stains encoded data entries with the .ykcol extension token and drops ransom how-to’s named ykcol.htm and ykcol.bmp. As before, this iteration is making the rounds through malspam spawned by Necurs, one of the biggest botnets around.
Sept. 13, 2017. An offending program called the Paradise ransomware is rapidly paving the way towards worldwide propagation. An interesting fact is that it is distributed on a Ransomware-as-a-Service (RaaS) basis, a widespread malicious affiliate model. The infection employs asymmetric RSA cryptosystem to lock files and blemishes them with the .paradise extension prepended with the attackers’ email address.
Sept. 12, 2017. The developers of GlobeImposter, one of the most frequently updated ransomware strains, pay tribute to the 40th U.S. President in their own, very special way. The most recent version of this blackmail malware appends the .reaGAN extension to enciphered data and instructs victims to reach the attackers at [email protected] for decryption clues.
Sept. 11, 2017. The Jigsaw ransomware lineage produces two new editions in one day. Both of them zero in on users in Poland, judging by the language of the ransom notes. The extensions appended to hostage files are .pablukCRYPT and .pabluk300CrYpT!. Fortunately, the previously developed free Jigsaw Decrypter tool supports these variants.
Sept. 9, 2017. One more Turkish ransomware, named ApolloLocker, appears. It brings a lot more damage than just file encryption, because ApolloLocker has a data theft component that steals personal and bank data. The ransomware uses the .locked file extension and creates a ransom note named DOSYALARI-KURTAR.txt/url.
Sept. 8, 2017. The DilmaLocker virus is discovered. This ransomware focuses on Portuguese-speaking victims. It marks locked files with the ._dilmaV1 extension and provides restoration advice in a file called RECUPERE_SEUS_ARQUIVOS.html.
Sept. 7, 2017. In an attempt to circumvent detection by antimalware suites, the authors of the above-mentioned GlobeImposter ransomware manage to get their newest malicious binary signed with a valid digital signature. The good news is, the Comodo CA revoked the certificate later on that day.
Sept. 6, 2017. Another ransomware, with the trivial name Hacked, attempts to be bilingual. The ransomware in question adds the .hacked extension to locked files. The Hacked malware comes with a GUI that has English and Italian versions. The virus asks for $2,000 and sets a short deadline of just 3 days.
Sept. 5, 2017. A fresh sample called the SynAck ransomware turns out to be a serious threat to businesses. It tends to infect corporate networks via poorly secured RDP connections. The perpetrating code encrypts proprietary files and concatenates a victim-specific random 10-character string to each one. The crooks demand a ransom of $2,100 payable in Bitcoin.
Sept. 4, 2017. Cybercriminals attack about 26,000 MongoDB web servers that use weak or default authentication. The content of the hijacked databases was replaced with a ransom note asking for 0.5 Bitcoin and coercing victims to contact the threat actor at [email protected]. It’s noteworthy that a different hacker group hit approximately the same number of MongoDB databases in early January 2017.
Sept. 2, 2017. CryptoMix, which is one of the most common types of ransomware around, gets a new variant. The infection encrypts files and assigns them new names consisting of 32 hexadecimal characters with the .arena extension at the end. The ransom note is named _HELP_INSTRUCTION.txt.
Sept. 1, 2017. The architects of a new malspam campaign spreading the Locky ransomware start using a really intricate payload execution technique. It revolves around run-on-close macros. In a nutshell, this means that the contamination chain commences when a victim closes a trojanized Word file attached to a phishing email. Some security solutions don’t flag this type of payload delivery as malicious, so the infection sneaks inside undetected.
To recap, it’s hard to call September groundbreaking as far as the ransomware plague is concerned. It’s sort of disconcerting, though, that malware analysts didn’t release any free decryption tools during the month. Hopefully, this will change in October. Anyway, when confronted with one of these cyber culprits, the only effective way to sort things out is to restore data from an up-to-date backup.
Major ransomware events for August 2017
An aftershock of the violent WannaCry and Petya ransomware waves was still causing problems to users and companies in August, even though these campaigns broke out months ago. The Locky strain returned with its new ‘Lukitus’ persona. Cerber got a makeover and became yet more harmful due to a built-in info stealer module. Peruse the stories below to stay on top of the ongoing ransomware plague.
Aug. 31, 2017. Cybercriminals in charge of the Princess Locker ransomware campaign take their tactics a notch further by adding the RIG exploit kit to their distribution vectors. This means that users who don’t keep their operating system and third-party software up to date run the risk of getting infected – all it takes is visiting a compromised website.
Aug. 29, 2017. A file-encrypting virus dubbed BitPaymer attacks a computer network of several hospitals in Lanarkshire, Scotland. The crooks demand a whopping ransom of 53 Bitcoin (about $230,000) for data decryption. The ransomware reportedly arrived via hacked remote desktop services.
Aug. 25, 2017. The Android ransomware ecosystem may significantly expand due to the emergence of a new Trojan development kit. The solution is being promoted on Chinese hacking forums. It streamlines the process of creating custom variants of the notorious Lockdroid ransomware.
Aug. 24, 2017. Researchers discover new blackmail malware called Defray. What makes this specimen different from mainstream ransomware is that it targets large UK and US enterprises representing the following segments: manufacturing, technology, healthcare, and education. The malicious code is making the rounds via spear phishing.
Aug. 21, 2017. According to recent findings of McAfee security analysts, about 30% of all new ransomware species detected in June 2017 were derivatives of the Hidden Tear codebase. For the record, Hidden Tear is a proof-of-concept ransomware created strictly for educational purposes. Predictably enough, cybercrooks have been heavily abusing this academic open source project for real extortion.
Aug. 19, 2017. New edition of the CrySiS/Dharma ransomware surfaces. It stains hostage files with an extension in the following format: .id-[random 8 characters].[attacker’s email].cesar. The most frequently reported email attributes include [email protected], [email protected], [email protected], and [email protected]. This variant drops a rescue note named Info.hta.
Aug. 18, 2017. When it seemed that the infamous WannaCry ransomware had faded away after the newsmaking outbreak in May, it contaminates a network of LG self-service kiosks in South Korea. It’s hard to imagine how come such a high-tech company failed to patch gaping holes in their systems, ones that WannaCry is known to exploit for proliferation.
Aug. 17, 2017. Security vendor Check Point provides a statistical breakdown of malware samples distributed via spam. As per their new Global Attack Trends report, most infections that arrived with malspam in the second quarter of 2017 were ransomware. Although this vector is old-school, it works and still boasts a high success rate of payload execution.
Aug. 16, 2017. A brand-new version of the Locky ransomware is released. The updated infection switches to using the .lukitus extension to speckle hostage files and drops a combo of decryption how-to manuals named lukitus.htm and lukitus.bmp.
Aug. 16, 2017. The recently discovered SyncCrypt ransomware is capable of tricking most security suites due to a multi-layered contamination workflow. It is distributed by means of a booby-trapped WSF file that arrives with spam. When an unsuspecting recipient opens this Windows Script File, it downloads several images with the obfuscated ransomware payload inside. It’s the use of harmless-looking image files that allows the infection to fly under the radar of AV tools.
Aug. 15, 2017. As it has been mentioned above, even benign PoC ransomware is a bad idea as it can be weaponized for real-world attacks. An unscrupulous programmer from Indonesia nicknamed ‘Shor7cut’ doesn’t seem to care – he created and open sourced a ransomware project that zeroes in on PHP web servers. Online extortionists have picked up the code to create custom variants, including JapanLocker, Lalabitch, and EV ransomware.
Aug. 11, 2017. The Cyber Police of Ukraine apprehends a 51-year-old man as part of an investigation of the recent Petya ransomware campaign. The suspect is being charged with infecting several local firms with an edition of this virus called Petya.A. Perhaps the most astonishing fact in this whole story is that the contaminated companies had actually opted for such an ‘assistance’ in order to evade taxes due to the loss of accounting reports.
Aug. 11, 2017. Although the Gryphon ransomware is an offshoot of the BTCWare family, it is starting to act independently from its prototype. This sub-lineage of blackmail Trojans undergoes another update, blemishing encrypted files with the .[attacker’s email].gryphon or .[attacker’s email].crypton extension. The ransom note is named HELP.txt.
Aug. 7, 2017. The so-called GlobeImposter 2.0 ransomware strain continues to exhibit unprecedented productivity. Researchers discover multiple new blackmail Trojan variants from this family during a time span of one week. These hastily released derivatives use the following extensions to blemish locked data: .492, .725, .726, .crypt, .astra, .sea, and .coded.
Aug. 4, 2017. An updated version of the currently dominant Cerber ransomware is spotted in the wild. Aside from classic extortion, the infection now performs some reconnaissance on targeted computers. Specifically, it comes equipped with a spyware module that steals cryptocurrency wallet data and browser passwords.
Aug. 2, 2017. A new strain called Crystal ransomware turns out to be much more than a commonplace file-encrypting virus. It additionally accommodates a malware downloader that pushes other infections onto the computer behind the victim’s back. Another malicious extra is a flooder used in denial-of-service attacks.
Aug. 1, 2017. Merck, a large pharma company based in the United States, estimates the damage from the Petya ransomware attack that affected its systems at the end of June. The onslaught reportedly impacted its worldwide operations, including sales, manufacturing, and research. In the aftermath of the incident, Merck is still experiencing delays in fulfilling orders and is incurring significant remediation costs that have yet to be quantified.
Even powerful corporations with huge resources at their disposal are not fully protected against the ubiquitous ransomware epidemic, not to mention regular computer users. While there is no universal vaccine for this cyber threat yet, the most effective countermeasures include a well-thought-out data backup strategy and an incident response plan.
Major ransomware events for July 2017
Last month demonstrated that the scourge of ransomware has its ups and downs. Not many new blackmail viruses were released – instead, the crooks mainly focused on updating old ones. The only segment of this cybercrime environment that showed some growth was Android ransomware. Meanwhile, successful law enforcement activity resulted in several arrests over online extortion.
July 27, 2017. Researchers from Google, Elie Bursztein, Kylie McRoberts and Luca Invernizzi, deliver a presentation at Black Hat USA 2017 called “Tracking desktop ransomware payments”. According to their findings, the vast majority of ransomware payouts made since 2014 were laundered via the BTC-e cryptocurrency trading platform. Following this report, Greek law enforcement apprehends the proprietor of BTC-e, Russian citizen Alexander Vinnik.
July 26, 2017. IT security analysts from the Italian university Politecnico di Milano create a Windows driver and custom filesystem called ShieldFS. Its objective is to identify ransomware at early stages of the infection chain, stop the malicious processes and undo unauthorized changes to data.
July 24, 2017. Malwarebytes leverages the recently released master decryption key for the original Petya ransomware iterations to craft an ad hoc free decryptor. The tool supports the first edition of Petya as well as the Mischa and GoldenEye spin-offs.
July 22, 2017. Cybercrooks behind the GlobeImposter ransomware lineage launch three variants of their offending program in a single day. Whereas all of these derivatives create an identical rescue note named how_to_back_files.html, they use different extensions to label encrypted files, namely .crypt, .gotham, and .happ. Earlier, CryptoMix was the leader in this respect, quickly cycling through its .MOLE extensions.
July 21, 2017. New ransomware called Bitshifter doesn’t act like the average strain out there. While it encrypts and holds victims’ data for ransom, it also comes equipped with a reconnaissance module that searches for information related to cryptocurrency wallets. If the stealthy lookup for such data is successful, the pest uses the WebSocket protocol to exfiltrate it to a Command & Control server. Bitshifter targets only China for now.
July 18, 2017. FedEx evaluates the damage incurred due to the recent NotPetya ransomware attack. According to the company’s officials, the computer network of the Ukrainian division of TNT Express was the first one hit by said MFT-encrypting virus. The contagion subsequently propagated to a number of other subsidiaries. The impact is reportedly permanent, and some systems are unlikely to be fully recovered.
July 17, 2017. Researchers discover an unusual Spanish ransomware specimen called Reyptson. Its uniqueness revolves around the fact that it tries to gain access to the victim’s Thunderbird account, if there is one. It then starts spamming all Thunderbird contacts with malware-tainted emails disguised as invoices. This way, Reyptson increases its potential attack surface significantly.
July 15, 2017. The author of the ID Ransomware service, Michael Gillespie (@demonslay335), adds another free decryptor to his vast collection. This one automatically restores data locked by the Striked ransomware strain, which sprinkles recovery how-to’s named README_DECRYPT.html all over the plagued system.
July 12, 2017. Yet another anti-ransomware breakthrough by Emsisoft hits the headlines. The security vendor releases a decryptor for all iterations of the NemucodAES ransomware. This infection applies a combo of the AES-128 and RSA cryptosystems to lock down one’s important data and provides payment instructions in a ransom note named DECRYPT.hta.
July 11, 2017. A 75-year-old Australian man is arrested for involvement in a tech support scam leading to ransomware infections. Here’s the story: an overseas group of fraudsters called Australian users to trick them into thinking their PCs had security issues. The crooks then instructed would-be victims to provide remote access to their systems, which in turn led to the installation of crypto ransomware. According to local police, the arrested man set up several companies that received funds from victims and transferred them to the rogue tech support firm.
July 10, 2017. Researchers from McAfee expose a defiant ransomware scheme targeting Android devices. The extortion campaign relied on two trojanized apps – Wallpapers Blur HD and Booster & Cleaner Pro – distributed via Google Play. These apps included a surreptitious component that stole victims’ sensitive files and threatened to send them to everyone from the phone and email contacts list. To prevent this privacy leak, users were instructed to pay $50. Based on these findings, Google promptly removed both apps from their marketplace.
July 6, 2017. The maker of the Petya ransom Trojan dumps the master key for all offshoots of this highly destructive threat. The dev, who goes by the alias JANUS, provided the decryption key download link on his Twitter page. Security analysts confirm that the key is valid for early variants of Petya but doesn’t work for the NotPetya infection unleashed last month. This suggests that the two campaigns were operated by different cybercriminal crews.
July 5, 2017. Two Chinese men get arrested by local police for spreading a WannaCry ransomware knockoff for Android. The malicious app is a remake of the infamous SLocker virus tailored for the mobile OS in question. The crooks have been spreading the infection via Chinese forums, masquerading it as a cheating tool for the King of Glory game.
July 3, 2017. German IT security institute AV-TEST publishes a report containing some unexpected statistics on the state of the ransomware industry. According to it, ransom Trojans accounted for a negligible 0.94% of all malware activity globally in 2016.
July 1, 2017. Having thoroughly analyzed the recent NotPetya ransomware outbreak in Ukraine, several reputable security firms conclude that it can be attributed to the same cybercriminal group (known as TeleBots, or BlackEnergy) that conducted attacks against the Ukrainian power grid back in 2015 and instigated the XData ransomware wave in May 2017.
It appears that some ransomware is assuming the characteristics of cyber warfare presumably used in state-sponsored attacks. To add insult to injury, Android ransomware is gaining momentum and shaping up to be the next big thing. The stakes are obviously getting higher. At the same time, according to Google’s research referenced above, only 37% of users back up their data. So make sure you are in the remaining 63% to take no chances.
Major ransomware events for June 2017
Extortion via crypto ransomware continues to be the mainstay of present-day cybercrime. Last month was a period of firsts in this malicious ecosystem. Never before had an infected company paid a one-million-dollar ransom to threat actors. We hadn’t seen a ransomware strain target a particular country until the Petya campaign took root in late June. The adversary is changing tactics and starting to pursue new goals. Read the records below to learn more.
June 29, 2017. The nasty Cerber ransomware undergoes a transformation. Its new name indicated in the ransom how-to files is CRBR Encryptor. The distribution vectors now additionally include the use of an exploit kit called Magnitude.
June 28, 2017. According to a technical write-up by Kaspersky Lab, the latest variant of the Petya ransomware does not accommodate any viable mechanisms to decrypt a plagued computer’s Master File Table (MFT) and victims’ personal files. Consequently, its goal is to destroy data and disrupt systems beyond recovery.
June 27, 2017. A Petya ransomware remake dubbed NotPetya, exPetr or PetrWrap is claiming victims on a huge scale. It primarily infects large state-owned organizations, SMBs and banks in Ukraine, gradually spreading to other European countries. Researchers blame this ruinous outbreak on a malware-tainted update for accounting software called M.E.Doc.
June 23, 2017. New ransomware called Reetner uses a novel technique: a modular execution routine. It creates and delivers several .exe files, each responsible for a separate action. Noter.exe merely presents the ransom note, while another .exe file later encrypts the victim’s files. This method complicates the work of malware researchers, as dealing with the numerous executables of a single virus can become a mess.
June 23, 2017. The new Internet Crime Report released by the FBI’s Internet Crime Complaint Center unveils a trend in the way users and organizations treat the ransomware incidents they are confronted with. Most of them never call in law enforcement to investigate these crimes, so there is obviously a big gap between the official and actual ransomware statistics.
June 22, 2017. The Locky ransomware is apparently going through ups and downs this year. Its latest comeback has introduced anti-debugging features that thwart analysis of the Trojan’s code. Luckily, the threat actors must have cooked up the new iteration hastily as it only executes the crypto routine on Windows XP and Vista.
June 21, 2017. WannaCry, a top-notch ransomware strain that proliferates via NSA exploits, has not faded away despite the all-embracing efforts of Microsoft, security vendors and businesses. This time, it infects the computer network of a Honda car factory in Japan, forcing the management to halt production until the cyber malady is contained.
June 20, 2017. Owners of Nayana, a South Korean company providing web hosting services, pay an unprecedented ransom of $1 million to move on with their operations. This decision was made after several weeks of negotiations with adversaries who had infected the web host’s numerous Linux web servers with the Erebus ransomware.
June 19, 2017. Although some security analysts considered the Samas ransomware lineage to be extinct due to a long period of inactivity, it returned with yet more sophisticated attacks than before. The crooks use stolen login credentials and the PsExec tool to deploy this Trojan on computers. The new iteration concatenates the .breeding123, .suppose666, or .mention9823 extension to encrypted files.
June 15, 2017. An uncatalogued strain of ransomware affects servers of University College London (UCL). The contamination chain reportedly began with a staff member inconsiderately opening a booby-trapped file that came in with a phishing email. The contagion quickly spread throughout the University’s shared and network drives without being detected by security suites.
June 14, 2017. Kaspersky Lab finds a loophole in the crypto implementation of Jaff ransomware. This fairly successful strain shares some properties with Locky, including the propagation method and payment infrastructure, and may emanate from the same cybercrime smithy. The updated RakhniDecryptor freeware can now crack the .jaff, .sVn, and .wlu extension variants of Jaff.
June 13, 2017. The Erebus ransomware gains a foothold on 153 Linux web servers of the above-mentioned Nayana web host based in South Korea. An extremely adverse side effect of this breach is that about 3,400 client websites got hit along the way.
June 9, 2017. Cybercriminals break new ground with the first known Ransomware-as-a-Service targeting Macs. This malicious affiliate platform, MacRansom, allows would-be extortionists to obtain their custom build of the Trojan. The RaaS authors get a 30% cut of paid ransoms.
June 8, 2017. According to McAfee, the WannaCry ransomware may have been originally designed as a cutting-edge infection that had nothing to do with extortion. Grounds for such speculations revolve around the fact that the ransomware is incapable of determining which victims have paid the ransom and should get their decryption keys. The threat actors must have been in a hurry repurposing their code and didn’t do it right.
June 5, 2017. Michael Gillespie, the author of ID Ransomware service, finds a way to defeat the encryption routine utilized by new variants of the Jigsaw ransomware. The updated tool called Jigsaw Decrypter supports files with the .lost, .tax and .ram extensions appended by the ransomware as part of its attack workflow.
June 5, 2017. The old and infamous Hidden Tear educational ransomware project has given birth to yet another real virus, called Executioner. It is aimed at Turkish users, who have to pay 150 USD in Bitcoin if they want to decrypt their files. Locked files get random extensions, and the ransom note is called Sifre_Coz_Talimat.html.
June 2, 2017. Based on data retrieved with Shodan, a search engine for Internet-connected devices, the number of easily accessible Hadoop servers across the globe is somewhere around 4,500. These insecure databases have very weak or no authentication mechanisms in place and hold more than 5,000 terabytes of information. Obviously, last winter’s database hijack incidents didn’t teach server owners a lesson.
June 2, 2017. The developers of the Hitler ransomware, who launched their operations almost a year ago, have added one more product to their lineup. It is a screen locker called CainXPii. This malware does not encrypt files; it just tries to lock your screen. Still, it is not so innocent: CainXPii completely deletes some of the user’s files every time they try to terminate its executable. The virus asks for 20 EUR.
No one is bulletproof against ransomware these days. Home users and organizations are being constantly bombarded with malicious payloads, and some end up crypto-hijacked because of a human factor or security loopholes. In spite of this ostensible doom and gloom, it’s a bad idea to just sit back and watch your data go down the drain. Basic precautions are always worthwhile: do not open shady email attachments, apply OS updates and third-party software patches, use dependable antimalware, and of course maintain backups.
Top ransomware records for May 2017
The ransomware frenzy got much worse in May. An unidentified cybercrime group launched the WannaCry, or WanaDecrypt0r 2.0, campaign hitting numerous high-profile victims and thousands of home users via NSA exploits. The good news is, several ransomware makers ended up releasing Master Decryption Keys for their crypto threats. Read this chronicle to stay on top of the current trends in the online extortion environment.
May 30, 2017. The XData ransomware campaign stops instilling fear as its ill-minded architect provides the Master Decryption Keys on the Bleeping Computer forums. Avast, Kaspersky, and ESET seize upon this unexpected dump by releasing free decryption tools for all victims, most of whom are in Ukraine.
May 29, 2017. The No More Ransom Project expands its anti-ransomware coverage. Now it provides automatic free-of-charge decryptors for the following malicious crypto lineages: AES-NI, BTCWare, and Mole.
May 25, 2017. Linguists shed light on the attribution of the newsmaking WannaCry ransomware onslaught. Having scrutinized all 28 language editions of the ransom notes, researchers from Flashpoint come to the conclusion that this wave is being operated by Chinese-speaking crooks.
May 23, 2017. Jaff ransomware, which is considered to be a successor of the nasty Locky strain, gets an upgrade. The most conspicuous modification introduced with the new version release is the .WLU extension that the Trojan concatenates to encrypted files. As before, the malady is making the rounds via malspam.
May 19, 2017. The XData sample starts spreading like wildfire in Ukraine. It managed to make more victims than the infamous WannaCry Trojan over a 24-hour span. This strain affixes the .~xdata~ extension to filenames and drops a ransom manual named HOW_CAN_I_DECRYPT_MY_FILES.txt.
May 18, 2017. Another ransomware, called Uiwix, uses the EternalBlue exploit to penetrate victims’ computers. Unsurprisingly, users’ files get the .UIWIX extension. The ransom note is called _DECODE_FILES.txt and appears on the desktop as well as inside each folder with locked files.
May 16, 2017. In an unanticipated move, the author or someone from the BTCWare ransomware crew makes the Master Decryption Key available to the security community. This invaluable data allows analysts to quickly contrive a free decryption tool.
May 16, 2017. It’s already common knowledge that the WannaCry ransomware uses the NSA exploits dubbed EternalBlue and DoublePulsar to infect Windows computers via Server Message Block ports. However, a stealthy cryptocurrency miner known as Adylkuzz turns out to have leveraged the exact same exploits a couple of weeks earlier. While mining the Monero digital currency, said malware closes down the SMB ports that the ransomware exploits, thus making the affected machine immune to the crypto assault in the future.
May 15, 2017. The Philadelphia ransomware campaign reaches new heights, thanks to a smart distribution approach involving the RIG exploit kit. Interestingly, this malware propagation network first deposits the Pony downloader onto a target PC. Pony, in its turn, then fetches a sample of the Philadelphia Trojan behind the victim’s back.
May 13, 2017. It turns out that the WannaCry pest employs quite an offbeat trigger for its attacks. Referred to as the kill switch, this trigger engages a specific Internet domain. If the latter is unregistered at the time of an attack, the infection moves on with its extortion. If it’s registered, the intrusion stops. A security analyst from the UK nicknamed MalwareTech registered this domain by chance, which halted the plague for a while and provided a useful clue for later tactics to counter the ransomware in question.
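The kill-switch behaviour described above also gives defenders a cheap signal: a host that looked up the kill-switch domain has already executed the worm code, even if the sinkholed reply stopped the encryption, so it is compromised and unpatched and belongs on the incident-response list. The script below is an added example, not code from the original article: it sweeps DNS query logs for such lookups. The domain names and log lines are constructed placeholders (the article does not name the domain) and the log format is a simplified BIND-style query log.

```python
# Added example (not from the original article): sweep DNS query logs for
# lookups of sinkholed kill-switch domains and group the querying hosts for
# triage. Domains and log lines below are constructed placeholders.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholders; the article names no domain. Replace with the
# sinkholed kill-switch domains supplied by a vetted threat-intel feed.
KILL_SWITCH_DOMAINS = frozenset({
    "killswitch-placeholder-1.example",
    "killswitch-placeholder-2.example",
})

# Accepts a simplified BIND-style query log line, for instance:
# 2017-05-12T11:02:03Z client 10.0.4.17#53412: query: host.example IN A +
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+:\s+"
    r"query:\s+(?P<qname>[^\s]+?)\.?\s+IN\s+(?P<qtype>[A-Z]+)\b"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    qname: str


def parse_query(line: str) -> tuple[str, str, str] | None:
    """Return (timestamp, client IP, lowercase qname), or None for non-query lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("src"), m.group("qname").lower()


def is_watched(qname: str, watched=KILL_SWITCH_DOMAINS) -> bool:
    """True for an exact match or any subdomain of a watched domain."""
    return qname in watched or any(qname.endswith("." + d) for d in watched)


def find_kill_switch_lookups(lines, watched=KILL_SWITCH_DOMAINS) -> list[Hit]:
    """Return every query for a watched domain, in log order."""
    hits: list[Hit] = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # blank lines, comments, non-query records
        ts, src, qname = parsed
        if is_watched(qname, watched):
            hits.append(Hit(ts, src, qname))
    return hits


def hosts_to_triage(hits) -> dict[str, list[Hit]]:
    """Group hits by querying host so each machine is isolated and patched once."""
    grouped: dict[str, list[Hit]] = defaultdict(list)
    for hit in hits:
        grouped[hit.src].append(hit)
    return dict(grouped)


# Constructed sample log: two benign lookups, one malformed line, and three
# kill-switch lookups from two hosts (one mixed-case with a trailing dot).
SAMPLE_LOG = """\
2017-05-12T11:02:03Z client 10.0.4.17#53412: query: update.example IN A +
2017-05-12T11:02:09Z client 10.0.4.17#53413: query: killswitch-placeholder-1.example IN A +
this line is not a query record
2017-05-12T11:03:44Z client 10.0.9.2#41002: query: KillSwitch-Placeholder-2.example. IN A +
2017-05-12T11:03:45Z client 10.0.9.2#41003: query: mail.example IN MX +
2017-05-12T11:05:10Z client 10.0.4.17#53420: query: killswitch-placeholder-1.example IN A +
"""


def main() -> None:
    hits = find_kill_switch_lookups(SAMPLE_LOG.splitlines())
    for src, host_hits in hosts_to_triage(hits).items():
        first = min(h.ts for h in host_hits)
        print(f"{src}: {len(host_hits)} kill-switch lookup(s), first seen {first}")


if __name__ == "__main__":
    main()
```

A sinkhole response only stops the encryption stage; the listed hosts still need isolation, patching and a check for the SMB backdoor the worm drops.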
May 12, 2017. A well-orchestrated WannaCry outbreak starts. The infection manifests itself as WanaDecrypt0r 2.0. The first reported victims are large organizations, including the United Kingdom’s National Health Service, German railways, and FedEx. One of the disconcerting facts about this campaign is that the ransomware is executed on computers without any user action. Instead, it harnesses NSA exploits (EternalBlue and DoublePulsar) to infiltrate unpatched systems via SMB port 445.
May 11, 2017. A likely Locky ransomware spinoff called Jaff is discovered in the wild. The following similarities suggest that the two strains might have a common origin: distribution through the Necurs botnet and a pretty much identical Tor payment page. The new crypto hoax blemishes victims’ files with the .jaff extension.
May 9, 2017. Researchers come across a new Ransomware-as-a-Service portal called NemeS1S. This RaaS streamlines the propagation of PadCrypt, a strain that pioneered the use of live chat support in extortion activity. Although this ransomware is backed by some smart technologies, its distribution is far from large-scale.
May 5, 2017. A new variant of the Jigsaw ransomware is spreading in a tricky way. The malicious payload is camouflaged as a credit card generator crack named CCgen 2017. This Jigsaw spinoff appends the .fun extension to encrypted files.
May 3, 2017. An improved edition of the Cerber ransomware is out. The infection now checks for antimalware engines before commencing the attack and employs an appropriate AV evasion mechanism. To top it off, the updated Cerber can also detect Wireshark or a VBox virtual machine and thwarts code debugging.
May 1, 2017. Emsisoft CTO Fabian Wosar defeats the encryption utilized by the Cry128 variant of the CryptON ransom Trojan. Those infected with this strain can, therefore, restore their data for free using the automatic decryption tool.
In summary, it’s worth emphasizing that no single prevention technique will make your data 100% immune to ransomware. The precautions are always about a combo of different methods and online habits. Stay away from suspicious email attachments, apply operating system patches as soon as they are available, and of course have a viable plan B revolving around backups.
Major ransomware events for April 2017
Crypto ransomware continued its progressive motion last month like an unstoppable locomotive that smashes everything in its path. Cybercrooks started leveraging NSA exploits to infect computers stealthily rather than dupe users into opening contagious malspam attachments. The Locky ransomware woke up after a three-month hibernation, and the comeback turned out nasty. All in all, April was fairly disconcerting in terms of ransomware. Peruse the following records to get the big picture.
Apr. 30, 2017. The .wallet file extension becomes a hallmark sign of one more ransomware. The CryptoMix strain has now joined a group of lookalikes that includes Dharma and the Sanctions ransom Trojans. Of course, the word “wallet” does have ties to the extortion concept as such, but using the same extension for different samples is bad taste.
Apr. 29, 2017. A hefty wave of malicious spam starts disseminating the Onion ransomware. This is a new sample that shares some activity patterns with the Dharma file encryptor. Aside from the .onion extension appended to filenames, the indicators of compromise include three specific contact email addresses and a 72-hour deadline for payment.
Apr. 27, 2017. An updated edition of the Cerber ransomware is discovered. It leaves a new combo of ransom notes named “_!!!_README_!!!_[random characters]_.txt/hta”. Another tweak has to do with the propagation mechanism. The infection is circulating by means of malware-tainted JS or RTF files attached to so-called Blank Slate malspam emails.
Apr. 23, 2017. Users plagued by ransomware get extra benefits from using the ID Ransomware service. It used to be possible to identify a sample only by uploading the ransom note or an encrypted file. After the update, victims can optionally also enter any hyperlinks or email addresses provided by the infection.
Apr. 21, 2017. The Locky ransomware makes quite a reappearance after three months of inactivity. Just like last year, it is making the rounds via spam generated by the powerful Necurs botnet. The infection chain has hardly changed, engaging Microsoft Office VBA macros to deploy the payload on computers.
Apr. 20, 2017. The developers of the AES-NI ransomware adopt an unusual tactic to deposit their aggressive code onto computers. About a week earlier, a hacker group identifying themselves as the Shadow Brokers had leaked NSA exploits that could potentially allow cybercrooks to infect computers via RDP. The ransom Trojan in question uses these exploits to propagate on a large scale. The symptoms include the .aes_ni_0day string added to files and a “!!! Read This – Important !!!.txt” ransom note.
Apr. 18, 2017. Ill-disposed architects of the Karmen ransomware campaign opt for a moneymaking model reminiscent of the average affiliate network. They set up a RaaS (Ransomware-as-a-Service) portal that outsources the distribution of their infection to interested third parties. The most ironic part of this story is that the code of Karmen is based on open-source educational ransomware called Hidden Tear.
Apr. 14, 2017. Malwarebytes Labs releases a report called “Cybercrime tactics and techniques Q1 2017”. One of the most unsettling facts highlighted in it is the rise and current domination of the Cerber ransomware on the extortion threat landscape. Its market share reached 86.98% in April.
Apr. 13, 2017. It turns out that the above-mentioned Ransomware-as-a-Service model isn’t the only way for extortionists to monetize their intellectual effort aside from direct distribution. A cybercrime syndicate behind the CradleCore ransomware starts selling the source code and auxiliary components of the infection on the Dark Web. The price for such an abominable kit starts at 0.35 Bitcoin, or about $600.
Apr. 12, 2017. The distributors of the Mole ransomware switch from using booby-trapped email attachments to employing a less straightforward scheme. A new wave of these attacks involves a rogue site titled Microsoft Word Online. Having visited it, would-be victims are instructed to install a fake Office plugin, which is in fact a ransomware payload. The hallmarks of this malicious program include the .mole file extension and Instruction_For_Helping_File_Recovery.txt ransom how-to.
Apr. 10, 2017. Security vendor Emsisoft updates the previously released decryptor for Cry9 ransomware, which contaminates Windows PCs by brute-forcing Remote Desktop access credentials. The enhancements made to the decryptor include improved performance and a broader scope of Cry9 editions supported.
Apr. 7, 2017. The Matrix ransomware is gaining pace. This threat adds the .bl0cked extension to hostage files. The new swing of Matrix distribution has added the EITest malicious framework to the mix. Such an infection chain engages a compromised website with the EITest script injected in it. This script leads to the RIG exploit kit, which further uses software vulnerabilities on the host computer to deliver the infection payload.
Apr. 6, 2017. A coder from Korea nicknamed Tvple Eraser begins spreading an offbeat crypto threat called Rensenware. Just like the average file-encrypting baddie, this one scrambles victims’ data using a strong cipher. However, the demands are definitely off the beaten track. The program tells plagued users to reach a 200 million score in “TH12 ~ Undefined Fantastic Object” shooter game. Having acknowledged how far this “joke” went, the crook created a free tool that emulates the required TH12 score to help those infected.
Apr. 6, 2017. A newsmaking arrest over a ransomware incident takes place in Austria. The suspect had purportedly pulled off an extortion hoax against an organization based in Linz. The apprehended 19-year-old felon had infected the company’s computer network with the Philadelphia ransomware, asking for $400 to restore the data.
Apr. 4, 2017. Bitdefender cooks up a free utility that decrypts files locked by the Bart ransomware. This crypto strain is capable of encoding data in offline mode and generates Locky ransomware style warnings. Bitdefender’s decryptor supports all known Bart variants and therefore restores scrambled files with the .bart, .bart.zip and .perl extensions.
Apr. 1, 2017. The UEFI ransomware proof-of-concept demonstrated at Black Hat Asia 2017 unveils weak links in the security architecture of Gigabyte BRIX ultra-compact PC kits. The PoC infection, which was contrived by analysts from the Cylance cybersecurity firm, deploys its attack by harnessing vulnerabilities in the vF2 and vF6 firmware versions of two different Gigabyte BRIX models.
Thumbs up to researchers who try to make the computer world safer by putting a spotlight on must-patch security loopholes in what seemed reliably protected. Unfortunately, the bad guys are starting to think out of the box as well. The good news is that no matter if you are confronted with a classic or novel ransomware scenario, you are good to go as long as you have a backup to restore data from.
Malicious Encryption in the Wild: Highlights from March 2017
Encryption-for-ransom went wild over the last month. This record includes over forty instances of extortion viruses, which significantly exceeds any previous monthly report. This timeline highlights outstanding cases of malicious encryption, as well as anti-ransomware activities observed in March 2017.
Day 2
Kaspersky updates its anti-ransomware application to beat the encryption of the Dharma Trojan. The ransomware adds an extra string after the native extension of each affected file, typically .zzzzz or .wallet. The solution makes use of the unlocking keys published by security enthusiasts.
Day 3
A malicious encryption virus hits the Caucus, the main legislative body of Pennsylvania. The FBI is handling the attack while keeping details of the intervention private.
Day 8
Researchers from Cisco’s Talos Intelligence publish a detailed report providing insight into the new wave of the Crypt0L0cker ransomware, also known as TorrentLocker. The write-up reveals an update featuring a more elaborate GUI. The threat targets a European audience.
Day 9
The Cerber threat actors start spreading an updated edition of their ransomware. Unlike its counterparts, the infection does not encode the original file extension. Meanwhile, the encryptor retains its labeling of each affected item: a sequence of four characters appended after the file’s original extension.
Day 10
A renowned antivirus vendor from Israel reports a wave of ransomware strains tailored to infect two specific businesses. The two companies received thirty-six Android devices from a source that remains undisclosed. The crooks had pre-infected the brand-new equipment before shipment with the Slocker malicious encryptor, as well as another piece of malware called Loki.
Day 11
Emsisoft’s key IT expert, Fabian Wosar, demonstrates that dissecting a strain of malicious encryptor is not a challenge for a true professional. He examines a just-surfaced sample of ransomware dubbed Damage, provides a decryptor and streams the entire routine to the public, so anyone can watch the ransomware analysis unfold live.
Day 14
IT security researchers report PetrWrap, another malicious encryptor spotted in the wild. The ransomware targets only selected corporate victims. Observations reveal that the strain originates from the Petya extortion virus, which used to be a major threat to German users. Both Trojans encode data at the disk level instead of the user’s personal files, hence a compromised device is totally locked.
Day 16
Another deadly ransomware takes root. The malware, dubbed Kirk, explicitly refers to the Star Trek TV series. The ransomware also features a brand-new payment method, the Monero virtual currency, while the overwhelming majority of its counterparts stick to Bitcoin.
Day 20
Facts and figures illustrate an impressive decline in the volume of Locky encryption cases, which marks a general regression in its propagation. The primary trigger of this downturn is the severed liaison between the Locky ransomware and the Necurs infection strain.
Day 22
ERPScan, an enterprise software security vendor, discovers a vulnerability in SAP that enables threat actors to drop malware. This is an interface flaw that may lead to straightforward infiltration of any malware, including ransomware.
Day 22
The developers of the Jigsaw extortion virus, which exploits some popular movie characters and images, come up with a new deadly variant. The ransomware immediately tells its victims which steps to take to redeem the encrypted data, since the instructions are embedded in the string appended to every affected item.
Day 23
The MalwareHunterTeam researchers publish a report on the unfolding encryption-for-ransom attack by the Spora Trojan, which is running rampant. The statistics come from reports that affected users submitted to a single database. The 600-plus cases submitted correspond to almost 50 million items encrypted for ransom.
Day 27
Apple introduces a critical update to iOS. This enhances the security of the mobile system against ransomware, as the patch blocks the relevant malicious routine right in the Safari browser. Crooks had exploited the vulnerability to freeze Safari Mobile and demand a ransom payable in iTunes gift vouchers.
Day 29
IT analysts release a detailed description of the Sage ransomware. The research reveals features common to the Sage and Spora ransom Trojans, indicating that both may originate from the same developers. Another point to note is that Sage 2.2 combines two cryptographic schemes (ChaCha20 and ECC) that other ransomware authors rarely use.
Day 31
The Sanctions virus encrypts data for ransom. The ransomware mocks the sanctions actually imposed on Russia by the world's leading countries, yet its decryptor's price is far above what competing strains demand. Fortunately, this strain is not widely distributed. The ransomware prompts each victim to pay 6 BTC, which is over 7k USD. An amount that large suggests the crooks aim at corporate users rather than individuals.
To avoid malicious encryption, exercise reasonable caution during your web sessions. Even the most advanced ransomware samples cannot hit the target unless the user opens a viral email attachment or clicks a link. And even once the ransomware executes its payload, you are still on the safe side as long as backup copies of your data remain beyond the attack's reach.
Important ransomware events in February 2017
The chronicle below reflects all significant ransomware-related incidents that hit the headlines in February 2017. An influx of sophisticated Android lockers last month, along with defiant attacks against governmental institutions and educational establishments, were serious wake-up calls for the security industry. On the other hand, there were countervailing efforts of researchers who managed to tailor quite a few free decryption tools.
Feb. 23, 2017. The latest variant of Android.Lockdroid.E ransomware has a voice recognition feature under the hood. It requires victims to speak the unlock code received after the ransom has been submitted.
Feb. 22, 2017. ESET team spots a ransom trojan called Patcher that targets Mac OS X. Its downloaders are camouflaged as various software patches for Macs, hence the name of the infection. The crypto routine is buggy, so it may be impossible to decrypt hostage files even if the attackers’ demands are met.
Feb. 22, 2017. Offbeat ransomware called Trump Locker is spotted in the wild. It appears to have common roots with the .NET based Venus Locker sample. Trump Locker fully encrypts popular data types while scrambling only the first 1024 bytes of others. It also concatenates different extensions to files depending on the category they fall into.
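Scrambling only the first 1024 bytes of a file, as the Trump Locker entry above describes, leaves a recognizable fingerprint: a high-entropy header sitting on top of an otherwise compressible body. The following script is an added example written for this chronicle, not code from the original article or from any vendor; it compares the Shannon entropy of the first 1024 bytes with that of the remainder and labels constructed sample files as clean, partially encrypted, or fully encrypted. The 1024-byte window comes from the entry above; the entropy thresholds (7.0 and 6.0 bits per byte) and the sample contents are assumptions chosen for illustration.

```python
import math
from collections import Counter

HEAD_SIZE = 1024  # size of the partially encrypted window described in the entry above


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a perfectly flat byte histogram."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(data: bytes, head_size: int = HEAD_SIZE,
             high: float = 7.0, low: float = 6.0) -> str:
    """Label a file body as 'clean', 'partial' or 'full' by head/tail entropy.

    'partial' means a high-entropy head over a low-entropy tail, which is what
    scrambling only the first `head_size` bytes of a compressible file looks like.
    The thresholds are assumptions tuned to the constructed samples below.
    """
    head, tail = data[:head_size], data[head_size:]
    if len(tail) < head_size:
        # Too small to compare head and tail meaningfully; judge the whole file.
        return "full" if shannon_entropy(data) >= high else "clean"
    h, t = shannon_entropy(head), shannon_entropy(tail)
    if h >= high and t >= high:
        return "full"
    if h >= high and t <= low:
        return "partial"
    return "clean"


# Constructed samples (no real malware involved): prose has low entropy, while a
# header containing every byte value equally often has the maximum 8.0 bits/byte.
PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 200   # 8400 bytes of prose
SCRAMBLED = bytes(range(256)) * 4                                 # 1024 flat-histogram bytes

SAMPLES = {
    "clean.txt": PLAINTEXT,
    "partial.txt": SCRAMBLED + PLAINTEXT[HEAD_SIZE:],   # only the head was scrambled
    "full.txt": SCRAMBLED * 8,                          # the whole file was scrambled
}


def scan(samples=SAMPLES) -> dict:
    """Return {filename: verdict} for every sample."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```

The heuristic is a triage aid rather than proof: files that are legitimately compressed or encrypted (archives, JPEGs, encrypted containers) have high entropy throughout and will read as "full", so a spike in "partial" or "full" verdicts across a user's documents is the signal worth alerting on, not any single file.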
Feb. 22, 2017. Python-based ransomware isn't all too widespread, so every discovered strain is potentially interesting. Researchers came across a new one dubbed PyL33T that leverages the symmetric AES algorithm to encode files and appends them with the .d4nk suffix.
Feb. 21, 2017. ESET publishes a report regarding the evolution of Android ransomware. According to the research, these threats grew by 50% in 2016 versus 2015. Some of the current trends in this niche of cybercrime include the use of spam emails and unofficial app portals as primary distribution channels, as well as payload encryption techniques to thwart detection.
Feb. 21, 2017. Avast releases a decryption tool for the CryptoMix ransomware. The free utility can restore files appended with one of the following extensions: .cryptoshield, .code, .lesli, .rmd, .rdmk, .rscl, or .scl.
Feb. 16, 2017. Fabian Wosar, CTO and malware researcher at Emsisoft, sets up a live video session where he reverse-engineers and decrypts the new Hermes ransomware.
Feb. 15, 2017. A new edition of the newsmaking Cerber ransomware detects antivirus and antispyware tools as well as firewalls installed on a target computer. Instead of encrypting the associated files, though, the pest ignores them and moves on with its attack. This way, Cerber developers may be demonstrating that security solutions aren't an issue for their campaign.
Feb. 14, 2017. Researchers from the Georgia Institute of Technology create a viable proof-of-concept ransomware that targets SCADA and Industrial Control Systems.
Feb. 14, 2017. According to Kaspersky’s statistics for 2016, the overwhelming majority of ransomware authors (about 75%) represent the Russian-speaking cybercrime underground.
Feb. 9, 2017. Serpent ransomware, a new spam-borne threat propagating mostly in Denmark, arrives with booby-trapped Microsoft Word email attachments that prompt recipients to enable macros. The size of the ransom is 0.75 Bitcoin.
Feb. 9, 2017. A fresh specimen called DynA-Crypt goes equipped with a backdoor that allows the threat actors to steal victims’ personally identifiable information. Aside from going the commonplace extortion route, this one also engages in the exfiltration of passwords, snapshots of the desktop and other sensitive data.
Feb. 8, 2017. The ID Ransomware online resource can now identify 300 different crypto infections. This feature is invaluable for the troubleshooting chain. It allows victims to upload a ransom note or arbitrary encrypted file, learn which sample hit them, and proceed with data decryption if the appropriate tool is available.
Feb. 7, 2017. A new strain called Erebus leverages a tricky technique to bypass the User Account Control (UAC) prompt while gaining elevated privileges on a targeted computer. As opposed to most of its counterparts, Erebus requests an unusually low ransom of 0.85 Bitcoin.
Feb. 6, 2017. Android.Lockdroid.E, an advanced ransomware sample targeting Android, starts using a malicious dropper for its extortion campaign. This way, it figures out if the device is rooted or not and then continues the compromise accordingly.
Feb. 3, 2017. The government of Licking County, Ohio, undergoes a ransomware attack. The perpetrating code affected the County's website, computer network and phone systems, including the 911 emergency line.
Feb. 3, 2017. Two hackers get arrested in London on suspicion of compromising the CCTV system of Washington, D.C., a week before President Trump’s inauguration. The ransomware attack affected 70% of surveillance cameras in the US capital.
Feb. 3, 2017. A Ransomware-as-a-Service platform called Ranion takes root. Its operators claim it pursues strictly educational goals. There is an annual sign-up fee of 0.95 Bitcoin (about $1,100). Interestingly, the ill-minded customers of this RaaS don’t have to share any subsequent revenue with the devs.
Feb. 1, 2017. Avast releases three new decryption tools that allow ransomware victims to get their hostage data back for free. The decryptors support the following ransomware families: Hidden Tear, Jigsaw, and Stampado (Philadelphia).
Obviously, ransomware authors keep exploring new niches. The Android mobile platform is being more heavily targeted than ever before, and so is the Mac OS X environment. Home users, schools, big organizations, and governments are equally vulnerable. Hopefully, the law enforcement and security companies from the private sector will shortly come up with efficient methods to contain the epidemic.
Major ransomware events for January 2017
Crypto ransomware is the dominating predator on the present-day cyber threat landscape. A slew of malicious software from this cluster is constantly prowling the Internet in search of victims. PC users, organizations and even governments are still low-hanging fruit in the face of these attacks. The plague appears to be running rampant in 2017, and adequate countermeasures have yet to be implemented. This timeline covers all noteworthy ransomware incidents that took place in January.
Jan. 31, 2017. CryptoShield 1.0, a new derivative of the CryptoMix ransomware, leverages a complex infection mechanism involving a network of compromised web pages. The contamination relies on an obfuscated EITest script that engages the Rig exploit kit in the workflow. The latter takes advantage of software vulnerabilities on a target PC to install the ransomware.
Jan. 31, 2017. Spora ransomware operators opt for an interesting technique to deposit their payload onto computers. The infection process involves a phony Chrome Font Pack update popup displayed on hacked sites. The update, however, is nothing but a ransomware downloader.
Jan. 30, 2017. A ransomware specimen called Zyka is discovered. Having encrypted one’s data with AES cipher, it adds the .lock string to original filenames and asks for a Bitcoin equivalent of $170. Fortunately, this one is decryptable for free.
Jan. 27, 2017. A new version of the Jigsaw ransom trojan goes live. It concatenates the [email protected] extension to encrypted files. Michael Gillespie, a security analyst who had devised the Jigsaw decryption tool earlier, updates his solution to handle the latest variant.
Jan. 20, 2017. Researchers release a free decryptor for the GlobeImposter ransomware. This sample mimics the Globe file-encrypting strain but actually uses different code and propagation channels. GlobeImposter appends skewed files with the .crypt extension and leaves a ransom note named How_Open_Files.hta.
Jan. 19, 2017. Ransomware-as-a-Service called Satan is gaining momentum. It allows individuals who want to try their hand at online extortion to get a turnkey ransomware build for free. However, the creators of this RaaS get a 30% cut from all ransoms submitted by victims.
Jan. 18, 2017. A new edition of the above-mentioned Spora ransomware behaves like a computer worm in a way. First, the malicious code replaces arbitrary Windows shortcuts with booby-trapped .lnk files. The ransomware routine proper starts as soon as an unsuspecting user double-clicks one of these innocuous-looking objects.
Jan. 17, 2017. The one-year-old Cerber ransomware and the new Spora Trojan appear to have much in common. The most striking similarity is that the two rely on the exact same malware distribution platform. The takeaway is that the operators of these campaigns are either the same people or closely connected extortion crews.
Jan. 17, 2017. The notorious Locky ransomware campaign is steadily plummeting. The amount of spam delivering this infection suffered a dramatic drop by 80% during the month. Interestingly, there is an apparent correlation between this decrease and the inactivity of the so-called Necurs botnet.
Jan. 12, 2017. Another day, another win of the white hats. The Emsisoft team created a free decryptor for different variants of the Merry X-Mas ransomware. The latest iteration, which drops a ransom note called Merry_I_Love_You_Bruce.hta, is supported as well.
Jan. 12, 2017. Emsisoft succeeds in cracking a new crypto strain called the Marlboro ransomware. This one concatenates the .oops suffix to victims’ scrambled files. To their credit, analysts found a loophole in the implementation of the XOR cipher. It took them as little as one day to release an automatic decryption tool.
Jan. 10, 2017. The Los Angeles Valley College ends up paying a huge ransom of $28,000 in a newsmaking ransomware incident. An aggressive crypto infection had rendered the school’s voicemail and email systems inoperable. Obviously, a viable data backup strategy could have saved the educational institution a pretty penny.
Jan. 10, 2017. A new file-encrypting strain called the Spora ransomware is spotted in the wild. Its crypto implementation is flawless, so it’s impossible to restore mutilated data without submitting the ransom. This perpetrating program uses a top-notch payment service with built-in tech support. The size of the ransom depends on whether the victim is a home user or an organization.
Jan. 9, 2017. Cybercrooks zero in on unprotected MongoDB servers. It took the threat actors less than one week to hijack over 28,000 MongoDB databases all over the world. To regain access to the hostage data, server owners are instructed to cough up 0.1-1 BTC.
Jan. 9, 2017. The Merry X-Mas ransom Trojan starts depositing an extra infection called DiamondFox on targeted machines. The accompanying malware steals passwords, facilitates hacking via Remote Desktop Protocol, and turns plagued computers into bots for spam generation or DDoS attacks.
Jan. 7, 2017. An unidentified group of extortionists pulls off a social engineering campaign targeting schools in the United Kingdom. Impersonating UK government officials, the criminals cold-call school staff and state that they need to send guidance forms to the head teacher. The rogue emails actually contain contagious ZIP attachments that instantly trigger the ransomware infection chain followed by a whopping £8,000 ransom demand.
Jan. 4, 2017. Security analysts at CERT Polska publish a comprehensive report on the CryptoMix/CryptFile2 ransomware. The experts discovered that the infection uses the Rig-V exploit kit to propagate, encrypts files with a 256-bit AES key, disables the Volume Shadow Copy Service to prevent easy recovery, and requires 5 Bitcoins to decrypt data.
Jan. 4, 2017. A new strain called the Merry X-Mas ransomware, or MRCR, is discovered. It arrives with spam emails containing malicious executables disguised as PDF files. The infection displays a Christmas-themed HTA ransom note and appends one of the following extensions to mutilated files: .mrcr1, .rmcm1, .rare, .merry, or .pegs1.
Jan. 4, 2017. Emsisoft CTO and security researcher Fabian Wosar manages to defeat the encryption of Globe ransomware version 3, the newest edition in this nefarious lineage. The free automatic decryptor can restore files with the .decrypt2017 and .hnumkhotep extensions.
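Several entries in this chronicle list the indicators a responder first sees on a hit machine: the ransom note name and the extension appended to encrypted files (GlobeImposter's How_Open_Files.hta and .crypt, Merry X-Mas's Merry_I_Love_You_Bruce.hta and .mrcr1/.rmcm1/.rare/.merry/.pegs1, Globe v3's .decrypt2017 and .hnumkhotep, the CryptoMix set supported by Avast's decryptor, and so on). The Feb. 8 entry describes how ID Ransomware turns exactly those artifacts into a family identification. The script below is an added example written for this chronicle, not the ID Ransomware service or any vendor's code; it walks a directory tree, tallies ransom notes and extensions against a mapping assembled only from the entries above, and returns a verdict that points the responder at the right decryptor. The family mapping is an illustrative subset, the treatment of .lock, .crypt, .code and .rare as weak evidence (legitimate software produces such files too) and the five-hit threshold are assumptions, and the directory it scans is constructed by the script itself.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the entries in this chronicle. This is an illustrative
# subset; an identification service maintains hundreds of families.
EXTENSION_TO_FAMILY = {
    ".cryptoshield": "CryptoMix", ".code": "CryptoMix", ".lesli": "CryptoMix",
    ".rmd": "CryptoMix", ".rdmk": "CryptoMix", ".rscl": "CryptoMix", ".scl": "CryptoMix",
    ".d4nk": "PyL33T",
    ".lock": "Zyka",
    ".crypt": "GlobeImposter",
    ".oops": "Marlboro",
    ".mrcr1": "Merry X-Mas", ".rmcm1": "Merry X-Mas", ".rare": "Merry X-Mas",
    ".merry": "Merry X-Mas", ".pegs1": "Merry X-Mas",
    ".decrypt2017": "Globe v3", ".hnumkhotep": "Globe v3",
}
NOTE_TO_FAMILY = {
    "how_open_files.hta": "GlobeImposter",
    "merry_i_love_you_bruce.hta": "Merry X-Mas",
}
# Extensions that benign software also produces (assumption): count them only
# when they appear in bulk, otherwise a lone yarn.lock would raise an alert.
WEAK_EXTENSIONS = {".lock", ".crypt", ".code", ".rare"}
MIN_WEAK_HITS = 5


def triage(root: str) -> dict:
    """Walk `root` and return {'family', 'evidence', 'encrypted_files'}."""
    notes, strong, weak = Counter(), Counter(), Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower in NOTE_TO_FAMILY:          # a ransom note is the best evidence
                notes[NOTE_TO_FAMILY[lower]] += 1
                continue
            ext = os.path.splitext(lower)[1]     # last extension, e.g. report.docx.mrcr1 -> .mrcr1
            family = EXTENSION_TO_FAMILY.get(ext)
            if family is None:
                continue
            (weak if ext in WEAK_EXTENSIONS else strong)[family] += 1

    if notes:
        family, evidence = notes.most_common(1)[0][0], "ransom note"
    elif strong:
        family, evidence = strong.most_common(1)[0][0], "extension"
    elif weak and weak.most_common(1)[0][1] >= MIN_WEAK_HITS:
        family, evidence = weak.most_common(1)[0][0], "extension (weak)"
    else:
        return {"family": None, "evidence": None, "encrypted_files": 0}
    return {"family": family, "evidence": evidence,
            "encrypted_files": strong[family] + weak[family]}


def build_sample_tree(infected: bool = True) -> str:
    """Create a constructed directory; with infected=True it mimics a Merry X-Mas hit."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["yarn.lock", "notes.txt"]            # benign files present either way
    if infected:
        names += ["report.docx.mrcr1", "budget.xlsx.merry", "photo.jpg.pegs1",
                  "Merry_I_Love_You_Bruce.hta"]
    for name in names:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content")   # contents are irrelevant to triage
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree(infected=True)))
    print(triage(build_sample_tree(infected=False)))
```

Run it against a mounted image of the affected volume rather than the live machine, and treat the verdict as a pointer to a candidate decryptor to verify on copies of a few files; extensions are reused across unrelated families over time, which is why the ransom note outranks the extension tally here.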
Jan. 3, 2017. Malware authors cook up several infections using the FSociety brand name, which stands for a high-profile hacking ring from the Mr. Robot television series. While trying to follow suit, real-world attackers have launched three ransomware families, two screen-locking Trojans, and a DDoS botnet.
The moral of the story is that the IT world is confronted with an increasingly crafty adversary. Although numerous IT experts have teamed up to tackle the menace, free decryption tools are still the exception rather than the rule. Under the circumstances, data backups are a godsend because they reduce the damage from ransomware attacks. Also, prevention through timely software patches, caution with email attachments and proper web browsing hygiene can work wonders.
About the Author
David Balaban is a frequent writer for CDM, a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.