Major ransomware events for July 2017
Last month demonstrated that the scourge of ransomware has its ups and downs. Not many new blackmail viruses were released – instead, the crooks mainly focused on updating old ones. The only segment of this cybercrime environment that showed some growth was Android ransomware. Meanwhile, the successful activity of the law enforcement resulted in several arrests over online extortion.
July 27, 2017. Researchers from Google, Elie Bursztein, Kylie McRoberts and Luca Invernizzi, deliver a presentation at Black Hat USA 2017 called “Tracking desktop ransomware payments”. According to their findings, the vast majority of ransomware payouts made since 2014 were laundered via the BTC-e cryptocurrency trading platform. Following this report, Greek law enforcement apprehends the proprietor of BTC-e, Russian citizen Alexander Vinnik.
July 26, 2017. IT security analysts from the Italian university Politecnico di Milano create a Windows driver and custom filesystem called ShieldFS. Its objective is to identify ransomware at early stages of the infection chain, stop the malicious processes and undo unauthorized changes to data.
July 24, 2017. Malwarebytes leveraged the recently released master decryption key for the original Petya ransomware iterations to craft an ad hoc free decryptor. The tool supports the first edition of Petya as well as the Mischa and GoldenEye spin-offs.
July 22, 2017. Cybercrooks behind the GlobeImposter ransomware lineage launch three variants of their offending program in a single day. Whereas all of these derivatives create an identical rescue note named how_to_back_files.html, they use different extensions to label encrypted files, namely .crypt, .gotham, and .happ. Earlier, CryptoMix led in this respect, quickly swapping out its .MOLE extension.
July 21, 2017. New ransomware called Bitshifter doesn’t act like the average strain out there. While it encrypts and holds victims’ data for ransom, it also goes equipped with a reconnaissance module that searches for information related to cryptocurrency wallets. If the stealth lookup for such data is successful, the pest uses WebSocket protocol to exfiltrate it to a Command & Control server. Bitshifter targets only China for now.
July 18, 2017. FedEx evaluates the damage incurred due to the recent NotPetya ransomware attack. According to the company’s officials, the computer network of the Ukrainian division of TNT Express was the first one hit by said MFT-encrypting virus. The contagion subsequently propagated to a number of other subsidiaries. The impact is reportedly permanent and some systems are unlikely to be fully recovered.
July 17, 2017. Researchers discover an unusual Spanish ransomware specimen called Reyptson. Its uniqueness revolves around the fact that it tries to gain access to a victim’s Thunderbird account if any. Then, it starts spamming all Thunderbird contacts with malware-tainted emails disguised as invoices. This way, Reyptson increases the potential attack surface significantly.
July 15, 2017. The author of the ID Ransomware service, Michael Gillespie (@demonslay335), adds another free decryptor to his vast collection. This one automatically restores data locked by the Striked ransomware strain, which sprinkles recovery how-to’s named README_DECRYPT.html all over the plagued system.
July 12, 2017. Yet another anti-ransomware breakthrough by Emsisoft hits the headlines. The security vendor releases a decryptor for all iterations of the NemucodAES ransomware. This infection applies a combo of AES-128 and RSA cryptosystems to lock down one’s important data and provides payment instructions in DECRYPT.hta ransom note.
July 11, 2017. A 75-year-old Australian man is arrested for involvement in a tech support scam leading to ransomware infections. Here’s the story: an overseas group of fraudsters called Australian users to trick them into thinking their PCs had security issues. The crooks then instructed would-be victims to provide remote access to their systems, which in turn led to the installation of crypto ransomware. According to local police, the arrested man set up several companies that received funds from victims and transferred them to the rogue tech support firm.
July 10, 2017. Researchers from McAfee expose a defiant ransomware scheme targeting Android devices. The extortion campaign relied on two trojanized apps – Wallpapers Blur HD and Booster & Cleaner Pro – distributed via Google Play. These apps included a surreptitious component that stole victims’ sensitive files and threatened to send them to everyone from the phone and email contacts list. To prevent this privacy leak, users were instructed to pay $50. Based on these findings, Google promptly removed both apps from their marketplace.
July 6, 2017. The maker of the Petya ransom Trojan dumps the master key for all offshoots of this highly destructive perpetrating entity. The dev who goes by the alias JANUS provided the decryption key download link on his Twitter page. Security analysts confirm that the key is valid for early variants of Petya but doesn’t work for the NotPetya infection unleashed last month. This suggests that the two campaigns were operated by different cybercriminal crews.
July 5, 2017. Two Chinese men get arrested by local police for spreading a WannaCry ransomware knockoff for Android. The malicious app is a remake of the infamous SLocker virus tailored for the mobile OS in question. The crooks have been spreading the infection via Chinese forums, masquerading it as a cheating tool for the King of Glory game.
July 3, 2017. German IT security institute AV-TEST publishes a report containing some unexpected statistics on the state of the ransomware industry. According to it, ransom Trojans accounted for a negligible 0.94% of all malware activity globally in 2016.
July 1, 2017. Having thoroughly analyzed the recent NotPetya ransomware outbreak in Ukraine, several reputable security firms conclude that it can be attributed to the same cybercriminal group (known as TeleBots, or BlackEnergy) that conducted attacks against Ukrainian power grid back in 2015 and instigated the XData ransomware wave in May 2017.
It appears that some ransomware is assuming the characteristics of cyber warfare presumably used in state-sponsored attacks. To add insult to injury, Android ransomware is gaining momentum and shaping up to be the next big thing. The stakes are obviously getting higher. At the same time, according to Google’s research referenced above, only 37% of users back up their data. So make sure you are in the remaining 63% to take no chances.
Major ransomware events for June 2017
Extortion via crypto ransomware continues to be the mainstay of present-day cybercrime. Last month was a period of firsts in this malicious ecosystem. Never before had an infected company paid a one-million-dollar ransom to threat actors. We hadn’t seen a ransomware strain target a particular country until the Petya campaign took root in late June. The adversary is changing tactics and starting to pursue new goals. Read the records below to learn more.
June 29, 2017. The nasty Cerber ransomware undergoes a transformation. Its new name indicated in the ransom how-to files is CRBR Encryptor. The distribution vectors now additionally include the use of an exploit kit called Magnitude.
June 28, 2017. According to a technical write-up by Kaspersky Lab, the latest variant of the Petya ransomware does not accommodate any viable mechanisms to decrypt a plagued computer’s Master File Table (MFT) and victims’ personal files. Consequently, its goal is to destroy data and disrupt systems beyond recovery.
June 27, 2017. A Petya ransomware remake dubbed NotPetya, exPetr or PetrWrap is making victims on a huge scale. It primarily infects large state-owned organizations, SMBs and banks in Ukraine, gradually spreading over to other European countries. Researchers blame this ruinous outbreak on a malware-tainted update for accounting software called M.E.Doc.
June 23, 2017. New ransomware called Reetner relies on a modular execution routine. It creates and delivers several .exe files, each responsible for a separate action: Noter.exe merely presents the ransom note, while another executable later encrypts the files. This method complicates the work of malware researchers, since dealing with numerous executables belonging to a single virus can become a mess.
June 23, 2017. The new Internet Crime Report released by the FBI’s Internet Crime Complaint Center unveils a trend regarding the way users and organizations treat the ransomware incidents they are confronted with. Most of them never call in law enforcement to investigate these crimes, so there is obviously a big gap between the official and actual ransomware statistics.
June 22, 2017. The Locky ransomware is apparently going through ups and downs this year. Its latest comeback has introduced anti-debugging features that thwart analysis of the Trojan’s code. Luckily, the threat actors must have cooked up the new iteration hastily as it only executes the crypto routine on Windows XP and Vista.
June 21, 2017. WannaCry, a top-notch ransomware strain that proliferates via NSA exploits, has not faded away despite the all-embracing efforts of Microsoft, security vendors and businesses. This time, it infects the computer network of a Japan-based Honda car factory, forcing the management to halt the production process until the cyber malady is contained.
June 20, 2017. Owners of Nayana, a South Korean company providing web hosting services, pay an unprecedented ransom of $1 million to move on with their operations. This decision was made after several weeks of negotiations with adversaries who had infected the web host’s numerous Linux web servers with the Erebus ransomware.
June 19, 2017. Although some security analysts considered the Samas ransomware lineage to be extinct due to a long period of inactivity, it returned with yet more sophisticated attacks than before. The crooks use stolen login credentials and the PsExec tool to deploy this Trojan on computers. The new iteration concatenates the .breeding123, .suppose666, or .mention9823 extension to encrypted files.
June 15, 2017. An uncatalogued strain of ransomware affects servers of University College London (UCL). The contamination chain reportedly began with a staff member inconsiderately opening a booby-trapped file that came in with a phishing email. The contagion quickly spread throughout the University’s shared and network drives without being detected by security suites.
June 14, 2017. Kaspersky Lab finds a loophole in the crypto implementation of Jaff ransomware. This fairly successful strain shares some properties with Locky, including the propagation method and payment infrastructure, and may emanate from the same cybercrime smithy. The updated RakhniDecryptor freeware can now crack the .jaff, .sVn, and .wlu extension variants of Jaff.
June 13, 2017. The Erebus ransomware gains a foothold on 153 Linux web servers of the above-mentioned Nayana web host based in South Korea. An extremely adverse side effect of this breach is that about 3,400 client websites got hit along the way.
June 9, 2017. Cybercriminals break new ground with the first known Ransomware-as-a-Service targeting Macs. This malicious affiliate platform, MacRansom, allows would-be extortionists to obtain their custom build of the Trojan. The RaaS authors get a 30% cut of paid ransoms.
June 8, 2017. According to McAfee, the WannaCry ransomware may have been originally designed as a cutting-edge infection that had nothing to do with extortion. Grounds for such speculations revolve around the fact that the ransomware is incapable of determining which victims have paid the ransom and should get their decryption keys. The threat actors must have been in a hurry repurposing their code and didn’t do it right.
June 5, 2017. Michael Gillespie, the author of ID Ransomware service, finds a way to defeat the encryption routine utilized by new variants of the Jigsaw ransomware. The updated tool called Jigsaw Decrypter supports files with the .lost, .tax and .ram extensions appended by the ransomware as part of its attack workflow.
June 5, 2017. The old and infamous Hidden Tear educational ransomware project has given birth to yet another real virus called Executioner. It is aimed at Turkish users, who have to pay 150 USD in Bitcoins if they want to decrypt their files. Locked files get random extensions and the ransom note is called Sifre_Coz_Talimat.html.
June 2, 2017. Based on data retrieved with Shodan, a search engine for Internet-connected devices, the number of easily accessible Hadoop servers across the globe is somewhere around 4,500. These insecure databases have very weak or no authentication mechanisms in place and hold more than 5,000 terabytes of information. Obviously, last winter’s database hijack incidents didn’t teach server owners a lesson.
June 2, 2017. The developers of the Hitler ransomware, who launched their operations almost a year ago, have added one more product to their lineup. It is a screen locker called CainXPii. This malware does not encrypt files, it just tries to lock your screen. Still, it is not so innocent: CainXPii permanently deletes some of the user’s files every time they try to terminate its executable. The virus asks for 20 EUR.
No one is bulletproof against ransomware these days. Home users and organizations are being constantly bombarded with malicious payloads, and some end up crypto-hijacked because of a human factor or security loopholes. In spite of this ostensible doom and gloom, it’s a bad idea to just sit back and watch your data go down the drain. Basic precautions are always worthwhile: do not open shady email attachments, apply OS updates and third-party software patches, use dependable antimalware, and of course maintain backups.
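The entries above record a set of concrete artifacts (ransom note filenames and the extensions appended to encrypted files) that are useful when triaging a share after an incident. The script below is an added example, not code from the original chronicle: it walks a directory tree, matches file names against the note names and extensions quoted in the entries, and ranks strains by hits, weighting a ransom note above an extension match because a few of these extensions (.tax, .ram, .onion) also belong to benign file types. The artifact table is copied from the page; the sample directory is constructed for the demonstration.

```python
"""Added example (not from the original chronicle): file-name IoC triage for a
directory tree, using the ransom-note names and encrypted-file extensions
recorded in the monthly entries above. The sample tree is constructed here."""
import os
import tempfile
from collections import Counter

# Strain -> (ransom note filenames, appended extensions); every value below is
# taken from the chronicle entries, lower-cased where matching needs it.
RANSOMWARE_ARTIFACTS = {
    "GlobeImposter": ({"how_to_back_files.html"}, {".crypt", ".gotham", ".happ"}),
    "Striked":       ({"README_DECRYPT.html"}, set()),
    "NemucodAES":    ({"DECRYPT.hta"}, set()),
    "XData":         ({"HOW_CAN_I_DECRYPT_MY_FILES.txt"}, {".~xdata~"}),
    "Uiwix":         ({"_DECODE_FILES.txt"}, {".uiwix"}),
    "Mole":          ({"Instruction_For_Helping_File_Recovery.txt"}, {".mole"}),
    "AES-NI":        (set(), {".aes_ni_0day"}),
    "Executioner":   ({"Sifre_Coz_Talimat.html"}, set()),
    "Jaff":          (set(), {".jaff", ".svn", ".wlu"}),
    "Samas":         (set(), {".breeding123", ".suppose666", ".mention9823"}),
    "Matrix":        (set(), {".bl0cked"}),
    "Onion":         (set(), {".onion"}),
    "Bart":          (set(), {".bart", ".bart.zip", ".perl"}),
    "Jigsaw":        (set(), {".fun", ".lost", ".tax", ".ram"}),
    "PyL33T":        (set(), {".d4nk"}),
}


def match_path(name):
    """Return a list of (strain, kind) hits for one file name.
    kind is 'note' for a ransom note name, 'ext' for an appended extension."""
    lower = name.lower()
    hits = []
    for strain, (notes, exts) in RANSOMWARE_ARTIFACTS.items():
        if lower in {n.lower() for n in notes}:
            hits.append((strain, "note"))
        elif any(lower.endswith(ext) for ext in exts):
            hits.append((strain, "ext"))
    return hits


def scan_tree(root):
    """Walk root and tally hits per strain: {strain: Counter({'note': n, 'ext': m})}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            for strain, kind in match_path(fname):
                findings.setdefault(strain, Counter())[kind] += 1
    return findings


def likely_strain(findings):
    """Rank strains; a ransom note weighs ten times an extension match, because
    some extensions collide with legitimate file types. None if nothing matched."""
    if not findings:
        return None
    return max(findings, key=lambda s: findings[s]["note"] * 10 + findings[s]["ext"])


def build_sample_tree():
    """Constructed sample: a share hit by the GlobeImposter .crypt variant."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.crypt", "report.docx.crypt", "notes.txt.crypt",
                 "how_to_back_files.html", "readme.txt"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample content\n")
    with open(os.path.join(root, "how_to_back_files.html"), "w") as fh:
        fh.write("constructed ransom note\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    for strain, counts in result.items():
        print(f"{strain}: {counts['note']} note(s), {counts['ext']} encrypted file(s)")
    print("most likely strain:", likely_strain(result))
```

Point `scan_tree` at a mounted copy of the affected share rather than the live system, and treat an extension-only result as a lead to confirm against the ransom note text, not as an identification on its own.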
Top ransomware records for May 2017
The ransomware frenzy got much worse in May. An unidentified cybercrime group launched the WannaCry, or WanaDecrypt0r 2.0, campaign hitting numerous high-profile victims and thousands of home users via NSA exploits. The good news is, several ransomware makers ended up releasing Master Decryption Keys for their crypto threats. Read this chronicle to stay on top of the current trends in the online extortion environment.
May 30, 2017. The XData ransomware campaign stops instilling fear as its ill-minded architect provides Master Decryption Keys on the Bleeping Computer forums. Avast, Kaspersky, and ESET seize upon this unexpected dump by releasing free decryption tools for all victims, most of whom are in Ukraine.
May 29, 2017. The No More Ransom Project expands its anti-ransomware coverage. Now it provides automatic free-of-charge decryptors for the following malicious crypto lineages: AES-NI, BTCWare, and Mole.
May 25, 2017. Linguists shed light on the attribution of the newsmaking WannaCry ransomware onslaught. Having scrutinized all the 28 language editions of the ransom notes, researchers from Flashpoint came to a conclusion that this wave is being operated by Chinese-speaking crooks.
May 23, 2017. Jaff ransomware, which is considered to be a successor of the nasty Locky strain, gets an upgrade. The most conspicuous modification introduced with the new version release is the .WLU extension that the Trojan concatenates to encrypted files. As before, the malady is making the rounds via malspam.
May 19, 2017. The XData sample starts spreading like wildfire in Ukraine. It managed to make more victims than the infamous WannaCry Trojan over a 24-hour span. This strain affixes the .~xdata~ extension to filenames and drops a ransom manual named HOW_CAN_I_DECRYPT_MY_FILES.txt.
May 18, 2017. Another ransomware, called Uiwix, uses the EternalBlue exploit to penetrate victims’ computers. Unsurprisingly, users’ files get the .UIWIX extension. The ransom note is called _DECODE_FILES.txt and appears on the desktop as well as inside each folder with locked files.
May 16, 2017. In an unanticipated move, the author or someone from the BTCWare ransomware crew makes the Master Decryption Key available to the security community. This invaluable data allows analysts to quickly contrive a free decryption tool.
May 16, 2017. It’s already common knowledge that the WannaCry ransomware uses NSA exploits dubbed EternalBlue and DoublePulsar to infect Windows computers via Server Message Block ports. However, a stealthy cryptocurrency miner known as Adylkuzz turns out to have leveraged the exact same exploits a couple of weeks earlier. While mining Monero, said malware closes the SMB ports that the ransomware exploits, thus making the infected machine immune to the crypto assault in the future.
May 15, 2017. The Philadelphia ransomware campaign reaches new heights. That’s due to a smart distribution approach involving the RIG exploit kit. Interestingly, this malware propagation network first deposits the Pony downloader virus onto a target PC. Pony, in its turn, then promotes a sample of the Philadelphia Trojan behind the victim’s back.
May 13, 2017. It turns out that the WannaCry pest employs quite an offbeat trigger for its attacks. Referred to as the kill switch, this trigger engages a specific Internet domain. If the latter is unregistered at the time of an attack, the infection moves on with its extortion. If it’s registered, the intrusion stops. A security analyst from the UK nicknamed MalwareTech registered this domain by chance, which halted the plague for a while and provided a useful clue for later tactics to counter the ransomware in question.
May 12, 2017. A well-orchestrated WannaCry outbreak starts. The infection manifests itself as WanaDecrypt0r 2.0. The first reported victims are large organizations, including the United Kingdom’s National Health Service, German railways, and FedEx. One of the disconcerting facts about this campaign is that the ransomware is executed on computers without any user action. Instead, it harnesses NSA exploits (EternalBlue and DoublePulsar) to infiltrate unpatched systems via SMB port 445.
May 11, 2017. A likely Locky ransomware spinoff called Jaff is discovered in the wild. The following similarities suggest that the two strains might have a common origin: distribution through the Necurs botnet and a pretty much identical Tor payment page. The new crypto hoax blemishes victims’ files with the .jaff extension.
May 9, 2017. Researchers come across a new Ransomware-as-a-Service portal called NemeS1S. This RaaS streamlines the propagation of PadCrypt, a strain that pioneered the use of live chat support in extortion activity. Although this ransomware is propped up by some smart technologies, its distribution is far from large-scale.
May 5, 2017. A new variant of the Jigsaw ransomware is spreading in a tricky way. The malicious payload is camouflaged as a credit card generator crack named CCgen 2017. This Jigsaw spinoff appends the .fun extension to encrypted files.
May 3, 2017. An improved edition of the Cerber ransomware is out. The infection now checks for antimalware engines before commencing the attack and employs an appropriate AV evasion mechanism. To top it off, the updated Cerber can also detect Wireshark or a VBox virtual machine and thwarts code debugging.
May 1, 2017. Emsisoft CTO Fabian Wosar defeats the encryption utilized by the Cry128 variant of the CryptON ransom Trojan. Those infected with this strain can, therefore, restore their data for free using the automatic decryption tool.
In summary, it’s worth emphasizing that no single prevention technique will make your data 100% immune to ransomware. The precautions are always about a combo of different methods and online habits. Stay away from suspicious email attachments, apply operating system patches as soon as they are available, and of course have a viable plan B revolving around backups.
Major ransomware events for April 2017
Crypto ransomware continued its progressive motion last month like an unstoppable locomotive that smashes everything in its path. Cybercrooks started leveraging NSA exploits to infect computers stealthily rather than dupe users into opening contagious malspam attachments. The Locky ransomware woke up after a three-month hibernation, and the comeback turned out nasty. All in all, April was fairly disconcerting in terms of ransomware. Peruse the following records to get the big picture.
Apr. 30, 2017. The .wallet file extension becomes a hallmark sign of one more ransomware. The CryptoMix strain has now joined a group of lookalikes that includes Dharma and the Sanctions ransom Trojans. Of course, the word “wallet” does have ties to the extortion concept as such, but using the same extension for different samples is bad taste.
Apr. 29, 2017. A hefty wave of malicious spam starts disseminating the Onion ransomware. This is a new sample that shares some activity patterns with the Dharma file encryptor. Aside from the .onion extension appended to filenames, the indicators of compromise include specific contact email addresses (firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org) and a 72-hour deadline for payment.
Apr. 27, 2017. An updated edition of the Cerber ransomware is discovered. It leaves a new combo of ransom notes named “_!!!_README_!!!_[random characters]_.txt/hta”. Another tweak has to do with the propagation mechanism. The infection is circulating by means of malware-tainted JS or RTF files attached to so-called Blank Slate malspam emails.
Apr. 23, 2017. Users plagued by ransomware get extra benefits from using the ID Ransomware service. It used to be only possible to determine a sample by uploading the ransom note or encrypted file. After the update, victims can optionally also enter any hyperlinks or email addresses provided by the infection.
Apr. 21, 2017. The Locky ransomware makes quite a reappearance after three months of inactivity. Just like last year, it is making the rounds via spam generated by the powerful Necurs botnet. The infection chain has hardly changed, engaging Microsoft Office VBA macros to deploy the payload on computers.
Apr. 20, 2017. The developers of the AES-NI ransomware adopt an unusual tactic to deposit their aggressive code onto computers. About a week earlier, a hacker group identifying themselves as Shadow Brokers had leaked NSA exploits that could potentially allow cybercrooks to infect computers via RDP. The ransom Trojan in question uses these exploits to propagate on a large scale. The symptoms include the .aes_ni_0day string added to files and a “!!! Read This – Important !!!.txt” ransom note.
Apr. 18, 2017. Ill-disposed architects of the Karmen ransomware campaign opt for a moneymaking model reminiscent of the average affiliate network. They set up a RaaS (Ransomware-as-a-Service) portal that outsources the distribution of their infection to interested third parties. The most ironic part of this story is that the code of Karmen is based on open-source educational ransomware called Hidden Tear.
Apr. 14, 2017. Malwarebytes Labs releases a report called “Cybercrime tactics and techniques Q1 2017”. One of the most unsettling facts highlighted in it is the rise and current domination of the Cerber ransomware on the extortion threat landscape. Its market share reached 86.98% in April.
Apr. 13, 2017. It turns out that the above-mentioned Ransomware-as-a-Service model isn’t the only way for extortionists to monetize their intellectual effort aside from direct distribution. A cybercrime syndicate behind the CradleCore ransomware starts selling the source code and auxiliary components of the infection on the Dark Web. The price for such an abominable kit starts with 0.35 Bitcoin, or about $600.
Apr. 12, 2017. The distributors of the Mole ransomware switch from using booby-trapped email attachments to employing a less straightforward scheme. A new wave of these attacks involves a rogue site titled Microsoft Word Online. Having visited it, would-be victims are instructed to install a fake Office plugin, which is in fact a ransomware payload. The hallmarks of this malicious program include the .mole file extension and Instruction_For_Helping_File_Recovery.txt ransom how-to.
Apr. 10, 2017. Security vendor Emsisoft updates the previously released decryptor for Cry9 ransomware, which contaminates Windows PCs by brute-forcing Remote Desktop access credentials. The enhancements made to the decryptor include improved performance and a broader scope of Cry9 editions supported.
Apr. 7, 2017. The Matrix ransomware is gaining pace. This threat adds the .bl0cked extension to hostage files. The new swing of Matrix distribution has added the EITest malicious framework to the mix. Such an infection chain engages a compromised website with the EITest script injected in it. This script leads to the RIG exploit kit, which further uses software vulnerabilities on the host computer to deliver the infection payload.
Apr. 6, 2017. A coder from Korea nicknamed Tvple Eraser begins spreading an offbeat crypto threat called Rensenware. Just like the average file-encrypting baddie, this one scrambles victims’ data using a strong cipher. However, the demands are definitely off the beaten track. The program tells plagued users to reach a 200 million score in “TH12 ~ Undefined Fantastic Object” shooter game. Having acknowledged how far this “joke” went, the crook created a free tool that emulates the required TH12 score to help those infected.
Apr. 6, 2017. A newsmaking arrest over a ransomware incident takes place in Austria. The suspect had purportedly pulled off an extortion hoax against an organization based in Linz. The apprehended 19-year-old felon had infected the company’s computer network with the Philadelphia ransomware, asking for $400 to restore the data.
Apr. 4, 2017. Bitdefender cooks up a free utility that decrypts files locked by the Bart ransomware. This crypto strain is capable of encoding data in offline mode and generates Locky ransomware style warnings. Bitdefender’s decryptor supports all known Bart variants and therefore restores scrambled files with the .bart, .bart.zip and .perl extensions.
Apr. 1, 2017. The UEFI ransomware proof-of-concept demonstrated at Black Hat Asia 2017 unveils weak links in the security architecture of Gigabyte BRIX ultra-compact PC kits. The PoC infection, which was contrived by analysts from Cylance cybersecurity firm, deploys its attack by harnessing vulnerabilities in vF2 and vF6 firmware versions of two different Gigabyte BRIX models.
Thumbs up to researchers who try to make the computer world safer by putting a spotlight on must-patch security loopholes in what seemed reliably protected. Unfortunately, the bad guys are starting to think out of the box as well. The good news is that no matter if you are confronted with a classic or novel ransomware scenario, you are good to go as long as you have a backup to restore data from.
Malicious Encryption in the Wild: Highlights from March 2017
Encryption-for-ransom went wild over the last month. This record includes over forty instances of extortion viruses, significantly exceeding any previous monthly report. This timeline highlights outstanding cases of malicious encryption, as well as anti-ransomware activities observed in March 2017.
Kaspersky comes up with some adjustments to their anti-ransomware application to beat the encryption of the Dharma Trojan. The ransomware adds an extra string after the native extension of an affected file, typically .zzzzz or .wallet. The solution makes use of the unlocking pins published by security enthusiasts.
A malicious encryption virus hits the main legislative body of Pennsylvania, the Caucus. The FBI is going to handle the attack while keeping details of the intervention private.
A detailed report comes from Cisco IT researchers providing insight into the new wave of the Crypt0L0cker ransomware, also known as TorrentLocker. The write-up by Talos Intelligence reveals an update featuring a more elaborate GUI. The threat targets a European audience.
The Cerber threat actors start spreading an updated edition of their ransomware. Compared to its counterparts, the infection abstains from encoding the file extension. Meanwhile, the viral encryptor retains its labeling for each affected item, which is a sequence of four characters that follows the original extension of a file.
A renowned antivirus vendor from Israel reports a wave of ransomware strains tailored to infect two specific businesses. Those two companies received thirty-six Android devices from a source that remains undisclosed. The crooks pre-infected the modern equipment before its shipment with the Slocker malicious encryptor, as well as another malware called Loki.
The Emsisoft key IT expert observes that following a strain of malicious encryptor is not a challenge for a true professional. The expert, Fabian Wosar, examines a just-surfaced sample of ransomware dubbed Damage. He also provides a decryptor and livestreams the entire routine to the public. Anyone can watch how the ransomware examination unfolds live.
IT security researchers report PetrWrap, another malicious encryptor spotted in the wild. The ransomware targets only selected corporate victims. Observations reveal the strain originates from the Petya extortion virus that used to be a major threat for German users. Those two Trojans encode data at a low level of the disk instead of the user’s personal files, hence a compromised device is totally locked.
Another deadly ransomware takes root. The malware dubbed Kirk explicitly refers to Star Trek TV series. The ransomware also features a brand new payment method, the Monero virtual currency, while the overwhelming majority of its counterparts stick to Bitcoin.
Facts and figures illustrate an impressive decline in the volume of Locky encryption cases, which marks a general regression in its propagation. The primary trigger inducing this downturn is the severed tie between the Locky ransomware and the Necurs infection strain.
ERPScan, a corporate software security firm, spots a vulnerability in SAP that enables threat actors to drop malware. This is an interface flaw that may lead to straightforward infiltration of any malware, including ransomware.
The developers of the Jigsaw extortion virus, which exploits some popular movie characters and images, come up with a new deadly variant. The ransomware immediately notifies its victims of the steps they should take to redeem the encrypted data, as the victims learn the walkthrough from the string appended to any affected item.
The MalwareHunterTeam researchers publish their report on the unfolding encryption-for-ransom attack. The statistics come from the reports sent by the users concerned to a single database. Over 600 cases submitted correspond to almost 50 million instances of items encrypted for ransom due to the intervention of Spora Trojan that runs rampant.
Apple introduces a critical update to its iOS. This enhances the security of the mobile system against malicious encryptors, as the patch blocks the respective malicious routines right in the Safari browser. The crooks had utilized the above vulnerability to freeze Safari Mobile for a ransom payable in iTunes gift vouchers.
IT analysts release a detailed description of the Sage ransomware. The research reveals certain features common to the Sage and Spora ransom Trojans, indicating that both may originate from the same developers. Another point to note is that the malicious encryption by Sage 2.2 combines two ciphers (ChaCha20 and ECC) rarely used by other ransomware authors.
The Sanctions virus encrypts data for ransom. The ransomware makes a game of the sanctions actually imposed on Russia by the world’s leading countries, yet the decryptor’s price is far above the rate demanded by its counterparts. Fortunately, this strain is not distributed widely. The ransomware prompts each victim to pay 6 BTC, which is over 7k USD. An amount that large suggests the crooks aim at corporate users rather than individuals.
To avoid malicious encryption, exercise reasonable discretion during your web sessions. Even the most advanced ransomware samples cannot hit the target unless the user opens a viral email attachment or clicks a link. Once the ransomware executes its payload, you are still on the safe side as long as backup copies of your data remain out of the attack’s reach.
Important ransomware events in February 2017
The chronicle below reflects all significant ransomware-related incidents that hit the headlines in February 2017. An influx of sophisticated Android lockers last month, along with defiant attacks against governmental institutions and educational establishments, were serious wake-up calls for the security industry. On the other hand, there were countervailing efforts of researchers who managed to tailor quite a few free decryption tools.
Feb. 23, 2017. The latest variant of Android.Lockdroid.E ransomware has a voice recognition feature under the hood. It requires victims to speak the unlock code received after the ransom has been submitted.
Feb. 22, 2017. ESET team spots a ransom trojan called Patcher that targets Mac OS X. Its downloaders are camouflaged as various software patches for Macs, hence the name of the infection. The crypto routine is buggy, so it may be impossible to decrypt hostage files even if the attackers’ demands are met.
Feb. 22, 2017. Offbeat ransomware called Trump Locker is spotted in the wild. It appears to have common roots with the .NET based Venus Locker sample. Trump Locker fully encrypts popular data types while scrambling only the first 1024 bytes of others. It also concatenates different extensions to files depending on the category they fall into.
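The partial-encryption behaviour described above (only the first 1024 bytes of some files scrambled) leaves a recognisable fingerprint: a high-entropy header followed by a normal-looking body. The following added example, not code from the original article or from any vendor, is a triage heuristic that classifies a file as untouched, partially encrypted or fully encrypted from byte entropy alone; the 1024-byte header length and the entropy threshold are assumptions taken from the description, and the sample files are constructed inline.

```python
import math
import random
from collections import Counter

HEADER_LEN = 1024      # assumed: bytes scrambled by the partial-encryption mode
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext sits near 8, text and code well below
MIN_BODY = 256         # too little body to judge, fall back to header only


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(data: bytes) -> str:
    """Return 'plain', 'partial' (high-entropy header, structured body) or 'full'.

    Caveat: already-compressed formats (JPEG, ZIP, PDF streams) are high entropy
    by nature and will look 'full'; pair this with extension and ransom-note checks.
    """
    head, body = data[:HEADER_LEN], data[HEADER_LEN:]
    head_hi = shannon_entropy(head) >= HIGH_ENTROPY
    if len(body) < MIN_BODY:
        return "full" if head_hi else "plain"
    body_hi = shannon_entropy(body) >= HIGH_ENTROPY
    if head_hi and body_hi:
        return "full"
    if head_hi:
        return "partial"
    return "plain"


def scan(files: dict) -> dict:
    """Classify every {name: bytes} entry; the caller decides what to alert on."""
    return {name: classify_file(blob) for name, blob in files.items()}


# Constructed samples: a text file, the same file with its header scrambled,
# and a fully scrambled file. A seeded PRNG stands in for ciphertext.
_rng = random.Random(1)
_text = b"Quarterly report: revenue up 4% on the previous period.\n" * 80
SAMPLES = {
    "report.txt": _text,
    "report.txt.partial": bytes(_rng.getrandbits(8) for _ in range(HEADER_LEN)) + _text[HEADER_LEN:],
    "report.txt.full": bytes(_rng.getrandbits(8) for _ in range(len(_text))),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```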
Feb. 22, 2017. Python-based ransomware isn’t all that widespread, so every discovered strain is potentially interesting. Researchers came across a new one dubbed PyL33T that leverages the symmetric AES algorithm to encrypt files and appends the .d4nk suffix to them.
Feb. 21, 2017. ESET publishes a report regarding the evolution of Android ransomware. According to the research, these threats grew by 50% in 2016 versus 2015. Some of the current trends in this niche of cybercrime include the use of spam emails and unofficial app portals as primary distribution channels, as well as payload encryption techniques to thwart detection.
Feb. 21, 2017. Avast releases a decryption tool for the CryptoMix ransomware. The free utility can restore files appended with one of the following extensions: .cryptoshield, .code, .lesli, .rmd, .rdmk, .rscl, or .scl.
Feb. 16, 2017. Fabian Wosar, CTO and malware researcher at Emsisoft, sets up a live video session where he reverse-engineers and decrypts the new Hermes ransomware.
Feb. 15, 2017. A new edition of the newsmaking Cerber ransomware detects antivirus and antispyware tools as well as firewalls installed on a target computer. Instead of encrypting the files associated with these products, though, the pest skips them and moves on with its attack. This way, Cerber developers may be demonstrating that security solutions aren’t an issue for their campaign.
Feb. 14, 2017. Researchers from the Georgia Institute of Technology create a viable proof-of-concept ransomware that targets SCADA and Industrial Control Systems.
Feb. 14, 2017. According to Kaspersky’s statistics for 2016, the overwhelming majority of ransomware authors (about 75%) represent the Russian-speaking cybercrime underground.
Feb. 9, 2017. Serpent ransomware, a new spam-borne threat propagating mostly in Denmark, arrives with booby-trapped Microsoft Word email attachments that prompt recipients to enable macros. The size of the ransom is 0.75 Bitcoin.
Feb. 9, 2017. A fresh specimen called DynA-Crypt goes equipped with a backdoor that allows the threat actors to steal victims’ personally identifiable information. Aside from going the commonplace extortion route, this one also engages in the exfiltration of passwords, snapshots of the desktop and other sensitive data.
Feb. 8, 2017. The ID Ransomware online resource can now identify 300 different crypto infections. This feature is invaluable for the troubleshooting chain. It allows victims to upload a ransom note or arbitrary encrypted file, learn which sample hit them, and proceed with data decryption if the appropriate tool is available.
Feb. 7, 2017. A new strain called Erebus leverages a tricky technique to bypass User Account Control (UAC) prompt while gaining elevated privileges on a targeted computer. As opposed to most of its counterparts, Erebus requests an unusually low ransom of 0.85 Bitcoin.
Feb. 6, 2017. Android.Lockdroid.E, an advanced ransomware sample targeting Android, starts using a malicious dropper for its extortion campaign. This way, it figures out if the device is rooted or not and then continues the compromise accordingly.
Feb. 3, 2017. The government of Licking County, Ohio, undergoes a ransomware attack. The perpetrating code affected the County’s website, computer network and phone systems, including the 911 emergency line.
Feb. 3, 2017. Two hackers get arrested in London on suspicion of compromising the CCTV system of Washington, D.C., a week before President Trump’s inauguration. The ransomware attack affected 70% of surveillance cameras in the US capital.
Feb. 3, 2017. A Ransomware-as-a-Service platform called Ranion takes root. Its operators claim it pursues strictly educational goals. There is an annual sign-up fee of 0.95 Bitcoin (about $1,100). Interestingly, the ill-minded customers of this RaaS don’t have to share any subsequent revenue with the devs.
Feb. 1, 2017. Avast releases three new decryption tools that allow ransomware victims to get their hostage data back for free. The decryptors support the following ransomware families: Hidden Tear, Jigsaw, and Stampado (Philadelphia).
Obviously, ransomware authors keep exploring new niches. The Android mobile platform is being more heavily targeted than ever before, and so is the Mac OS X environment. Home users, schools, big organizations, and governments are equally vulnerable. Hopefully, the law enforcement and security companies from the private sector will shortly come up with efficient methods to contain the epidemic.
Major ransomware events for January 2017
Crypto ransomware is the dominant predator on the present-day cyber threat landscape. A slew of malicious software from this cluster is constantly prowling the Internet in search of victims. PC users, organizations and even governments remain low-hanging fruit for these attacks. The plague appears to be running rampant in 2017, and adequate countermeasures have yet to be implemented. This timeline covers all noteworthy ransomware incidents that took place in January.
Jan. 31, 2017. CryptoShield 1.0, a new derivative of the CryptoMix ransomware, leverages a complex infection mechanism involving a network of compromised web pages. The contamination relies on obfuscated EITest script that engages the Rig exploit kit in the workflow. The latter takes advantage of software vulnerabilities on a target PC to install the ransomware.
Jan. 31, 2017. Spora ransomware operators opt for an interesting technique to deposit their payload onto computers. The infection process involves a phony Chrome Font Pack update popup displayed on hacked sites. The update, however, is nothing but a ransomware downloader.
Jan. 30, 2017. A ransomware specimen called Zyka is discovered. Having encrypted one’s data with AES cipher, it adds the .lock string to original filenames and asks for a Bitcoin equivalent of $170. Fortunately, this one is decryptable for free.
Jan. 27, 2017. A new version of the Jigsaw ransom trojan goes live. It concatenates the .email@example.com extension to encrypted files. Michael Gillespie, a security analyst who had devised the Jigsaw decryption tool earlier, updates his solution to handle the latest variant.
Jan. 20, 2017. Researchers release a free decryptor for the GlobeImposter ransomware. This sample mimics the Globe file-encrypting strain but actually uses different code and propagation channels. GlobeImposter appends skewed files with the .crypt extension and leaves a ransom note named How_Open_Files.hta.
Jan. 19, 2017. Ransomware-as-a-Service called Satan is gaining momentum. It allows individuals who want to try their hand at online extortion to get a turnkey ransomware build for free. However, the creators of this RaaS get a 30% cut from all ransoms submitted by victims.
Jan. 18, 2017. A new edition of the above-mentioned Spora ransomware behaves somewhat like a computer worm. First, the malicious code replaces arbitrary Windows shortcuts with booby-trapped .lnk files. The ransomware routine proper starts as soon as an unsuspecting user double-clicks one of these innocuous-looking objects.
Jan. 17, 2017. The one-year-old Cerber ransomware and the new Spora Trojan appear to have much in common. The most striking similarity is that the two rely on the exact same malware distribution platform. The takeaway is that the operators of these campaigns are either the same people or closely connected extortion crews.
Jan. 17, 2017. The notorious Locky ransomware campaign is steadily plummeting. The amount of spam delivering this infection suffered a dramatic drop by 80% during the month. Interestingly, there is an apparent correlation between this decrease and the inactivity of the so-called Necurs botnet.
Jan. 12, 2017. Another day, another win of the white hats. The Emsisoft team created a free decryptor for different variants of the Merry X-Mas ransomware. The latest iteration, which drops a ransom note called Merry_I_Love_You_Bruce.hta, is supported as well.
Jan. 12, 2017. Emsisoft succeeds in cracking a new crypto strain called the Marlboro ransomware. This one concatenates the .oops suffix to victims’ scrambled files. To their credit, analysts found a loophole in the implementation of the XOR cipher. It took them as little as one day to release an automatic decryption tool.
Jan. 10, 2017. The Los Angeles Valley College ends up paying a huge ransom of $28,000 in a newsmaking ransomware incident. An aggressive crypto infection had rendered the school’s voicemail and email systems inoperable. Obviously, a viable data backup strategy could have saved the educational institution a pretty penny.
Jan. 10, 2017. A new file-encrypting strain called the Spora ransomware is spotted in the wild. Its crypto implementation is flawless, so it’s impossible to restore mutilated data without submitting the ransom. This perpetrating program uses a top-notch payment service with built-in tech support. The size of the ransom depends on whether the victim is a home user or an organization.
Jan. 9, 2017. Cybercrooks zero in on unprotected MongoDB servers. It took the threat actors less than one week to hijack over 28,000 MongoDB databases all over the world. To regain access to the hostage data, server owners are instructed to cough up 0.1-1 BTC.
Jan. 9, 2017. The Merry X-Mas ransom Trojan starts depositing an extra infection called DiamondFox on targeted machines. The accompanying malware steals passwords, facilitates hacking via Remote Desktop Protocol, and turns plagued computers into bots for spam generation or DDoS attacks.
Jan. 7, 2017. An unidentified group of extortionists pulls off a social engineering campaign targeting schools in the United Kingdom. Impersonating UK government officials, the criminals cold-call school staff and state that they need to send guidance forms to the head teacher. The rogue emails actually contain contagious ZIP attachments that instantly trigger the ransomware infection chain followed by a whopping £8,000 ransom demand.
Jan. 4, 2017. Security analysts at CERT Polska publish a comprehensive report on the CryptoMix/CryptFile2 ransomware. The experts discovered that the infection uses the Rig-V exploit kit to propagate, encrypts files with 256-bit AES key, disables Volume Shadow Copy Service to prevent easy recovery, and requires 5 Bitcoins to decrypt data.
Jan. 4, 2017. A new strain called the Merry X-Mas ransomware, or MRCR, is discovered. It arrives with spam emails containing malicious executables disguised as PDF files. The infection displays a Christmas-themed HTA ransom note and appends one of the following extensions to mutilated files: .mrcr1, .rmcm1, .rare, .merry, or .pegs1.
Jan. 4, 2017. Emsisoft CTO and security researcher Fabian Wosar manages to defeat the encryption of Globe ransomware version 3, the newest edition in this nefarious lineage. The free automatic decryptor can restore files with the .decrypt2017 and .hnumkhotep extensions.
Jan. 3, 2017. Malware authors cook up several infections using the FSociety brand name, which stands for a high-profile hacking ring from the Mr. Robot television series. While trying to follow suit, real-world attackers have launched three ransomware families, two screen-locking Trojans, and a DDoS botnet.
The moral of the story is that the IT world is confronted with an increasingly crafty adversary. Although numerous IT experts have teamed up to tackle the menace, free decryption tools are still the exception rather than the rule. Under the circumstances, data backups are a godsend because they reduce the damage from ransomware attacks. Also, prevention through timely software patches, caution with email attachments and proper web browsing hygiene can work wonders.