Major ransomware events for April 2017
Crypto ransomware continued its progressive motion last month like an unstoppable locomotive that smashes everything in its path. Cybercrooks started leveraging NSA exploits to infect computers stealthily rather than dupe users into opening contagious malspam attachments. The Locky ransomware woke up after a three-month hibernation, and the comeback turned out nasty. All in all, April was fairly disconcerting in terms of ransomware. Peruse the following records to get the big picture.
Apr. 30, 2017. The .wallet file extension becomes a hallmark sign of one more ransomware. The CryptoMix strain has now joined a group of lookalikes that includes Dharma and the Sanctions ransom Trojans. Of course, the word “wallet” does have ties to the extortion concept as such, but using the same extension for different samples is bad taste.
Apr. 29, 2017. A hefty wave of malicious spam starts disseminating the Onion ransomware. This is a new sample that shares some activity patterns with the Dharma file encryptor. Aside from the .onion extension appended to filenames, the indicators of compromise include specific contact email addresses ([email protected], [email protected], or [email protected]) and a 72-hour deadline for payment.
Apr. 27, 2017. An updated edition of the Cerber ransomware is discovered. It leaves a new combo of ransom notes named “_!!!_README_!!!_[random characters]_.txt/hta”. Another tweak has to do with the propagation mechanism. The infection is circulating by means of malware-tainted JS or RTF files attached to so-called Blank Slate malspam emails.
Apr. 23, 2017. Users plagued by ransomware get extra benefits from using the ID Ransomware service. It used to be only possible to determine a sample by uploading the ransom note or encrypted file. After the update, victims can optionally also enter any hyperlinks or email addresses provided by the infection.
Apr. 21, 2017. The Locky ransomware makes quite a reappearance after three months of inactivity. Just like last year, it is making the rounds via spam generated by the powerful Necurs botnet. The infection chain has hardly changed, engaging Microsoft Office VBA macros to deploy the payload on computers.
Apr. 20, 2017. The developers of the AES-NI ransomware adopt an unusual tactic to deposit their aggressive code onto computers. About a week earlier, a hacker group identifying themselves as Shadow Brokers had leaked NSA exploits that could potentially allow cybercrooks to infect computers via RDP. The ransom Trojan in question uses these exploits to propagate on a large scale. The symptoms include the .aes_ni_0day string added to files and a “!!! Read This – Important !!!.txt” ransom note.
Apr. 18, 2017. Ill-disposed architects of the Karmen ransomware campaign opt for a moneymaking model reminiscent of the average affiliate network. They set up a RaaS (Ransomware-as-a-Service) portal that outsources the distribution of their infection to interested third parties. The most ironic part of this story is that the code of Karmen is based on open-source educational ransomware called Hidden Tear.
Apr. 14, 2017. Malwarebytes Labs releases a report called “Cybercrime tactics and techniques Q1 2017”. One of the most unsettling facts highlighted in it is the rise and current domination of the Cerber ransomware on the extortion threat landscape. Its market share reached 86.98% in April.
Apr. 13, 2017. It turns out that the above-mentioned Ransomware-as-a-Service model isn’t the only way for extortionists to monetize their intellectual effort aside from direct distribution. A cybercrime syndicate behind the CradleCore ransomware starts selling the source code and auxiliary components of the infection on the Dark Web. The price for such an abominable kit starts with 0.35 Bitcoin, or about $600.
Apr. 12, 2017. The distributors of the Mole ransomware switch from using booby-trapped email attachments to employing a less straightforward scheme. A new wave of these attacks involves a rogue site titled Microsoft Word Online. Having visited it, would-be victims are instructed to install a fake Office plugin, which is in fact a ransomware payload. The hallmarks of this malicious program include the .mole file extension and Instruction_For_Helping_File_Recovery.txt ransom how-to.
Apr. 10, 2017. Security vendor Emsisoft updates the previously released decryptor for Cry9 ransomware, which contaminates Windows PCs by brute-forcing Remote Desktop access credentials. The enhancements made to the decryptor include improved performance and a broader scope of Cry9 editions supported.
Apr. 7, 2017. The Matrix ransomware is gaining pace. This threat adds the .bl0cked extension to hostage files. The new swing of Matrix distribution has added the EITest malicious framework to the mix. Such an infection chain engages a compromised website with the EITest script injected in it. This script leads to the RIG exploit kit, which further uses software vulnerabilities on the host computer to deliver the infection payload.
Apr. 6, 2017. A coder from Korea nicknamed Tvple Eraser begins spreading an offbeat crypto threat called Rensenware. Just like the average file-encrypting baddie, this one scrambles victims’ data using a strong cipher. However, the demands are definitely off the beaten track. The program tells plagued users to reach a 200 million score in “TH12 ~ Undefined Fantastic Object” shooter game. Having acknowledged how far this “joke” went, the crook created a free tool that emulates the required TH12 score to help those infected.
Apr. 6, 2017. A newsmaking arrest over a ransomware incident takes place in Austria. The suspect had purportedly pulled off an extortion hoax against an organization based in Linz. The apprehended 19-year-old felon had infected the company’s computer network with the Philadelphia ransomware, asking for $400 to restore the data.
Apr. 4, 2017. Bitdefender cooks up a free utility that decrypts files locked by the Bart ransomware. This crypto strain is capable of encoding data in offline mode and generates Locky ransomware style warnings. Bitdefender’s decryptor supports all known Bart variants and therefore restores scrambled files with the .bart, .bart.zip and .perl extensions.
Apr. 1, 2017. The UEFI ransomware proof-of-concept demonstrated at Black Hat Asia 2017 unveils weak links in the security architecture of Gigabyte BRIX ultra-compact PC kits. The PoC infection, which was contrived by analysts from Cylance cybersecurity firm, deploys its attack by harnessing vulnerabilities in vF2 and vF6 firmware versions of two different Gigabyte BRIX models.
Thumbs up to researchers who try to make the computer world safer by putting a spotlight on must-patch security loopholes in what seemed reliably protected. Unfortunately, the bad guys are starting to think out of the box as well. The good news is that no matter if you are confronted with a classic or novel ransomware scenario, you are good to go as long as you have a backup to restore data from.
Malicious Encryption in the Wild: Highlights from March 2017
Encryption-for-ransom went wild over the last month. This record includes over forty instances of extortion viruses, significantly more than any previous monthly report. This timeline highlights notable cases of malicious encryption, as well as anti-ransomware activities observed in March 2017.
Kaspersky comes up with adjustments to its anti-ransomware application to beat the encryption of the Dharma Trojan. The ransomware adds an extra string after the native extension of each affected file, typically .zzzzz or .wallet. The solution makes use of the unlocking keys published by security enthusiasts.
A malicious encryption virus hits the main legislative body of Pennsylvania, the Caucus. The FBI is handling the attack while keeping details of the intervention private.
Cisco researchers release a detailed report providing insight into the new wave of the Crypt0L0cker ransomware, also known as TorrentLocker. The write-up by Talos Intelligence reveals an update featuring a more elaborate GUI. The threat targets a European audience.
The Cerber threat actors start spreading an updated edition of their ransomware. Unlike its counterparts, this build does not encode the file extension. Meanwhile, the encryptor retains its labeling for each affected item: a sequence of four characters that follows the original file extension.
A renowned antivirus vendor from Israel reports a wave of ransomware strains tailored to infect two specific businesses. Those two companies received thirty-six Android devices from a source that remains undisclosed. The crooks pre-infected the devices before shipment with the Slocker malicious encryptor, as well as another piece of malware called Loki.
An Emsisoft key IT expert observes that keeping up with a strain of malicious encryptor is not a challenge for a true professional. The expert, Fabian Wosar, examines a just-surfaced ransomware sample dubbed Damage. He also provides a decryptor and streams the entire routine to the public, so anyone can watch the ransomware analysis unfold live.
IT security researchers report PetrWrap, another malicious encryptor spotted in the wild. The ransomware targets only selected corporate victims. Observations reveal the strain originates from the Petya extortion virus, which used to be a major threat for German users. The two Trojans encrypt data at the disk root level rather than the user’s personal files, so a compromised device is totally locked.
Another deadly ransomware takes root. The malware, dubbed Kirk, explicitly refers to the Star Trek TV series. The ransomware also features a brand new payment method, the Monero virtual currency, while the overwhelming majority of its counterparts stick to Bitcoin.
Facts and figures illustrate an impressive decline in the volume of Locky encryption cases, which marks a general regression in its propagation. The primary trigger of this downturn is the severed link between the Locky ransomware and the Necurs botnet.
ERPScan, a corporate software security company, spots a vulnerability in SAP that enables threat actors to drop malware. This interface flaw may lead to straightforward infiltration of any malware, including ransomware.
The developers of the Jigsaw extortion virus, which exploits some popular movie characters and images, come up with a new deadly variant. The ransomware immediately notifies its victims of the steps they should take to redeem the encrypted data: the victims learn the walkthrough from the string appended to every affected item.
The MalwareHunterTeam researchers publish their report on the unfolding encryption-for-ransom attack. The statistics come from reports that concerned users sent to a single database. Over 600 submitted cases correspond to almost 50 million items encrypted for ransom by the rampant Spora Trojan.
Apple introduces a critical update to iOS. It enhances the security of the mobile system against malicious encryptors, as the patch blocks the respective malicious routines right in the Safari browser. The crooks had exploited the vulnerability to freeze Safari Mobile for a ransom payable in iTunes gift vouchers.
IT analysts release a detailed description of the Sage ransomware. The research reveals certain features common to the Sage and Spora ransom Trojans, indicating that both may originate from the same developers. Another point to note is that the malicious encryption in Sage 2.2 combines two ciphers (ChaCha20 and ECC) rarely used by other ransomware authors.
The Sanctions virus encrypts data for ransom. The ransomware makes a game of the sanctions actually imposed on Russia by the world’s leading countries, yet the decryptor’s price is far above the rate demanded by its counterparts. Fortunately, this strain is not distributed widely. The ransomware prompts each victim to pay 6 BTC, which is over 7,000 USD. An amount that large suggests the crooks aim at corporate users rather than individuals.
To avoid malicious encryption, apply reasonable discretion to your web sessions. Even the most advanced ransomware samples cannot hit the target unless the user opens a viral email attachment or clicks a link. Once the ransomware executes its payload, you are still on the safe side as long as reserve copies of your data remain beyond the attack’s reach.
Important ransomware events in February 2017
The chronicle below reflects all significant ransomware-related incidents that hit the headlines in February 2017. An influx of sophisticated Android lockers last month, along with defiant attacks against governmental institutions and educational establishments, were serious wake-up calls for the security industry. On the other hand, there were countervailing efforts of researchers who managed to tailor quite a few free decryption tools.
Feb. 23, 2017. The latest variant of Android.Lockdroid.E ransomware has a voice recognition feature under the hood. It requires victims to speak the unlock code received after the ransom has been submitted.
Feb. 22, 2017. ESET team spots a ransom trojan called Patcher that targets Mac OS X. Its downloaders are camouflaged as various software patches for Macs, hence the name of the infection. The crypto routine is buggy, so it may be impossible to decrypt hostage files even if the attackers’ demands are met.
Feb. 22, 2017. Offbeat ransomware called Trump Locker is spotted in the wild. It appears to have common roots with the .NET based Venus Locker sample. Trump Locker fully encrypts popular data types while scrambling only the first 1024 bytes of others. It also concatenates different extensions to files depending on the category they fall into.
Feb. 22, 2017. Python based ransomware isn’t all too widespread, so every discovered strain is potentially interesting. Researchers came across a new one dubbed PyL33T that leverages symmetric AES algorithm to encode files and appends them with the .d4nk suffix.
Feb. 21, 2017. ESET publishes a report regarding the evolution of Android ransomware. According to the research, these threats grew by 50% in 2016 versus 2015. Some of the current trends in this niche of cybercrime include the use of spam emails and unofficial app portals as primary distribution channels, as well as payload encryption techniques to thwart detection.
Feb. 21, 2017. Avast releases a decryption tool for the CryptoMix ransomware. The free utility can restore files appended with one of the following extensions: .cryptoshield, .code, .lesli, .rmd, .rdmk, .rscl, or .scl.
Feb. 16, 2017. Fabian Wosar, CTO and malware researcher at Emsisoft, sets up a live video session where he reverse-engineers and decrypts the new Hermes ransomware.
Feb. 15, 2017. A new edition of the newsmaking Cerber ransomware detects antivirus and antispyware tools as well as firewalls installed on a target computer. Instead of encrypting the associated files, though, the pest ignores them and moves on with its attack. This way, Cerber developers may be demonstrating that security solutions aren’t an issue for their campaign.
Feb. 14, 2017. Researchers from the Georgia Institute of Technology create a viable proof-of-concept ransomware that targets SCADA and Industrial Control Systems.
Feb. 14, 2017. According to Kaspersky’s statistics for 2016, the overwhelming majority of ransomware authors (about 75%) represent the Russian-speaking cybercrime underground.
Feb. 9, 2017. Serpent ransomware, a new spam-borne threat propagating mostly in Denmark, arrives with booby-trapped Microsoft Word email attachments that prompt recipients to enable macros. The size of the ransom is 0.75 Bitcoin.
Feb. 9, 2017. A fresh specimen called DynA-Crypt goes equipped with a backdoor that allows the threat actors to steal victims’ personally identifiable information. Aside from going the commonplace extortion route, this one also engages in the exfiltration of passwords, snapshots of the desktop and other sensitive data.
Feb. 8, 2017. The ID Ransomware online resource can now identify 300 different crypto infections. This feature is invaluable for the troubleshooting chain. It allows victims to upload a ransom note or arbitrary encrypted file, learn which sample hit them, and proceed with data decryption if the appropriate tool is available.
Feb. 7, 2017. A new strain called Erebus leverages a tricky technique to bypass the User Account Control (UAC) prompt while gaining elevated privileges on a targeted computer. As opposed to most of its counterparts, Erebus requests an unusually low ransom of 0.85 Bitcoin.
Feb. 6, 2017. Android.Lockdroid.E, an advanced ransomware sample targeting Android, starts using a malicious dropper for its extortion campaign. This way, it figures out if the device is rooted or not and then continues the compromise accordingly.
Feb. 3, 2017. The government of Licking County, Ohio, undergoes a ransomware attack. The perpetrating code affected the County’s website, computer network and phone systems, including the 911 emergency line.
Feb. 3, 2017. Two hackers get arrested in London on suspicion of compromising the CCTV system of Washington, D.C., a week before President Trump’s inauguration. The ransomware attack affected 70% of surveillance cameras in the US capital.
Feb. 3, 2017. A Ransomware-as-a-Service platform called Ranion takes root. Its operators claim it pursues strictly educational goals. There is an annual sign-up fee of 0.95 Bitcoin (about $1,100). Interestingly, the ill-minded customers of this RaaS don’t have to share any subsequent revenue with the devs.
Feb. 1, 2017. Avast releases three new decryption tools that allow ransomware victims to get their hostage data back for free. The decryptors support the following ransomware families: Hidden Tear, Jigsaw, and Stampado (Philadelphia).
Obviously, ransomware authors keep exploring new niches. The Android mobile platform is being more heavily targeted than ever before, and so is the Mac OS X environment. Home users, schools, big organizations, and governments are equally vulnerable. Hopefully, the law enforcement and security companies from the private sector will shortly come up with efficient methods to contain the epidemic.
Major ransomware events for January 2017
Crypto ransomware is the dominating predator on the present-day cyber threat landscape. A slew of malicious software from this cluster is constantly prowling the Internet in search of victims. PC users, organizations and even governments are still low-hanging fruit in the face of these attacks. The plague appears to be running rampant in 2017, and adequate countermeasures have yet to be implemented. This timeline covers all noteworthy ransomware incidents that took place in January.
Jan. 31, 2017. CryptoShield 1.0, a new derivative of the CryptoMix ransomware, leverages a complex infection mechanism involving a network of compromised web pages. The contamination relies on obfuscated EITest script that engages the Rig exploit kit in the workflow. The latter takes advantage of software vulnerabilities on a target PC to install the ransomware.
Jan. 31, 2017. Spora ransomware operators opt for an interesting technique to deposit their payload onto computers. The infection process involves a phony Chrome Font Pack update popup displayed on hacked sites. The update, however, is nothing but a ransomware downloader.
Jan. 30, 2017. A ransomware specimen called Zyka is discovered. Having encrypted one’s data with the AES cipher, it adds the .lock string to original filenames and asks for a Bitcoin equivalent of $170. Fortunately, this one is decryptable for free.
Jan. 27, 2017. A new version of the Jigsaw ransom trojan goes live. It concatenates the .[email protected] extension to encrypted files. Michael Gillespie, a security analyst who had devised the Jigsaw decryption tool earlier, updates his solution to handle the latest variant.
Jan. 20, 2017. Researchers release a free decryptor for the GlobeImposter ransomware. This sample mimics the Globe file-encrypting strain but actually uses different code and propagation channels. GlobeImposter appends skewed files with the .crypt extension and leaves a ransom note named How_Open_Files.hta.
Jan. 19, 2017. Ransomware-as-a-Service called Satan is gaining momentum. It allows individuals who want to try their hand at online extortion to get a turnkey ransomware build for free. However, the creators of this RaaS get a 30% cut from all ransoms submitted by victims.
Jan. 18, 2017. A new edition of the above-mentioned Spora ransomware behaves somewhat like a computer worm. First, the malicious code replaces arbitrary Windows shortcuts with booby-trapped .lnk files. The ransomware routine proper starts as soon as an unsuspecting user double-clicks one of these innocuous-looking objects.
Jan. 17, 2017. The one-year-old Cerber ransomware and the new Spora Trojan appear to have much in common. The most striking similarity is that the two rely on the exact same malware distribution platform. The takeaway is that the operators of these campaigns are either the same people or closely connected extortion crews.
Jan. 17, 2017. The notorious Locky ransomware campaign is steadily plummeting. The amount of spam delivering this infection suffered a dramatic drop by 80% during the month. Interestingly, there is an apparent correlation between this decrease and the inactivity of the so-called Necurs botnet.
Jan. 12, 2017. Another day, another win of the white hats. The Emsisoft team created a free decryptor for different variants of the Merry X-Mas ransomware. The latest iteration, which drops a ransom note called Merry_I_Love_You_Bruce.hta, is supported as well.
Jan. 12, 2017. Emsisoft succeeds in cracking a new crypto strain called the Marlboro ransomware. This one concatenates the .oops suffix to victims’ scrambled files. To their credit, analysts found a loophole in the implementation of the XOR cipher. It took them as little as one day to release an automatic decryption tool.
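The Marlboro entry above shows why a home-grown XOR cipher is a gift to decryptor authors. The following added example (not Emsisoft's tool and not Marlboro's actual code) assumes the weak scheme is a repeating-key XOR, which the page does not confirm, and recovers the key from one file the victim still has a clean copy of; the key, file contents and PNG/PDF headers used as known plaintext are constructed or standard.

```python
"""Known-plaintext recovery of a repeating-key XOR "cipher".

Added example, not Emsisoft's decryptor and not Marlboro's real code: it
assumes the weak scheme is a repeating-key XOR (the page does not describe
the actual loophole), and the key and files below are constructed.
"""
import itertools
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # standard 8-byte PNG signature


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def keystream_from_pair(encrypted: bytes, original: bytes) -> bytes:
    """Ciphertext XOR known plaintext gives the keystream byte for byte."""
    return bytes(c ^ p for c, p in zip(encrypted, original))


def find_period(stream: bytes, min_repeats: int = 2) -> Optional[int]:
    """Smallest p such that stream[i] == stream[i % p] for every i.

    At least min_repeats full repetitions must fit in the stream, so a
    short known plaintext cannot produce a spurious period.
    """
    for p in range(1, len(stream) // min_repeats + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def recover_key(encrypted: bytes, original: bytes) -> Optional[bytes]:
    """Recover the XOR key from one (encrypted, original) file pair."""
    stream = keystream_from_pair(encrypted, original)
    period = find_period(stream)
    return stream[:period] if period else None


def recover_key_from_magic(encrypted: bytes, magic: bytes, key_len: int) -> Optional[bytes]:
    """Header-only variant: when only the file-type signature is known, the
    key is recoverable only if it is no longer than that signature."""
    if key_len > len(magic):
        return None
    return keystream_from_pair(encrypted[:key_len], magic[:key_len])


# Constructed victim data: one file the victim still has a clean copy of
# (e.g. from an e-mail attachment) and one they do not.
KEY = b"c0nstructed-key!"  # 16-byte constructed key
ORIGINAL_DOC = b"%PDF-1.4\n" + b"Quarterly report, constructed sample text. " * 4
VICTIM_PNG = PNG_MAGIC + bytes(range(256)) * 2
ENC_DOC = xor_repeating(ORIGINAL_DOC, KEY)
ENC_PNG = xor_repeating(VICTIM_PNG, KEY)


def demo() -> bytes:
    """Use the known pair to recover the key, then restore the other file."""
    key = recover_key(ENC_DOC, ORIGINAL_DOC)
    assert key is not None, "keystream showed no repeating period"
    return xor_repeating(ENC_PNG, key)


if __name__ == "__main__":
    print("restored PNG intact:", demo() == VICTIM_PNG)
```

With a 16-byte key, an 8-byte PNG signature alone is not enough known plaintext, which is why the full-file pair is the practical route for a decryptor.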
Jan. 10, 2017. The Los Angeles Valley College ends up paying a huge ransom of $28,000 in a newsmaking ransomware incident. An aggressive crypto infection had rendered the school’s voicemail and email systems inoperable. Obviously, a viable data backup strategy could have saved the educational institution a pretty penny.
Jan. 10, 2017. A new file-encrypting strain called the Spora ransomware is spotted in the wild. Its crypto implementation is flawless, so it’s impossible to restore mutilated data without submitting the ransom. This perpetrating program uses a top-notch payment service with built-in tech support. The size of the ransom depends on whether the victim is a home user or an organization.
Jan. 9, 2017. Cybercrooks zero in on unprotected MongoDB servers. It took the threat actors less than one week to hijack over 28,000 MongoDB databases all over the world. To regain access to the hostage data, server owners are instructed to cough up 0.1-1 BTC.
Jan. 9, 2017. The Merry X-Mas ransom Trojan starts depositing an extra infection called DiamondFox on targeted machines. The accompanying malware steals passwords, facilitates hacking via Remote Desktop Protocol, and turns plagued computers into bots for spam generation or DDoS attacks.
Jan. 7, 2017. An unidentified group of extortionists pulls off a social engineering campaign targeting schools in the United Kingdom. Impersonating UK government officials, the criminals cold-call school staff and state that they need to send guidance forms to the head teacher. The rogue emails actually contain contagious ZIP attachments that instantly trigger the ransomware infection chain followed by a whopping £8,000 ransom demand.
Jan. 4, 2017. Security analysts at CERT Polska publish a comprehensive report on the CryptoMix/CryptFile2 ransomware. The experts discovered that the infection uses the Rig-V exploit kit to propagate, encrypts files with a 256-bit AES key, disables Volume Shadow Copy Service to prevent easy recovery, and requires 5 Bitcoins to decrypt data.
Jan. 4, 2017. A new strain called the Merry X-Mas ransomware, or MRCR, is discovered. It arrives with spam emails containing malicious executables disguised as PDF files. The infection displays a Christmas-themed HTA ransom note and appends one of the following extensions to mutilated files: .mrcr1, .rmcm1, .rare, .merry, or .pegs1.
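The shadow-copy deletion mentioned in the CERT Polska entry is one of the few loud things ransomware does before encrypting, which makes it a good detection point. The following added example (not from the page or the report) flags the well-known tampering commands in process-creation telemetry; it assumes a simplified key=value event format modelled on Sysmon Event ID 1, and the five sample events are constructed.

```python
"""Flag shadow-copy and recovery tampering in process-creation events.

Added example, not from the page or CERT Polska's report. It assumes a
simplified key=value event format modelled on Sysmon Event ID 1 and uses
well-known commands ransomware runs before encrypting; the sample events
are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events: three from a malicious chain, two benign.
SAMPLE_EVENTS = [
    'EventID=1 ProcessId=4120 Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe" '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=1 ProcessId=4133 Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe" '
    'CommandLine="cmd.exe /c wmic shadowcopy delete & bcdedit /set {default} recoveryenabled No"',
    'EventID=1 ProcessId=4150 Image="C:\\Windows\\System32\\wbadmin.exe" '
    'ParentImage="C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe" '
    'CommandLine="wbadmin delete catalog -quiet"',
    'EventID=1 ProcessId=2201 Image="C:\\Windows\\System32\\vssadmin.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="vssadmin list shadows"',
    'EventID=1 ProcessId=2210 Image="C:\\Windows\\explorer.exe" '
    'ParentImage="C:\\Windows\\System32\\userinit.exe" '
    'CommandLine="C:\\Windows\\explorer.exe"',
]

# Each rule: (label, pattern). Patterns tolerate the .exe suffix, extra
# whitespace and mixed case, and match inside cmd.exe /c wrappers.
SHADOW_TAMPER_RULES: List[Tuple[str, re.Pattern]] = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit disable recovery", re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Parent binaries living in user-writable directories raise the priority of a hit.
_USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line)}


def classify(cmdline: str) -> List[str]:
    """Return the labels of every tampering rule the command line matches."""
    return [label for label, rx in SHADOW_TAMPER_RULES if rx.search(cmdline)]


def scan(lines: List[str]) -> List[Tuple[int, str, str, bool]]:
    """Return (pid, parent image, rule label, parent_in_user_writable_dir) per hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        parent = ev.get("ParentImage", "")
        for label in classify(ev.get("CommandLine", "")):
            hits.append((int(ev["ProcessId"]), parent, label,
                         bool(_USER_WRITABLE.search(parent))))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

A benign `vssadmin list shadows` from an administrator produces no hit, while the chained `cmd.exe /c` line yields two separate hits, one per tampering command.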
Jan. 4, 2017. Emsisoft CTO and security researcher Fabian Wosar manages to defeat the encryption of Globe ransomware version 3, the newest edition in this nefarious lineage. The free automatic decryptor can restore files with the .decrypt2017 and .hnumkhotep extensions.
Jan. 3, 2017. Malware authors cook up several infections using the FSociety brand name, which stands for a high-profile hacking ring from the Mr. Robot television series. While trying to follow suit, real-world attackers have launched three ransomware families, two screen-locking Trojans, and a DDoS botnet.
The moral of the story is that the IT world is confronted with an increasingly crafty adversary. Although numerous IT experts have teamed up to tackle the menace, free decryption tools are still the exception rather than the rule. Under the circumstances, data backups are a godsend because they reduce the damage from ransomware attacks. Also, prevention through timely software patches, caution with email attachments and proper web browsing hygiene can work wonders.