Important ransomware events in February 2017
The chronicle below covers the significant ransomware-related incidents that hit the headlines in February 2017. An influx of sophisticated Android lockers, along with brazen attacks against government institutions and educational establishments, were serious wake-up calls for the security industry. On the other hand, researchers pushed back by building and releasing quite a few free decryption tools.
Feb. 23, 2017. The latest variant of the Android.Lockdroid.E ransomware has a speech recognition feature under the hood: instead of typing, victims must speak the unlock code they receive once the ransom has been paid.
Feb. 22, 2017. ESET spots a ransom trojan called Patcher that targets Mac OS X. It is distributed as fake "patcher" applications for commercial Mac software, hence the name. The encryption routine is sloppy: the randomly generated key is never sent to the attackers, so hostage files cannot be decrypted even if the ransom is paid.
Feb. 22, 2017. Offbeat ransomware called Trump Locker is spotted in the wild. It appears to share code with the .NET-based Venus Locker sample. Trump Locker fully encrypts common document types but scrambles only the first 1024 bytes of other files, and it appends a different extension depending on which category a file falls into. For the partially encrypted category, this means everything past the first kilobyte of each file is left intact.
Feb. 22, 2017. Python-based ransomware isn't widespread, so every new strain is of interest. Researchers come across one dubbed PyL33T, which encrypts files with the symmetric AES algorithm and appends the .d4nk extension.
Feb. 21, 2017. ESET publishes a report on the evolution of Android ransomware. According to the research, detections of these threats grew by 50% in 2016 compared to 2015. Current trends in this niche include spam emails and unofficial app stores as the primary distribution channels, as well as payload encryption to evade detection.
Feb. 21, 2017. Avast releases a decryption tool for the CryptoMix ransomware. The free utility can restore files appended with one of the following extensions: .cryptoshield, .code, .lesli, .rmd, .rdmk, .rscl, or .scl.
Feb. 16, 2017. Fabian Wosar, CTO and malware researcher at Emsisoft, reverse-engineers and decrypts the new Hermes ransomware in a live video session.
Feb. 15, 2017. A new edition of the widely reported Cerber ransomware checks the target computer for installed antivirus, antispyware and firewall products. Rather than encrypting the files that belong to these products, it skips them and carries on with the attack, which suggests Cerber's developers do not regard security software as an obstacle to their campaign.
Feb. 14, 2017. Researchers from the Georgia Institute of Technology create a working proof-of-concept ransomware that targets SCADA and industrial control systems.
Feb. 14, 2017. According to Kaspersky's statistics for 2016, the overwhelming majority of ransomware families (about 75%) were created by the Russian-speaking cybercrime underground.
Feb. 9, 2017. Serpent ransomware, a new spam-borne threat spreading mostly in Denmark, arrives as a booby-trapped Microsoft Word email attachment that prompts recipients to enable macros. The ransom is 0.75 Bitcoin.
Feb. 9, 2017. A fresh specimen called DynA-Crypt comes with a backdoor that lets the threat actors steal victims' personally identifiable information. Beyond the usual extortion, it exfiltrates passwords, desktop screenshots and other sensitive data.
Feb. 8, 2017. The ID Ransomware online service can now identify 300 different crypto infections. Victims upload a ransom note or an arbitrary encrypted file, learn which family hit them, and can proceed to decryption if a tool for that family exists, which makes the service a valuable first step in the recovery process.
Feb. 7, 2017. A new strain called Erebus uses a trick to bypass the User Account Control (UAC) prompt while gaining elevated privileges on the targeted computer. Unlike most of its counterparts, Erebus demands an unusually low ransom of 0.085 Bitcoin (roughly $90 at the time).
Feb. 6, 2017. Android.Lockdroid.E, an advanced Android ransomware sample, starts using a malicious dropper in its extortion campaign. The dropper checks whether the device is rooted and tailors the rest of the compromise accordingly.
Feb. 3, 2017. The government of Licking County, Ohio, suffers a ransomware attack. The malware affected the county's website, computer network and phone systems, including the 911 emergency line.
Feb. 3, 2017. Two suspects are arrested in London on suspicion of compromising the CCTV system of Washington, D.C., a week before President Trump's inauguration. The ransomware attack took about 70% of the surveillance cameras in the US capital offline.
Feb. 3, 2017. A Ransomware-as-a-Service platform called Ranion emerges. Its operators claim it serves strictly educational purposes. There is an annual sign-up fee of 0.95 Bitcoin (about $1,100), and, unusually, the RaaS customers do not have to share any subsequent revenue with the developers.
Feb. 1, 2017. Avast releases three new decryption tools that allow ransomware victims to get their hostage data back for free. The decryptors support the following ransomware families: Hidden Tear, Jigsaw, and Stampado (Philadelphia).
Clearly, ransomware authors keep exploring new niches. The Android platform is being targeted more heavily than ever before, and so is Mac OS X. Home users, schools, large organizations and governments are all vulnerable. Hopefully, law enforcement and private-sector security companies will soon come up with effective ways to contain the epidemic.
Major ransomware events for January 2017
Crypto ransomware is the dominant predator on today's cyber threat landscape. A slew of malware from this cluster constantly prowls the Internet in search of victims, and PC users, organizations and even governments remain low-hanging fruit for these attacks. The plague appears to be running rampant in 2017, and adequate countermeasures have yet to be put in place. This timeline covers the noteworthy ransomware incidents that took place in January.
Jan. 31, 2017. CryptoShield 1.0, a new derivative of the CryptoMix ransomware, uses an elaborate infection chain built on a network of compromised websites. The hacked pages carry obfuscated EITest script that redirects visitors to the Rig exploit kit, which exploits unpatched software on the target PC to install the ransomware.
Jan. 31, 2017. Spora ransomware operators adopt an interesting technique to deliver their payload: hacked websites display a fake Chrome Font Pack update prompt, and the supposed update is nothing but the ransomware downloader.
Jan. 30, 2017. A ransomware specimen called Zyka is discovered. Having encrypted the victim's data with AES, it adds the .lock string to the original filenames and asks for the Bitcoin equivalent of $170. Fortunately, this one can be decrypted for free.
Jan. 27, 2017. A new version of the Jigsaw ransom trojan goes live. It concatenates the .[email protected] extension to encrypted files. Michael Gillespie, a security analyst who had devised the Jigsaw decryption tool earlier, updates his solution to handle the latest variant.
Jan. 20, 2017. Researchers release a free decryptor for the GlobeImposter ransomware. This sample mimics the Globe file-encrypting strain but uses different code and propagation channels. GlobeImposter appends the .crypt extension to encrypted files and leaves a ransom note named How_Open_Files.hta.
Jan. 19, 2017. A Ransomware-as-a-Service called Satan is gaining momentum. It gives would-be extortionists a turnkey ransomware build for free; in return, the creators of the RaaS take a 30% cut of all ransoms paid by victims.
Jan. 18, 2017. A new edition of the above-mentioned Spora ransomware behaves somewhat like a computer worm. It hides the existing files and folders on the drives it infects and plants booby-trapped .lnk shortcuts with the same names in their place. The ransomware routine proper launches as soon as an unsuspecting user double-clicks one of these innocuous-looking shortcuts.
Jan. 17, 2017. The one-year-old Cerber ransomware and the new Spora trojan appear to have much in common. Most strikingly, the two rely on the same malware distribution platform, which suggests that the operators of these campaigns are either the same people or closely connected extortion crews.
Jan. 17, 2017. The notorious Locky campaign is in steep decline: the volume of spam delivering it dropped by about 80% during the month. The decrease coincides with a period of inactivity of the Necurs botnet, the spam source most closely associated with Locky.
Jan. 12, 2017. Another day, another win for the white hats. The Emsisoft team creates a free decryptor for the various Merry X-Mas ransomware variants, including the latest one, which drops a ransom note named Merry_I_Love_You_Bruce.hta.
Jan. 12, 2017. Emsisoft cracks a new crypto strain called the Marlboro ransomware, which appends the .oops extension to victims' scrambled files. Analysts found a flaw in its implementation of the XOR cipher, and it took them just one day to release an automatic decryption tool.
Jan. 10, 2017. Los Angeles Valley College pays a hefty ransom of $28,000 in a widely reported incident after an aggressive crypto infection rendered the school's voicemail and email systems inoperable. A viable data backup strategy could have saved the institution a pretty penny.
Jan. 10, 2017. A new file-encrypting strain called the Spora ransomware is spotted in the wild. No flaw has been found in its crypto implementation, so there is currently no way to restore the mangled data without paying. The program uses a polished payment portal with built-in tech support, and the size of the ransom depends on whether the victim is a home user or an organization.
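The Marlboro entry above only says that its XOR implementation had a loophole. As an added illustration (not Marlboro's actual code and not the Emsisoft decryptor), the Python below models the typical weakness, a short key XORed repeatedly over each file, and shows how an analyst recovers such a key from a single encrypted file: a period estimate by autocorrelation, column-wise frequency analysis that exploits the zero padding found in most binary formats, and a known-plaintext cross-check against the file's magic number. The sample file, the key xorK3y!#42 and all function names are constructed for this example.

```python
import hashlib
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for a repeating-key XOR 'cipher' (encrypt == decrypt).
    Hypothetical model of the flaw, not any real family's routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(ct: bytes, max_len: int = 32) -> int:
    """Estimate the key period by autocorrelation. For the true period L (and
    its multiples) ct[i] == ct[i+L] exactly when pt[i] == pt[i+L], which is
    frequent in real files (zero padding, repeated structures); for other
    shifts the differing key bytes destroy that equality. Return the smallest
    shift whose coincidence rate is close to the best one."""
    rates = {}
    for L in range(1, max_len + 1):
        pairs = len(ct) - L
        if pairs <= 0:
            break
        hits = sum(1 for i in range(pairs) if ct[i] == ct[i + L])
        rates[L] = hits / pairs
    best = max(rates.values())
    return min(L for L, r in rates.items() if r >= 0.9 * best)


def recover_key(ct: bytes, key_len: int) -> bytes:
    """Column-wise frequency analysis: at every key position the most common
    ciphertext byte is almost always key_byte XOR 0x00, because 0x00 is the
    dominant byte in most binary file formats."""
    return bytes(Counter(ct[j::key_len]).most_common(1)[0][0] for j in range(key_len))


def key_prefix_from_known_header(ct: bytes, magic: bytes) -> bytes:
    """Known-plaintext cross-check: a file's magic number yields the first
    len(magic) key bytes directly."""
    return bytes(c ^ p for c, p in zip(ct, magic))


def decrypt_if_plausible(ct: bytes, key: bytes, magic: bytes):
    """Return the decrypted file only if it starts with the expected magic."""
    pt = xor_crypt(ct, key)
    return pt if pt.startswith(magic) else None


def _deterministic_noise(n: int) -> bytes:
    """High-entropy filler derived from SHA-256 so the sample is reproducible."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-sample-%d" % i).digest()
        i += 1
    return out[:n]


# Constructed victim file: PNG header, zero padding (as real images and
# executables contain), some high-entropy content, more padding.
SAMPLE_PT = PNG_MAGIC + b"\x00" * 200 + _deterministic_noise(300) + b"\x00" * 100
KEY = b"xorK3y!#42"  # hypothetical 10-byte key, all bytes distinct
SAMPLE_CT = xor_crypt(SAMPLE_PT, KEY)


def break_sample() -> bytes:
    """End to end: guess the period, recover the key, verify against the magic."""
    key_len = guess_key_length(SAMPLE_CT)
    key = recover_key(SAMPLE_CT, key_len)
    # the two independent recovery routes must agree on the leading bytes
    assert key[:len(PNG_MAGIC)] == key_prefix_from_known_header(SAMPLE_CT, PNG_MAGIC)
    return key


if __name__ == "__main__":
    k = break_sample()
    print("recovered key:", k)
    print("decrypts cleanly:", decrypt_if_plausible(SAMPLE_CT, k, PNG_MAGIC) == SAMPLE_PT)
```

The same approach fails, and a free decryptor is not possible this way, when the malware derives a fresh key per file from a proper random source and only keeps it in RSA-encrypted form, which is exactly why families with sound crypto such as Spora remain undecryptable.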
Jan. 9, 2017. Cybercrooks zero in on unprotected MongoDB servers. It took the threat actors less than a week to hijack over 28,000 Internet-exposed MongoDB databases around the world. To regain access to the hostage data, server owners are instructed to pay 0.1-1 BTC; in many cases, however, the attackers had simply dropped the databases rather than copied them, so paying recovered nothing.
Jan. 9, 2017. The Merry X-Mas ransom trojan starts dropping an additional infection called DiamondFox on targeted machines. The accompanying malware steals passwords, enables remote access over Remote Desktop Protocol, and turns infected computers into bots for spam generation or DDoS attacks.
Jan. 7, 2017. An unidentified group of extortionists runs a social engineering campaign against schools in the United Kingdom. Posing as UK government officials, the criminals cold-call school staff and say they need to email guidance forms to the head teacher. The emails that follow carry malicious ZIP attachments that trigger the ransomware infection chain, followed by a whopping £8,000 ransom demand.
Jan. 4, 2017. Security analysts at CERT Polska publish a comprehensive report on the CryptoMix/CryptFile2 ransomware. They found that the infection spreads via the Rig-V exploit kit, encrypts files with a 256-bit AES key, disables the Volume Shadow Copy Service so that the built-in Windows "previous versions" recovery route is unavailable, and demands 5 Bitcoins for decryption.
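CryptoMix's tampering with shadow copies is a behaviour shared by a great deal of ransomware, and it is one of the most reliable things to alert on, because it normally happens moments before encryption starts. The Python below is an added example (not from the CERT Polska report or any vendor product) that runs a small rule set over process-creation telemetry. The events are constructed here in a simplified tab-separated key=value rendering of Sysmon Event ID 1 fields (UtcTime, Image, CommandLine, ParentImage); the file names and paths in them are invented, and the rule names are this example's own.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 layout.
# The first five mimic what a ransomware dropper typically spawns; the last two
# are benign admin activity that naive substring matching would flag.
CONSTRUCTED_EVENTS = [
    "UtcTime=2017-01-04 10:12:03.117\tImage=C:\\Windows\\System32\\vssadmin.exe"
    "\tCommandLine=vssadmin.exe Delete Shadows /All /Quiet"
    "\tParentImage=C:\\Users\\victim\\AppData\\Roaming\\dropper.exe",
    "UtcTime=2017-01-04 10:12:03.402\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "\tCommandLine=wmic.exe shadowcopy delete /nointeractive"
    "\tParentImage=C:\\Users\\victim\\AppData\\Roaming\\dropper.exe",
    "UtcTime=2017-01-04 10:12:03.655\tImage=C:\\Windows\\System32\\bcdedit.exe"
    "\tCommandLine=bcdedit.exe /set {default} recoveryenabled No"
    "\tParentImage=C:\\Windows\\System32\\cmd.exe",
    "UtcTime=2017-01-04 10:12:04.010\tImage=C:\\Windows\\System32\\net.exe"
    "\tCommandLine=net stop vss"
    "\tParentImage=C:\\Windows\\System32\\cmd.exe",
    "UtcTime=2017-01-04 10:12:04.300\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    '\tCommandLine=powershell.exe -NoP -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'
    "\tParentImage=C:\\Users\\victim\\AppData\\Roaming\\dropper.exe",
    "UtcTime=2017-01-04 11:00:00.000\tImage=C:\\Windows\\System32\\vssadmin.exe"
    "\tCommandLine=vssadmin.exe list shadows"
    "\tParentImage=C:\\Windows\\System32\\cmd.exe",
    "UtcTime=2017-01-04 23:00:00.000\tImage=C:\\Windows\\System32\\wbadmin.exe"
    "\tCommandLine=wbadmin start backup -backupTarget:E: -include:C: -quiet"
    "\tParentImage=C:\\Windows\\System32\\svchost.exe",
]

# Rule name -> regex applied to the lower-cased, whitespace-normalised command line.
# Each one is a recovery-inhibition technique rather than a mere tool name, so
# 'vssadmin list shadows' or a scheduled 'wbadmin start backup' does not fire.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize="),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin_delete_backups": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b"),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    "vss_service_stopped": re.compile(r"\b(?:net1?|sc)(?:\.exe)?\b.*\b(?:stop|config)\s+vss\b"),
    "powershell_shadowcopy_delete": re.compile(
        r"\bwin32_shadowcopy\b.*\b(?:delete|remove-(?:wmiobject|ciminstance))"),
}


def parse_event(line: str) -> dict:
    """Split one tab-separated key=value event into a dict (values may contain '=')."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def match_rules(command_line: str) -> list:
    """Return the names of every rule the command line triggers."""
    cmd = " ".join(command_line.split()).lower()
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_events(lines) -> list:
    """Run the rule set over events; keep parent image for triage context."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rules = match_rules(ev.get("CommandLine", ""))
        if rules:
            hits.append({
                "time": ev.get("UtcTime"),
                "rules": rules,
                "image": ev.get("Image"),
                "parent": ev.get("ParentImage"),
                "cmd": ev.get("CommandLine"),
            })
    return hits


if __name__ == "__main__":
    for h in scan_events(CONSTRUCTED_EVENTS):
        print(h["time"], ",".join(h["rules"]), "parent:", h["parent"], "|", h["cmd"])
```

In production, pair the rules with an allow-list of parent processes belonging to legitimate backup agents, and treat even a single hit from a process started out of a user profile directory (as in the constructed events) as an incident, not a ticket: by the time this telemetry arrives, encryption is usually seconds away, and isolating the host is the only action that still preserves data.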
Jan. 4, 2017. A new strain called the Merry X-Mas ransomware, or MRCR is discovered. It arrives with spam emails containing malicious executables disguised as PDF files. The infection displays a Christmas-themed HTA ransom note and appends one of the following extensions to mutilated files: .mrcr1, .rmcm1, .rare, .merry, or .pegs1.
Jan. 4, 2017. Emsisoft CTO and security researcher Fabian Wosar defeats the encryption of Globe ransomware version 3, the newest member of this nefarious lineage. The free automatic decryptor can restore files with the .decrypt2017 and .hnumkhotep extensions.
Jan. 3, 2017. Malware authors cook up several infections under the FSociety brand name, borrowed from the fictional hacking collective in the Mr. Robot television series. Following the show's lead, real-world attackers have launched three ransomware families, two screen-locking trojans and a DDoS botnet under that name.
The moral of the story is that the IT world faces an increasingly crafty adversary. Although numerous IT experts have teamed up to tackle the menace, free decryption tools remain the exception rather than the rule. Under the circumstances, data backups are a godsend because they limit the damage a ransomware attack can do. Prevention through timely software patching, caution with email attachments and sound web browsing hygiene also works wonders.