Top ransomware records for September 2017

Whereas September was generally slow ransomware-wise, it was a month of really weird strains. One of them asked for nude pictures of the user instead of money, another one simply mutilated data without the slightest chance for decryption. Some of the noteworthy events that at least make sense include the onset of a new Locky version, another huge wave of ransom attacks targeting servers, and predictable updates of existing families like GlobeImposter and Jigsaw.

Sept. 28, 2017. Security researchers discover LaserLocker, a malicious tool designed to streamline the process of creating screen locking ransomware. All it takes to generate a custom locker is think up the ransom note and tick a few checkmarks for disabling things like System Restore and Task Manager on an infected host.

Sept. 25, 2017. A new ransomware sample called nRansom goes an entirely different route than the rest. Rather than demand cryptocurrency for data decryption, it instructs victims to send 20 nude pictures of themselves. Some extortionists, apparently, aren’t motivated by financial gain.

Sept. 23, 2017. IT analysts spot an outbreak of RedBoot, a really offbeat blackmail Trojan. Similarly to the notorious NotPetya, or ExPetr, this one cripples an infected computer’s master boot record (MBR) and partition table. The worst part is that RedBoot isn’t equipped with a viable recovery mechanism, so it appears to be either a wiper or a buggy ransomware.

Sept. 22, 2017. Another fresh strain called InfinityLock leverages quite an unusual tacticto pressure victims into coughing up Bitcoins for their data. It shows a phony Command Prompt window that’s actually an animated screen imitating commands being typed by a hacker. This specimen’s payload is disguised as Adobe Premier ‘crack’.

Sept. 21, 2017. The distribution of the latest Locky ransomware persona dubbed Ykcol is backed by several concurrent malspam waves. These campaigns are run by six different cybercriminal groups. The phishing themes include ‘new voice message in mailbox’, ‘status of invoice’, and ‘Herbalife order number’.

Sept. 21, 2017. Online extortionists stick with the Hidden Tear proof-of-concept ransomware to devise real-life samples. An umpteenth abuse case involving this educational specimen gives rise to a new blackmail virus called CyberDrill. This culprit demands a huge ransom of 5 BTC (about $26,000) for the private decryption key.

Sept. 20, 2017. Administrators of some Eastern European ‘Dark Web’ forums are reportedly disputing the idea of promoting ransomware via their shady resources. Some of their arguments for dropping this activity are as follows: ransomware attracts attention to malware in general, increases users’ overall security awareness, and relies on luck rather than intelligence.

Sept. 18, 2017. A brand new variant of the Locky ransomware is released. It stains encoded data entries with the .ykcol extension token and drops ransom how-to’s named ykcol.htm and ykcol.bmp. As before, this iteration is making the rounds through malspam spawned by Necurs, one of the biggest botnets around.

Sept. 13, 2017. An offending program called the Paradise ransomware is rapidly paving the way towards worldwide propagation. An interesting fact is that it is distributed on a Ransomware-as-a-Service (RaaS) basis, a widespread malicious affiliate model. The infection employs asymmetric RSA cryptosystem to lock files and blemishes them with the .paradise extension prepended with the attackers’ email address.

Sept. 12, 2017. The developers of GlobeImposter, one of the most frequently updated ransomware strains, pay tribute to the 40th U.S. President in their own, very special way. The most recent version of this blackmail malware appends the .reaGAN extension to enciphered data and instructs victims to reach the attackers at Ronald_Reagan@derpymail.org for decryption clues.

Sept. 11, 2017. The Jigsaw ransomware lineage produces two new editions in one day. Both of them zero in on users in Poland, judging by the language of the ransom notes. The extensions appended to hostage files are .pablukCRYPT and .pabluk300CrYpT!. Fortunately, the previously developed free Jigsaw Decrypter tool supports these variants.

Sept. 9, 2017. One more Turkish ransomware named ApolloLocker appeared. It brings a lot more damage than just file encryption. ApolloLocker has a data theft component. It steals personal and bank data. The ransomware utilizes .locked file extension and creates ransom note named DOSYALARI-KURTAR.txt/url.

Sept. 8, 2017DilmaLocker virus discovered. This ransomware focuses on Portuguese-speaking victims. It marks locked files with the ._dilmaV1 extension and provides restoration advice in a text file  called RECUPERE_SEUS_ARQUIVOS.html.

Sept. 7, 2017. In an attempt to circumvent detection by antimalware suites, the authors of the above-mentioned GlobeImposter ransomware manage to get their newest malicious binary signed with a valid digital signature. The good news is, the Comodo CA revoked the certificate later on that day.

Sept. 6, 2017. Another ransomware with a trivial name Hacked attempts to be bilingual. The ransomware in question adds the .hacked extension to locked files. Hacked malware comes with a GUI that has English and Italian versions. The virus asks for $2,000 and puts a short deadline of just 3 days.

Sept. 5, 2017. A fresh sample called the SynAck ransomware turns out to be a serious threat to businesses. It tends to infect corporate networks via poorly secured RDP connections. The perpetrating code encrypts proprietary files and concatenates a victim-specific random 10-character string to each one. The crooks demand a ransom of $2,100 payable in Bitcoin.

Sept. 4, 2017. Cybercriminals attack about 26,000 MongoDB web servers that use weak or default authentication. The content of the hijacked databases was replaced with a ransom note asking for 0.5 Bitcoin and coercing victims to contact the threat actor at cru3lty@safe-mail.net. It’s noteworthy that a different hacker group hit approximately the same number of MongoDB databases in early January 2017.

Sept. 2, 2017.

CryptoMix, which is one of the most common types of ransomware around, gets a new variant. The infection encrypts files and ads new names consisting 32 hexadecimal characters with the .arena extension in the end. The ransom note is named _HELP_INSTRUCTION.txt.

Sept. 1, 2017. The architects of a new malspam campaign spreading the Locky ransomware start using a really intricate payload execution technique. It revolves around run-on-close macros. In a nutshell, this means that the contamination chain commences when a victim closes a trojanized Word file attached to a phishing email. Some security solutions don’t flag this type of payload delivery as malicious, so the infection sneaks inside undetected.

To recap, it’s hard to call September groundbreaking as far as the ransomware plague is concerned. It’s sort of disconcerting, though, that malware analysts didn’t release any free decryption tools during the month. Hopefully, this will change in October. Anyway, when confronted with one of these cyber culprits, the only effective way to sort things out is to restore data from an up-to-date backup.

To see our entire Ransomware News archive going back to January, please click here…