Reviewing Last Month’s Ransomware

By David Balaban

There were hardly any massive ransomware outbreaks last month; smaller outbreaks continued, however. The criminals must have been busy prepping for the holidays. The online extortion activity didn’t stand still, though. A new wave of MongoDB database hijacking for ransom got millions of voters in California nervous. To top it off, healthcare facilities and counties kept falling victim to Mac ransomware. Keep reading this chronicle for December to learn more.

Dec. 1, 2017
Experts from Zscaler cybersecurity firm unveil links between two independently crafted ransomware samples called Bugware and Vortex that share common roots code-wise. Both are based on the same open-source .NET codebase. The analysts compare these strains’ payload specificity, encryption workflow, and C2 infrastructure.

Dec. 2, 2017
An offbeat blackmail virus starts propagating in South Korea. Its uniqueness lies in free decryption of a victim’s data in case it spots Minecraft 1.11.2 on an infected machine. The author must be a big fan of the game. This infection appends the .RansomMine string to encoded files.

Dec. 4, 2017
The recently discovered HC7 ransomware might be decryptable for free under certain circumstances. According to researchers, victims may be able to retrieve the private RSA decryption key using RAM capture tools. There is a prerequisite to successful recovery via this forensic method. It works if the plagued computer has not been rebooted since the time of contamination.

Dec. 5, 2017
An unidentified ransomware sample infects the computer network of the Colorado Center for Reproductive Medicine. The institution’s management states that the impact may be bigger than data encryption alone. The threat actors may have obtained access to CCRM’s servers holding sensitive patient information.

Dec. 7, 2017
Part of the digital infrastructure of Mecklenburg County (North California) gets crippled by the LockCrypt ransomware. The contaminant affects the municipal financial reporting, child support enforcement, transaction processing, and a few more online services.

Dec. 8, 2017
GlobeImposter, one of the most widespread blackmail threats around, continues its well-trodden imitation trend. For the record, its initial version mimicked another strain called Globe. The most recent edition blemishes ransomed files with the .arena extension, the one used by the CrySiS/Dharma ransomware lineage.

Dec. 9, 2017
The perpetrating program codenamed Blind ransomware undergoes a tweak. Its new variant subjoins the .napoleon string to encrypted data entries. A noteworthy hallmark of this sample is the exploitation of IIS (Internet Information Services), which means that the payload is deposited and executed on computers manually.

Dec. 11, 2017
A brand new crypto infection called File Spider is spreading like wildfire in the Balkans. Specifically, its distribution is restricted to Croatia, Bosnia and Herzegovina, and Serbia. The pest is making the rounds via spam emails containing Microsoft Word attachments with malicious VBA macros. It concatenates the .spider extension to hostage files.

Dec. 13, 2017
Cybercriminals abuse the benign Hidden Tear ransomware project once again. This educational code becomes a basis for other real-world crypto malware. The fresh offshoot is dubbed TrOwX. It appends the .locked extension to encoded files and drops a ransom note named READ_AND_CRY.txt. Besides English-speaking victims, it targets users in China.

Dec. 15, 2017
A database containing confidential information of more than 18 million Californian voters gets compromised as a result of a new wave of the notorious MongoDB server breaches. The attackers exported database content and left a ransom note demanding 0.2 Bitcoin for returning the information.

Dec. 18, 2017
A new ransomware distribution campaign is discovered that stands out from the rest. It props the circulation of the WannaDecryptor infection. The harmful binary is bundled with a cryptocurrency multiplier called Bitcoin-x2 v5.1. Since users are not alerted in any way about the extra component of the download, they get their data encrypted instead of obtaining more Bitcoin. Earlier, this group focused on victims from South Korea.

Dec. 19, 2017
Thomas Bossert, President Trump’s homeland security adviser, makes an official statement regarding the attribution of the WannaCry ransomware outbreak from May this year. According to it, the White House has evidence of North Korean hackers’ involvement in this extortion wave.

Dec. 20, 2017
Romanian police chase down and apprehend five people on suspicion of spreading the infamous CTB-Locker and Cerber blackmail malware throughout Europe and the U.S. Whereas that’s certainly good news, the arrestees are mere distributors of the Trojans, and the authors remain unidentified.

Dec. 21, 2017
The underground ransomware business appears to be getting less profitable. At least, that’s the conclusion one can draw from the shift in the activity of the cybercriminal group behind the VenusLocker ransomware. The crooks have reportedly abandoned online extortion and started peddling Monero mining programs instead.

Dec. 28, 2017
CryptoMix, one of the oldest active ransomware strains in the wild, gets a minor facelift. Its latest variant switches to concatenating the .tastylock string to hostage files. The name of the ransom note (_HELP_INSTRUCTION.txt) remains the same, but the content has changed a bit. Now it instructs victims to send email to [email protected] for decryption steps.

The destructive ransomware plague is underway, with some ups and downs occurring once in a while. This fact should incentivize home users and organizations to adopt dependable backup strategies so that the damage from an e-blackmail attack is reduced to the minimum.

In summary, the ransomware epidemic is still around and it’s getting nastier. Unfortunately, there is no vaccine for this cyber menace, so data backups continue to be the best thing since sliced bread when it comes to preventing the worst-case scenario. So back it all up and stay safe. Keep up with a year in review of Ransomware, here: http://www.cyberdefensemagazinebackup.com/ransomware-news/

About the Author
David Balaban is a frequent writer for CDM, a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

June 30, 2019
