April 2017: The Month in Ransomware

Online extortionists took their attacks to a whole new level last month. They brought the infamous Locky monster back to life after more than three months of hiatus. The architects of the Jigsaw ransomware campaign were busier than ever, contriving seven new variants of their plague. The Hidden Tear, EDA2, and CryptoWire proof-of-concept ransomware projects gave rise to a slew of real-world spinoffs.

The quantitative summary for April is as follows: 41 new strains appeared, 22 old ransomware samples were updated, and six decryption tools were released by researchers. Read the report below to learn more.

APRIL 1, 2017

Security loophole in Gigabyte BRIX firmware spotted

It turns out the firmware for Gigabyte BRIX compact PC kits is susceptible to ransomware attacks. Taking the floor at Black Hat Asia 2017, researchers from Cylance presented a proof-of-concept UEFI ransomware that exploits two vulnerabilities in the vF6 and vF2 firmware versions for the GB-BSi7H-6500 and GB-BXi7-5775 models, respectively.

APRIL 2, 2017

New ransomware codebase surfaces

A strain called GX40 appears to be a potential codebase for cooking up other extortion tools. This particular infection stains one’s files with the .encrypted extension and instructs victims to contact [email protected] for recovery steps.

First GX40 offspring spotted

Researchers’ apprehension regarding the GX40 code starts materializing as its first spinoff takes root. The somewhat crude derivative uses the [email protected] address to interact with victims.

AngryKite ransomware is angry indeed

This sample badly scrambles file names and affixes the .NumberDot string to each one. A hallmark sign of AngryKite is that it tells victims to dial 1-855-455-6800 to sort things out.

DeathNote Hackers ransomware

Having infected a computer, the strain in question displays a screen with the “DeathNote Hackers” inscription, hence the name. It uses the Rijndael block cipher to lock victims’ files down and demands a ransom of 0.5 BTC. Security analysts were able to get hold of the unlock code, which is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.

APRIL 3, 2017

The almost cute Fluffy-TAR

This cyber baddie has English and French editions of the ransom note in store and adds a PNG image of a pink fluffy creature wearing sunglasses, whatever that is supposed to mean. Fluffy-TAR appends the .lock75 extension to encoded files and asks for 0.039 BTC to restore data.

Cerber gets some fresh make-up

The latest variant of Cerber has switched to a new combo of ransom how-to files. The updated editions are called _READ_THI$_FILE_[random characters]_.hta/jpeg/txt.

Amadeous creation still in progress

The code of this in-development HiddenTear-based sample has clues suggesting that the author’s name is Paul. In fact, researchers came across this project a while ago. Paul appears to have been quite busy working on his infection lately; at least, he finally came up with “Amadeous” as its name.

Faizal is your commonplace ransomware

Another offspring of the questionably sensible HiddenTear PoC project is found. It’s called Faizal, and its ransom note is in Indonesian. This infection uses the .gembok string to label affected files.

APRIL 4, 2017

PadCrypt takes after Spora in a way

The Tor payment site used by PadCrypt contains a new review page. It says victims can get a partial refund of their ransom on condition that they give the decryption service good feedback. Another widespread threat called Spora was the first to introduce such a feature in early February.

Bart ransomware cracked

Bitdefender devises a free decryptor for Bart ransomware. It supports locked files with the .bart, .bart.zip, and .perl extensions appended to them.

New GX40 derivative

Cybercrooks use the code of the above-mentioned GX40 ransomware to coin one more descendant. Its fresh incarnation requests 0.02 BTC for decryption and uses the [email protected] email address to interact with those infected.

New Jigsaw variant is out

The latest Jigsaw edition blemishes one’s encrypted files with the .I’WANT MONEY suffix and tells victims to contact the extortionists via [email protected].

APRIL 5, 2017

A ray of hope for Vortex victims

Michael Gillespie, the creator of the commendable ID Ransomware service, tweets that he can decrypt data held hostage by Vortex / Floreta. Those hit by said Trojan should contact the researcher for assistance.

Samas ransomware tweak

An updated version of Samas, also referred to as SamSam, goes live. It concatenates the .skjdthghh string to files and leaves the following decryption how-to manual: 009-READ-FOR-DECCCC-FILESSS.html.

PadCrypt update

PadCrypt, which had recently hit the headlines with its new abominable review service, gets a bit of fine-tuning and reaches version 3.5.0.

Fantom RaaS may pop up anytime soon

When reversing the latest iteration of Fantom, security analysts stumbled upon something interesting. Its code now contains a ‘PartnerID’ value. This ostensibly insignificant nuance may indicate a serious concern, though: it’s quite possible that the crooks are about to launch a Ransomware-as-a-Service platform for Fantom.

The army of CryptoWire spinoffs gets a new soldier

Although the proof-of-concept ransomware called CryptoWire originally contained no panel, so that felons weren’t likely to abuse it for real-world attacks, the author’s preemptive measure didn’t work. First, there were the Lomix and UltraLocker pests that borrowed the code uploaded to GitHub. And now there is another one called “[email protected]”, which propagates as an AA_V3.exe file.

Another Python-based troublemaker

Researchers spot a new ransomware sample coded in Python. It instructs victims to submit 0.3 BTC within three hours, or else the hostage data will purportedly become irrecoverable.

HiddenTear abused again

The educational HiddenTear project gives rise to one more real-life menace. It’s a Turkish strain referred to as Kripto. This infection displays a warning window titled “Dikkat”, which is Turkish for “Attention”.

APRIL 6, 2017

LMAOxUS sample demonstrates PoC exploitation

An Indian black hat hacker who goes by the online handle “Empinel” has adjusted the open-source code of the EDA2 proof-of-concept ransomware for actual extortion activity. In particular, he was able to eliminate a backdoor left by the EDA2 author; therefore, third-party interference with the campaign behind the scenes is no longer possible.

Teenager apprehended in Austria over ransomware incident

Austrian law enforcement tracks down and arrests a 19-year-old man on suspicion of plaguing the IT network of a Linz-based company with the Philadelphia ransomware. The attack rendered data on the target organization’s servers inaccessible. Although the crook demanded a ransom of $400 for recovery, the company never paid up and restored all information from backup.

“Rensenware” joke infection wants you to play a game

A developer nicknamed Tvple Eraser, who most likely resides in Korea, creates a program called Rensenware. Unlike conventional ransom Trojans, this one doesn’t demand money for data decryption. Instead, it tells victims to score 200 million points on the LUNATIC difficulty level of the TH12 ~ Undefined Fantastic Object shooting game. Later on, the dev reached out to popular security resources, stating that it was a joke. Nevertheless, people got infected for real.

A cybercrime ring’s earnings revealed

Researchers from F5 Labs, a company specializing in application threat intelligence, got hold of statistics for a ransomware campaign exploiting the Apache Struts vulnerability cataloged as CVE-2017-5638. According to their findings, the crooks made 84 BTC (about $98,000) in ransom since March 10, 2017.

Cry9 ransomware encryption defeated

Fabian Wosar, the chief technical officer at Emsisoft, creates a decryption tool for Cry9. This strain uses multiple extensions to label encoded data entries, including .[id][email protected], .[id]_[[email protected]].xj5v2, and .[id]_[wqfhdgpdelcgww4g.onion.to].r2vy6.

APRIL 7, 2017

Researchers react to questionable SCADA ransomware claims

An article on proof-of-concept SCADA and ICS ransomware called ClearEnergy, published by Security Affairs on April 5, draws a great deal of criticism from the security community. Some analysts blame the PoC authors at CRITIFENCE for not conducting proper research and for making unverified claims about alleged real-world attacks.

Matrix ransomware boasts high-profile distribution

Although this infection isn’t new, it’s not until recently that it has started propagating on a large scale. The circulation of its current edition reportedly relies on the EITest campaign and the RIG exploit kit.

Cerberos ransomware is nothing out of the ordinary

In spite of the fact that this Trojan’s name sounds similar to Cerber, there are no ties between the two. The somewhat primitive Cerberos appears to be a CyberSplitterVBS spinoff.

APRIL 8, 2017

New sample configured to stain data with the .kilit suffix

A group of researchers called MalwareHunterTeam (MHT) comes across crude in-development ransomware that’s set to append the .kilit string to encrypted files. Details of the discovered code indicate that the author may be from Turkey. Interestingly, this one parses its configuration from a page hosted at Blogspot.

APRIL 9, 2017

Serpent ransomware keeps crawling

A new edition of the Serpent Trojan surfaces. It subjoins the .serp extension to hostage files and drops a README_TO_RESTORE_FILES_[random string].txt document with ransom instructions.

APRIL 10, 2017

Cry9 decryptor made more efficient

Emsisoft CTO Fabian Wosar updates his free decryptor for Cry9, which infects computers via RDP. The new version of the decryption tool can handle more Cry9 variants and boasts better performance.

APRIL 11, 2017

Crooks won’t stop using open-source Hidden Tear

Although the academic ransomware project called Hidden Tear originally pursued benign educational goals, it has spawned numerous real-life derivatives. Security analysts stumbled upon another one of these spinoffs, which uses the .locked extension to label encrypted files. Its warnings are in Portuguese and it has a GUI, which isn’t common for Hidden Tear-based samples.

Minor change made to BTCWare

The latest version of the BTCWare ransom Trojan has switched to a new email address for communication with victims. It instructs those infected to shoot a message to [email protected].

Eduware trying to be helpful

The strain called Eduware, or the Kindest Ransomware Ever, enciphers data for real but doesn’t engage in extortion proper. Instead, it decrypts files after the victim watches an instructive YouTube video about ransomware as a phenomenon.

APRIL 12, 2017

Mole ransomware spreads in an unusual way

The distribution vector used by the new Mole ransomware involves malspam that encourages recipients to click on a link redirecting to a bogus web page titled “Microsoft Word Online”. The document on that site looks corrupted, and the victim is told to download and install a rogue plugin to view the content. The plugin, though, is actually the ransomware payload. This Trojan uses the .MOLE file extension and an INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt ransom note.

Meet Anthony, a newbie extortionist with ambitions

MHT spots a new Hidden Tear offspring whose maker’s name might be Anthony; at least, that’s what certain attributes in its code suggest. This one appends files with the .rekt extension.

Jigsaw variant targeting a French-speaking audience

A fresh sample from the Jigsaw family blemishes hostage files with the .crypte extension and displays a ransom alert in French.

El-Diablo, another Hidden Tear clone

This in-dev ransom Trojan is configured to leave a decryption how-to called El-Diablo_ReadMe.txt. Based on code metadata, the developer’s nickname is “SteveJenner”.

New Globe v3 version takes after Dharma

The latest build of Globe v3 appears to mimic the Dharma pest. In particular, it appends the .[[email protected]].wallet string to encrypted files.

Jigsaw family keeps expanding

Security researchers spot a Jigsaw edition that concatenates the .lcked extension to affected data entries and uses a new scary-looking background for its ransom warning.

Lame ransomware builder on the table

Although this new malicious tool looks like it allows would-be extortionists to create their own viable ransomware, it actually provides some junk open-source code to copy and compile. It comes with a .NET UI.

APRIL 13, 2017

CradleCore ransomware kit

A growing trend in the cybercrime environment revolves around Ransomware-as-a-Service (RaaS) portals. The perpetrators who created Cradle, however, ended up going a different route. They are selling their source code, called CradleCore, to anyone who wants to try their hand at online extortion. Negotiations regarding the price start at 0.35 BTC.

APRIL 14, 2017

Officially, Cerber is today’s prevalent ransomware threat

According to the Q1 2017 report released by Malwarebytes Labs, Cerber outperforms all the other crypto threat families by far. Its market share reached a whopping 86.98% in March.

Hidden Tear PoC abused once again

A new offspring of the Hidden Tear open-source educational code is spotted. It leaves a ransom note named READ_IT_FOR_GET_YOUR_FILE.txt. The creator is most likely from Thailand. An offbeat hallmark sign of this Trojan is that it appends one’s files with one of four extensions chosen at random. These include .loveyouisreal, .okokokokok, .ranranranran, and .whatthefuck. The email address to reach the attacker is [email protected].

pyCL ransomware devs try a new spreading tactic

The pyCL ransomware, which is a Python-based CTB-Locker replica, starts proliferating via malicious Word documents. It appends the .crypted extension to files and creates a shortcut named “Decrypt My Files” pointing to the index.html ransom note.

Small tweak made to the Dharma ransomware

The newest variant of Dharma stains its victims’ encrypted files with the .onion extension preceded by the following string: .id-[random].[[email protected]].

APRIL 15, 2017

German screen locker surfaces

A new ransom Trojan is discovered that locks the screen rather than encrypting data. It displays a picture of the villain from the Jigsaw movie on its warning screen. Researchers were able to obtain two applicable unlock codes: HaltStopp! and 12344321.

Schwerer ransomware spotted

This one is coded in the AutoIt scripting language. It requests €150 to unlock files. The ransom must be paid within three days.

APRIL 16, 2017

Troldesh ransomware update

The only conspicuous change made to Troldesh, also known as Shade, is the new .dexter extension concatenated to hostage files. It still leaves a series of README[0-10].txt ransom notes and displays a desktop background with warning text in Russian and English.

Ransomware named after notorious computer worm

A new strain called C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E appends an apropos .conficker extension to encrypted files. It drops a recovery how-to named Decrypt.txt and demands 0.5 BTC for decryption.

Malabu ransomware pops up

The Malabu ransom Trojan originally asks for the Bitcoin equivalent of $500, but the amount goes up to $1,000 after 48 hours. The crooks use some bad language in the ransom note and the file extension.

APRIL 17, 2017

SnakeEye is underway

Threat actors identifying themselves as the “Snake Eye Squad” appear to be working on SnakeEye. It is based on crude, open-source code available online.

Ransomware that obliterates data

A new unnamed sample developed by someone from Turkey doesn’t work right. It deletes victims’ files beyond recovery instead of encrypting them.

APRIL 18, 2017

Academic ransomware gives rise to a RaaS

Cybercriminals behind the file-encrypting infection called Karmen have started distributing their harmful program on a Ransomware-as-a-Service basis, which is a malicious counterpart of regular affiliate networks. A really disconcerting thing about this whole story is that the code of Karmen is based on Hidden Tear.

Atlas, another threat to watch out for

Having encrypted one’s files, the strain in question appends them with the .ATLAS extension and drops a recovery walkthrough named ATLAS_FILES.txt.

APRIL 19, 2017

LOLI RanSomeWare released

Whether it’s a deliberate misspelling or utter ignorance, the Korean author of LOLI RanSomeWare chose to dub his brainchild this way. The pest affixes the .LOLI suffix to locked files.

APRIL 20, 2017

Jigsaw assumes new characteristics

The background of the new Jigsaw variant’s warning window now features images of the Joker and Batman. This edition concatenates the .fun extension to hostage data entries and threatens to delete an increasing number of files until the ransom is submitted.

Karmen ransomware becomes Mordor

The Karmen ransomware, which started propagating via a RaaS portal a few days back, transforms into a crypto infection called Mordor. It is attributed to the Russian cybercriminal underground.

Crappy Hidden Tear spinoff goes live

A new derivative of the open-source Hidden Tear is spotted in the wild. It uses the .locked extension to label scrambled data. The cipher-backed file processing currently applies to the desktop only, but the Trojan fails to complete the encryption and crashes.

APRIL 21, 2017

AES-NI distribution harnessing exploits

The AES-NI campaign reportedly leverages the NSA exploits recently leaked by the Shadow Brokers hacker group. The infection targets Windows servers, uses the .aes_ni_0day file extension, and drops a ransom note named “!!! READ THIS – IMPORTANT !!!.txt”.

The comeback of Locky

When it seemed that Locky had completely vanished from the extortion landscape, it reemerged after almost four months of inactivity. The pest arrives with malicious spam carrying fake payment receipts on board. The current Locky edition uses the Redchip2.exe payload.

Locky circulation keeps relying on Necurs

The new wave of Locky spam is reportedly Necurs botnet-borne. This particular tandem made the ransomware under consideration one of the top crypto menaces of 2016. The volume of this malspam is reaching tens of thousands of rogue emails per hour.

The OSIRIS edition of Locky is still the case

The authors of Locky still stick with the Egyptian mythology theme for the current variant of their creation. It’s the exact same build that was in rotation in late 2016. It concatenates the .OSIRIS extension to encrypted files and leaves a ransom note called OSIRIS-[4 random characters].htm.

APRIL 22, 2017

Brazilian JeepersCrypt ransomware

Judging by the name and design of the warning screen, this one pays homage to the Jeepers Creepers horror film. It adds the .jeepers suffix to every hostage file, demands 0.02 BTC for decryption and provides a 24-hour deadline to pay up.

APRIL 23, 2017

New features added to ID Ransomware

MHT extends the identification functionality of the ID Ransomware service. Those infected with crypto malware can now figure out which strain they are facing by entering the email address, Bitcoin wallet address, or Tor URL mentioned in the ransom note.

AES-NI infection making the rounds more actively

Indicators of compromise, in this case, include the .aes_ni_0day extension concatenated to locked files and a recovery how-to called “!!! READ THIS – IMPORTANT !!!.txt”. Interestingly, the ransom note states that the perpetrating program uses NSA exploits dumped by the Shadow Brokers hacker ring in mid-April.

“Hopeless” ransomware, a CryptoWire spinoff

Analysts come across a new derivative of the open-source CryptoWire, which is academic ransomware originally designed for educational purposes. Its warning screen is titled “Sem Solução” (“Hopeless” in Portuguese), hence the name. The infection blemishes files with the .encrypted extension. Fortunately, it is easy to crack: the decryption password is 123.

APRIL 24, 2017

XPan campaign dissected

Kaspersky Lab does an informative write-up on XPan. The proliferation of this sample is mostly confined to Brazil, and the threat actors deposit the bad code onto computers manually after brute-forcing targets’ RDP access credentials. Indicators of compromise include the .one extension appended to files and a “Recupere seus arquivos aqui.txt” ransom note, which is Portuguese for “Recover your files here”.

Getrekt version of Jigsaw – better luck next time

An umpteenth edition of Jigsaw shows up. Having scrambled one’s data, it affixes the .getrekt string to original filenames. Fortunately, researcher Michael Gillespie quickly updates his Jigsaw Decryptor tool to support this spinoff.

PshCrypt is such junk

A new ransom Trojan is spotted that stains files with the .psh extension and displays a primitive warning screen asking for 0.05 BTC. It didn’t take security analysts long to do the math and figure out that the serial code for decryption is “HBGP”.

Big fail for FailedAccess

Security experts were able to crack a ransom Trojan while its ill-minded author was still working on it. The sample is dubbed FailedAccess after the extension it appends to files. MalwareHunterTeam’s Michael Gillespie defeated its crypto in the blink of an eye. Those infected can use his StupidDecryptor solution to restore hostage information.

APRIL 25, 2017

Details of the CTF ransomware

The name of this new strain suggests that its developer must be a big fan of Capture the Flag competitions. The ransom Trojan derives a victim-specific encryption key from the plagued workstation’s MAC address and concatenates the .CTF extension to encoded files.

A minor change made to the pyteHole pest

The only tweak accompanying the latest pyteHole update is the new .adr suffix being added to filenames as part of the data scrambling routine.

Mole using a tricky distribution tactic

According to Palo Alto Networks, a CryptoMix spinoff appending files with the .MOLE extension is propagating via a complex social engineering methodology. Its payload arrives with rogue emails impersonating the United States Postal Service. The messages encourage would-be victims to visit a counterfeit Microsoft Word-styled website and download the ransomware camouflaged as an Office plugin.

APRIL 26, 2017

NMoreira reaches version 4

Cybercrooks release a new variant of NMoreira that uses the .NM4 extension to label encrypted files. This sample provides a troubleshooting walkthrough called “Recovers your files.html”.

APRIL 27, 2017

Cerber update introducing minor changes

The latest build of Cerber uses a new set of ransom notes, namely _!!!_README_!!!_[random]_.txt and _!!!_README_!!!_[random]_.hta. Another noteworthy modification has to do with the payload delivery method. The campaign now leverages the Microsoft Office RTF handling vulnerability cataloged as CVE-2017-0199 to deploy malicious Visual Basic scripts on computers.

Ransomware impersonating a law enforcement agency

An in-development sample is discovered that displays International Police Association-themed warning messages. There is no crypto involved in its modus operandi. Instead, the pest moves a victim’s files into a password-protected archive, appending each item with the .locked string preceded by an extra space. Researchers figured out that those infected can unlock the archive by entering “ddd123456” in the password field.

Jigsaw won’t stop mutating

Another Jigsaw update features a new extension added to filenames after the encryption has been performed. The string is [email protected]. Obviously, it matches the email address to reach the attackers for step-by-step recovery instructions.

An insight into the current Cerber campaign

The perpetrators behind Cerber are diversifying their contamination tactics. Both of the prevalent distribution channels use booby-trapped ZIP email attachments. However, the file extracted from the archive can be either a JS or an RTF file. The latter is an RTF document carrying a .doc extension that exploits the above-mentioned CVE-2017-0199 vulnerability.

APRIL 28, 2017

Mordor strain isn’t prosaic at all

The relatively new real-world derivative of Hidden Tear is gaining momentum. It does not target German users, stains encrypted files with the .mordor extension, and leaves a data buyout how-to named READ_ME.html. Whereas the name is Mordor, the payment page is titled “Milene Ransomware” for some reason. Go figure.

APRIL 29, 2017

The .wallet extension getting popular with crooks

Taking after the Dharma and Globe v3 strains, the newest variant of CryptoMix starts flagging encrypted files with the .wallet string. The build in question instructs victims to send a message to [email protected] or [email protected] for recovery steps.

Another BTCWare update

After some minor fine-tuning, this crypto malware now appends files with the .[[email protected]].btcware extension and drops a ransom note named #_HOW_TO_FIX.inf.

APRIL 30, 2017

RSAUtil pops up

One of the hallmark signs of the specimen dubbed RSAUtil is that it’s coded in Delphi. Having completed the encryption part of its mission, it concatenates the [email protected][random characters] extension to filenames and drops a recovery tutorial called How_return_files.txt.

DeadSec-Crypto v2.1 ransom Trojan spotted

This sample might be a rising threat to the Portuguese-speaking audience. While currently in development, it is configured to append files with the .locked suffix and demand 0.05 BTC for data decryption. The author’s email address indicated in the ransom note is [email protected]. The deadline for paying up is set to one week.

SUMMARY

One of the most unsettling tendencies in the present-day online extortion ecosystem has to do with cybercrooks’ growing interest in weaponizing educational ransomware code. It doesn’t take a rocket scientist to understand that PoCs like Hidden Tear, EDA2 and CryptoWire never worked as intended. Instead of demonstrating the modus operandi of crypto-malware to researchers, these projects have become a cradle for numerous real-life strains. This should give security enthusiasts some food for thought: they should make felons’ lives harder, not easier.
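The report above is, in effect, a month's worth of indicators of compromise: file extensions, ransom-note filenames written with “[random]” placeholders, and a handful of extensions (.wallet, .locked) that several unrelated families share. The following script turns those indicators into a first-pass triage over a directory listing, much like the identification step ID Ransomware performs from a ransom note. It is an added example and is not code from the original article or from ID Ransomware; the indicator table is transcribed from the entries above, while the note-versus-extension weighting and the sample file listing are assumptions constructed for the demo. Indicators that consist of the report's redacted email addresses are deliberately left out.

```python
"""Match a directory listing against the ransomware indicators in this
report.  Added example, not code from the original article or from any
tool it mentions.  Indicator table: transcribed from the entries above.
Weighting and SAMPLE_LISTING: constructed assumptions for the demo."""
import re
from collections import defaultdict

# (family, kind, pattern) in the report's own notation: "[random]"-style
# placeholders stand for attacker-chosen characters, "[0-10]" for a
# numeric range.  Indicators built on redacted emails are omitted.
INDICATORS = [
    ("Locky (OSIRIS)", "ext", ".OSIRIS"),
    ("Locky (OSIRIS)", "note", "OSIRIS-[4 random characters].htm"),
    ("Cerber", "note", "_READ_THI$_FILE_[random characters]_.hta"),
    ("Cerber", "note", "_READ_THI$_FILE_[random characters]_.txt"),
    ("Cerber", "note", "_!!!_README_!!!_[random]_.txt"),
    ("Cerber", "note", "_!!!_README_!!!_[random]_.hta"),
    ("Serpent", "ext", ".serp"),
    ("Serpent", "note", "README_TO_RESTORE_FILES_[random string].txt"),
    ("AES-NI", "ext", ".aes_ni_0day"),
    ("AES-NI", "note", "!!! READ THIS – IMPORTANT !!!.txt"),
    ("Mole (CryptoMix)", "ext", ".MOLE"),
    ("Mole (CryptoMix)", "note", "INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt"),
    ("Samas/SamSam", "ext", ".skjdthghh"),
    ("Samas/SamSam", "note", "009-READ-FOR-DECCCC-FILESSS.html"),
    ("Troldesh/Shade", "ext", ".dexter"),
    ("Troldesh/Shade", "note", "README[0-10].txt"),
    ("Atlas", "ext", ".ATLAS"),
    ("Atlas", "note", "ATLAS_FILES.txt"),
    ("NMoreira v4", "ext", ".NM4"),
    ("NMoreira v4", "note", "Recovers your files.html"),
    ("XPan", "ext", ".one"),
    ("XPan", "note", "Recupere seus arquivos aqui.txt"),
    ("Jigsaw", "ext", ".fun"),
    ("Jigsaw", "ext", ".lcked"),
    ("Jigsaw", "ext", ".getrekt"),
    ("Jigsaw", "ext", ".crypte"),
    # Shared extensions: an extension hit alone cannot name the strain.
    ("Dharma", "ext", ".wallet"),
    ("Globe v3", "ext", ".wallet"),
    ("CryptoMix", "ext", ".wallet"),
    ("Hidden Tear spinoff (Portuguese GUI)", "ext", ".locked"),
    ("DeadSec-Crypto v2.1", "ext", ".locked"),
]

_TOKEN = re.compile(r"\[(?:(\d+) )?random(?: characters| string)?\]|\[(\d+)-(\d+)\]")


def to_regex(pattern: str) -> str:
    """Translate the report's placeholder notation into a regex source."""
    out, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        if m.group(2) is not None:      # numeric range such as [0-10]
            lo, hi = int(m.group(2)), int(m.group(3))
            out.append("(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")")
        elif m.group(1) is not None:    # fixed-length random block
            out.append(r"[A-Za-z0-9]{%d}" % int(m.group(1)))
        else:                           # variable-length random block
            out.append(r"[A-Za-z0-9]+")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return "".join(out)


# Extensions must sit at the end of the name, notes must match the whole
# name; Windows filenames are case-insensitive, hence IGNORECASE.
_COMPILED = [(fam, kind, re.compile(to_regex(p) + r"\Z", re.IGNORECASE))
             for fam, kind, p in INDICATORS]

NOTE_WEIGHT, EXT_WEIGHT = 2, 1   # assumption: a note name is far more specific


def identify(paths):
    """Return [(family, score, [(kind, basename), ...]), ...], best first.

    A ransom-note hit outweighs an extension hit because extensions such
    as .wallet and .locked are reused across families."""
    hits = defaultdict(list)
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        for fam, kind, rx in _COMPILED:
            if (kind == "note" and rx.fullmatch(base)) or \
               (kind == "ext" and rx.search(base)):
                hits[fam].append((kind, base))
    scored = [(fam, sum(NOTE_WEIGHT if k == "note" else EXT_WEIGHT for k, _ in ev), ev)
              for fam, ev in hits.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed listing for the demo, not taken from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.OSIRIS",
    r"C:\Users\alice\Documents\OSIRIS-a1f9.htm",
    r"C:\Users\alice\Pictures\holiday.jpg.wallet",
    r"C:\Users\alice\Desktop\README7.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    for fam, score, ev in identify(SAMPLE_LISTING):
        print(f"{score:>2}  {fam:<36} {', '.join(b for _, b in ev)}")
```

On the constructed listing, Locky scores highest because both its extension and its OSIRIS-xxxx.htm note are present, Troldesh is identified from README7.txt alone, and the single .wallet file produces a three-way tie between Dharma, Globe v3 and CryptoMix. That tie is the practical point: when only a shared extension is available, the ransom note's email address, wallet address or Tor URL is what settles the family, which is exactly the lookup ID Ransomware added on April 23.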

David Balaban

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
