Kaspersky Lab updated its RannohDecryptor tool, which can now restore data locked by CryptXXX. In particular, the tool decrypts files with the .cryp1, .crypt and .crypz extensions.

New Samas version spotted
Also known as SamSam, this ransomware now appends .theworldisyours to encrypted files. The decryption manual is named CHECK-IT-HELP-FILES.html.

The Go language getting popular with cyber crooks
Researchers discovered a new ransomware specimen written in the Go programming language. It adds the .braincrypt extension to mutilated files and leaves a ransom note called “!!! HOW TO DECRYPT FILES !!!.txt”. The contact email address is [email protected].

Indonesian users targeted by EnkripsiPC ransomware
EnkripsiPC, also referred to as IDRANSOMv3, derives the decryption key from the name of the infected computer. The circulation of this sample is localized to Indonesia. Michael Gillespie, a well-known security researcher, found a way to decrypt the files.

DECEMBER 21, 2016

The new Manifestus ransomware
This sample appears to be a variant of the M4N1F3STO pest, which locks the screen and encrypts data. The parasite demands 0.2 Bitcoin for decryption.

ProposalCrypt, a new sample at large
This infection appends the .crypted extension to skewed files. The ransom is 1 Bitcoin.

Padlock screen locker isn’t that dangerous
The Padlock malware displays a lock screen saying, “Your files have been deleted and your PC has been locked.” This is a bluff, though – it doesn’t actually erase anything. The unlock code is ajVr/GRJz0R.

Free-Freedom ransomware
The warning window displayed by this sample says it was coded by a 13-year-old boy. Fortunately, Free-Freedom doesn’t do any real cryptography – it wreaks havoc with file permissions instead. Analysts determined that the unlock code is ‘adam,’ which is probably the kid’s name.

DECEMBER 22, 2016

Cerber ransomware adopts a new tactic
Unlike all earlier variants, the latest edition of Cerber no longer deletes Shadow Copies of files. Furthermore, it skips quite a few directories that used to be targeted. The threat actors also chose to prioritize encrypting Microsoft Office documents.

Winnix Cryptor details revealed
This strain appends the .wnx extension to files and creates a ransom note named YOUR FILES ARE ENCRYPTED!.txt. The attackers were found to access servers remotely and execute a batch file inside the targeted environment. The ransomware leverages the GPG (GNU Privacy Guard) cryptosystem to encrypt data.

Cerber starts using new IP ranges
To get around blacklisting of the addresses it reports UDP statistics to, Cerber now uses the following IP ranges: 188.8.131.52/23, 184.108.40.206/27, and 220.127.116.11/27.

The abominable Guster ransomware
The new Guster sample affixes the .locked extension to scrambled files and generates a very obnoxious warning screen featuring animation effects and audio.

Free-Freedom ransomware tweak
The newest variant of the Free-Freedom infection has been renamed “Roga.” It uses the .madebyadam file extension. According to the analysis of this sample, the decryption password is ‘adamdude9’.

DECEMBER 23, 2016

Koolova ransomware gets instructive
There is an interesting way for users infected with the fresh version of the Koolova ransomware to get their personal files back. The program decrypts data for free on condition that the victim reads a few articles on how to avoid ransomware.

A CryptoLocker copycat discovered
The perpetrating program is camouflaged as CryptoLocker but actually has little in common with its infamous prototype. The impostor uses the .cryptolocker extension to mark encrypted files.

Cerber devs looking forward to Christmas
According to MalwareHunterTeam, some of the new domains used by the operators of the Cerber ransomware have the word “Christmas” in their URLs.

The enduring VenusLocker ransomware
Although the cyber parasite called VenusLocker seemed to have gone extinct for good, it reemerged in a new campaign. This ransomware asks for one Bitcoin and sets a 72-hour deadline for paying up.

Details of the Alphabet ransomware
The in-development malady called Alphabet is supposed to combine screen locking and data encryption – at least, that’s what its warning screen says. However, the current version doesn’t encrypt files and provides the unlock code.

DECEMBER 24, 2016

GlobeImposter decrypted
GlobeImposter is a replica of the Globe ransomware, borrowing its prototype’s ransom notes, the extension appended to files, and the general look and feel. It uses the .crypt extension to label encrypted files and leaves a ransom note named HOW_OPEN_FILES.hta. Fortunately, Emsisoft’s Fabian Wosar was able to create a free decryptor for GlobeImposter.

DeriaLock ransomware hitting the headlines
What sets the new DeriaLock ransom Trojan apart is that its author can unlock all infected computers in a few keystrokes, as the analysis of its code reveals. Having locked a victim’s screen, the program demands $30. Those infected are told to contact a specified Skype account for payment details.

Another Cerber update
Cerber’s makers released a new edition featuring an updated range of IP addresses for UDP statistics. Another change is that the ransom notes are now called _[random]_README.hta and _[random]_README.jpg.

DECEMBER 25, 2016

BadEncript authors should work on their spelling
The new sample called BadEncript appends the .bript extension to locked files and drops the More.html ransom manual on the desktop. The spelling of the ransomware’s name, however, leaves a lot to be desired.

New extension used by the Jigsaw infection
Jigsaw ransomware operators updated their tool on Christmas Day. The new iteration appends the .hush extension to encrypted objects while keeping the original file names intact.

Latest NMoreira variant defeated
Courtesy of Fabian Wosar, Windows users hit by the .maktub file extension version of NMoreira (also known as XPan or XRatTeam) can get their files back for free. The Emsisoft Decrypter for NMoreira can decrypt most file types scrambled by this program. Be advised that the recovery process can be time-consuming, though.

DECEMBER 27, 2016

The comeback of ODCODC ransomware
Researchers spotted a fresh sample of the ODCODC ransom Trojan that creates a HOW_TO_RESTORE_FILES.txt help file and renames files according to the following pattern: C-email-[attacker’s_email_address]-[original_filename].odcodc.

DECEMBER 28, 2016

Ransomware on Smart TVs
An Android screen locker was discovered that targets LG Smart TVs. The infection displays a fake FBI warning and demands $500 to unlock the compromised device.

New sample appending files with an email address
Another crypto ransomware surfaced that appends the [email protected] string to locked files and leaves a “!!!.txt” ransom note.

DECEMBER 29, 2016

KillDisk virus starts exhibiting ransomware behavior
The new version of the malicious software called KillDisk has extortion features under the hood. Rather than simply erasing its victims’ files, it now encrypts them and asks for a whopping ransom of 222 Bitcoin.

Ransomware disguised as popular security suites
Security analysts stumbled upon an instance of the GoldenEye disk-encrypting ransomware whose payload is camouflaged as an ESET antivirus installer. Another sample called Stampado was found to arrive on PCs as a rogue AVG product.

Dharma ransomware opts for an HTA ransom manual
As part of a recent update, Dharma ransomware authors adopted a new victim interaction scheme in which the ransom note is in HTA format. It is now called Info.hta.

DECEMBER 30, 2016

Samas ransomware tweak
The latest edition of the Samas, or SamSam, ransomware uses the .whereisyourfiles extension and a WHERE-YOUR-FILES.html ransom note.

The open source ransomware issue dissected
An article published on MalwareTech explains the ins and outs of proof-of-concept ransomware projects, emphasizing that they benefit cyber criminals more than researchers.

SUMMARY

The main takeaway remains the same: users and organizations are much better off having a plan B for ransomware attack scenarios than dealing with the aftermath of such compromises. Countermeasures should revolve around safe online practices and reliable data backups. Hopefully, 2017 will be a game changer in favor of the security industry when it comes to defeating ransomware.
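The appended extensions, ransom-note names, the ODCODC renaming pattern and the Cerber IP ranges reported in this digest can be collected into a small set of host and network indicators for triage. The script below is an added example, not code from the article or from any of the researchers or vendors it mentions. Every indicator value is taken from the digest text; the file names and connection-log lines it scans are constructed sample input, the key=value log format is an assumed one, and the attacker email address in the ODCODC sample name is a placeholder.

```python
"""Triage helper built from the ransomware indicators listed in this digest.

Added example, not code from the original article. Indicator values come
from the digest; all scanned input below is constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Appended extension -> family, as reported in the digest. These are
# low-fidelity hints (".locked", for example, is used by many families).
EXTENSION_INDICATORS = {
    ".cryp1": "CryptXXX", ".crypt": "CryptXXX / GlobeImposter", ".crypz": "CryptXXX",
    ".theworldisyours": "Samas", ".whereisyourfiles": "Samas",
    ".braincrypt": "Go-based ransomware", ".crypted": "ProposalCrypt",
    ".wnx": "Winnix Cryptor", ".locked": "Guster", ".madebyadam": "Free-Freedom (Roga)",
    ".cryptolocker": "CryptoLocker copycat", ".bript": "BadEncript",
    ".hush": "Jigsaw", ".maktub": "NMoreira", ".odcodc": "ODCODC",
}

# Ransom-note file names -> family (matched case-insensitively).
NOTE_INDICATORS = {
    "check-it-help-files.html": "Samas", "where-your-files.html": "Samas",
    "!!! how to decrypt files !!!.txt": "Go-based ransomware",
    "your files are encrypted!.txt": "Winnix Cryptor",
    "how_open_files.hta": "GlobeImposter", "more.html": "BadEncript",
    "how_to_restore_files.txt": "ODCODC", "info.hta": "Dharma",
}

# Cerber's updated notes: _[random]_README.hta and _[random]_README.jpg.
CERBER_NOTE_RE = re.compile(r"^_[A-Za-z0-9]+_README\.(hta|jpg)$", re.IGNORECASE)

# ODCODC scheme: C-email-[attacker's_email_address]-[original_filename].odcodc
# The email group is non-greedy so the first "-" after the domain splits
# it from the original name (assumed: no "-" inside the domain part).
ODCODC_RE = re.compile(r"^C-email-(?P<email>[^@]+@[^@]+?)-(?P<original>.+)\.odcodc$")

# Cerber UDP statistics ranges as listed in the digest. strict=False masks
# off the host bits so the addresses are accepted as networks.
CERBER_UDP_RANGES = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("188.8.131.52/23", "184.108.40.206/27", "220.127.116.11/27")
]


@dataclass
class Match:
    indicator: str          # what kind of artifact matched
    family: str             # ransomware family from the digest
    detail: Optional[str] = None


def classify_filename(name: str) -> Optional[Match]:
    """Return the digest indicator a file name matches, or None."""
    lower = name.lower()
    if lower in NOTE_INDICATORS:
        return Match("ransom note", NOTE_INDICATORS[lower])
    if CERBER_NOTE_RE.match(name):
        return Match("ransom note", "Cerber")
    m = ODCODC_RE.match(name)
    if m:
        return Match("renamed file", "ODCODC",
                     f"attacker email {m['email']}, original name {m['original']}")
    for ext, family in EXTENSION_INDICATORS.items():
        if lower.endswith(ext):
            return Match("appended extension", family, ext)
    return None


def flag_udp_destinations(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (dst_ip, cidr) for UDP flows into the Cerber statistics ranges.

    Assumed log format: 'proto=<udp|tcp> src=<ip> dst=<ip> dport=<port>'.
    """
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("proto") != "udp":
            continue
        dst = ipaddress.ip_address(fields["dst"])
        for net in CERBER_UDP_RANGES:
            if dst in net:
                hits.append((str(dst), str(net)))
    return hits


# Constructed sample input; the email address is a placeholder.
SAMPLE_FILENAMES = [
    "budget.xlsx.crypz", "CHECK-IT-HELP-FILES.html", "_a1B2c3_README.hta",
    "C-email-attacker@example.com-Q4-report.docx.odcodc", "holiday.jpg.hush",
    "notes.txt",
]
SAMPLE_LOG = [
    "proto=udp src=10.0.0.12 dst=188.8.131.200 dport=6000",
    "proto=tcp src=10.0.0.12 dst=188.8.131.52 dport=443",
    "proto=udp src=10.0.0.15 dst=8.8.8.8 dport=53",
    "proto=udp src=10.0.0.19 dst=184.108.40.200 dport=6000",
]

if __name__ == "__main__":
    for fname in SAMPLE_FILENAMES:
        print(f"{fname!r}: {classify_filename(fname)}")
    print("Cerber UDP hits:", flag_udp_destinations(SAMPLE_LOG))
```

The file-name checks are ordered from most to least specific (exact note name, Cerber note pattern, ODCODC rename, then bare extension) so that a generic extension never shadows a more precise match; any hit is a reason to isolate the host and restore from backup, not proof of a particular family.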
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.