December 2017: The Month in Ransomware

Ransomware activity stayed at a fairly high level until mid-December but slowed down toward the end of the month, perhaps because the threat actors went on a holiday spree. Some of the newsmaking events include the onset of the first-ever blackmail virus targeting network-attached storage devices, the breach of a California voter database, and the arrests of CTB-Locker and Cerber distributors in Romania.

Here is what December 2017 looked like statistically: 27 new ransomware samples were discovered, 26 existing ones got a makeover, and one free decryptor was released by researchers.

DECEMBER 1, 2017

CryptoMix ransomware slightly modified
The latest edition of the CryptoMix strain switches to the .TEST extension for encrypted files and an updated list of contact email addresses. The name of the rescue note has not changed and is still _HELP_INSTRUCTION.txt.

The ‘low-cost’ Halloware infection
Security analysts discover a new ransomware sample called Halloware being marketed on dark web forums. It stands out from the rest due to the low price its developer asks for the kit: only $40.

BTCWare undergoes a tweak
The BTCWare family of crypto parasites spawns a new variant. It affixes the .[attacker email]-id-id.shadow extension to hostage files. As before, the perpetrating program is distributed via compromised remote desktop services.

Globe2 ransomware updated
The ransomware lineage codenamed Globe2 expands with a fresh version that scrambles filenames and blemishes them with the .abc extension. Fortunately, Emsisoft’s free decryption tool for Globe2 supports this variant.

False alarm on the Clico Cryptor specimen
This one acts like garden-variety ransomware, but its actual gist is trickier than it appears. Clico Cryptor turns out to have been made by Polish researchers and pursues the goal of testing antivirus and sandbox products for detection efficiency.

Magniber ransomware keeps mutating
Magniber, the successor of the Cerber ransom Trojan that spreads via the Magnitude exploit kit, gets some fine-tuning. Another variant in the wild stains encoded files with the .dlenggrl extension.

A comparison of two samples with common roots
Analysts at Zscaler Cloud Security post an article dissecting the Vortex and Bugware file-encrypting strains. These samples were picked for a reason: both are based on open-source .NET ransomware code.

DECEMBER 2, 2017

Blind ransomware updated
A fresh mod of the Blind ransomware appends the .napoleon suffix to encrypted data entries and drops a ransom notification named How_Decrypt_Files.hta. The extension is prepended with the threat actors’ email address, [email protected].

Eternity ransomware surfaces
This culprit labels encoded files with the .eTeRnItY string, hence the name. It is somewhat buggy at this point due to a flaw in rendering an animated GIF object, which makes the offending program crash.

New version of the JCoder ransomware spotted
JCoder was discovered in August and reportedly hails from Vietnam. Its most recent edition uses the .MTC extension for ransomed data and drops a recovery note named “WanaCry 0.2.ini”.

Magniber continues the update trend
Several new variants of the Magniber ransomware are released in one go. They use the .fbuvkngy, .dwbiwty, and .xhspythxn strings to stain encrypted files.

New ransomware with a name that speaks for itself
Researchers come across a sample whose GUI is titled “Payment”. It displays its warnings and decryption steps in Spanish. Fortunately, it lacks full-fledged crypto functionality in its current state.

RansomMine baddie on the radar
The ransomware in question zeroes in on Korean users. It adds the .RansomMine extension to locked files. Interestingly, the Trojan automatically decrypts data if it spots a copy of Minecraft 1.11.2 on an infected machine. The author must be a big fan of the game.

DECEMBER 3, 2017

HC6 ransomware dissected
A new entry on the Extreme Coders Blog sheds light on the modus operandi of HC6, a relatively new specimen that uses the PyInstaller program to generate the malicious executable.

Handsomeware made for fun
Although the sample called Handsomeware appears to act like a commonplace crypto pest, it turns out to be pseudo-ransomware, as it does not actually encrypt anything. However, it does demand €300 worth of Bitcoin in exchange for who knows what.

Crypt0 ransomware is all about randomness
The infection called Crypt0 appends a randomly generated extension to each encoded file and drops a recovery how-to named READ_IT.html on the desktop. It is yet another spinoff of the academic Hidden Tear ransomware code. The crooks instruct victims to pay up within a specified timeframe, namely six days. The C2 server is down at the time of analysis, so the infection fails to encrypt.

A barely conspicuous change made to CrySiS
The CrySiS ransomware lineage, also known as Dharma, spawns a new edition featuring a very small tweak compared to its forerunner. While both concatenate the .java string to encrypted files, the newcomer uses curly braces instead of square brackets to wrap the attacker email part of the extension. So, a sample file named Picture.jpg will look similar to this after the transformation: {[email protected]}.java.

Magniber distributors stay restless
Yet another iteration of the Magniber ransomware takes root. The updated variant adds the .dxjay extension to hostage files.

Shadow Blood ransomware spotted
One more Hidden Tear PoC derivative, called Shadow Blood, uses the .TEARS extension to label encrypted data items. It drops a READ_ME.txt rescue note with some interesting text in it, namely “Send me some Bitcoins or iPhone X, and I also hate Man City, Chelsea, Liverpool, Samsung, being drunk,” whatever that is supposed to mean.

DECEMBER 4, 2017

HC7 ransomware victims may get lucky
Malware researchers unearth a flaw in the encryption routine used by the HC7 blackmail virus. It may hence be possible to retrieve the decryption key via memory forensics.

A politically flavored Hidden Tear variant
The previously discovered HT spinoff staining data with the .hacking extension gets revamped. It displays a wallpaper featuring the political leaders of Germany, France, and Russia. The new ransom note is named Message_important.txt.

Magniber is now identifiable with ID Ransomware
ID Ransomware, an online service created by a crew of security analysts calling themselves the MalwareHunterTeam, gets enhanced with signatures for the Magniber ransomware. The portal therefore fully supports all variants of this blackmail infection submitted by victims.

DECEMBER 5, 2017

StorageCrypt, a new scourge affecting NAS devices
The blackmail virus codenamed StorageCrypt is discovered. It specifically targets NAS (network-attached storage) devices, including Western Digital My Cloud. The entry point for the contagion is an exploit called SambaCry.

Another medical facility hit by ransomware
The Minneapolis branch of the Colorado Center for Reproductive Medicine suffers the consequences of a ransomware onslaught. In the aftermath of this attack, some patient records may have been stolen, including names, addresses, contact details, and Social Security numbers.

BTCWare strain modified again
The newest variant of BTCWare, one of the most prolific file-encrypting threats across the board, switches to the .wallet extension for enciphered files. It also uses a new contact email address, namely [email protected].

ExecutionerPlus, another cyber villain on the table
This sample is reportedly based on the CryptoJoker ransomware code. It appends the .pluss.executioner or .destroy.executioner extension to ransomed files. An offbeat hallmark is that it comes bundled with Coinhive, a JavaScript miner for the Monero cryptocurrency.

DECEMBER 6, 2017

HC7 ransomware updated
A fresh mod of the HC7 ransom Trojan is spotted. It contaminates computers via poorly secured remote desktop services. To gain a foothold on an entire enterprise network, the infection uses the PsExec tool. The new extension affixed to filenames is .GOTYA. Furthermore, HC7 now drops a RECOVERY.txt rescue note.

DECEMBER 7, 2017

Ransomware attacks a U.S. county
Mecklenburg County in North Carolina falls victim to the LockCrypt ransomware. The perpetrating program ends up crippling the County’s computer systems used for financial reporting, transaction processing, Criminal Justice Services with the Sheriff’s Office, Child Support Enforcement and quite a few others.

The sarcastic Christmas ransomware
Frankly, concepts like Christmas and ransomware don’t align with each other. Nonetheless, cybercrooks have ventured into combining them. The new Christmas ransomware displays a picture of a jolly snowman on its ransom note screen and demands $100 worth of Bitcoin for file recovery.

An addition to the Xorist ransomware family
The Xorist lineage hasn’t been updated for quite some time, so the fresh variant was a bit of a surprise to researchers. It drops a ransom manual named “HOW TO DECRYPT FILES.txt” and stains hostage files with the .CerBerSysLocked0009881 extension.

Santa Encryptor sample in development
Santa Encryptor is another Christmas-themed ransomware spotted by analysts. It is currently in test mode and does not utilize cryptography yet. The culprit is configured to request $150 worth of Bitcoin for decryption.

DECEMBER 8, 2017

GlobeImposter got its name for a reason
The ransomware dubbed GlobeImposter is an imposter indeed. It started off mimicking the Globe strain back in 2016, and now it tries to imitate the CrySiS/Dharma baddie by concatenating the .arena string to encrypted files.

DECEMBER 9, 2017

Napoleon ransomware dissected
Malwarebytes releases a write-up on the recent variant of the Blind ransomware that stains locked data items with the .napoleon suffix. One of the researchers’ findings is that the pest is most likely making the rounds via compromised IIS (Internet Information Services) servers.

DECEMBER 10, 2017

D4rkL0cker Test spotted before going live
It has become a good tradition in malware analysis circles to discover in-development ransom Trojans prior to their launch into the wild. That is how things went with the sample called D4rkL0cker Test. Its GUI states that the infection uses an RSA-2048 cipher to make data inaccessible, but the culprit does not actually perform any encryption in its current state.

DECEMBER 11, 2017

File Spider crawling over the Balkans
A brand new blackmail virus called File Spider is underway. One of the distinguishing hallmarks of this campaign is that it is restricted to specific countries, including Bosnia and Herzegovina, Croatia, and Serbia. The ransomware is distributed by means of malspam carrying booby-trapped Word documents that contain macros. It labels encoded files with the .spider extension.

More details on File Spider unearthed
Security analysts give a comprehensive technical summary of the new cyber culprit in a blog post. The lowdown on it includes the malicious macro code, binary execution peculiarities, a complete list of targeted file formats, skipped directories, and all IOCs (indicators of compromise).

NxRansomware trying to rise from the ashes
This one was discovered in late March 2017. The campaign obviously didn’t bode well for its authors, as the distribution quickly faded. Months afterwards, though, the infection resurfaced with an edition whose GUI is titled “I’ll Make You Cry”. Its payload is disguised as a Google Chrome update.

Screen locker following poor OPSEC practices
A new Trojan is spotted that claims to be a file-encrypting threat but actually just locks one’s screen. Unlike most ransomware strains out there that accept payments in Bitcoin, it instructs victims to enter their credit card details.

DECEMBER 13, 2017

CryptoMix authors must be really busy ‘working’
A fresh version of the prolific CryptoMix ransomware surfaces. It concatenates the .WORK extension to ransomed files, drops a rescue note named _HELP_INSTRUCTION.txt, and uses an updated list of contact email addresses.

HC7 ransomware undergoes some changes
The cybercrooks behind the HC7 strain release another edition that subjoins the .DS335 string to every encrypted data entry. The decryption steps are provided in the RECOVER.txt manual.

Noblis ransomware is nothing out of the ordinary
This pest displays a GUI that says, “Crypter – your files have been encrypted.” The recovery instructions are in Spanish. The infection adds the .noblis extension to locked files and provides a payment deadline of 24 hours.

Blind ransomware gets a tweak
Another Blind ransomware spinoff is discovered. It blemishes encoded files with the .[[email protected]].skeleton extension. The recovery how-to document is named How_Decrypt_Files.txt; the one previously used was in HTA format.

TrOwX ransomware based on a PoC
A new offshoot of the educational Hidden Tear ransomware called TrOwX is spotted in the wild. It appends the .locked suffix to encoded files and uses a ransom note named READ_AND_CRY.txt.

DECEMBER 14, 2017

RSA-NI ransomware
The threat actors behind the new RSA-NI ransomware must have been inspired by the success of an older sample named AES-NI. The latter reportedly used NSA exploits leaked by a group of cybercriminals calling themselves The Shadow Brokers (TSB). The newcomer mainly targets web servers and provides a 24-hour timeframe to pay up.

DECEMBER 15, 2017

Extortionists hit California voter database
One more incident involving MongoDB server hacks hits the headlines. This time, the perpetrators steal and hold sensitive data of 18.2 million California voters for ransom. The amount requested by the attackers is 0.2 Bitcoin (about $2,800).

Satan’s Doom Crypter ransomware on the loose
This strain is yet another one based on the notorious Hidden Tear proof-of-concept code. It affixes the .locked string to ciphered files and provides recovery steps in the READ_IT.txt manual.

Cyclone ransomware spotted
The blackmail malware in question is written in Python. It concatenates the .cyclone suffix to encrypted data items and instructs victims to submit 0.005 Bitcoin within a 48-hour time span.

Cryptomaniac ransomware campaign underway
The new cyber culprit called Cryptomaniac uses an apropos .maniac extension to label encrypted files. The ransom notes are named Readme_to_recover_files.html/txt. The crooks demand $500 worth of Bitcoin for decryption.

Godra ransomware targeting Croatian users
The hallmarks of the Godra ransomware attack include the .godra extension being added to filenames, as well as a ransom how-to file named KAKO OTKLJUCATI VASE DATOTEKE.txt.

DECEMBER 18, 2017

RSAUtil ransomware modified
A brand-new edition of the RSAUtil blackmail program surfaces. It affixes the .ID.GORILLA extension to encrypted files and provides recovery steps via a How_return_files.txt rescue note.

Satan Cryptor 2.0 isn’t that mystical
This infection is making the rounds by exploiting SMB (Server Message Block) vulnerabilities on targeted systems. It concatenates the .satan extension to files.

Cryptocurrency multiplier used as a smokescreen for ransomware
Security analysts stumble upon a counterfeit Bitcoin multiplier tool called Bitcoin-x2 v5.1 that, when downloaded, installs the WannaDecryptor ransom Trojan onto the computer.

DECEMBER 19, 2017

America’s conflict with North Korea goes cyber
White House officials make an official statement regarding the deleterious WannaCry ransomware outbreak from May. According to it, North Korea is directly responsible for the cyber-attack.

GlobeImposter authors want to refill their ‘wallet’
The latest version of the GlobeImposter pest switches to the .wallet extension for ransomed data objects. It leaves a ransom notification named how_to_back_files.html.

Retis ransomware appears
The ransom Trojan called Retis displays an alert screen in French. Files are appended with the .crypted extension.

RSAUtil updated once again
Yet another mod of the RSAUtil ransomware starts using the .ID.VENDETTA suffix for hostage files. No further changes have been introduced.

DECEMBER 20, 2017

Newsmaking ransomware-related arrests
In the course of Operation Bakovia, the Romanian law enforcement agency named the Directorate for Investigating Organized Crime and Terrorism apprehends five individuals for distributing the Cerber and CTB-Locker (Critroni) ransomware specimens.

DECEMBER 21, 2017

Details of a defiant ransomware campaign unearthed
Two people from the cyber-gang arrested in Romania have reportedly compromised the Washington D.C. police surveillance system to spread blackmail malware. The hack took place over RDP.

Ransomware group switches to cryptocurrency mining
The cybercriminal crew behind the VenusLocker ransomware appears to have changed their activity vector and started mining the Monero cryptocurrency instead.

GlobeImposter spreading via booby-trapped images
An ongoing GlobeImposter campaign involves malspam delivering toxic 7z archive attachments. The extracted JavaScript code installs the perpetrating program instantly.

More details on the Retis ransomware
Researchers conduct an in-depth analysis of this recently released infection. It is written in .NET and leverages the AES cryptosystem to lock down one’s data. Fortunately, Retis uses a hard-coded encryption key, so it is potentially decryptable without paying the ransom.

File-Locker, a threat to Koreans
The new File-Locker ransomware zeroes in on Korean victims only. The crooks demand 50,000 South Korean Won (about $50) for decryption.

DECEMBER 22, 2017

More hallmarks of the current GlobeImposter wave revealed
The more recent edition of this prolific ransomware concatenates the ..doc extension to encoded files (the double dot isn’t a typo). So a sample file named Pic.jpg will morph into a Pic.jpg..doc entry. The infection is circulating via spam containing rogue image attachments enclosed in 7z archives.

CryptoMix strain fine-tuned
A fresh variant of the competently tailored CryptoMix ransomware starts using the .FILE extension to blemish encrypted data. The name of the ransom note, _HELP_INSTRUCTION.txt, is the same as before. Its contents, though, have been slightly modified and now include an updated list of email addresses to reach the attackers.

DECEMBER 25, 2017

Another update of the Blind ransomware
The latest spinoff of the Blind ransomware family concatenates the .blind2 extension to encoded files, prepended with the attackers’ email address in square brackets. The rescue note is named How_Decrypt_Files.txt.

New strain called Dangerous Ransomware
This one smears hostage files with the .wtf string and drops a recovery how-to named HOWTODECRYPTFILES.html. Additionally, the threat actors offer a Tor-based online chat for communication.

DECEMBER 28, 2017

CryptoMix switches to a new extension
One more version of the CryptoMix ransomware is discovered. It uses the .tastylock extension to stain encrypted files, while the name of the ransom note is unchanged (_HELP_INSTRUCTION.txt). The new contact email address is [email protected]. It targets China for now.

A ‘compassionate’ variant of SamSam ransomware
A new build of the SamSam/Samas blackmail virus blemishes encrypted data with the .weapologize suffix. The ransom notification is named 0009-SORRY-FOR-FILES.html.

SQ_ ransomware updated
The most recent iteration of the file-encrypting strain dubbed SQ_ switches to prepending the BA_ string to encrypted files. This prefix is also applied to the ransom note name, BA_ IN YOUR FILES..txt.

DECEMBER 29, 2017

Pulpy ransomware, a fresh one on the table
This one does not appear to be related to any existing sample. It appends the .aes extension to encrypted data items and drops a ransom manual named Instruction.txt.

MadBit strain spotted
Also referred to as MadBit Encryptor, this infection labels hostage files with the .enc string. Victims are instructed to contact [email protected] for decryption steps. To prove that the decryptor works, the crooks offer free recovery of one file as long as it does not contain valuable information and does not exceed 1 MB in size.

Online extortionists proved once again that there is hardly any target they cannot attack and hold for ransom. Counties, hospitals, voter databases, and NAS devices are all susceptible to these destructive onslaughts. Although the ransomware plague is constantly mutating, the one thing that reduces the risk remains the same: it all boils down to backups, so users and organizations should have a viable backup strategy in place.
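The extensions and ransom note names listed throughout this roundup are the kind of indicators a defender would feed into a file-share or endpoint scan. The script below is an added example, not code from the article or from any of the researchers it cites. The indicator tables are transcribed from the entries above; the regular expressions for email-tagged extensions (CrySiS/Dharma, Blind, BTCWare), the per-directory threshold, the "stripped name still has an extension" heuristic, and the sample file listing are all constructed for illustration. It goes a little beyond the text by handling the double-dot ..doc marker and the bracket/brace-wrapped address variants generically.

```python
import posixpath
import re
from collections import Counter

# Extensions the roundup reports being appended to encrypted files, mapped to the
# family the article attributes them to. Transcribed from the article text;
# "..doc" is GlobeImposter's double-dot extension and is kept exactly as written.
ENCRYPTED_EXTENSIONS = {
    ".TEST": "CryptoMix", ".WORK": "CryptoMix", ".FILE": "CryptoMix",
    ".tastylock": "CryptoMix", ".abc": "Globe2", ".napoleon": "Blind",
    ".skeleton": "Blind", ".blind2": "Blind", ".eTeRnItY": "Eternity",
    ".MTC": "JCoder", ".RansomMine": "RansomMine", ".TEARS": "Shadow Blood",
    ".hacking": "Hidden Tear variant", ".wallet": "BTCWare or GlobeImposter",
    ".GOTYA": "HC7", ".DS335": "HC7", ".arena": "GlobeImposter",
    "..doc": "GlobeImposter", ".spider": "File Spider", ".noblis": "Noblis",
    ".cyclone": "Cyclone", ".maniac": "Cryptomaniac", ".godra": "Godra",
    ".satan": "Satan Cryptor 2.0", ".crypted": "Retis",
    ".wtf": "Dangerous Ransomware", ".weapologize": "SamSam", ".aes": "Pulpy",
    ".enc": "MadBit", ".CerBerSysLocked0009881": "Xorist",
    ".java": "CrySiS/Dharma", ".shadow": "BTCWare",
    ".locked": "TrOwX or Satan's Doom Crypter",
    ".pluss.executioner": "ExecutionerPlus",
    ".destroy.executioner": "ExecutionerPlus",
}

# Ransom note file names reported in the roundup, matched case-insensitively.
RANSOM_NOTES = {
    "_help_instruction.txt": "CryptoMix", "how_decrypt_files.hta": "Blind",
    "how_decrypt_files.txt": "Blind", "wanacry 0.2.ini": "JCoder",
    "read_it.html": "Crypt0", "read_it.txt": "Satan's Doom Crypter",
    "read_me.txt": "Shadow Blood", "message_important.txt": "Hidden Tear variant",
    "recovery.txt": "HC7", "recover.txt": "HC7",
    "how to decrypt files.txt": "Xorist", "read_and_cry.txt": "TrOwX",
    "readme_to_recover_files.html": "Cryptomaniac",
    "readme_to_recover_files.txt": "Cryptomaniac",
    "kako otkljucati vase datoteke.txt": "Godra",
    "how_return_files.txt": "RSAUtil", "how_to_back_files.html": "GlobeImposter",
    "howtodecryptfiles.html": "Dangerous Ransomware",
    "0009-sorry-for-files.html": "SamSam", "ba_ in your files..txt": "SQ_",
    "instruction.txt": "Pulpy",
}

# Families that embed the attacker's contact address in the extension (patterns
# are constructed from the article's descriptions): CrySiS/Dharma wraps it in {}
# or [], Blind in [[ ]], and BTCWare uses [email]-id-<id>.shadow.
EMAIL_WRAPPED_EXT = re.compile(r"\.[\[{]{1,2}[^\[\]{}]+@[^\[\]{}]+[\]}]{1,2}\.[A-Za-z0-9]+$")
BTCWARE_EXT = re.compile(r"\.\[[^\]]+@[^\]]+\]-id-[^./\\]+\.shadow$")


def classify(path):
    """Return (indicator_type, family) when the basename matches an indicator
    from the roundup, otherwise None. Ransomware appends its marker to the
    original name, so an extension hit is only accepted when the stripped name
    still carries its own extension: Main.java does not fire, Report.docx.java does."""
    name = posixpath.basename(path)
    note_family = RANSOM_NOTES.get(name.lower())
    if note_family:
        return ("ransom_note", note_family)
    if BTCWARE_EXT.search(name):
        return ("encrypted_file", "BTCWare")
    if EMAIL_WRAPPED_EXT.search(name):
        # The trailing extension still identifies the family when the address varies.
        tail = "." + name.rsplit(".", 1)[-1]
        return ("encrypted_file", ENCRYPTED_EXTENSIONS.get(tail, "email-tagged variant"))
    # Longest marker first so a compound marker is reported as itself.
    for ext in sorted(ENCRYPTED_EXTENSIONS, key=len, reverse=True):
        if name.endswith(ext):
            stem = name[:-len(ext)]
            if "." in stem and not stem.endswith("."):
                return ("encrypted_file", ENCRYPTED_EXTENSIONS[ext])
    return None


def scan(paths, threshold=5):
    """Group indicator hits by directory. A directory is reported when it holds a
    ransom note or at least `threshold` renamed files (the threshold is an
    assumption for this example); a lone .enc or .aes backup does not raise an alert."""
    hits = {}
    for path in paths:
        result = classify(path)
        if result:
            directory = posixpath.dirname(path) or "."
            hits.setdefault(directory, []).append((posixpath.basename(path),) + result)
    flagged = {}
    for directory, items in hits.items():
        notes = [name for name, kind, _ in items if kind == "ransom_note"]
        if notes or len(items) >= threshold:
            family = Counter(fam for _, _, fam in items).most_common(1)[0][0]
            flagged[directory] = {"family": family, "count": len(items), "notes": notes}
    return flagged


# Constructed sample listing (not real data); forward slashes for portability.
SAMPLE_LISTING = [
    "/srv/share/finance/Q4.xlsx..doc",
    "/srv/share/finance/Pic.jpg..doc",
    "/srv/share/finance/how_to_back_files.html",
    "/home/alice/src/Main.java",                         # ordinary source file
    "/home/bob/Picture.jpg.{bot@example.test}.java",     # CrySiS-style, constructed address
    "/home/bob/notes.docx.[bot@example.test]-id-ABC123.shadow",
    "/home/carol/docs/report.pdf.TEST",
    "/home/carol/docs/_HELP_INSTRUCTION.txt",
    "/home/dave/backup.tar.enc",                         # weak single hit, not reported
]

if __name__ == "__main__":
    for directory, info in scan(SAMPLE_LISTING).items():
        print(f"{directory}: {info['family']} ({info['count']} hits, notes: {info['notes']})")
```

Run against the constructed listing, only /srv/share/finance (GlobeImposter, three hits plus a note) and /home/carol/docs (CryptoMix, note present) are reported; the two email-tagged files under /home/bob are classified but stay below the directory threshold, and the lone .enc file under /home/dave is ignored. Generic extensions such as .java, .aes and .enc collide with legitimate files, which is why a note name or a cluster of renamed files, not a single extension match, is what should page someone.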

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
