February 2017: The Month in Ransomware

The shortest month of 2017 was relatively slow in terms of ransomware activity, but it gave rise to several disconcerting tendencies in the cybercrime ecosystem. Crypto infections that steal sensitive information along the way, top-notch Android ransomware utilizing dropper techniques, low-cost Ransomware-as-a-Service platforms: all of these took root in February. Overall, 26 new strains emerged and 15 old ones were updated. Security experts released five free decryption tools. Go ahead and peruse the timeline below to learn more.

FEBRUARY 1, 2017

Samas ransomware keeps mutating
A new edition of Samas, or SamSam, ransomware emerges in the wild. It blemishes encrypted files with the .letmetrydecfiles extension and leaves a data recovery how-to called LET-ME-TRY-DEC-FILES.html.

FEBRUARY 2, 2017

Avast upsets online extortionists again
Avast's research team devises free decryptors for three widespread ransomware families: Hidden Tear, Jigsaw, and Stampado. Another battle won by Avast is a small, yet important, milestone in the war against this segment of cybercrime.

FEBRUARY 3, 2017

U.S. county falls victim to ransomware
An undisclosed strain of file-encrypting malware attacks the IT network of all government offices in Licking County, Ohio. The compromise cripples the county's computer systems and phone network, including 911 emergency services.

Arrests over a defiant ransomware attack
The United Kingdom's National Crime Agency apprehends a British man and a Swedish woman in London on suspicion of infecting the CCTV system of Washington, D.C. with ransomware. Both suspects are 50 years old. The attack had rendered the U.S. capital's video surveillance network inoperable a week before the inauguration of Donald Trump.

Ranion, a new RaaS out there
A Ransomware-as-a-Service system called Ranion is advertised on darknet sites as a platform built strictly for educational purposes. Is this true? Of course not. The proprietors of this RaaS provide wannabe fraudsters with a perfectly viable extortion model. The fee for using the service amounts to 0.95 BTC (about $1,200) per year or 0.6 BTC ($760) for six months.

Ransomware prank that isn't funny
The YourRansom crypto infection is first spotted. It concatenates the apropos .yourransom extension to encrypted files and drops a README.txt ransom manual. The interesting thing is that the attacker asks victims whether they like this joke and instructs them to contact him at [email protected] for free decryption.

New LambdaLocker strain written in Python
This one uses a combination of AES-256 encryption and SHA-256 hashing, adds the .lambda_l0cked suffix to encoded files, and creates a ransom note called READ_IT.hTmL. The size of the ransom is 0.5 BTC.

FEBRUARY 4, 2017

PadCrypt backed by an affiliate platform
Researchers discover that the PadCrypt ransomware is available on a RaaS basis. Therefore, anyone who wants to break bad can join the affiliate network, get a custom build of the infection, and use a tracking mechanism when conducting an extortion campaign of their own.

Details of the YourRansom sample
It turns out that the above-mentioned strain called YourRansom is based on an open-source project by a Chinese enthusiast nicknamed popu125. The original code was posted on GitHub and is currently unavailable.

FEBRUARY 6, 2017

Spora ransomware keeps impressing
Operators of the Spora ransomware have a tech support system that not every legitimate online service can boast. The support agents respond to victims' requests amazingly fast and offer them an odd deal: provide positive feedback and get a discount on the ransom.

Android ransomware gets smarter
The latest spinoff of the ransom trojan called Android.Lockdroid.E uses a dropper to adapt to the configuration of the specific Android device it has infected. Online malefactors used to apply this technique on Windows-based machines only, so the sample in question is a game changer in a way.

FEBRUARY 7, 2017

CryptoShield update
A new variant of the CryptoShield ransomware is out. Its version number is 1.1. The pest uses an updated set of email addresses to interact with victims, namely [email protected], [email protected], and [email protected].

Erebus ransomware is a tricky one
The crypto malware called Erebus is capable of obtaining elevated privileges on a target computer without the user's consent via the User Account Control prompt; it simply circumvents UAC authorization. The size of the ransom is comparatively low, amounting to a Bitcoin equivalent of $90.

The comeback of JobCrypter
Ransomware watchers spot a new sample of the JobCrypter ransomware in the wild. This strain had been inactive since late May 2016. The discovered variant leaves ransom notes in French and demands 500 EUR for data decryption.

Aw3s0m3Sc0t7 sample isn't that awesome
Judging by the name of this ransomware, its developer is probably someone named Scott who really likes himself. Having scrambled one's files, the infection concatenates the .enc extension to each one.

A kleptomania-stricken ransom trojan
An unnamed ransomware specimen is discovered that pilfers a victim's sensitive data, including private keys and Base64-encoded certificates, and then demands 1 Bitcoin for not disclosing this data.

FEBRUARY 8, 2017

New sample targeting a Portuguese-speaking audience
Another CryptoLocker copycat starts infecting computers with Portuguese language locales. It adds the ".id-[random digits][email protected]_" string to the names of encrypted files and drops a ransom note called COMO_ABRIR_ARQUIVOS.txt.

One more milestone reached by ID Ransomware
MalwareHunterTeam's ID Ransomware is one of the most helpful online resources for identifying different file-encrypting infections. At this point, it can detect a whopping 300 ransomware families.

FEBRUARY 9, 2017

The poisonous Serpent ransomware
A fresh data-scrambling specimen called Serpent ransomware is discovered. It appears to be a successor of the infamous WildFire Locker and Hades Locker strains. It appends the .serpent extension to files and creates recovery how-to's named HOW_TO_DECRYPT_YOUR_FILES_[3 random characters].html/txt. Similarly to its forerunners, Serpent targets Danish users.

DynA-Crypt isn't a commonplace threat
The perpetrating program called DynA-Crypt is an explosive fusion of crypto malware and a data-stealing infection. So the impact is twofold: on the one hand, it locks down a victim's important files and stains them with the .crypt extension; on the other, it harvests keystrokes, furtively takes screenshots, and collects information related to a variety of applications.

Another Hidden Tear spinoff
Hidden Tear is a proof-of-concept ransomware created by Turkish coder Utku Sen. Unfortunately, cybercrooks have used it to cook up multiple real-life crypto infections. The new Digisom ransomware is one of these derivatives. It demands a fairly low ransom of 0.05 Bitcoin, or about $60.

Details of the Fadesoft trojan
Fadesoft displays a Resident Evil movie-themed warning screen containing the logo of the fictional Umbrella Corporation. The size of the ransom is 0.33 Bitcoin (about $400).

FEBRUARY 10, 2017

SerbRansom 2017, a new sample on the table
The offending entity called SerbRansom 2017 creates a recovery manual with the flag of Serbia depicted in the center. It appends the .velikasrbija string to filenames and requests $500 worth of Bitcoin for decryption.

Wcry ransomware spotted
This crypto infection is nothing out of the ordinary. It uses the .wcry extension to scar encrypted files, hence the name. The trojan demands 0.1 Bitcoin for decryption.

Ransomware attacks via RDP on the rise
Researchers at Trend Micro discover a considerable spike in the number of Remote Desktop Protocol brute-force attacks depositing the Crysis ransomware on computers. A particularly unsettling fact is that the threat actors are actively employing this technique to target healthcare organizations in the United States.

FEBRUARY 11, 2017

SerbRansom 2017 campaign attribution
Based on the analysis of the recently discovered SerbRansom infection, its author hails from Serbia and displays hatred towards Kosovo and Croatia in his other felonious activities. The crook also created an app for SQL injection targeting Croatian sites.

Ransomware employing RAR
Ransom trojans don't necessarily leverage cryptographic algorithms to lock down one's files. Some strains move their victims' data to a password-protected RAR archive instead. A new sample from the latter category is spotted. To unlock the archive called All_Your_Documents.rar, those infected have to cough up 0.35 Bitcoin.

FEBRUARY 13, 2017

Samas ransomware updated again
The latest edition of the Samas ransomware appends the .encryptedyourfiles extension to scrambled files and provides a recovery how-to named 001-READ-FOR-DECRYPT-FILES.html.

New CyberSplitter variant emerges
Also referred to as CyberSplitterVBS, this ransomware family spawns another version displaying an FBI-themed warning screen with a "Your computer has been locked!" message. It provides a 72-hour deadline to submit 0.5 Bitcoin for decryption. Otherwise, the data will allegedly become irrecoverable.

FEBRUARY 14, 2017

Ransomware for Industrial Control Systems
David Formby, Srikar Durbha, and Raheem Beyah, researchers from the Georgia Institute of Technology, tailor a proof-of-concept ransomware that targets programmable logic controllers in ICS and SCADA systems.

Alarming ransomware stats hit the headlines
According to Kaspersky Lab, 47 out of 62 ransomware specimens propagating in 2016 were created by Russian-speaking cybercriminals. This means that 75% of online extortion campaigns originate from Russia and possibly other former Soviet Union countries.

CyberSplitter devs are more active than ever
Two more variants of the CyberSplitter ransomware are discovered. One of them displays an image of Saher Blue Eagle in its ransom note. This term denotes an infamous Remote Access Trojan (RAT), so the crooks pay homage to black hat hacking tools in a way.

Minor tweak of the JobCrypter ransomware
A new build of the JobCrypter strain instructs victims to send a message to one of the following email addresses for decryption steps: [email protected], [email protected], or [email protected]. Other than this updated list, the infection didn't undergo any changes.

FEBRUARY 15, 2017

An interesting move by Cerber makers
The infamous ransomware called Cerber, which has been active for a year now, adopts an offbeat strategy. When running a scan for data to be encrypted, its most recent version ignores files used by security solutions, including firewalls, antivirus, and antispyware tools. Perhaps the malefactors are thus trying to demonstrate that routine computer defenses don't pose a hurdle to their filthy business.

N1N1N1 ransomware update
Not much has been modified in the latest edition of the N1N1N1 ransom trojan. The noteworthy changes include a new file marker of 333333333333 and a different Tor site for the Command and Control server.

FEBRUARY 16, 2017

A ransomware decryption masterclass
Fabian Wosar, CTO and Head of the Malware Research Lab at Emsisoft, demonstrates the process of ransomware analysis in a live video. During the streaming session, he reverses a new sample called Hermes and proves that its encryption can be cracked.

Fine-tuning of PrincessLocker
The perpetrating program in question now drops a recovery manual called @_USE_TO_FIX_JJnY.txt and uses a new Tor link to communicate with its C2 server.

The onset of Kasiski ransomware
Judging by the text in its ransom note, the Kasiski sample targets Spanish-speaking users. It creates the INSTRUCCIONES.txt decryption walkthrough and uses the [KASISKI] prefix to label crippled files.

FEBRUARY 20, 2017

XYZWare is nothing out of the ordinary
A Hidden Tear PoC spinoff called XYZWare is discovered. It was crafted by an Indonesian coder. The pest creates a ransom note called README.txt.

A change to CryptConsole
The only tweak made to CryptConsole as part of a recent update is the new email address [email protected] used for communication with victims.

Merry X-Mas ransomware decryptor updated
Emsisoft releases a new build of the decryption tool for Merry X-Mas, or MRCR, ransomware. The application can now handle the latest version of this crypto infection, which concatenates the .merry extension to files and leaves the Merry_I_Love_You_Bruce.hta ransom note.

FEBRUARY 21, 2017

Android ransomware evolution dissected
Analysts at ESET publish a whitepaper named "Trends in Android Ransomware". They singled out the main evolutionary vectors of Android lockers' activity observed during the past year. According to the report, these threats increasingly leverage spam as the entry point, focus more on the Asian market, use encrypted payloads, and often impersonate adult applications hosted on unofficial app stores.

Sage ransomware upgraded to version 2.2
Sage 2.2 ransomware takes after its predecessor in many ways. It still affixes the .sage extension to filenames and uses the same cryptographic routine. The only alteration is that it has switched to using the !HELP_SOS.hta ransom note.

Another day, another Samas version released
The latest build of the Samas ransom trojan adds the .weencedufiles string to encoded entries and uses a READ-READ-READ.html file with restoration steps.

Avast vs. CryptoMix ransomware
A new free tool by Avast decrypts data mutilated by one of the CryptoMix ransomware variants. In particular, it supports the edition that operates in offline mode, uses the AES-256 algorithm, and appends files with the .cryptoshield, .lesli, .rscl, .scl, .code, .rmd, or .rdmk extension. This offending program also drops ransom notes called HELP_DECRYPT_YOUR_FILES.html and "# RESTORING FILES #.txt".

FEBRUARY 22, 2017

Trump Locker ransomware discovered
The new Trump Locker isn't an independently developed sample. Its authors borrowed the code from the Venus Locker specimen. Interestingly, it appends the .TheTrumpLockerf extension to the most widespread types of files and uses the .TheTrumpLockerp suffix for less popular ones. The ransom note is named "What happen [sic] to my files.txt".

The decryptable Crypt888 strain
The trojan called Crypt888 puts the "Lock." prefix before original filenames and displays a picturesque sea view instead of ransom demands. A free decryptor by Avast can take care of this one.

Details of the PyL33T ransomware
PyL33T is the conventional name of a new Python-based crypto ransomware. It concatenates the .d4nk extension to one's skewed files.

Patcher plague targeting Macs
Although file-encrypting threats designed for Mac OS X aren't very common, new samples do pop up once in a while. The latest infection from this category is camouflaged as patchers for different Mac apps, including Adobe Premiere Pro CC 2017 and Office 2016. Referred to as the Patcher ransomware, it uses the .crypt file extension and a README!.txt ransom note. Unfortunately, its buggy crypto routine may render data irrecoverable.

FEBRUARY 23, 2017

Unlock26 virus gives victims a math lesson
The ransomware called Unlock26 isn't run-of-the-mill because it requires that infected users solve a math problem before they can get to the payment phase. No contact details of the attacker are indicated in the warning window or elsewhere.

Android ransomware with voice input
A unique infection known as Android.Lockdroid.E instructs its victims to use the QQ instant messenger for contacting the threat actors. What is more, after paying the ransom, an infected Android user is supposed to press a specified button and speak the obtained unlock code. This means that the attackers are starting to use voice recognition technology in their extortion schemes.

Pickles ransomware isn't a joke
This is another sample coded in Python. It replaces filenames with random hexadecimal strings followed by the .EnCrYpTeD extension and drops a decryption how-to called READ_ME_TO_DECRYPT.txt.

A new sample written in Go
The Vanguard ransomware is the first one coded in Google's Go language (golang) in a long time. It arrives as a rogue email attachment named MSOffice. Other than that, Vanguard is poorly explored at this point because the C2 server is not functioning.

FEBRUARY 24, 2017

CryptoMix starts using a new file extension
Another update of the CryptoMix pest has brought about a small tweak. The ransomware now stains encrypted files with the .cryptoshiel string, which is obviously a misspelling.

FEBRUARY 25, 2017

Crooks zero in on MySQL servers
Extortionists targeted MongoDB, ElasticSearch, CouchDB, and several more server types heavily during the past two months. Hundreds of recent ransomware incidents demonstrate that it's MySQL databases' turn to undergo similar attacks. The threat actors take the content of these servers hostage and demand 0.2 Bitcoin for recovery.

The self-explanatory Damage ransomware
Researchers spot a new file-encrypting infection that uses the .damage extension to stain scrambled files. The ransom note is called [email protected][random].txt.

BarRax, another Hidden Tear derivative
This is one of the numerous spinoffs of the controversial open-source ransomware called Hidden Tear. It appends the .BarRax suffix to encrypted files. Interestingly, its authors set up a publicly accessible support forum, which is a rare thing in the extortion underground.

Unlock26 operators launch a RaaS
The architects of the Unlock26 trojan create a Ransomware-as-a-Service platform of their own. It's called Dot-Ransomware and allows crooks to build their custom payloads. The configurable values include the list of targeted file formats, ransom sizes based on country, and the type of encryption. The authors' cut is 50% of all ransoms paid.

FEBRUARY 26, 2017

Sardoninir ransomware emerges
The sample called Sardoninir concatenates the .enc extension to locked files. It comes with a hard-coded list of about 100 email accounts that it uses to submit the encryption code to the attacker's email address [email protected].

New Crypt0L0cker details uncovered
Italian ransomware researchers provide an in-depth analysis of the spam wave involved in the new iteration of the Crypt0L0cker strain. In particular, the researchers dwell on the abuse of the "Posta Elettronica Certificata" system to sign rogue emails with the ransomware on board.

FEBRUARY 28, 2017

Expert's thoughts on the future of ransomware
Renowned cryptographer Matthew Green publishes an article in which he expresses his viewpoint on crypto implementation tactics that ransomware developers may start employing in the near future.

Ransomware attacking Czech users
A new strain called FileLocker propagates in the Czech Republic. Its payload is hosted on several local websites compromised by the threat actors. FileLocker adds the .ENCR string to mutilated files and demands 0.8 Bitcoin for decryption.

Good news for Patcher ransomware victims
Malwarebytes analysts come up with a way to restore data affected by the Patcher, or Findzip, ransomware. This sample targets Mac OS X machines, and it was originally believed to distort files beyond recovery. Fortunately, the researchers tailored a workaround to get data back using the PkCrack app and a number of Xcode commands.

SUMMARY

The evolution of ransomware is underway. Threat actors are starting to add quality tech support to their foul play, so marketing is becoming part of the malicious equation. Aside from home users, the targets also include educational establishments, local governments, and closed-circuit television systems. To top it all off, Android ransomware is shaping up to be a major concern, with voice recognition features now complementing its extortion toolset.

The only way to stay on the safe side in this environment of ubiquitous perils is to take effective precautions. The best plan B imaginable is to have a data backup in store, while proper online hygiene works wonders in terms of prevention.
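As a defender's complement to the February 10 entry on RDP brute-force attacks that deposit Crysis, here is an added example of the detection logic a blue team would run over Windows Security events. It is not code from the original article or from Trend Micro. It assumes the events have already been exported as (timestamp, event ID, logon type, source IP, account) records; event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the IP addresses, accounts and timestamps are constructed sample data. The rule flags a source that produces a burst of RDP logon failures inside a sliding window and notes whether a successful RDP logon from the same source follows, which is the sequence that precedes a ransomware deployment over a guessed password.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625    # Windows Security: an account failed to log on
EVENT_SUCCESS_LOGON = 4624   # Windows Security: an account was successfully logged on
LOGON_TYPE_RDP = 10          # RemoteInteractive (Remote Desktop)

# Constructed sample events (documentation-range IPs, invented accounts).
# Tuple layout: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    # password guessing burst followed by a successful RDP logon
    ("2017-02-10 03:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-02-10 03:00:09", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-02-10 03:00:18", 4625, 10, "203.0.113.7", "admin"),
    ("2017-02-10 03:00:27", 4625, 10, "203.0.113.7", "backup"),
    ("2017-02-10 03:00:35", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-02-10 03:00:44", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-02-10 03:01:30", 4624, 10, "203.0.113.7", "administrator"),
    # a user mistyping a password twice: stays below the threshold
    ("2017-02-10 08:15:00", 4625, 10, "198.51.100.4", "jsmith"),
    ("2017-02-10 08:15:20", 4625, 10, "198.51.100.4", "jsmith"),
    ("2017-02-10 08:15:40", 4624, 10, "198.51.100.4", "jsmith"),
    # slow guessing spread across two windows: below threshold in each
    ("2017-02-10 04:00:00", 4625, 10, "192.0.2.9", "administrator"),
    ("2017-02-10 04:00:30", 4625, 10, "192.0.2.9", "administrator"),
    ("2017-02-10 04:01:00", 4625, 10, "192.0.2.9", "administrator"),
    ("2017-02-10 04:10:00", 4625, 10, "192.0.2.9", "administrator"),
    ("2017-02-10 04:10:30", 4625, 10, "192.0.2.9", "administrator"),
    ("2017-02-10 04:11:00", 4625, 10, "192.0.2.9", "administrator"),
    # console logon failure (type 2) is not RDP and is ignored by this rule
    ("2017-02-10 04:11:10", 4625, 2, "192.0.2.9", "administrator"),
]


def parse_events(rows):
    """Turn raw tuples into dicts with real datetimes, sorted chronologically."""
    parsed = [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "logon_type": lt, "ip": ip, "account": acct}
        for ts, eid, lt, ip, acct in rows
    ]
    return sorted(parsed, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source IP that hits `threshold` RDP logon failures
    within `window`; the alert records whether a successful RDP logon from the
    same source followed within `window` of the last failure."""
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    alerts = {}                     # ip -> alert dict
    for ev in events:
        if ev["logon_type"] != LOGON_TYPE_RDP:
            continue
        ip = ev["ip"]
        if ev["event_id"] == EVENT_FAILED_LOGON:
            q = failures[ip]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_failure"] = ev["time"]
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "first_failure": q[0], "last_failure": ev["time"],
                              "failures": len(q), "followed_by_success": False,
                              "account": None}
        elif ev["event_id"] == EVENT_SUCCESS_LOGON and ip in alerts:
            alert = alerts[ip]
            if (not alert["followed_by_success"]
                    and ev["time"] - alert["last_failure"] <= window):
                alert["followed_by_success"] = True
                alert["account"] = ev["account"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        status = "SUCCESSFUL LOGON FOLLOWED" if a["followed_by_success"] else "no success seen"
        print(f"{a['ip']}: {a['failures']} RDP failures since {a['first_failure']} ({status})")
```

The threshold and window are deliberately parameters: a burst of five failures in two minutes is a reasonable starting point for an internet-facing RDP host, while an alert whose `followed_by_success` flag is set should be treated as a probable compromise rather than a probe, since the attacker now has a working credential on the host.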


About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
