November 2016: The Month in Ransomware

Ransomware authors kept trying to break new ground with their attacks last month, just like they did in October. One of the cybercriminal rings blatantly compromised the San Francisco Municipal Transit Agency, demonstrating that critical infrastructure isn’t much of a moving target. Also, a slew of low-impact screen lockers and .NET-based ransomware surfaced. Peruse this report for November to learn more.

NOVEMBER 1, 2016

Cerber now brings the version number out in the open

As part of a new update, Cerber ransomware has started to indicate its version number on the warning wallpaper that replaces the victim’s original one. This change applies to Cerber v4.1.0 and onward. The ransom note is still called Readme.hta.

NOVEMBER 3, 2016

The low-impact Smash ransomware

The infection displays a window with a funny image of Super Mushroom from the Super Mario game. As opposed to its prototype, this character holds a knife in this case, so it doesn’t look as cute. Fortunately, there is a great deal of bluff about the Smash ransomware. It simply locks the screen and doesn’t actually encrypt or delete anything.

DummyEncrypter, aka DummyLocker

Some ransomware programs lock one’s screen. Some encrypt data. The hybrid sample called DummyEncrypter, or DummyLocker, does both. It leverages the AES-256 cryptographic standard to scramble files and appends them with the .dCrypt extension. The payload is disguised as the CCleaner installer.

The hateful zScreenLocker ransomware

This one encrypts its victim’s files and displays a “Ban Islam” message in the desktop background of an infected computer. The unlock password is fairly weak, so it can be brute-forced.

EncryptoJJS isn’t as bad as it appears

The new ransomware specimen called EncryptoJJS appends the .enc extension to every encrypted file and leaves the “How to recover.enc.txt” ransom note. It’s not very professionally designed, hence potentially decryptable.

NOVEMBER 4, 2016

The old school look and feel of PayDOS

The PayDOS sample displays its warning message and ransom demands within the command prompt window. It requests 0.33 Bitcoin for decryption. Strangely enough, it instructs victims to reach the attacker via a nonexistent email address – [email protected] Looks like an in-development ransomware.

Nothing special about the Gremit Ransomware

The strain appears to be buggy as it only encodes data inside one predefined directory that may even be missing on a contaminated machine. If the encryption is successful, it appends files with the .rnsmwr extension.

RSA dissects new Cerber ransomware editions

Experts at RSA publish an article titled “The Evolution of Cerber… v4.1.x”, with a detailed analysis of the recent Cerber iterations that display the version number on the desktop wallpaper. The research touches upon the proliferation vectors and the ransomware’s Command and Control infrastructure.

NOVEMBER 5, 2016

CLock.Win32.Ransomware

Fortunately, a new perpetrating program called CLock doesn’t actually implement cryptography. All it does is intimidate victims with a red screen that asks for 20 USD payable through PayPal. The attacker’s email address indicated on the alert window is [email protected]

NOVEMBER 7, 2016

Cerber ransomware v4.1.4 is underway

The distribution channel exploited by this variant of Cerber involves emails pretending to deliver invoices. The attached ZIP files contain Microsoft Word documents that display a rogue macros activation popup when opened.

NoobCrypt featuring buggy obfuscation

The new edition of NoobCrypt relies on an evaluation build of an obfuscator that has been non-functional since October 5, 2016. Luckily, files can be decrypted with an arbitrary unlock key.

The emergence of a Cerber copycat

A sample impersonating the Cerber ransomware was discovered. Dubbed CerberTear, this one is based on the open-source code of Hidden Tear, a notorious educational project that gave rise to numerous real-world ransom Trojans.

Jigsaw Ransomware variant targeting French users

Security analyst Michael Gillespie (@demonslay335) spotted a new edition of the Jigsaw Ransomware that leaves a ransom note in French. The infection concatenates the .encrypted extension to locked entries. Due to a flaw in the crypto, files can be decrypted for free.

NOVEMBER 8, 2016

FSociety ransomware claiming to use RSA-4096 crypto

The code of the FSociety ransomware is based on another strain called RemindMe, which has been in rotation since April 2016. The infection uses the .dll extension to label all encrypted files and drops ransom notes called Decrypt_Your_Files.html.

Ransomware disguised as a PaySafeCard generator

This sample definitely stands out from the crowd because it pretends to be a PaySafeCard PIN code generator. While an unsuspecting victim is busy trying to generate their code, the ransomware encrypts data behind the scenes. It prepends the original file extensions with the “.cry_” string. This infection can render the system unstable as it encrypts executables along with personal files.

New AiraCrop ransomware on the table

The name stems from the ._AiraCropEncrypted extension being added to encrypted objects. The ransomware leaves the “How to decrypt your files.txt” manual that provides victims with a recovery avenue. A Brazilian cybercriminal ring called TeamXRat is the one presumably responsible for distributing this sample.

The iRansom pest for sale

Wannabe online extortionists can purchase a readily available ransom Trojan called iRansom on darknet resources. This turnkey infection concatenates the .Locked extension to crippled files, demands a rather low ransom of about 0.15 BTC, and instructs victims to shoot an email to [email protected] afterward.

NOVEMBER 9, 2016

Experimental PHP ransomware called Heimdall

A programmer from Brazil created open-source PHP-based ransomware that targets web servers. Dubbed Heimdall, this proof-of-concept code is available on the author’s GitHub page. Hopefully, the outcome of this project won’t be similar to that of the EDA2 and Hidden Tear POCs, which spawned actual threats propagating in the wild.

Telecrypt ransomware targeting Russian users

This offending program uses the Telegram API to interact with its Command and Control servers. The interface is in Russian. It demands a ransom of 5,000 Rubles (about 80 USD), which is payable via QIWI Wallet or Yandex.Money.

The “Kolobok” fairy tale themed ransomware

Researchers discovered another ransom Trojan that zeroes in on Russian victims. It features a colorful desktop background based on the “Kolobok” fairy tale, which is popular in the countries of Eastern Europe. Fortunately, this almost cute sample is no longer in the real-world rotation.

NOVEMBER 10, 2016

Rogue bank fraud alerts spreading Locky

The operators of the Locky ransomware have launched a new phishing campaign. It involves fake notifications about suspicious banking transactions. These emails are allegedly sent by an account manager representing the U.S. Office of Personnel Management (OPM). The attached ZIP archive contains a booby-trapped JavaScript file that downloads and executes Locky on the recipient’s computer.

NOVEMBER 14, 2016

The fall of the CrySiS ransomware

The developer of the CrySiS ransom Trojan joins a support thread at the Bleeping Computer forums and provides a Pastebin link to a page with Master Decryption Keys for their infection. Whatever the threat actor’s motivation was, he made it possible for CrySiS victims to restore their data. Kaspersky Lab updated their RakhniDecryptor tool to support the ransomware. Therefore, everyone infected can use the app to decrypt hostage files for free.

Karma ransomware mimicking a system optimizer

This new sample pretends to be a performance optimization utility called Windows-TuneUp. Rather than enhance system productivity, though, Karma ransomware encrypts files using the AES standard, appends them with the .karma extension, and leaves # DECRYPT MY FILES #.html/txt ransom notes. The rogue optimizer propagates via a pay-per-install scheme and freeware bundling.

PadCrypt 3.0 added an affiliate platform

The cybercrooks behind the PadCrypt ransomware launch an affiliate system. It allows interested parties to distribute version 3.0 of the infection and share their revenue with the developers.

The Angela Merkel ransomware

One of the ransomware deployment rings decided to play politics, creating the Angela Merkel ransomware. The perpetrating program’s main window is titled “Angela Merkel has infected you” in German and displays a photo of the current Chancellor of Germany. Victims’ files are appended with the .angelamerkel extension.

NOVEMBER 15, 2016

The bluff of the Ransoc ransomware

The strain in question is scareware rather than a regular ransom Trojan. It locks its victim’s desktop and displays a “Penalty Notice” screen claiming that some prohibited content was spotted on the PC. The pest tells the user to pay a fee of 100 USD within 3 hours; otherwise the case allegedly goes to court.

CryptoLuck devs use an exploit kit for distribution

The malefactors in charge of the CryptoLuck ransomware campaign use a network of compromised websites and the infamous RIG-E exploit kit to deposit their code onto Windows computers. The infection uses a combo of the AES-256 and RSA cryptographic algorithms and concatenates the .[victim_ID]_luck extension to encrypted files. The size of the ransom is 2.1 BTC.

The German “demo” ransomware spotted

This offending program is unusual because it only targets .jpg objects on an infected computer. It adds the .encrypted extension to each. The ransom note called HELP_YOUR_FILES.txt contains text in German. It tells the victim to submit 0.5 BTC for recovery.

NOVEMBER 16, 2016

Ransomware author seeks assistance from a security analyst

An individual claiming to be the Apocalypse ransomware developer contacts Emsisoft researcher Fabian Wosar. The ne’er-do-well asks Mr. Wosar to help fix an imperfection in the encryption routine. Successful troubleshooting would purportedly prevent the ransomware from corrupting victims’ files. Wosar doesn’t comply and instead develops a decryption tool.

The comeback of PClock

The PClock ransomware, which resembles the notorious CryptoLocker, reappears on the computer threat landscape after months of inactivity. Distributed via spam, this strain extorts about 0.5 BTC and sets a payment deadline of 120 hours.

Princess Locker decryptor is underway

A member of the Malwarebytes research team nicknamed ‘hasherezade’ manages to crack the Princess Locker ransomware. Development of an automatic free decryption tool is in progress.

NOVEMBER 17, 2016

Globe ransomware decryptor updated

Emsisoft’s Fabian Wosar releases an updated decryptor for Globe2, the newest variant of the Globe ransomware that appends the .blt, .raid10, .zendr4, and several other extensions to scrambled files.

Locky distributors opt for more social engineering

The latest iteration of the Locky ransomware proliferates via rogue Adobe Flash Player update websites. Would-be victims are redirected to pages stating that their current version of Flash Player is out of date. These sites trigger the malicious executable automatically.

The new Crypton ransomware

This one represents the array of crypto threats coded in the .NET programming language. It uses a generic malware dropper to infect PCs, encrypts one’s data using a mix of the AES and RSA ciphers, and appends the “_crypt” string to filenames while keeping the extension unaltered. The ransom size ranges from 0.2 BTC to 2 BTC.

ShellLocker demands 100 USD in Bitcoins

ShellLocker is another .NET-based ransomware. The use of this programming language is evidently on the rise with online extortionists. This sample adds the .L0cked extension to files and requests a Bitcoin equivalent of 100 USD for decryption.

Dharma ransomware, a new CrySiS heir

A few days after the CrySiS authors released their Master Decryption Keys, a very similar strain surfaced. Referred to as “Dharma,” the revamped threat appends the attackers’ email address and the .wallet extension to filenames. Victims are supposed to contact the crooks over email. The addresses include [email protected], [email protected], [email protected], [email protected], [email protected], and a few more. The ransom notes are called README.txt and README.jpg.

NOVEMBER 18, 2016

The success of ID Ransomware

The ID Ransomware project by MalwareHunterTeam went live in April 2016. It helps ransomware victims identify the particular malware strain that hit them. To this end, users must upload a ransom note or a sample encrypted file to the service. By determining the name and version of the infection, victims can apply for researchers’ assistance in decrypting their data. As of mid-November, the service could detect 238 different ransomware families.

CHIP propagation backed by an exploit kit

A new ransomware strain surfaced that leverages the RIG-E exploit kit for proliferation. Users get infected when visiting malicious or compromised sites. The program leaves the CHIP_FILES.txt ransom note to provide victims with a data decryption walkthrough.

The Deadly ransomware causing side effects

The sample called Deadly poses a major problem because there is a critical flaw in the way it handles encrypted files. It fails to save the decryption key. Consequently, victims’ data is irrecoverable.

NOVEMBER 19, 2016

PadCrypt 3.0 gets trickier

The distributors of PadCrypt version 3.0 adopt a new contamination tactic. The ransomware masquerades as a Visa Credit Card generator. While a targeted user fills out the fields within this phony applet’s interface, the infection scours their computer for personal files and encrypts them.

NOVEMBER 21, 2016

Locky ransomware spreading via Facebook spam

The threat actors behind Locky contrived a new distribution scheme. It relies on a Facebook spam campaign that delivers a disguised ransomware payload over Facebook’s instant messaging platform. The contagious file looks like a photo and has the .svg extension. When a recipient opens the file, an obfuscated XML script redirects them to a bogus YouTube page that pushes a malicious Chrome extension. This way, the malware downloader called Nemucod ends up inside the PC and executes Locky.

Crypt888 ransomware update

Crypt888 prepends the “Lock.” string to filenames. The ransom notes are in Portuguese. The pest demands a Bitcoin equivalent of 2000 USD for decryption. Owing to a tool by Avast, it’s possible to decrypt the files.

Locky switches to the .aesir extension

A new version of the Locky ransomware emerges. It concatenates the .aesir extension to encrypted files and drops the _[random_number]-INSTRUCTION.html/bmp ransom notes. The infection continues to propagate via spam.

Vindows Locker devs should work on their spelling

The new strain called Vindows Locker encrypts files and appends the .vindows extension to them. It recommends victims give a phone call to a purported Microsoft support technician and thus get their files back for a one-time charge of 349.99 USD.

NOVEMBER 22, 2016

Princess Locker decrypted

The above-mentioned Malwarebytes researcher ‘hasherezade’ finally releases a free decryptor for Princess Locker.

NOVEMBER 23, 2016

Telecrypt ransomware is no longer an issue

The Malwarebytes team keeps finding ways to get around the crypto of some ransomware families. This time, an analyst named Nathan Scott discovered and exploited a flaw in the Telecrypt ransomware data scrambling routine. The decryption tool allows infected users to restore their data for free.

A likely future change in the Locky spam

Experts from the Cisco Talos Group stumbled upon a new Locky spam campaign involving a file format that the crooks hadn’t used before. Masqueraded as bill payment advice messages from the HSBC financial services company, the rogue emails contain MHT file attachments. Once opened, these files trigger the contamination chain.

The Thanksgiving ransomware found

Although this one displays an image of a turkey on infected users’ desktop, it isn’t likely to evoke any holiday sensations. Dubbed the Thanksgiving ransomware, the sample is most likely still in development. The ransom note indicates the attacker’s email address, [email protected]

OzozaLocker spotted and promptly decrypted

Having completed the encryption process, OzozaLocker affixes the .Locked extension to every affected file and requests 1 BTC for decryption. The ransomware instructs a victim to reach the author at [email protected] When a user double-clicks on a random encrypted file, a VBS script goes off and displays a popup with decryption steps.

NOVEMBER 24, 2016

Locky starts using the .zzzzz extension

Shortly after the Aesir variant of Locky went live, the criminals released a new edition that concatenates the .zzzzz string to encoded entries. Other than that, the newbie and its precursor appear to be identical.

Cerber ransomware 5.0 surfaces

The newest build of the Cerber plague propagates via the RIG-V exploit kit. Similarly to its forerunner, it displays the version number on the desktop wallpaper and appends files with a victim-specific 4-character extension that matches the GUID of the infected machine.

Another strain based on proof-of-concept code

A new crypto infection heated up experts’ discussion regarding the controversy of open-source educational ransomware. Researchers discovered a sample based on the Hidden Tear proof-of-concept project. The ransomware features a Jigsaw movie-themed background.

Open-source origin of the Lomix ransomware

Lomix is another offending program based on open-source code. Malware researchers should definitely think twice before making their POCs available to the public. In this case, the project called CryptoWire became the prototype of the real-world sample in question. The Lomix ransomware extorts a Bitcoin equivalent of 500 USD for decryption.

The new CockBlocker pest

CockBlocker, also referred to as RansomwareDisplay, adds the .hannah extension to scrambled files. It appears to be in development, with no in-the-wild distribution spotted thus far.

NOVEMBER 25, 2016

Cerber update introduces a minor modification

The only noteworthy change that took effect as part of the new Cerber ransomware update has to do with the ransom note. The infection now drops the “_README_.hta” recovery manual instead of the “Readme.hta” file used earlier.

NOVEMBER 26, 2016

A screen locker that’s easy to defeat

A new non-crypto ransomware surfaced that locks its victim’s screen, states that viruses were detected on the PC, and recommends contacting a technician over the telephone. Having analyzed this sample, researchers were able to retrieve the unlock password – 01548764GHEZG784.

The Crypter ransomware targeting Brazilian users

Crypter is a low-impact ransom Trojan that renames one’s files rather than encrypting them. The ransom note is in Portuguese. The ransom amounts to 1 BTC.

Another screen locker is full of bluff

The sample displays a lock screen saying, “Your Windows Has Been Banned.” It wrongfully states that unusual activity was detected on the computer and instructs the victim to contact the nearest Microsoft technician for troubleshooting. The unlock code is 123456 – as simple as that.

NOVEMBER 28, 2016

Kangaroo ransomware is double trouble

The offending code under consideration encrypts one’s personal files and generates a lock screen each time the victim tries to log into Windows. Those infected are told to contact the threat actor at [email protected] for recovery advice.

VindowsLocker cracked

Security analysts were able to create a free decryptor for VindowsLocker, which employs tech support scam tactics to make victims cough up 349.99 USD. It turns out that the attackers’ own decryption model is buggy and doesn’t function right.

HDDCryptor ransomware attacks San Francisco Muni

A piece of ransomware that overwrites the Master Boot Record of an infected machine compromised the IT infrastructure of the San Francisco Municipal Transit Agency (SFMTA), also known as Muni. This attack paralyzed the fare system and other IT network components for several days. The threat actors demanded 100 BTC, or about 73,000 USD, for recovery.

PowerShell-based ransomware spotted

A new sample of PowerShell-based ransomware overwrites one’s original files and requests a ransom to fix the problem. It appears to be a demo variant at this point.

HTCryptor ransomware based on a POC

This strain appears to be another spinoff of the Hidden Tear open-source code. As part of the attack workflow, it attempts to disable the Windows firewall in order to evade detection.

NOVEMBER 29, 2016

SFMTA stops rumors about data theft

San Francisco Muni officials deny that HDDCryptor operators stole over 30 GB of corporate data in the course of the recent breach.

Emsisoft keeps upsetting ransomware devs

Fabian Wosar from Emsisoft releases a decryptor for the NMoreira ransomware, also referred to as XPan. The free tool allows victims to restore files with the .maktub and ._AiraCropEncrypted! extensions.

Ransomware hits Carleton University

Carleton University in Canada suffers the consequences of a ransomware attack. An unidentified file-encrypting strain impacted the institution’s email servers and a number of other IT services. The adversary demands 39 Bitcoins.

NOVEMBER 30, 2016

Jigsaw ransomware trickery

A new edition of Jigsaw uses a phony Electrum Coin Adder tool to obfuscate its installation and the data encryption process.

Zeta ransomware update

The latest variant of the file-encrypting plague called Zeta switches to using the .rmd extension for scrambled data objects. This extension is prepended with the attacker’s email address, [email protected]

The new look and feel of TorrentLocker/Crypt0L0cker

The criminals behind TorrentLocker, or Crypt0L0cker, made a few tweaks to their extortion program. The most recent iteration concatenates a random 6-character extension to encrypted files and leaves the HOW_TO_RESTORE_FILES.txt/html ransom notes.

Princess Locker gets new makeup

The latest incarnation of the Princess Locker features new ransom instructions called !_HOW_TO_RESTORE_*[victim_ID]*.txt. The ID is unique for every victim and consists of 4 or 6 hexadecimal characters.

SUMMARY

That’s it for November. One of the fundamental takeaways from this report is that the ransomware epidemic keeps assuming new shapes. The cybercrooks are focusing more on targeting organizations, including transportation companies and educational institutions. Under the circumstances, the only viable response is to maintain data backups. Hopefully, law enforcement agencies will come up with a way to track these criminals down and stop the ransomware plague in the near future.
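The ID Ransomware entry above describes identification by ransom-note name and encrypted-file name, and many of the entries in this report quote exactly those indicators (extensions such as .aesir, .karma or .L0cked, notes such as _README_.hta or CHIP_FILES.txt). The following is an added example, not code from the article, from ID Ransomware or from MalwareHunterTeam, showing how a responder can apply that idea to a directory listing pulled from a suspect host: an indicator table built only from names this report quotes, a per-file matcher, and a triage step that ranks families by how much evidence (extension hits and note hits) a listing contains. Victim-specific parts of names (the CryptoLuck victim ID, the Locky random number, the Princess Locker hex ID) are modelled as character classes because the article only describes their shape; the sample listing is constructed for illustration.

```python
"""Match file names from a suspect host against ransomware indicators.

Added example (not the article's or ID Ransomware's code). The indicator
table below is built only from extensions and ransom-note names quoted in
the November 2016 report; victim-specific fragments are modelled as
character classes. The sample listing at the bottom is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str            # "extension" (renamed data file) or "note" (ransom note)
    pattern: re.Pattern  # applied to the bare file name, not the full path


# Extension patterns are anchored at the end of the name, note patterns at both
# ends. Generic note names the report also mentions (README.txt for Dharma) are
# deliberately left out: they collide with ordinary files and cause false hits.
INDICATORS: List[Indicator] = [
    Indicator("Locky", "extension", re.compile(r"\.(aesir|zzzzz)$", re.I)),
    Indicator("Locky", "note", re.compile(r"^_\d+-INSTRUCTION\.(html|bmp)$", re.I)),
    Indicator("Karma", "extension", re.compile(r"\.karma$", re.I)),
    Indicator("Karma", "note", re.compile(r"^# DECRYPT MY FILES #\.(html|txt)$", re.I)),
    # ".[victim_ID]_luck": the ID is victim-specific, so only its shape is checked.
    Indicator("CryptoLuck", "extension", re.compile(r"\.[A-Za-z0-9]+_luck$")),
    Indicator("AiraCrop / NMoreira", "extension", re.compile(r"\._AiraCropEncrypted!?$")),
    # Crypton keeps the original extension and inserts "_crypt" before it.
    Indicator("Crypton", "extension", re.compile(r"_crypt\.[^.]+$", re.I)),
    # ".L0cked" (zero) and ".Locked" (letter o) are distinct families; keep case-sensitive.
    Indicator("ShellLocker", "extension", re.compile(r"\.L0cked$")),
    Indicator("iRansom / OzozaLocker", "extension", re.compile(r"\.Locked$")),
    Indicator("Dharma", "extension", re.compile(r"\.wallet$", re.I)),
    Indicator("Globe2", "extension", re.compile(r"\.(blt|raid10|zendr4)$", re.I)),
    Indicator("Cerber", "note", re.compile(r"^(Readme|_README_)\.hta$", re.I)),
    # "!_HOW_TO_RESTORE_*[victim_ID]*.txt" with a 4- or 6-hex-character ID.
    Indicator("Princess Locker", "note",
              re.compile(r"^!_HOW_TO_RESTORE_\*?[0-9a-f]{4}(?:[0-9a-f]{2})?\*?\.txt$", re.I)),
    Indicator("TorrentLocker / Crypt0L0cker", "note",
              re.compile(r"^HOW_TO_RESTORE_FILES\.(txt|html)$", re.I)),
    Indicator("CHIP", "note", re.compile(r"^CHIP_FILES\.txt$", re.I)),
    Indicator("FSociety", "note", re.compile(r"^Decrypt_Your_Files\.html$", re.I)),
    Indicator("EncryptoJJS", "note", re.compile(r"^How to recover\.enc\.txt$", re.I)),
    # PaySafeCard lure prepends ".cry_" to the original extension: photo.cry_jpg
    Indicator("PaySafeCard lure", "extension", re.compile(r"\.cry_[^.]+$", re.I)),
    Indicator("Crypt888", "extension", re.compile(r"^Lock\.", re.I)),
]


def identify(filename: str) -> List[str]:
    """Return the families (deduplicated, table order) whose indicators match one name."""
    hits: List[str] = []
    for ind in INDICATORS:
        if ind.pattern.search(filename) and ind.family not in hits:
            hits.append(ind.family)
    return hits


def triage(filenames: List[str]) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Tally extension and note evidence per family; also return names that matched nothing."""
    evidence: Dict[str, Dict[str, int]] = {}
    unmatched: List[str] = []
    for name in filenames:
        matched = False
        for ind in INDICATORS:
            if ind.pattern.search(name):
                evidence.setdefault(ind.family, {"extension": 0, "note": 0})[ind.kind] += 1
                matched = True
        if not matched:
            unmatched.append(name)
    return evidence, unmatched


def best_guess(evidence: Dict[str, Dict[str, int]]) -> Optional[str]:
    """Prefer a family backed by both a note and renamed files, then by total hit count."""
    if not evidence:
        return None
    return max(
        evidence,
        key=lambda fam: (min(evidence[fam].values()) > 0, sum(evidence[fam].values())),
    )


# Constructed listing of a hypothetical user's Documents folder after a Locky hit.
SAMPLE_LISTING = [
    "Q3-report.docx.aesir",
    "family-photo.jpg.aesir",
    "_4213587-INSTRUCTION.html",
    "_4213587-INSTRUCTION.bmp",
    "budget.xlsx",
    "notes.txt",
]

if __name__ == "__main__":
    ev, rest = triage(SAMPLE_LISTING)
    print("evidence:", ev)           # {'Locky': {'extension': 2, 'note': 2}}
    print("unmatched:", rest)        # ['budget.xlsx', 'notes.txt']
    print("best guess:", best_guess(ev))  # Locky
```

The matcher works on bare names, so feed it `os.listdir` output or the file-name column of an EDR export rather than full paths. Treat a single extension hit as a lead rather than a verdict: several families in the report share indicators (.Locked for iRansom and OzozaLocker, .encrypted for the French Jigsaw variant and the German demo), which is why `best_guess` gives extra weight to a family that has both a ransom note and renamed files in the same listing.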

David Balaban

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
