November 2017: The Month in Ransomware

November didn’t shape up to be revolutionary in terms of ransomware, but the shenanigans of cyber-extortionists continued to be a major concern. The reputation of the Hidden Tear PoC ransomware project hit another low as it spawned a bunch of new real-life spinoffs. The crooks who created the strain dubbed Ordinypt should be really ashamed of themselves, as their brainchild goes a scorched-earth route and simply destroys victims’ data beyond recovery. Furthermore, quite a few copycats of the infamous WannaCry ransomware popped up only to demonstrate that the original is always better than the sequel.

All in all, here’s a brief statistical breakdown of the month: 37 new ransomware species were discovered, 23 existing samples got a facelift, and three ransomware decryptors were released by the white hats.

NOVEMBER 1, 2017

Hidden Tear offshoot with French origin

Threat actors continue to abuse the proof-of-concept Hidden Tear ransomware. Its newest real-life incarnation targets French users, appends encrypted files with the .hacking extension, and instructs victims to contact the attacker at [email protected].

NOVEMBER 2, 2017

Ostentatious claims regarding Hidden Tear

An umpteenth remake of the above-mentioned academic Hidden Tear goes live. It blemishes encrypted files with the .locked string, drops a READ_ME.txt help manual, and displays a questionably truthful warning screen that says it’s “one of the most powerful ransomware’s around”.

Magniber strain updated

Magniber, a ransomware sample that’s most likely a successor to the nasty Cerber culprit, undergoes an update within one of its multiple affiliate campaigns. The infection switches to subjoining the .skvtb extension to ransomed files.

It’s time for Jigsaw to get some fine-tuning

Cybercriminals release a new variant of the Jigsaw ransomware, a true old stager on the extortion arena. The pest now appends the .game suffix to victims’ data entries while still displaying the same movie-themed background.

Hermes ransomware remake

Hermes 2.1 Ransomware is what this perpetrating program’s current edition is called. It stains encrypted files with the .HRM extension and leverages a mix of the RSA cipher and Microsoft’s CryptGenRandom function to lock data.

New hallmarks of the Matrix ransomware

A few tweaks are made to the existing blackmail Trojan called Matrix. Its latest build labels hostage data with the _[[email protected]].[original extension] string and provides recovery steps in a document named !OoopsYourFilesLocked!.rtf.

NOVEMBER 3, 2017

GIBON ransomware released and quickly decrypted

This one appears to be quite professionally tailored, but that’s a delusive impression in a way. It concatenates the .encrypt extension to files, leaves a ransom how-to named READ_ME_NOW.txt, and works just like garden-variety ransomware. However, malware analyst Michael Gillespie finds a way to defeat the crypto and contrives a free decryption tool shortly after GIBON’s discovery.

Sad Ransomware lives up to its name

The specimen in question drops a _HELPME_DECRYPT.html rescue note and appends a victim-specific extension to locked files. When it’s done encrypting data, it generates a short beep sound. So far, files cannot be decrypted without paying the ransom.

Ranion ransomware gets a fresh look and feel

Ranion was originally spotted in early February 2017 as a RaaS (Ransomware-as-a-Service) platform. It took the crooks nine months to come up with a fresh edition that blemishes a plagued user’s files with the .ransom extension and provides recovery tips in a README_TO_DECRYPT_FILES.html manual. The ransom note is available in seven different languages.

NOVEMBER 4, 2017

Hidden Tear echoes back, once again

A new blackmail virus based on the educational Hidden Tear code appears. It’s called Curumim and targets a Portuguese-speaking audience. The pest concatenates the .curumim extension to encoded files and provides a ransom payment deadline of one day.

XiaoBa ransomware updated

This strain originally surfaced on October 27, so it took the ne’er-do-wells one week to craft and release an updated edition. The infection now locks the screen of an infected PC and demands a Bitcoin equivalent of 250 RMB (Chinese Yuan), which is worth about $37.

Zika ransomware continues the HT saga

The scandalous Hidden Tear project gives rise to Zika, a ransom Trojan targeting Spanish-speaking users. It concatenates the .teamo string to locked data items.

Waffle ransomware isn’t too delicious

The new Waffle ransomware is exactly what it sounds like. Its ransom notification is named ‘Waffle’ and includes a picture of a bunch of waffles in the background. Furthermore, it appends the .waffle extension to a victim’s files. The ransom amounts to $50 worth of Bitcoin.

NOVEMBER 6, 2017

Unexpected details of the GIBON ransomware unearthed

In-depth analysis of the GIBON ransomware campaign has revealed that it’s much older than previously thought. Specifically, this turnkey ransomware kit has been marketed on Russian dark web forums since May 2017.

NOVEMBER 7, 2017

Sigma ransomware spotted

The payload of this sample is disguised as a GUID Helper tool (GUID.exe.bin). Having encrypted a victim’s valuable files, Sigma stains them with a random extension and drops a ransom how-to document named ReadMe.txt. The attackers demand $1,000 worth of Bitcoin for the private key and decryptor software.

NOVEMBER 8, 2017

The premature Christmas Ransomware

Extortionists are, obviously, prepping for the holiday season with the new Christmas Ransomware. It displays a picture of a leafless forest with Christmas toys hanging on the trees. The ransom amounts to 0.03 Bitcoin (about $230). It is currently in development and does not encrypt data yet.

Another city hit by blackmail virus

The computer servers of the city of Spring Hill, TN get hijacked by an unknown strain of ransomware. The infection reportedly took root as an employee clicked on a booby-trapped email attachment. As a result, city workers are unable to use email and accept online payments. The criminals ask for $250,000 to restore the affected services.

Jhash ransomware uses a file extension familiar to many

The fresh sample called Jhash is a Hidden Tear spinoff zeroing in on Spanish-speaking computer users. It subjoins the .locky extension to encoded files and instructs victims to submit ransoms via the Payza online payment platform.

NOVEMBER 9, 2017

Ordinypt – classic ransomware or wiper?

The specimen in question is propagating in Germany. Ordinypt drops rescue notes named Wo_sind_meine_Dateien.html (“Where_are_my_files.html” in English). As opposed to commonplace crypto parasites, this one overwrites files with random values instead of encrypting them. Consequently, there is no way to restore the data.

NOVEMBER 10, 2017

LockCrypt has got a RaaS-related background

The sample called LockCrypt was originally distributed via a Ransomware-as-a-Service platform called Satan. Later on, the threat actors must have invested some money and effort to code their own ransomware operating independently from the RaaS. LockCrypt is deposited on computers and servers by brute-forcing RDP credentials.

CrySiS ransomware fine-tuned

The most recent edition of the CrySiS, or Dharma, ransomware switches to adding the .cobra extension to locked files. It also drops a ‘Files encrypted!!.txt’ ransom note and instructs victims to contact the attackers at [email protected] for recovery steps.

LOL ransomware passes itself off as a keygen

The malicious binary of the C#-based LOL ransomware strain is masqueraded as a keygen application for VMware products. It concatenates the .lol string to encrypted files.

NOVEMBER 11, 2017

Jigsaw strain gets slightly modified

A brand-new variant of the Jigsaw ransomware is detected in the wild. It stains hostage data with the .##encrypted_by_pabluklocker## extension token and displays an updated set of messages.

Blackmail virus pretending to come from Cyber Police

Threat actors take advantage of the Hidden Tear project to coin another real-world crypto infection. The latest incarnation sports a warning message saying, “Your computer is blocked by Cyber Police for unlicensed software’s usage.” The pest subjoins the .locked suffix to ransomed files.

GlobeImposter changes its behavior

Some of the recent editions of the fertile GlobeImposter strain feature an externally inconspicuous yet significant modification in their modus operandi. The developers have changed the culprits’ config extraction script and the technique used to encrypt configuration data.

NOVEMBER 12, 2017

Stroman ransomware resurfaces

Although the perpetrating program in question hasn’t ever been in wide distribution and had pretty much vanished from the extortion arena lately, it spawned a new version out of the blue. The baddie now concatenates the .fat32 extension to files and provides recovery tips in the info.txt manual.

NOVEMBER 13, 2017

CryptoMix reaches the end of the alphabet

The latest mod of the fairly professionally made CryptoMix ransomware switches to using the .XZZX extension string for scrambled files. As before, the rescue note is named _HELP_INSTRUCTION.txt.

jCandy isn’t sweet at all

Malware analysts stumble upon a fresh specimen called jCandy. It affixes the .locked-jCandy string to no-longer-accessible data. Interestingly, this one drops two different editions of the ransom how-to at the same time, named READ_ME.txt and JCANDY_INSTRUCTIONS.txt.

In-dev French ransomware discovered

Once again, security experts were able to spot a blackmail infection before it went real-world. This one displays all of its warnings in French and is configured to stain files with the .lockon suffix. This would-be baddie currently doesn’t encrypt data anywhere except a directory named ‘testrw’.

Dr.Web cracks a relatively new ransom Trojan

A ransomware lineage blemishing encrypted data with the .[attacker’s email].blind or .[attacker’s email].kill extensions is now potentially decryptable courtesy of the antivirus vendor Dr.Web. Those infected may be able to restore their files using the company’s Rescue Pack tool. Be advised: this service isn’t free.

Unsurprisingly, GlobeImposter gets another update

The most recent iteration of GlobeImposter brings about the following new attributes: the .kimchenyn file extension, plus a ransom notification named how_to_back_files.html.

Fresh Amnesia2 ransomware version turns out somewhat crude

The edition in question scrambles filenames beyond identification and concatenates the .am extension to each one. Its ransom how-to document, ENCRYPTED FILES.txt, contains nothing but a bunch of digits that don’t make sense. So victims have no idea how to pay the ransom even if they are up to it. This, by the way, isn’t a good idea because a free tool called Emsisoft Decrypter for Amnesia2 supports this pest.

Goofed ransomware surfaces

The silly name doesn’t make this Hidden Tear offspring any less harmful than the rest. It speckles encrypted files with the .goofed extension and provides recovery steps in a YOU_DONE_GOOFED.txt document. Goofed ransomware demands $100 worth of Bitcoin for decryption.

NOVEMBER 14, 2017

GlobeImposter authors get naughty

The GlobeImposter family expands with yet another sample. This time, the culprit concatenates the .SEXY extension to ransomed data entries and instructs users to send a message to [email protected] for recovery steps.

NOVEMBER 15, 2017

J. Sterling Student Survey ransomware

This one zeroes in specifically on students of the J. Sterling Morton school district, Illinois. Its propagation relies on a bogus student survey that looks trustworthy enough for would-be victims to go ahead and click through. The ransomware does not do any real damage in its current state.

NOVEMBER 16, 2017

RASTAKHIZ ransomware campaign underway

Cybercriminals strike again using the Hidden Tear PoC. One more spinoff labels encrypted data with the .RASTAKHIZ extension. The infection goes with a well-designed GUI.

NOVEMBER 17, 2017

CryptoMix switches to a numeric extension

One more version of the CryptoMix ransomware pops up that concatenates the .0000 string to one’s skewed files and uses an updated set of four contact email addresses. The name of the ransom note is the same (_HELP_INSTRUCTION.txt).

WannaSmile ransomware

This one sure sounds better than the ill-famed WannaCry threat but isn’t much more promising for victims. Its ransom note ‘How to decrypt files.html’ is in Persian. The extension added to filenames is .WSmile.

CorruptCrypt is good at evading AVs

The sample called CorruptCrypt boasts a zero detection rate two days after discovery, which is a disconcerting hallmark. It uses two extensions concurrently to stain locked files, namely .corrupt and [email protected].

Hand of God screen locker isn’t celestial at all

The ransom Trojan in question displays an “FBI anti-piracy warning” screen and instructions in French. It coerces victims to pay 0.06 Bitcoin (about $580) for unlocking their computers.

BASS-FES proves the Hidden Tear abuse story is ongoing

Yet another derivative of the academic Hidden Tear starts making the rounds. It’s called BASS-FES, which is an acronym for BitchASS File Encryption System. This pest subjoins the .basslock suffix to encrypted items.

NOVEMBER 18, 2017

Russian imitation of WannaCry appears

The warning screen displayed by this ransomware closely resembles WannaCry’s, but it is titled “Wanna die decrypt0r” and contains Russian text. Still in development, it does not encrypt files at this point.

NOVEMBER 20, 2017

CrySiS ransomware update

The latest mod of the CrySiS/Dharma ransomware strain switches to concatenating the .java extension to encrypted data entries.

NOVEMBER 21, 2017

Cryakl ransomware devs feel fairytale-ish

Cryakl is a lineage that was one of the pioneers on the extortion arena and had pretty much vanished from the threat landscape. As part of its first update in many months, though, the pest starts adding the .fairytale string to encoded files.

CryptoLocker lookalike called Locket ransomware

The Locket sample goes with a GUI imitating that of the infamous CryptoLocker. Although it fails to perform encryption, it demands a ransom of 0.1424 BTC (about $1,500).

GlobeImposter fine-tuned

A fresh variant of the GlobeImposter crypto baddie subjoins the .Ipcrestore extension to enciphered files and continues to drop a rescue note named how_to_back_files.html.

NOVEMBER 22, 2017

The unusual qkG ransomware

As opposed to other ransomware strains, the qkG sample only targets Microsoft Office documents found on a contaminated computer. To add insult to injury, it also affects all new Word files that the victim opens.

Test version of IGotYou ransomware

The culprit in question appends the .iGotYou extension to encoded files. Luckily, it isn’t fully functional at this point, and it only encrypts data in a Test folder on drive C of the author’s computer. The infection demands 10,000 Indian rupees for decryption, which provides a clue about the developer’s country of residence.

Another day, another WannaCry copycat

Security analysts spot a WannaCry ransomware imitator displaying its warning messages in Portuguese. It coerces victims to submit a ransom of 0.006 BTC within seven days.

NOVEMBER 23, 2017

A similarity between the new Scarab ransomware and Locky

Just like Locky, the old stager in the extortion landscape, the Scarab ransomware is making the rounds via malicious spam generated by the Necurs botnet. It blemishes encrypted files with the .[[email protected]].scarab extension and leaves a ransom how-to file named “If you want to get all your files back, please read this.txt”.

Researchers unearth ransomware statistics for Africa

According to Sophos, the top ransomware lineages in Africa as of 2017 are Cerber (80% prevalence), WannaCry (17%), Locky and Jaff (1% each), and the destructive Petya (0.5%).

Cryp70n1c Army blackmail virus

This one is a Hidden Tear offshoot that stains locked data with the .cryp70n1c suffix. It threatens to delete all hostage files unless the victim coughs up the ransom within a three-day timeframe.

NOVEMBER 24, 2017

Girlsomeware appears to be a prank

The new ransom Trojan called Girlsomeware instructs those infected to click on several dozen checkboxes in order to restore allegedly encoded files. However, it doesn’t actually encrypt anything, so the trivial assignment isn’t compulsory at all.

NOVEMBER 25, 2017

ExoBuilder fails to impress

The ExoBuilder tool is being advertised on black hat hacking forums as a means to create new ransomware. It is supposed to subjoin the .exo extension to files and drop a rescue note named UnlockYourFiles.txt. However, all it does is sprinkle a slew of new files all over the computer and display a full-screen warning to instill fear. An infected user should simply restart their machine to get rid of it.

NOVEMBER 27, 2017

StorageCrypter stands out from the crowd

The specimen codenamed StorageCrypter zeroes in on NAS (network-attached storage) devices. Having skewed one’s valuable files, it concatenates the .locked string to each one and provides recovery steps in the _READ_ME_FOR_DECRYPT.txt how-to document.

Samas ransomware refreshed

A brand-new version of the Samas/SamSam blackmail virus differs from its forerunner in that it uses the .areyoulovemyrans extension to label hostage data.

Magniber starts using a gibberish extension

Magniber, the crypto infection believed to be a successor of Cerber, undergoes fine-tuning in a way. It switches to using the .vpgvlkb extension for ransomed files, which doesn’t appear to make any sense. Another tweak is that it drops a recovery note named ‘read me for decrypt.txt’.

Researchers trying to hunt down a new cyber culprit

MalwareHunterTeam’s Michael Gillespie tweets another ransomware hunt suggestion to fellow analysts. The baddie being sought is a new French ransom Trojan someone uploaded to the ID Ransomware portal. It stains data with the .locked suffix and uses a rescue note named READ_ME_FOR_ALL_YOUR_FILES.txt. The initiative is to no avail at the time of this writing.

NOVEMBER 28, 2017

HC6 ransomware decrypted

Security experts contrive a free decryption tool supporting the HC6 ransomware. This perpetrating program appends the .fucku extension to encoded files and leaves a ransom note named recover_your_files.txt.

Known ransomware passing itself off as a keygen program

For the record, the CryptON ransomware is a .NET-based sample discovered a year ago. Its latest update has introduced a fairly unusual alteration. The infection’s payload now goes camouflaged as a keygen utility for EaseUS Data Recovery, a popular file restoration suite.

Crypt12 strain updated

Security analysts were able to fine-tune the existing free decryptor for Crypt12 ransomware shortly after its new edition was spotted in the wild. The tool now supports the variant that blemishes encrypted files with the ‘=[victim ID][email protected]’ extension.

MaxiCrypt ransomware discovered

This one scrambles filenames and appends the .[[email protected]].maxicrypt extension to them. The ransom how-to file is named ‘How to restore your data.txt’.

NOVEMBER 29, 2017

Brazilian WannaPeace ransomware spotted

Cybercrooks from Brazil calling themselves AnonymousBr must have decided to pay homage to the mega-successful WannaCry ransomware that broke out in May 2017. The copycat is called WannaPeace. It prepends the ‘_enc’ string to an original file extension. The ransom amounts to 0.08 BTC (about $900).

Crypt888 ransomware reemerges

The proprietors of the extortion campaign through Crypt888 ransomware hadn’t released any fresh variants for months. This has changed with a recent update no one in security circles really expected. The pest now instructs victims to contact the attackers via the [email protected] email address.

NOVEMBER 30, 2017

HC6 strain upgraded to HC7? How prosaic

The brand-new HC7 variant from the existing lineage uses the .GOTYA string to stain encrypted files. According to preliminary analysis, it infects computers via hacked RDP services.

ACCDFISA ransomware gaining momentum in Brazil

This sample is one of the oldest known ransom Trojans and has literally risen from the ashes. The name stands for ‘Anti Cyber Crime Department of Federal Internet Security Agency’, a purported organization that doesn’t even exist. According to statistics obtained via the ID Ransomware service, this infection has been increasingly targeting Brazilian users during November.

New lousy specimen out there

Analysts stumble upon a sample using a binary named REAL DANGEROUS RANSOMWARE.exe. Despite the scary executable name, it turns out to be all bark and no bite. It’s nothing but a screen locker that a victim can get around by simply pressing Alt+F4.

GlobeImposter and Necurs are now in cahoots

The architects of the GlobeImposter ransomware campaign change their tactics in terms of distribution. The crypto culprit has begun making the rounds via spam generated by Necurs, one of the world’s largest botnets.

SUMMARY

Only three new decryption tools crafted in November versus a slew of fresh ransomware strains still makes an unsettling ratio. Under the circumstances, users should rely on their personal online hygiene rather than researchers’ success. Simply exercising caution with spam email attachments significantly reduces the risk of being infected. Keep that in mind, and don’t forget to back up your important files on a regular basis.
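A defender-side triage routine built from the indicators this round-up lists, added here as an example; it is not code from the original post or from any of the decryptors mentioned. It walks a file listing, flags a directory when one of the ransom-note filenames above or a distinctive extension appears (including the bracketed-email form used by Scarab and MaxiCrypt), and counts collision-prone extensions such as CrySiS’s .java only when a ransom note sits in the same directory, so a developer’s source tree is not reported. The attacker address, share paths and filenames in the sample listing are constructed.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Ransom-note filenames this write-up attributes to each family (exact names from the text).
RANSOM_NOTES = {
    "_HELP_INSTRUCTION.txt": "CryptoMix",
    "how_to_back_files.html": "GlobeImposter",
    "Files encrypted!!.txt": "CrySiS/Dharma",
    "READ_ME_NOW.txt": "GIBON",
    "_READ_ME_FOR_DECRYPT.txt": "StorageCrypter",
    "If you want to get all your files back, please read this.txt": "Scarab",
    "How to restore your data.txt": "MaxiCrypt",
}
# Extensions distinctive enough to flag on their own.
STRONG_EXTENSIONS = {
    ".0000": "CryptoMix", ".xzzx": "CryptoMix", ".cobra": "CrySiS/Dharma",
    ".kimchenyn": "GlobeImposter", ".ipcrestore": "GlobeImposter", ".sexy": "GlobeImposter",
    ".gotya": "HC7", ".fairytale": "Cryakl", ".##encrypted_by_pabluklocker##": "Jigsaw",
}
# Extensions that collide with legitimate files; counted only next to a ransom note.
WEAK_EXTENSIONS = {".java": "CrySiS/Dharma", ".locked": "Hidden Tear variant", ".locky": "Jhash"}
# Scarab/MaxiCrypt embed the attacker's contact address: name.ext.[email].scarab
EMAIL_EXT_RE = re.compile(r"\.\[[^\]\s@]+@[^\]\s@]+\]\.(scarab|maxicrypt)$", re.IGNORECASE)
EMAIL_EXT_FAMILY = {"scarab": "Scarab", "maxicrypt": "MaxiCrypt"}

def classify_name(filename):
    """Return (family, 'strong' | 'weak') for one filename, or None if nothing matches."""
    m = EMAIL_EXT_RE.search(filename)
    if m:
        return EMAIL_EXT_FAMILY[m.group(1).lower()], "strong"
    ext = PurePosixPath(filename).suffix.lower()
    if ext in STRONG_EXTENSIONS:
        return STRONG_EXTENSIONS[ext], "strong"
    if ext in WEAK_EXTENSIONS:
        return WEAK_EXTENSIONS[ext], "weak"
    return None

def triage(paths):
    """Group paths per directory; return {dir: {"notes": [...], "encrypted": {family: n}}}
    for every directory holding a ransom note or a strongly attributed encrypted file."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        by_dir[str(pp.parent)].append(pp.name)
    findings = {}
    for directory, names in by_dir.items():
        notes = sorted({RANSOM_NOTES[n] for n in names if n in RANSOM_NOTES})
        encrypted = Counter()
        for n in names:
            hit = classify_name(n)
            if hit and (hit[1] == "strong" or notes):  # weak hits need a note alongside
                encrypted[hit[0]] += 1
        if notes or encrypted:
            findings[directory] = {"notes": notes, "encrypted": dict(encrypted)}
    return findings

# Constructed listing: two hit shares, one CrySiS .java hit beside its note, and a
# developer's legitimate .java sources that must NOT be flagged.
SAMPLE_LISTING = [
    "/srv/share/finance/Q3.xlsx.[attacker@example.com].scarab",
    "/srv/share/finance/If you want to get all your files back, please read this.txt",
    "/srv/share/hr/contracts.docx.0000",
    "/srv/share/hr/_HELP_INSTRUCTION.txt",
    "/srv/share/legal/brief.pdf.java",
    "/srv/share/legal/Files encrypted!!.txt",
    "/home/dev/app/src/Main.java",
    "/home/dev/app/src/Util.java",
]
```

Feeding `triage` the output of an `os.walk` over a share gives a per-directory view of which family touched what, which is also the input ID Ransomware-style identification needs before a decryptor can be chosen.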

David Balaban

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
