September 2016: The Month in Ransomware

Crypto ransomware authors were really busy coining new samples, updating the existing ones and adopting novel techniques in September, just as they did in August and the months before it. Some of them opted for the use of pop culture themes in their victim interaction modules. Others started leveraging ‘autopilot’ offline encryption mode with no need to obtain crypto keys from Command and Control servers. More threats emerged that target Russian and Brazilian users. Thankfully, security analysts did a great job keeping up with these rapid transformations and created multiple free decryptors to help ransomware victims get their files back intact.SEPTEMBER 1, 2016Ransomware payload disguised as a Pokemon Go botThe ransom Trojan dubbed Nullbyte didn’t pioneer malware’s harnessing of the buzz around Pokemon Go. Even so, its loader and code are of a much higher quality than some of its predecessors could boast. Hosted on GitHub, the rogue installer mimics the user interface of NecroBot, a popular free Pokemon Go bot.This ransomware scrambles one’s files using the AES algorithm, concatenates the _nullbyte extension to each encrypted file, and demands 0.1 Bitcoin for recovery. The good news for everyone infected is that Michael Gillespie, a security researcher also known as demonslay335, came up with a free decryptor for the Nullbyte plague.CryLocker acts on behalf of a fake security organizationNot all ransomware attacks are straightforward. Some of these infections leverage social engineering techniques and try to impersonate law enforcement agencies to appear more plausible. This is how the CryLocker ransomware operates. Its warning message states that a victim’s data was encrypted by the Central Security Treatment Organization, an entity that doesn’t even exist.This sample circulates via the exploit kit called Sundown, appends the .cry string to encoded files, and extorts 1.1 BTC as the ransom. Interestingly, it harvests users’ geolocation details and interacts with its C2 servers over UDP protocol.SEPTEMBER 6, 2016Locky switches to offline encryptionThe Zepto spinoff of Locky, one of the most widespread ransomware samples, started using an embedded RSA key rather than obtain one from its C2 server. This way, even if a firewall on a system is configured to block communication with Command and Control servers, the infection can still complete the encryption routine due to its new autopilot feature.RarVault ransomware archives data instead of encrypting itThis sample is offbeat in several ways. Its attack surface is restricted as it only targets Russian users. Furthermore, as its name suggests, it moves a victim’s files into an RAR archive and locks this repository with a strong password. According to a recovery manual named RarVault.htm, the infected user needs to send two ransomware-generated files to a specified email address and then receive restoration instructions in response.SEPTEMBER 7, 2016KawaiiLocker, another threat targeting RussiansThe ‘How Decrypt Files.txt’ ransom note dropped by KawaiiLocker ransomware is in Russian, so its circulation is isolated to Russian victims. In order to restore their data, users are told to pay the ransom of 6,000 Rubles or about 100 USD. Infected users are supposed to interact with the perpetrators over email.The extortionists provide a test decryption option to prove that the recovery work. All it takes is sending one small file out of ‘cryp_list’ document to [email protected] Thankfully, a researcher nicknamed Thyrex has created a viable decryption solution for this ransomware.SEPTEMBER 8, 2016Philadelphia, a new ransomware as a serviceThe crypto threat called the Philadelphia Ransomware is intended to bring online extortion to the masses. Anyone who wants to try their hand at this domain of cybercrime can purchase a copy of this infection on the dark web for 400 USD.The sample is customizable, allowing a would-be crook to set targeted file extensions, edit interface texts, add languages, and define whether or not to infect removable media and network shares. A very interesting feature built into Philadelphia Ransomware code is the Mercy Button that makes it possible for a threat actor to decrypt any victim’s data for free.Flyper Ransomware is nothing out of the ordinaryThis specimen is a commonplace infection that abuses cryptography to reach spiteful, mercantile goals. It propagates over spam email attachments, denies access to a victim’s personal files, and demands 0.5 Bitcoin for the secret key and decryptor. For detailed recovery instructions, the infected users are told to send a message to [email protected]SEPTEMBER 9, 2016Uniqueness of the CryPy ransomwareThe data locking plague dubbed CryPy accommodates a fusion of regular ransomware traits and non-standard features. Written in Python, it uses the Advanced Encryption Standard (AES) to render one’s files inaccessible and creates a recovery document named Readme_For_Decrypt.txt on the desktop. The attribute that makes this sample stand out from the crowd is that it encodes files individually, leveraging a separate AES key for each one.SEPTEMBER 10, 2016Philadelphia Ransomware decryptedFabian Wosar, a well-known security analyst with Emsisoft who focuses on ransomware research, was able to create a free decryption tool for the above-mentioned Philadelphia Trojan. To use the solution, an infected user must drag and drop an arbitrary encoded file with the .locked extension and its unencrypted copy to the app’s interface.Crysis ransomware spinoff imitates charity fundraisingThe cybercriminals in charge of this campaign try to dupe victims into thinking they are helping homeless people. The ransom manual added by this infection contains information about some commendable initiatives to support those in need. In fact, though, this is just a manipulative tactic aimed at defrauding people out of their money. This offending program appends the .([email protected]).crypt extension to scrambled files.SEPTEMBER 12, 2016NoobCrypt, a threat with a gaping hole in its cryptoIt didn’t take security experts long to discover a critical flaw in the way the NoobCrypt ransomware implements cryptography. It turns out that this Trojan leverages the same secret encryption key for every infected user. Data recovery, therefore, is feasible for all victims as long as they have the key.There are three variants of this ransomware that offer ransoms of different sizes. Each one can be decrypted with its own key. Jakub Kroustek, a malware analyst with Avast, was able to retrieve all the unlock codes and posted them on Twitter for everyone infected to use.Knock-knock! Here comes LockLockThis strain got its name from the .locklock extension that it concatenates to every encrypted data object. The Read_Me.txt ransom manual tells a victim to reach the ransomware devs by sending an email to [email protected] or by joining a Skype chat at ‘locklockrs’. The sample encrypts data using the AES-256 algorithm, a tough-to-crack symmetric cryptosystem.According to the results of reverse engineering, the code of LockLock is based on EDA2, an open-source educational project like Hidden Tear whose original purpose was to demonstrate how crypto ransomware operates.SEPTEMBER 14, 2016Atom, a ransomware affiliate programThe security industry has been witnessing an increase in Ransomware as a Service (RaaS) projects over the past several months. The idea of these malignant initiatives is to provide turnkey ransomware kits that can be customized according to a criminal’s preferences and distributed in an arbitrary way. As opposed to its predecessor called the Shark Ransomware Project, the new Atom affiliate program allows wannabe extortionists to generate a fully functional ransomware executable rather than just lines of code.The affiliate dashboard provides extensive stats on any given campaign, including total installs, total payments, and Bitcoins earned. The creators of this platform get a 20 percent share of all affiliate sales. Strangely enough, Atom’s entire online infrastructure is hosted on the public Internet rather than anonymous Tor sites.Stampado ransomware decryptor updatedThe Stampado ransomware kit is written in AutoIt scripting language and uses the AES-256 standard to encrypt victims’ data. It appends the .locked extension to every jumbled file. Fabian Wosar, a malware analyst mentioned above, updated his decryptor for Stampado to address the changes recently made to the ransomware.SEPTEMBER 15, 2016Double encryption, an unexpected byproduct of ransomware competitionThe aforesaid Stampado infection goes above and beyond the regular ransomware operational patterns. Not only does its new edition scan a contaminated computer’s local drive and mapped network shares for popular file types, but it also traverses data repositories for files with extensions appended by other ransomware.In other words, if a PC is already infected with a ransom Trojan like Locky, Cerber, Cryptowall, LeChiffre, or PadCrypt, Stampado will encrypt these locked files again. To restore the data, the victim, therefore, has to submit more than one ransom to more than one attacker.Razy ransomware mimics another strainThere are a few noteworthy things about the latest iteration of the ransomware called Razy. First of all, it accepts ransoms in prepaid PaySafeCard worth 10 Euros. Secondly, it displays a warning screen that bears a close resemblance to that of Jigsaw, another widespread family of crypto infections. However, the sample in question lacks Jigsaw’s file obliteration functionality, although it claims to erase data if a victim tries “anything funny.”Fantom ransomware now utilizes offline encryptionSimilarly to the new edition of Locky, the updated ransom Trojan called Fantom can do without Command and Control servers to encode its victims’ important files. Consequently, even if a targeted user disconnects his or her machine from the Internet or the firewall blocks suspicious outbound traffic, their data will undergo scrambling with a strong cryptosystem anyway.SEPTEMBER 17, 2016Mash notes in encrypted filesThe ‘cuteness’ of a new infection dubbed FenixLocker consists in the fact that it drops a love message into the structure of every scrambled data component. The mash note reads, “FenixIloveyou!” Apparently, some ransomware authors can get sentimental and let the world know about it – too bad, as the infected victims suffer the consequences.SEPTEMBER 18, 2016HDDCryptor wreaks havoc with the Master Boot RecordThe extremely dangerous ransomware called HDDCryptor does more than personal data encryption. It rewrites the infected system’s Master Boot Record (MBR) with a custom boot loader instead. This makes the computer inoperable. To recover from the attack, a victim must contact the crooks by shooting an email with their personal ID to [email protected] or other address indicated on the lock screen. The size of the ransom is in the range of 600-700 USD, and it’s payable in Bitcoin.FenixLocker is no longer a problemAn effective decrypt tool for FenixLocker ransomware was released courtesy of the Emsisoft vendor. Therefore, all the users whose valuable files suddenly became appended with the [email protected]!! string can get their data decrypted with a lightweight automatic tool. All it takes to restore a file is drag and drop it onto the executable of Emsisoft Decrypter for FenixLocker.SEPTEMBER 21, 2016New features of the revamped Fantom ransomwareThe latest variant of the Fantom ransomware is intelligent enough to determine what type of user got hit and set a corresponding size of the ransom. If an organization is under attack, the amount to pay for decryption is going to be bigger than in a scenario where a home user is compromised. The email address to reach the criminals varies based on the victim type as well. Other interesting properties include the switchable design of desktop wallpapers and the encryption of network shares.SEPTEMBER 22, 2016More decryptors releasedFabian Wosar, a true ransomware fighter from Emsisoft, continues to keep cyber extortionists at bay as he regularly updates his free decryptors. He made some tweaks to his recovery solutions in order to crack new editions of the Apocalypse and Stampado plagues. By the way, the crooks in charge of the Apocalypse strain had even named their latest infection the Fabiansomware to taunt the researcher.Locky returns to online encryptionSomething obviously went wrong with the autopilot operation of the Locky ransomware. A fortnight after the offline encryption routine was introduced, most of its distributors switched back to the use of Command and Control infrastructure for obtaining RSA keys and other configuration purposes.Cerber distribution campaign on steroidsThe Cerber ransomware is reportedly getting a substantial boost in propagation. As opposed to about 6,000 unique infection instances per day in August, the campaign has come to generate approximately 80,000 daily hits. Experts assume this may be due to the emergence of a new high-profile affiliate.SEPTEMBER 23, 2016Cyber SpLiTTer Vbs doesn’t go further than the lock screenThe ransomware called Cyber SpLiTTer Vbs, which was spotted by researchers on the dark web, has a text-to-speech feature similar to that of the Cerber Trojan. However, it is apparently an abandoned project or still in development because it doesn’t actually encrypt anything. When launched, this sample simply displays a warning screen.UnblockUPC emerges on the ransomware arenaThis strain is fairly run-of-the-mill. It encrypts one’s personal files, drops a ransom manual named ‘Files encrypted.txt,’ and demands 0.18 BTC, or about 100 Euros, for decryption. UnblockUPC isn’t currently in active rotation, though. By some reason, UnblockUPC likes to target people in Poland.SEPTEMBER 24, 2016A CTB-Locker replica on the looseDelivered with spam email attachments, the ransomware dubbed MarsJoke mainly attempts to compromise U.S. government and educational institutions. It sets a desktop background very similar to that of CTB-Locker, a once very widespread crypto plague. MarsJoke tells its victims to send 0.7 BTC to a specified Bitcoin address during 96 hours. Otherwise the files will be erased.Nagini ransomware pays tribute to Harry Potter seriesThe Nagini pest is one of the many crypto threats out there that leverage motives of popular movies or Internet trends. This one displays a lock screen with an image of the Lord Voldemort character on it. Fortunately, Nagini is only functioning in test mode and isn’t in real-world circulation at this point.SEPTEMBER 26, 2016Details of the Help_dcfile ransomwareThis digital intruder creates a help_dcfile.txt decryption manual on the infected computer’s desktop, hence its name. It uses a combo of AES and RSA cryptographic standards and appends the .XXX extension to every scrambled data file.The Donald Trump RansomwareCybercriminals sometimes harness trending political topics in their campaigns, the new Donald Trump Ransomware being a demonstration of this. Although malware analysts discovered a development version of this Trojan, some code tweaks can make it a real-world problem. This infection uses the AES algorithm to encode files and concatenates the .encrypted extension to each one.Locky ransomware begins using the .odin extensionThe latest update of Locky brought a number of noteworthy changes. Hostage files are now appended with the .odin extension rather than .zepto used by the previous iteration. The new names of ransom notes are _HOWDO_text.html and _HOWDO_text.bmp. This spinoff is still not decryptable for free.DXXD ransomware decryptedMichael Gillespie, a researcher nicknamed demonslay335, devised an automatic decryptor for the DXXD ransomware. This infection targets Windows Server machines, concatenates the dxxd string to original filenames, and creates a ransom manual named ReadMe.TxT.Another educational ransomware releasedA cybersecurity engineer named Maksym Zaitsev created CryptoTrooper, an open-source Linux ransomware pursuing educational goals. He posted the code on GitHub so that everyone interested could test it. However, due to a great deal of disapproving feedback from the security community, the author ended up removing the code. The page now suggests a crypto-challenge for those who want the kit.SEPTEMBER 28, 2016Princess Locker – cute but dangerousThe ransomware called Princess Locker is reminiscent of the Cerber plague in several ways, so these two may hail from the same malicious workshop. It concatenates a random 5-character extension to encrypted files and demands an unusually big ransom of 3 Bitcoins or more than 1,800 USD. Other than that, the sample is fairly commonplace.Decryptor released for Al-Namrood ransomwareOwing to Emsisoft’s Fabian Wosar, users infected with a spinoff of the Apocalypse ransomware called Al-Namrood can revive their locked data with the .unavailable or .disappeared extension. Be advised: the decryptor requires a unique user ID indicated in the ransom instructions.New variant of Razy targets German usersIt’s hard to label the Razy ransomware as a professionally tailored sample, but it appears to be expanding to new victim audiences. A recent code tweak involves the addition of a German version. This plague is recognizable by the .razy extension appended to scrambled data.SEPTEMBER 29, 2016TeamXRat brings ransomware to BrazilResearchers over at Kaspersky Lab discovered a new cybercriminal ring that operates in Brazil. The perpetrators have started distributing a crypto infection that adds the ._xratteamLucked extension to files and demands 1 BTC for decryption.Nuke ransomware campaign is underwayThis new sample leverages symmetric AES cryptosystem to lock data, creates HTML and TXT ransom manuals called ‘!!_Recovery_instructions_!!’, and tells victims to send an email to [email protected] for ransom payment directions.Apocalypse Trojan creator joins a security forumThe developer of the Apocalypse ransomware obviously got so fed up with researchers’ successful decryption work that he posted a comment on a dedicated thread at Bleeping Computer forums. The message taunts Fabian Wosar, the person who keeps cracking every new edition of this ransomware.SEPTEMBER 30, 2016MarsJoke ransomware decryptedThe tool called RannohDecryptor by Kaspersky is now capable of restoring files encoded by MarsJoke, a strain that resembles CTB-Locker in many ways. A restriction is that the decryptor can reinstate files with the .a19 extension only.Trend Micro vs. Globe ransomwareResearchers at TrendMicro found a way to unencrypt files locked by the Globe ransomware. This infection uses the Purge movie theme in its warning messages, including the desktop wallpaper. Moreover, it appends the .purge extension to every encrypted file. Fortunately, the updated Trend Micro Ransomware File Decryptor automatically restores these .purge entries to their original state.SUMMARYLast month was extremely productive for security researchers, but so was it for ransomware devs. Whereas more and more decryptors are being created to address the ongoing crypto plague, keep in mind that an ounce of prevention is worth a pound of cure. So back up your important data and think twice before opening an email attachment that looks fishy.For more ransomware prevention tips, please click here.You can also learn more about ransomware here. 

david balaban

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Leave a Reply