September 2017: The Month in Ransomware

September 2017 was comparatively slow in terms of ransomware. Perhaps the extortionists kept struggling to bridge the money laundering gap after the FBI took down the BTC-e Bitcoin trading platform in late July. Some of the noteworthy events include the emergence of Locky’s new persona called Ykcol, failed experiments of GlobeImposter ransomware devs with code signing, and another massive wave of MongoDB server hijacks.

Here’s what the month looked like by the numbers: 41 new strains went live, and 55 existing families were updated. Meanwhile, not a single fresh decryptor was created by researchers.

SEPTEMBER 1, 2017

Locky devs keep thinking out of the box

A new wave of Locky ransomware distribution features a unique payload execution mechanism. Whereas the infection still arrives via malspam attachments with embedded Word macros, the installation process isn’t triggered until a would-be victim closes the document.

CryptoMix edition introducing a new extension token

The architects of the CryptoMix ransomware campaign release a new spinoff that concatenates the .arena extension to hostage files. The Trojan drops a decryption manual named _HELP_INSTRUCTION.txt on the infected machine’s desktop.

SEPTEMBER 4, 2017

Thousands of MongoDB servers held for ransom

Few server owners have learned the lesson from the massive database breaches that took place in early 2017, obviously. About nine months later, three cybercriminal groups hijacked more than 25,000 unsecured MongoDB databases during a time span of one week. The attackers have replaced their contents with a ransom demand of 0.05-0.2 BTC.

Nulltica ransomware introduces an offbeat self-spreading technique

At first sight, the new crypto infection called Nulltica seems to be a commonplace derivative of the Hidden Tear proof-of-concept. It encrypts files, speckles them with the .locked extension, and demands $50 worth of Bitcoin for recovery. However, it stands out from the rest by automatically sending booby-trapped messages to a victim’s Facebook contacts.

Ultimo ransomware is fairly dull

This one is a garden-variety Hidden Tear offshoot. It leverages crypto securely and subjoins the .locked suffix to every encrypted data item.

Old screen locker gets a facelift

Security analysts come across a new version of the blackmail Trojan whose hallmark is the “Your Windows Has Been BANNED” alert that takes over the plagued computer’s screen. The infection tries to dupe victims into ‘reactivating’ the operating system for $50 payable in Bitcoin.

Minor GlobeImposter update

An umpteenth iteration of the GlobeImposter pest is discovered. It labels encrypted data with the .clinTON extension and instructs victims to contact [email protected] for decryption steps.

The self-proclaimed Conficker ransomware

The authors of this sample must be fascinated by the notorious Conficker worm that took the world by storm in 2008-2009. The new ransom Trojan using that name is, in fact, a Hidden Tear variant that affixes the .Saramat string to encoded files.

SEPTEMBER 5, 2017

Meet SynAck, another emerging threat

The SynAck ransomware is a relatively new specimen backed by a powerful propagation campaign. It zeroes in on enterprise networks, abusing remote desktop services to spread. SynAck concatenates random 10-character extensions to hostage files and drops RESTORE_INFO-[victim ID].txt ransom how-tos.

TeamWinLockerWindows malware equipped with multiple features

This is a new screen locker with Russian roots. Even if a victim manages to get around the lock screen, they will be confronted with additional issues. For instance, TeamWinLockerWindows tweaks the HOSTS file to block popular sites, including Google, Yandex, and some social networks.

SEPTEMBER 6, 2017

ApolloLocker is more than ransomware

The strain called ApolloLocker targets Turkish users and does more damage than unauthorized data encryption. It additionally accommodates a data theft module, putting the victim’s personally identifiable information at risk. The ransomware uses the .locked extension to blemish encrypted files and leaves rescue notes named DOSYALARI-KURTAR.txt/url.

‘Hacked’ ransomware tries to be international

The sample in question appends files with the .hacked extension, hence its name. It goes with a GUI with clickable tabs for English and Italian languages. The perpetrating program demands $2,000 worth of Bitcoin and provides a payment deadline of three days.

FRansomware being created

Discovering in-development strains before they go live is a fairly common thing in the security community. This was also the case with the specimen called FRansomware, which is currently in test mode. All it does at this point is display a red warning screen that instructs a victim to pay $150 within 48 hours.

DilmaLocker baddie spotted

This file-encrypting virus targets Portuguese-speaking users. It stains ransomed files with the .__dilmaV1 extension and provides restoration steps in a manual named RECUPERE_SEUS_ARQUIVOS.html.

SEPTEMBER 7, 2017

GlobeImposter creators take their attacks to a new level

Not only is the GlobeImposter ransomware family one of the most fruitful in terms of spinoffs, but it’s also trying to break new ground as far as its modus operandi goes. A fresh variant is released that uses the .f41o1 extension and READ_IT.html ransom note. Interestingly, its payload file is signed with a valid signature issued by Comodo, so the infection is more likely to slip under the radar of AV tools.

Amnesia offshoot passing itself off as WannaCry

The latest edition of the Amnesia ransomware blemishes encrypted data with the .wncry extension, which suggests that it tries to imitate the notorious WannaCry e-malady.

GlobeImposter certificate trick fails

Researchers discover a second GlobeImposter variant during the day. It has switched to using the .4035 extension for locked files. Another noticeable change is that this spinoff no longer boasts a verified signature from a code-signing authority.

SEPTEMBER 8, 2017

A Locky copycat on the table

Appending the .armadilo1 extension to encrypted files, the new Locky imitator dubbed ArmaLocky drops rescue notes identical to those generated by the infamous prototype.

Samas lineage grows

A fresh edition of Samas/SamSam ransomware surfaces. The only noteworthy tweak is that the newcomer stains encrypted data with the .disposed2017 extension.

SEPTEMBER 10, 2017

Delphi-based ransomware taking root

A new blackmail infection coded in Delphi is a console application that the attacker launches remotely. This suggests that the most likely entry point is remote desktop services hacking. The ransomware blemishes encrypted data with the .[[email protected]].locked_file extension string and leaves a rescue note named !HOW_TO_UNLOCK_FILES!.html.

SEPTEMBER 11, 2017

There is nothing celestial about the Paradise ransomware

This sample is making the rounds on a Ransomware-as-a-Service basis. It implements the RSA cipher securely enough to thwart decryption and concatenates the id-[8-char victim ID].[[email protected]].paradise extension to hostage files. The ransom note is named #DECRYPT MY FILES#.txt.

ExoLock, another one on the table

The strain in question subjoins the .exolocked string to encrypted data. It instructs victims to submit 0.01 Bitcoin (about $40) for recovery, which is quite a low ransom compared to others across the board.

New Jigsaw spinoffs released

The Jigsaw ransomware lineage gets two more editions added to the pack. These offshoots use the .pablukCRYPT and .pabluk300CrYpT! extensions for hostage files and a new desktop background featuring the Grim Reaper. Both display ransom instructions in Polish.

Ranion ransomware origin uncovered

The Ranion infection, which is backed by a low-cost RaaS platform, was discovered in early February 2017. It’s not until now, though, that researchers found ties between this ransomware’s code and the Hidden Tear proof-of-concept.

SEPTEMBER 12, 2017

Blackhat ransomware surfaces

This specimen is a derivative of MoWare_H.F.D., which in turn is a Hidden Tear PoC spinoff first spotted in late May 2017. It employs XOR encryption to make data inaccessible and appends the .H_F_D_locked suffix to files.

SoF*cked ransomware making the rounds

The authors of the new blackmail Trojan called SoF*cked are, obviously, dirty language fans. The infection drops a decryption how-to named READTHISHIT.txt and affixes the .fff extension to hostage files.

Happy Crypter makes victims sad

The Happy Crypter ransomware is still under development, but it’s already equipped with the crypto and victim interaction modules. The pest does not add any extra extension to encoded files. The size of the ransom is set to 0.9 Bitcoin.

In-dev PayOrDie ransomware

This one isn’t fully functional yet, being configured to only encrypt data in a predefined folder on its author’s desktop. It scrambles filenames beyond recognition but does not append any extension.

GlobeImposter pays homage to a U.S. President

The latest version of the GlobeImposter ransomware speckles encrypted files with the .reaGAN string and instructs victims to send an email to [email protected] for recovery steps.

SEPTEMBER 13, 2017

Mystic ransomware appears

The makers of the new sample called Mystic ransomware must have used the wrong magic wand to do the math on the ransom size. The ransom.txt note demands 1.01 Bitcoin and indicates that’s about $280 – not quite the correct conversion rate, obviously. The perpetrating program does not concatenate any extension to locked data. Victims are coerced into paying up within five days.

Extortionists leave a message for a security researcher

At first sight, a brand new edition of the DCry ransomware is nothing out of the ordinary. It encrypts files and appends them with the .dian extension. However, when debugging the code, researchers found a few lines saying, “Hello, demonslay335. We love you!” For the record, demonslay335 is the online alias of Michael Gillespie, the creator of the ID-Ransomware service and numerous free ransomware decryption tools.

RestoLocker, an umpteenth PoC offshoot

The RestoLocker blackmail malware is one of the numerous Hidden Tear derivatives out there. It subjoins the .HeroesOftheStorm suffix to encoded files.

SEPTEMBER 14, 2017

RBY ransomware discovered

This one uses an executable file named Kryptonite. It is likely to have common roots with a ransomware strand called Kryptonite that has been around since June 2017 and pretends to be a Snake game. RBY ransomware displays warning messages in English and Russian.

PSCrypt ransomware tweak

This strain gained notoriety for a massive outbreak specifically in Ukraine a few days before the nasty NotPetya ransomware started wreaking havoc in that country. The most recent iteration of this family has switched to the .paxynok extension for hostage data.

SEPTEMBER 15, 2017

HTA Virus hailing from Germany

A new German ransomware called HTA Virus is spotted. It is currently in testing mode and hasn’t claimed any real victims yet. The infection demands $20 worth of Bitcoin.

Bud ransomware, a likely Jigsaw spinoff

The file-encrypting malware called Bud shares some characteristics with the Jigsaw strain, which suggests that it comes from the same ransomware production workshop. The size of the ransom is €500 worth of Bitcoin.

SEPTEMBER 17, 2017

Hackers Invasion ransomware makers lack common sense

The sample called Hackers Invasion labels encrypted data with the .Doxes extension. Its ransom demands are completely blown out of proportion, as it instructs victims to pay $120,000 worth of Bitcoin within a 54-hour deadline. Researchers were able to obtain the unlock code, which is AnikulapoFela70. So better luck next time, crooks.

Blackmail Trojan claiming to be from the FBI

The culprit in question is a variant of the so-called Stupid ransomware. It displays an FBI-themed lock screen, encrypts a victim’s valuable files, and concatenates the .XmdXtazX suffix to them.

SEPTEMBER 18, 2017

Some wordplay from Locky authors

A brand new variant of the Locky ransomware is released. Its ill-minded developers have added a new file extension token to their collection, namely the .ykcol string. That’s what you get if you spell ‘locky’ backward, by the way. This build scrambles filenames and drops ykcol.htm and ykcol.bmp rescue manuals.

Pendor ransomware under a microscope

Although the Pendor strain has been in rotation for a while, it’s not until now that analysts hunted down a sample to analyze. Its ransom screen resembles Petya’s and demands a Bitcoin equivalent of $50 for decrypting hostage data. The decryptor being promoted is a Command Prompt utility.

ZONEware has nothing revolutionary under the hood

This one subjoins the .ZW string to locked files and tells victims to submit 0.025375 Bitcoin (about $100) to undo the crypto effect. It additionally sets a payment deadline of 72 hours.

New Samas offshoot springs up

The hallmark signs of yet another Samas/SamSam ransomware edition include the .myransext2017 file extension and a decryption how-to named 005-DO-YOU-WANT-FILES.html.

SEPTEMBER 19, 2017

Extortionists stick with the FBI theme

Researchers come across a perpetrating program that locks the screen with the FBI logo and coerces victims to pay $300 within seven days to regain access to the computer. Fortunately, the unlock key has been calculated – it’s [email protected]

Destroyer ransomware spotted

The pest in question is actually a spinoff of the Hitler ransomware discovered in August 2016. It targets German-speaking users and demands €10 payable within 24 hours.

SEPTEMBER 20, 2017

Hacker community disputing over ransomware

Some hot discussion is reportedly underway among the admins of Dark Web resources regarding the expediency of promoting ransomware. Some crooks fear excessive attention from law enforcement due to this extortion vector and the growth of computer users’ overall security awareness via vast media coverage of the ransomware phenomenon.

CryptoMix assumes some predator hues

The latest specimen from the CryptoMix lineage blemishes encoded files with the .shark extension and makes filenames completely unidentifiable by replacing each one with 32 hexadecimal characters. The ransom note is named _HELP_INSTRUCTION.txt.

RotoCrypt ransomware updated

Also known as RotorCrypt, this strain was discovered last month and hasn’t reached any noteworthy heights since then. And yet, the felons in charge have released a new iteration that adds the following string to one’s files: !-=solve a [email protected]=-.PRIVAT66.

SEPTEMBER 21, 2017

The pervasive CyberDrill_2 ransomware

On the face of it, the new CyberDrill_2 sample looks like the nasty WannaCry infection. However, it is just another Hidden Tear PoC derivative that affixes the .cyberdrill extension to files. Its GUI additionally contains threats about firing a DDoS attack at the victim’s sites unless a 5-Bitcoin ransom is paid.

Technicy ransomware with Polish roots

This infection is based on the educational Hidden Tear and zeroes in on Polish users. It stains victims’ files with the .technicy extension.

SEPTEMBER 22, 2017

Locky spreading like wildfire, again

Security researchers are observing a dramatic increase in the propagation of the Locky ransomware. It’s a mighty malspam wave operated by a new player in the cybercriminal underground that has raised a red flag. This campaign pushes the above-mentioned .ykcol variant of the infection.

nRansom demands bizarre things

The strain called nRansom is hilarious and harmful at the same time. It instructs those infected to send at least 10 nude pictures of themselves to the attacker’s email. This misbehaving program does not demand any money, which isn’t a classic ransomware tactic.

A new screen locker pops up

The baddie in question hijacks a victim’s screen with an image of a man with a backpack, whatever that means. When on board, it triggers a malicious process named LockerViruses.

The ominous Message of Death ransomware

This one blemishes files with the .locked suffix and displays a rescue note asking for $350 worth of Bitcoin for decryption. The perpetrating code is in development at this point.

CyberSoldier pest is too crude to work right

The ransomware called CyberSoldier concatenates the .CyberSoldiersST extension to ciphered files. It keeps crashing and may fail to complete the encryption process, though.

BTCWare authors must be fans of dragons

The most recent edition of the BTCWare blackmail Trojan appends files with the attackers’ email address, victim ID, and the .wyvern string. Just like previous variants, it infiltrates computers via compromised remote desktop services.

InfinityLock adopts a clever tactic

In order to trick users into installing it, the InfinityLock ransomware payload passes itself off as an Adobe Premiere crack. After contamination, it displays a counterfeit Command Prompt window that emulates the process of an attacker typing commands and ransom payment steps.

SEPTEMBER 23, 2017

Locky devs are fond of pop culture

Spam emails sprinkling the newest Ykcol variant of the Locky ransomware turn out to contain a Visual Basic script with multiple references to characters from Game of Thrones. The felons must have decided to convey some personal interests via their foul play.

The blurred gist of RedBoot

A new sample called RedBoot acts similarly to the Petya infection. It replaces an infected computer’s MBR (Master Boot Record) with a custom one, corrupts the partition table, and also encrypts a vast range of data, staining files with the .locked extension. However, its current edition doesn’t include a recovery option of any sort, so it looks more like a wiper at this point.

Python-based SuperB ransomware

Rather than go the standard ransomware route, SuperB overwrites a victim’s original files with rescue notes and encrypts copies of them made in advance. It appends every hostage file with the .enc extension.

SEPTEMBER 24, 2017

John’s Locker is a complete fail

Although the specimen called John’s Locker claims to encrypt an infected user’s personal data, that’s either a bluff or an overstatement of the culprit’s capabilities, as there is actually no crypto involved. Because files remain intact, all it takes to fix the problem is to close the warning window.

SEPTEMBER 25, 2017

A crude CryptoLocker copycat spotted

Researchers cataloged the strain in question as CryptoClone as it mimics the look and feel of the notorious CryptoLocker. It concatenates the .crypted string to encoded files and provides a payment deadline of 72 hours. It is reportedly possible to decrypt data without paying up.

Fresh screen locker discovered and cracked

Ransomware analysts come across a new Trojan that locks one’s screen and tries to extort $50 worth of Bitcoin. The infection instructs plagued users to shoot a message to [email protected] for detailed recovery steps. Fortunately, a bit of professional insight into its code reveals that victims can enter the ‘qwerty’ password to make the lock screen vanish.

Onion3 Crypt v.3, another one on the table

The sample going by such a weird name turns out to be a derivative of the academic Hidden Tear code inconsiderately open-sourced by Turkish researcher Utku Sen back in 2015. It stains locked files with the .onion3cry-open-DECRYPTMYFILE suffix.

The dull THTLocker pest

Yet another run-of-the-mill blackmail infection called THTLocker is released. Its lock screen includes some primitive warning text in Russian and English.

SEPTEMBER 26, 2017

In-development BlackMist sample

One more crypto infection is busted before it even goes real-world. Its fully functional edition is supposed to subjoin the ‘blackmist’ string to original file extensions. The ransom amount is set to $100 worth of Bitcoin.

Bitdefender Ransomware Recognition Tool

This brand new contrivance by Bitdefender Labs is intended to help ransomware victims identify the lineage and sub-version of the blackmail infection they are confronted with. Having scanned an infected system, this utility returns exhaustive information on the name of the ransomware and suggests an applicable decryption tool if available.

Another day, another screen locker

Security analysts stumble upon a fresh unnamed screen-locking baddie that targets Portuguese-speaking users, judging by the language used for the warning message.

SEPTEMBER 27, 2017

An eccentric Hidden Tear offshoot

A new spinoff of the educational Hidden Tear ransomware is discovered. It uses the .locked file extension and a ransom how-to named READ_IT.txt. The latter includes the following text snippet: “I really like sushi, pizza, and chickens.” How can this information be of help to victims? Go figure.

SEPTEMBER 28, 2017

Malspam campaigns get increasingly intelligent

A powerful spam wave is underway via the notorious Necurs botnet. The automated malicious service figures out which payload to deliver – the Locky ransomware or the banking Trojan called Trickbot – based on the recipient’s geographic location. Users living in Australia, Belgium, Ireland, Luxembourg, or the UK will receive booby-trapped emails with Trickbot on board. Everyone else runs the risk of falling victim to Locky.

Small tweak of the Paradise strain

An update made to the Paradise ransomware isn’t a game changer at all. The infection has switched to an HTML rescue note rather than the TXT edition dropped previously.

Cypher ransomware fine-tuned

The latest iteration of the blackmail virus called Cypher uses the .crypt extension to speckle encrypted files. This Python-based family surfaced in late August, with the original edition appending the .enc string to data entries.

Laser Locker Beta, a cradle of screen lockers

Malware analysts discover a utility called Laser Locker that allows wannabe threat actors to create custom variants of the SurveyScreenlocker infection. The personalized build can be optionally configured to disable Task Manager, System Restore, and Command Prompt.

SEPTEMBER 29, 2017

DMA Locker copycat, the most blatant forgery of all

Although the Slovenian impostor sample called DMA Locker tries to imitate the original, it turns out to be an epic fail. Its unscrupulous developer simply pilfered a screenshot of the prototype’s GUI from a popular security blog.

Jigsaw update is no fun

A fresh version of the Jigsaw ransomware concatenates the .fun extension to encoded files and demands $500 in Bitcoin. It pressures victims into paying up by threatening to permanently delete some of the hostage files at certain time intervals.

SUMMARY

There were no considerable ups or downs in the ransomware underground in September. New blackmail campaigns kept taking root, old samples were being fine-tuned as usual, and the Hidden Tear PoC continued to be a major source of ransomware development.

Stay tuned to learn whether this well-established paradigm will change anytime soon.
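The September 4 entry on the 25,000 hijacked MongoDB databases comes down to two settings: a mongod reachable from the Internet and no access control. The following script, an added example that is not part of the original article or of MongoDB's own tooling, audits a mongod.conf for exactly those two conditions. The two configuration texts are constructed for the example; the audit reads only the net.bindIp, net.bindIpAll and security.authorization keys, and it uses a minimal hand-written parser for the YAML subset those keys need rather than a full YAML library.

```python
# Constructed sample configs for the example (not taken from any real host).
WEAK_CONF = """\
# mongod.conf of the kind the hijacked servers were running: open to the world, no auth
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # only local clients; put a firewall in front if remote access is needed
security:
  authorization: enabled  # every client must authenticate and is bound by roles
"""


def parse_yaml_subset(text):
    """Parse indentation-based nested mappings with scalar values (enough for mongod.conf).

    Sequences, quoted multi-line strings and anchors are intentionally unsupported.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs; root sits at indent -1 so it is never popped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # a key with no value opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip().strip("\"'")
    return root


def audit_mongod_conf(text):
    """Return a list of findings describing why this config is exposed to ransom-style hijacks."""
    cfg = parse_yaml_subset(text)
    net = cfg.get("net", {}) if isinstance(cfg.get("net"), dict) else {}
    sec = cfg.get("security", {}) if isinstance(cfg.get("security"), dict) else {}
    findings = []

    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    if "bindIp" not in net and not bind_all:
        # Before MongoDB 3.6 an unset bindIp meant "listen on every interface".
        findings.append("net.bindIp not set: builds before 3.6 listen on all interfaces by default")
    else:
        addrs = [a.strip() for a in str(net.get("bindIp", "")).split(",") if a.strip()]
        if bind_all or "0.0.0.0" in addrs or "::" in addrs:
            findings.append("net.bindIp: mongod is reachable on all interfaces")

    if str(sec.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization: access control is not enabled, any client can read, drop and replace databases")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_mongod_conf(conf) or ['no findings']}")
```

Run it against a live server's configuration file (the default location is /etc/mongod.conf on most Linux packages); an empty findings list is the baseline, and anything else should be fixed before the port is exposed at all.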
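The September 5 entry notes that TeamWinLockerWindows edits the HOSTS file to keep victims off Google, Yandex and social networks, a tactic that outlives the lock screen itself. The checker below is an added example, not code from the article or from any vendor: it parses a hosts file and reports every line that pins a watched domain to an address. The watchlist and the sample hosts content are constructed for the example, with the watched domain names being an assumption based on the sites the entry names.

```python
import os
import sys

# Watchlist constructed for the example from the sites the entry names (Google, Yandex,
# "some social networks"); extend it with the help and vendor sites your users depend on.
WATCHED_DOMAINS = ("google.com", "yandex.ru", "facebook.com", "vk.com", "ok.ru")

# Constructed sample: the first entries are the stock Windows lines, the rest are the kind of
# blackholing a screen locker adds so the victim cannot search for help or reach social sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 google.com www.google.com
0.0.0.0 yandex.ru
127.0.0.1 vk.com facebook.com
"""


def default_hosts_path():
    """Location of the active hosts file on this platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def find_hosts_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, address) for every watched domain the hosts file overrides.

    Any override counts: a hosts entry wins over DNS, so a pin to 127.0.0.1 or 0.0.0.0
    blocks the site and a pin to another address redirects it.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((line_no, host, address))
    return findings


def audit_hosts_file(path=None):
    """Audit the real hosts file (or a copy collected from a suspect machine)."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return find_hosts_hijacks(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = audit_hosts_file(target) if target else find_hosts_hijacks(SAMPLE_HOSTS)
    for line_no, host, address in hits:
        print(f"line {line_no}: {host} pinned to {address}")
```

On a cleaned-up machine the remediation is simply to delete the offending lines, but the value of the check is in running it fleet-wide: a hosts entry for a search engine or a social network is not something an administrator normally adds, so a non-empty result is worth a ticket.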
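Most entries in this roundup identify a family by two artefacts: the extension appended to hostage files and the name of the ransom note. That is also how a responder triages a file share after an incident. The script below, an added example that is not part of the article, turns the extensions and note names this month's entries report into a lookup over a file listing and adds two heuristics the entries describe in words: SynAck's random 10-character extension and the 32-hexadecimal-character filenames of CryptoMix .shark. The sample paths are constructed; the character set assumed for the random extension is a guess and so labelled.

```python
import posixpath
import re
from collections import Counter

# Extension -> family, built only from the strains this roundup names.
EXTENSION_FAMILIES = {
    ".ykcol": "Locky (Ykcol)", ".arena": "CryptoMix", ".shark": "CryptoMix",
    ".clinTON": "GlobeImposter", ".reaGAN": "GlobeImposter", ".f41o1": "GlobeImposter",
    ".4035": "GlobeImposter", ".wncry": "Amnesia (WannaCry lookalike)", ".armadilo1": "ArmaLocky",
    ".disposed2017": "Samas/SamSam", ".myransext2017": "Samas/SamSam", ".paradise": "Paradise",
    ".exolocked": "ExoLock", ".H_F_D_locked": "Blackhat", ".fff": "SoF*cked", ".dian": "DCry",
    ".paxynok": "PSCrypt", ".Doxes": "Hackers Invasion", ".XmdXtazX": "Stupid (FBI theme)",
    ".ZW": "ZONEware", ".PRIVAT66": "RotoCrypt", ".cyberdrill": "CyberDrill_2",
    ".technicy": "Technicy", ".CyberSoldiersST": "CyberSoldier", ".wyvern": "BTCWare",
    ".crypted": "CryptoClone", ".fun": "Jigsaw", ".crypt": "Cypher", ".Saramat": "Conficker (Hidden Tear)",
    ".HeroesOftheStorm": "RestoLocker", ".onion3cry-open-DECRYPTMYFILE": "Onion3 Crypt",
}
_EXT_LOWER = {k.lower(): v for k, v in EXTENSION_FAMILIES.items()}

# Ransom note file name -> family, likewise from the roundup.
NOTE_FAMILIES = {
    "_HELP_INSTRUCTION.txt": "CryptoMix", "ykcol.htm": "Locky (Ykcol)", "ykcol.bmp": "Locky (Ykcol)",
    "READ_IT.html": "GlobeImposter", "READ_IT.txt": "Hidden Tear offshoot",
    "!HOW_TO_UNLOCK_FILES!.html": "Delphi-based ransomware", "#DECRYPT MY FILES#.txt": "Paradise",
    "READTHISHIT.txt": "SoF*cked", "ransom.txt": "Mystic", "005-DO-YOU-WANT-FILES.html": "Samas/SamSam",
    "RECUPERE_SEUS_ARQUIVOS.html": "DilmaLocker", "DOSYALARI-KURTAR.txt": "ApolloLocker",
}

# Heuristics. The alphanumeric charset for SynAck's random extension is an assumption.
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{10}$")
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SYNACK_NOTE_RE = re.compile(r"^RESTORE_INFO-.+\.txt$", re.IGNORECASE)

# Constructed listing, e.g. the output of a file walk over a suspect share.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.ykcol",
    r"C:\Users\alice\Documents\ykcol.htm",
    r"C:\Users\alice\Pictures\3f2a9c0d1e4b5a6f7c8d9e0f1a2b3c4d.shark",
    r"C:\Users\alice\Pictures\_HELP_INSTRUCTION.txt",
    "D:/share/report.docx.Qx7Lm2Pa9Z",
    "D:/share/RESTORE_INFO-ABCD1234.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]


def classify(path):
    """Return (family, evidence) for a ransomware artefact, or None for an unremarkable file."""
    name = posixpath.basename(path.replace("\\", "/"))
    if name in NOTE_FAMILIES:
        return NOTE_FAMILIES[name], f"ransom note {name}"
    if SYNACK_NOTE_RE.match(name):
        return "SynAck", f"ransom note {name}"
    stem, ext = posixpath.splitext(name)
    family = _EXT_LOWER.get(ext.lower())
    if family:
        evidence = f"extension {ext}"
        if ext.lower() == ".shark" and HEX32_RE.match(stem):
            evidence += " with 32-hex filename"
        return family, evidence
    if RANDOM_EXT_RE.match(ext):
        return "unidentified (random 10-char extension, SynAck-like)", f"extension {ext}"
    return None


def triage(paths):
    """Classify every path; return the hits and a per-family count for prioritising response."""
    hits = [(p, *result) for p in paths if (result := classify(p))]
    return hits, Counter(family for _, family, _ in hits)


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_PATHS)
    for path, family, evidence in hits:
        print(f"{family:45s} {evidence:40s} {path}")
    print(counts)
```

The per-family count is the useful output: a single note file is noise, but a family with hundreds of hits across a share tells you which decryptor to look for (the Bitdefender tool mentioned under September 26 does the same identification from the system itself) and which extension to block at the file server in the meantime.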

David Balaban

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
