Showing posts with label David Balaban. Show all posts

Thursday, 7 December 2017

22 Ransomware Prevention Tips

David Balaban, 24/01/2016, on the site The State of Security

Dealing with the aftermath of ransomware attacks is like Russian roulette, where submitting the ransom might be the sole option for recovering locked data. This is precisely why focusing on prevention is a judicious approach to adopt.
The growth of ransomware over the past few years has driven the security industry to create myriads of tools applicable for blocking these types of threats from being executed on computers. None of them is 100% bulletproof, though.
This article is focused on additional measures that users should employ to ensure a higher level of defense against these plagues.
1. First and foremost, be sure to back up your most important files on a regular basis.
Ideally, backup activity should be diversified, so that the failure of any single point won’t lead to the irreversible loss of data. Store one copy in the cloud, resorting to services like Dropbox, and the other on offline physical media, such as a portable HDD that is disconnected when not in use. Keep in mind that a sync client will faithfully upload the encrypted versions of your files as well, so make sure the cloud service keeps a version history you can roll back to.
A sound tactic is to make the backup copy read-only, so that the files cannot be modified or erased by anything running under your account. Permissions you can set, malware running with your privileges can often reset, which is why the offline copy matters most. An additional tip is to check the integrity of your backup copies once in a while, for instance by comparing file hashes against a manifest kept elsewhere.
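An added example, not part of the original article: a PowerShell manifest check for the backup-integrity advice above. It hashes every file in a backup set into a CSV manifest and later reports files that are missing, altered, or new (a ransom note dropped into the backup folder shows up as "not in manifest"). The paths under $env:TEMP are constructed sample data; in real use, point -BackupRoot at the backup and store the manifest on separate media, since whatever encrypts the backup could otherwise rewrite the manifest too.

```powershell
# Added example (not from the original article): SHA-256 manifest for a backup set.
# Paths are assumptions; point -BackupRoot at the real backup and keep the manifest
# on separate media.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $BackupRoot).Path
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $problems = @()

    foreach ($entry in $expected) {
        $full = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $problems += [pscustomobject]@{ Path = $entry.RelativePath; Issue = 'missing' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            $problems += [pscustomobject]@{ Path = $entry.RelativePath; Issue = 'hash mismatch' }
        }
    }

    # Files that appeared since the manifest was written: ransom notes, renamed copies, etc.
    $known = $expected | ForEach-Object { $_.RelativePath }
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        if ($known -notcontains $rel) {
            $problems += [pscustomobject]@{ Path = $rel; Issue = 'not in manifest' }
        }
    }
    return $problems
}

# Demo on constructed data under $env:TEMP (assumption, not real backups).
$demo     = Join-Path $env:TEMP 'backup-demo'
$manifest = Join-Path $env:TEMP 'backup-demo.manifest.csv'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'report.docx') -Value 'quarterly figures'
New-BackupManifest -BackupRoot $demo -ManifestPath $manifest

Set-Content -LiteralPath (Join-Path $demo 'report.docx') -Value 'garbage'   # simulate tampering
Set-Content -LiteralPath (Join-Path $demo 'READ_ME.txt') -Value 'pay up'    # simulate a ransom note
Test-BackupManifest -BackupRoot $demo -ManifestPath $manifest | Format-Table -AutoSize
```

Run the manifest step right after each backup and the test step before you ever need to restore; a backup that has never been verified is a hope, not a backup.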
2. Personalize your anti-spam settings the right way.
Most ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It’s a good idea to configure your mail server or mail gateway to block dubious attachments with extensions like .exe, .vbs, or .scr, including when they arrive inside archives.
3. Refrain from opening attachments that look suspicious.
Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution.
4. Think twice before clicking.
Dangerous hyperlinks can be received via social networks or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible.
5. The Show File Extensions feature can thwart ransomware plagues, as well.
This is a native Windows functionality that allows you to easily tell what types of files are being opened, so that you can keep clear of potentially harmful files. The fraudsters may also utilize a confusing technique where one file can be assigned a couple of extensions.
For instance, an executable may look like an image file and have a .gif extension. Files can also look like they have two extensions – e.g., cute-dog.avi.exe or table.xlsx.scr – so be sure to pay attention to tricks of this sort. A standalone known attack vector is through malicious macros enabled in Microsoft Word documents.
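As an added example, not from the original article, here is a PowerShell check for the two tricks described above: a document-looking name that ends in an executable extension (cute-dog.avi.exe, table.xlsx.scr), and a file whose extension says image or document while its first two bytes are the MZ header of a Windows executable. The extension lists and the sample files written under $env:TEMP are assumptions constructed for the demo; extend the lists to match what your users actually receive.

```powershell
# Added example (not from the original article): flag files that hide an executable
# behind a harmless-looking name. The extension lists are an assumption; extend them.

$ExecutableExt = '.exe','.scr','.com','.pif','.bat','.cmd','.vbs','.vbe','.js','.jse','.wsf','.hta','.ps1','.msi','.cpl'
$DocLikeExt    = '.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf','.txt','.jpg','.jpeg','.gif','.png','.avi','.mp4','.zip'

function Test-DeceptiveFile {
    param([Parameter(Mandatory)][string]$Path)
    $name    = [System.IO.Path]::GetFileName($Path)
    $ext     = [System.IO.Path]::GetExtension($name).ToLower()
    $reasons = @()

    # 1. Double extension such as cute-dog.avi.exe or table.xlsx.scr: the last extension is
    #    what Windows runs, the one before it is what the user sees with extensions hidden.
    $parts = $name.Split('.')
    if ($parts.Count -ge 3) {
        $visible = '.' + $parts[-2].ToLower()
        if ($ExecutableExt -contains $ext -and $DocLikeExt -contains $visible) {
            $reasons += "double extension $visible$ext"
        }
    }

    # 2. A PE binary (MZ header) carrying a non-executable extension, e.g. photo.gif.
    if ($ExecutableExt -notcontains $ext -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $hdr  = New-Object byte[] 2
            $read = $fs.Read($hdr, 0, 2)
        } finally { $fs.Dispose() }
        if ($read -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
            $reasons += "MZ header behind '$ext'"
        }
    }
    return $reasons
}

# Demo on constructed files under $env:TEMP (assumption; no real malware involved).
$demo = Join-Path $env:TEMP 'ext-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'photo.gif'), [byte[]](0x4D,0x5A,0x90,0x00))
Set-Content -LiteralPath (Join-Path $demo 'cute-dog.avi.exe') -Value ''
Set-Content -LiteralPath (Join-Path $demo 'notes.txt') -Value 'benign'
Get-ChildItem -LiteralPath $demo -File | ForEach-Object {
    $r = Test-DeceptiveFile -Path $_.FullName
    if ($r) { '{0}: {1}' -f $_.Name, ($r -join '; ') }
}
```

The same function can be pointed at a download folder or a mail quarantine directory; the MZ check is the more robust of the two, because it does not depend on the attacker leaving the original extension in the name.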
6. Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
This habit can prevent compromises via exploit kits.
7. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
This can help early in an attack: some families fetch their encryption key from a Command and Control server before they start, and cutting the connection stops them cold. Many others generate keys locally and encrypt without any network access, so disconnecting mainly limits data exfiltration and spread to network shares; do not count on it to halt encryption on its own.
8. Think of restricting vssadmin.exe.
This tool, built into Windows to administer the Volume Shadow Copy Service, is normally handy for restoring previous versions of arbitrary files. In the context of rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a problem rather than a favorable service, because many families run “vssadmin delete shadows /all /quiet” before they start encrypting.
If it is disabled or access-restricted on a computer at the time of a compromise, ransomware will fail to use it for obliterating the shadow volume snapshots, and you may be able to restore the encrypted files from VSS afterwards. This only helps if shadow copies existed and fit within the storage quota, and the same deletion can be done through WMI (wmic shadowcopy delete) or PowerShell, so treat it as one layer rather than a guarantee.
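The following is an added example, not from the original article: a PowerShell detection over process-creation command lines (Security event 4688) for shadow-copy deletion. The vssadmin.exe case is the one the tip describes; the wmic, PowerShell and wbadmin patterns are included from general knowledge because restricting vssadmin.exe alone leaves them open. The sample command lines are constructed; Get-RecentShadowTamper reads the live Security log and only returns something if “Audit Process Creation” with “Include command line in process creation events” is enabled.

```powershell
# Added example (not from the original article): spot shadow-copy deletion in process
# command lines. Patterns beyond vssadmin come from general ransomware tradecraft.

$ShadowTamperPatterns = @(
    @{ Name = 'vssadmin delete shadows';       Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'vssadmin resize shadowstorage'; Regex = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' },
    @{ Name = 'wmic shadowcopy delete';        Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Name = 'Win32_ShadowCopy via WMI';      Regex = 'win32_shadowcopy' },
    @{ Name = 'wbadmin delete catalog';        Regex = 'wbadmin(\.exe)?\s+delete\s+catalog' }
)

function Get-ShadowTamperMatch {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $ShadowTamperPatterns) {
        if ($CommandLine -imatch $p.Regex) { return $p.Name }
    }
    return $null
}

# Pull command lines from Security event 4688 on the local host. Needs process-creation
# auditing with command-line inclusion turned on, otherwise CommandLine is empty.
function Get-RecentShadowTamper {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd) {
                $hit = Get-ShadowTamperMatch -CommandLine $cmd
                if ($hit) {
                    [pscustomobject]@{ Time = $_.TimeCreated; Technique = $hit; CommandLine = $cmd }
                }
            }
        }
}

# Constructed sample command lines for an offline run (not real log data).
$samples = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    'wmic.exe shadowcopy delete',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'vssadmin.exe list shadows',
    'C:\Windows\System32\notepad.exe report.txt'
)
foreach ($s in $samples) {
    $hit = Get-ShadowTamperMatch -CommandLine $s
    '{0,-30} {1}' -f $(if ($hit) { $hit } else { 'no match' }), $s
}
```

Note that “vssadmin list shadows” deliberately does not match: listing is routine administration, deletion almost never is on an end-user workstation, which makes the deletion patterns a high-signal alert worth wiring into your SIEM.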
9. Keep the Windows Firewall turned on and properly configured at all times.
10. Enhance your protection further by adding a second firewall layer.
Some security suites bundle their own firewall with per-application outbound control, which complements the stock Windows Firewall by flagging unknown programs that suddenly try to reach the Internet.
11. Adjust your security software to scan compressed or archived files, if this feature is available.
12. Disabling Windows Script Host could be an efficient preventive measure, as well.
WSH is what runs .vbs, .js and .wsf files through wscript.exe and cscript.exe, which is exactly how most script-based email droppers execute.
13. Consider disabling Windows PowerShell, which is a task automation framework.
Keep it enabled only if absolutely necessary. On current Windows versions it cannot simply be uninstalled, so in practice this means restricting who may run it (for example with AppLocker) and turning on script block logging so that abuse is at least visible.
14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.
15. Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
16. Use strong passwords that cannot be brute-forced by remote criminals.
Set unique passwords for different accounts to reduce the potential risk.
17. Deactivate AutoPlay.
This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.
18. Make sure you disable file sharing.
Unneeded shares are a path for the infection to reach other machines, and mapped drives are a path for it to reach their data. Disable the shares you do not use and grant write access only where it is required, so that if you happen to get hit, the damage stays as close to your own machine as possible.
19. Think of disabling remote services.
Otherwise, the threat could rapidly propagate across the enterprise network, causing serious security issues for the business environment if your computer is a part of it.
For example, the Remote Desktop Protocol is routinely abused: attackers brute-force RDP credentials and then plant ransomware by hand. If RDP must stay on, keep it off the public Internet (VPN only), require Network Level Authentication and strong passwords, and lock accounts after repeated failed logons.
20. Switch off unused wireless connections, such as Bluetooth or infrared ports.
There are cases where Bluetooth gets exploited for stealthily compromising the machine.
21. Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system.
The directories most heavily used for hosting malicious processes are the user-writable ones: ProgramData, AppData (Roaming and Local) and Temp, including their subfolders. Be careful with rules that touch system directories such as Windows\SysWOW64: blocking them outright breaks legitimate 32-bit software, so restrict by publisher or exact path there instead.
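The block below is an added example, not from the original article, that applies tips 12, 14, 17 and 21 through the registry and shows the current value of each setting before touching it. Registry key names are those of Office 2016 (16.0) and the classic Software Restriction Policies (Safer) engine; confirm them against your Office version, and test on a lab machine first because a wrong SRP path rule can block legitimate software. Tip 13 is left out, since the script is itself PowerShell; use AppLocker for that one. Run from an elevated PowerShell and keep -WhatIf on the last line to audit without changing anything.

```powershell
# Added example (not from the original article): registry hardening for tips 12, 14, 17, 21.
# Key names assume Office 2016 (16.0) and the classic SRP (Safer) engine; verify first.

function Set-HardeningValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [string]$Type = 'DWord'
    )
    # Show what is there now, so the audit run (-WhatIf) doubles as a report.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set to '$Value' (currently '$current')")) {
        if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type $Type
    }
}

function Invoke-RansomwareHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Tip 12: Windows Script Host off (wscript/cscript refuse to run .vbs/.js/.wsf).
    Set-HardeningValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

    # Tip 17: AutoPlay/AutoRun off for every drive type (0xFF = all types).
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Set-HardeningValue $explorer 'NoDriveTypeAutoRun' 0xFF
    Set-HardeningValue $explorer 'NoAutorun' 1

    # Tip 14: Office macros disabled without notification (VBAWarnings=4), macros in
    # files downloaded from the Internet blocked, ActiveX controls disabled.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
        Set-HardeningValue $sec 'VBAWarnings' 4
        Set-HardeningValue $sec 'blockcontentexecutionfrominternet' 1
    }
    Set-HardeningValue 'HKCU:\SOFTWARE\Policies\Microsoft\Office\Common\Security' 'DisableAllActiveX' 1

    # Tip 21: SRP path rules under the "Disallowed" level (subkey 0) for user-writable paths.
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    Set-HardeningValue $safer 'DefaultLevel' 0x40000      # everything else stays Unrestricted
    Set-HardeningValue $safer 'TransparentEnabled' 1      # enforce rules for all software
    Set-HardeningValue $safer 'PolicyScope' 0             # apply to all users
    $rulesKey = "$safer\0\Paths"
    $existing = Get-ChildItem -LiteralPath $rulesKey -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath).ItemData }
    $blocked = '%AppData%\*.exe', '%LocalAppData%\*.exe', '%Temp%\*.exe', '%ProgramData%\*.exe'
    foreach ($pattern in $blocked) {
        if ($existing -contains $pattern) { continue }   # idempotent: rule already present
        $rule = Join-Path $rulesKey ([guid]::NewGuid().ToString('B'))
        Set-HardeningValue $rule 'ItemData'    $pattern 'ExpandString'
        Set-HardeningValue $rule 'SaferFlags'  0
        Set-HardeningValue $rule 'Description' 'Ransomware hardening (added example)' 'String'
    }
}

Invoke-RansomwareHardening -WhatIf   # audit only; drop -WhatIf to apply (rules take effect at next logon)
```

The *.exe rules are a starting point; repeat the same pattern for .scr, .pif and the script extensions you do not need, and prefer AppLocker on Windows 10 and later, where SRP is deprecated.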
22. Block known-malicious Tor IP addresses.
Many ransomware families reach their C&C servers or payment portals through Tor (The Onion Router) gateways, so blocking known Tor relays at the perimeter can cut off check-in or key-exchange traffic for some strains. It is not a silver bullet: families that encrypt offline will finish regardless, and Tor addresses change, so keep the block list current.
Since ransomware is definitely today’s number one cyber peril due to the damage it causes and the prevalence factor, the countermeasures above are a must. Otherwise, your most important files could be completely lost.
The key recommendation, though, is the one about backups – offline or in the cloud. In this scenario, the recovery consists of removing the ransom Trojan and transferring data from the backup storage.
Currently, dealing with the consequences of ransomware isn’t very promising from the file decryption perspective. That is why thwarting the virus attack can save you a pretty penny and guarantee peace of mind.

Wednesday, 6 December 2017

November 2017: The Month in Ransomware

Published 06/12/2017 on the site The State of Security


November didn’t shape up to be revolutionary in terms of ransomware, but the shenanigans of cyber-extortionists continued to be a major concern. The reputation of the Hidden Tear PoC ransomware project hit another low as it spawned a bunch of new real-life spinoffs. The crooks who created the strain dubbed Ordinypt should be really ashamed of themselves, as their brainchild goes a scorched-earth route and simply destroys victims’ data beyond recovery. Furthermore, quite a few copycats of the infamous WannaCry ransomware popped up only to demonstrate that the original is always better than the sequel.
All in all, here’s a brief statistical breakdown of the month: 37 new ransomware species were discovered, 23 existing samples got a facelift, and three ransomware decryptors were released by the white hats.

NOVEMBER 1, 2017

Hidden Tear offshoot with French origin
Threat actors continue to abuse the proof-of-concept Hidden Tear ransomware. Its newest real-life incarnation targets French users, appends encrypted files with the .hacking extension, and instructs victims to contact the attacker at fbi-cybercrimedivision@hotmail.com.

NOVEMBER 2, 2017

Ostentatious claims regarding Hidden Tear
An umpteenth remake of the above-mentioned academic Hidden Tear goes live. It blemishes encrypted files with the .locked string, drops READ_ME.txt help manual, and displays a questionably truthful warning screen that says it’s “one of the most powerful ransomware’s around”.
Magniber strain updated
Magniber, a ransomware sample that’s most likely a successor to the nasty Cerber culprit, undergoes an update within one of the multiple affiliate campaigns. The infection switches to subjoining the .skvtb extension to ransomed files.
It’s time for Jigsaw to get some fine-tuning
Cybercriminals release a new variant of the Jigsaw ransomware, a true old stager on the extortion arena. The pest now appends the .game suffix to victims’ data entries while still displaying the same movie-themed background.
Hermes ransomware remake
Hermes 2.1 Ransomware is what this perpetrating program’s current edition is called. It stains encrypted files with the .HRM extension and leverages a mix of the RSA cipher and Microsoft’s CryptGenRandom function to lock data.
New hallmarks of the Matrix ransomware
A few tweaks are made to the existing blackmail Trojan called Matrix. Its latest build labels hostage data with the _[RELOCK001@TUTA.IO].[original extension] string and provides recovery steps in a document named !OoopsYourFilesLocked!.rtf.

NOVEMBER 3, 2017

GIBON ransomware released and quickly decrypted
This one appears to be quite professionally tailored, but that’s a delusive impression in a way. It concatenates the .encrypt extension to files, leaves a ransom how-to named READ_ME_NOW.txt, and works just like garden-variety ransomware. However, malware analyst Michael Gillespie finds a way to defeat the crypto and contrives a free decryption tool shortly after GIBON’s discovery.
Sad Ransomware lives up to its name
The specimen in question drops _HELPME_DECRYPT.html rescue note and appends a victim-specific extension to locked files. When it’s done encrypting data, it generates a short beep sound. Files cannot be decrypted without meeting the ransom so far.
Ranion ransomware gets a fresh look and feel
Ranion was originally spotted in early February 2017 as a RaaS (Ransomware-as-a-Service) platform. It took the crooks nine months to come up with a fresh edition that blemishes a plagued user’s files with the .ransom extension and provides recovery tips in README_TO_DECRYPT_FILES.html manual. The ransom note is available in seven different languages.

NOVEMBER 4, 2017

Hidden Tear echoes back, once again
A new blackmail virus based on the educational Hidden Tear code appears. It’s called Curumim and targets Portuguese-speaking audience. The pest concatenates the .curumim extension to encoded files and provides a ransom payment deadline of one day.
XiaoBa ransomware updated
This strain originally surfaced on October 27, so it took the ne’er-do-wells one week to craft and release an updated edition. The infection now locks the screen of an infected PC and demands a Bitcoin equivalent of 250 RMB (Chinese Yuan), which is worth about $37.
Zika ransomware continues the HT saga
The scandalous Hidden Tear project gives rise to Zika, a ransom Trojan targeting Spanish-speaking users. It concatenates the .teamo string to locked data items.
Waffle ransomware isn’t too delicious
The new Waffle ransomware is exactly what it sounds like. Its ransom notification is named ‘Waffle’ and includes a picture of a bunch of waffles in the background. Furthermore, it appends the .waffle extension to a victim’s files. The ransom amounts to $50 worth of Bitcoin.

NOVEMBER 6, 2017

Unexpected details of the GIBON ransomware unearthed
In-depth analysis of the GIBON ransomware campaign has revealed that it’s much older than previously thought. Specifically, this turnkey ransomware kit has been marketed on Russian dark web forums since May 2017.

NOVEMBER 7, 2017

Sigma ransomware spotted
The payload of this sample is disguised as GUID Helper tool (GUID.exe.bin). Having encrypted a victim’s valuable files, Sigma stains them with a random extension and drops a ransom how-to document named ReadMe.txt. The attackers demand $1,000 worth of Bitcoin for the private key and decryptor software.

NOVEMBER 8, 2017

The premature Christmas Ransomware
Extortionists are, obviously, prepping for the holiday season with the new Christmas Ransomware. It displays a picture of a leafless forest with Christmas toys hanging on the trees. The ransom amounts to 0.03 Bitcoin (about $230). It is currently in development and does not encrypt data yet.
Another city hit by blackmail virus
The computer servers of the city of Spring Hill, TN get hijacked by an unknown strain of ransomware. The infection reportedly took root as an employee clicked on a booby-trapped email attachment. As a result, city workers are unable to use email and accept online payments. The criminals ask for $250,000 to restore the affected services.
Jhash ransomware uses a file extension familiar to many
The fresh sample called Jhash is a Hidden Tear spinoff zeroing in on Spanish-speaking computer users. It subjoins the .locky extension to encoded files and instructs victims to submit ransoms via the Payza online payment platform.

NOVEMBER 9, 2017

Ordinypt – classic ransomware or wiper?
The specimen in question is propagating in Germany. Ordinypt drops rescue notes named Wo_sind_meine_Dateien.html (“Where_are_my_files.html” in English). As opposed to commonplace crypto parasites, this one overwrites files with random values instead of encrypting them. Consequently, there is no way to restore the data.

NOVEMBER 10, 2017

LockCrypt has got a RaaS-related background
The sample called LockCrypt was originally distributed via a Ransomware-as-a-Service platform called Satan. Later on, the threat actors must have invested some money and effort to code their own ransomware operating independently from the RaaS. LockCrypt is deposited on computers and servers by brute-forcing RDP credentials.
CrySiS ransomware fine-tuned
The most recent edition of the CrySiS, or Dharma, ransomware switches to adding the .cobra extension to locked files. It also drops ‘Files encrypted!!.txt’ ransom note and instructs victims to contact the attackers at cranbery@colorendgrace.com for recovery steps.
LOL ransomware passes itself off as a keygen
The malicious binary of the C# based LOL ransomware strain is masqueraded as a keygen application for VMware products. It concatenates the .lol string to encrypted files.

NOVEMBER 11, 2017

Jigsaw strain gets slightly modified
A brand-new variant of the Jigsaw ransomware is detected in the wild. It stains hostage data with the .##encrypted_by_pabluklocker## extension token and displays an updated set of messages.
Blackmail virus pretending to come from Cyber Police
Threat actors take advantage of the Hidden Tear project to coin another real-world crypto infection. The latest incarnation sports a warning message saying, “Your computer is blocked by Cyber Police for unlicensed software’s usage.” The pest subjoins the .locked suffix to ransomed files.
GlobeImposter changes its behavior
Some of the recent editions of the fertile GlobeImposter strain feature an externally inconspicuous yet significant modification in their modus operandi. The developers have changed the culprits’ config extraction script and the technique used to encrypt configuration data.

NOVEMBER 12, 2017

Stroman ransomware resurfaces
Although the perpetrating program in question hasn’t ever been in wide distribution and pretty much vanished from the extortion arena lately, it spawned a new version out of the blue. The baddie now concatenates the .fat32 extension to files and provides recovery tips in the info.txt manual.

NOVEMBER 13, 2017

CryptoMix reaches the end of alphabet
The latest mod of the fairly professionally made CryptoMix ransomware switches to using the .XZZX extension string for scrambled files. As before, the rescue note is named _HELP_INSTRUCTION.txt.
jCandy isn’t sweet at all
Malware analysts stumble upon a fresh specimen called jCandy. It affixes the .locked-jCandy string to no-longer-accessible data. Interestingly, this one drops two different editions of the ransom how-to at the same time named READ_ME.txt and JCANDY_INSTRUCTIONS.txt.
In-dev French ransomware discovered
Once again, security experts were able to spot a blackmail infection before it went real-world. This one displays all of its warnings in French and is configured to stain files with the .lockon suffix. This would-be baddie currently doesn’t encrypt data anywhere except a directory named ‘testrw’.
Dr.Web cracks a relatively new ransom Trojan
A ransomware lineage blemishing encrypted data with the .[attacker’s email].blind or .[attacker’s email].kill extensions is now potentially decryptable courtesy of Dr.Web antivirus vendor. Those infected may be able to restore their files using the company’s Rescue Pack tool. Be advised: this service isn’t free.
Unsurprisingly, GlobeImposter gets another update
The most recent iteration of GlobeImposter brings about the following new attributes: the .kimchenyn file extension, plus a ransom notification named how_to_back_files.html.
Fresh Amnesia2 ransomware version turns out somewhat crude
The edition in question scrambles filenames beyond identification and concatenates the .am extension to each one. Its ransom how-to document, ENCRYPTED FILES.txt, contains nothing but a bunch of digits that don’t make sense. So victims have no idea how to pay the ransom even if they are up to it. This, by the way, isn’t a good idea because a free tool called Emsisoft Decrypter for Amnesia2 supports this pest.
Goofed ransomware surfaces
The silly name doesn’t make this Hidden Tear offspring any less harmful than the rest. It speckles encrypted files with the .goofed extension and provides recovery steps in YOU_DONE_GOOFED.txt document. Goofed ransomware demands $100 worth of Bitcoin for decryption.

NOVEMBER 14, 2017

GlobeImposter authors get naughty
The GlobeImposter family expands with yet another sample. This time, the culprit concatenates the .SEXY extension to ransomed data entries and instructs users to send a message to sexy_chief@aol.com for recovery steps.

NOVEMBER 15, 2017

J. Sterling Student Survey ransomware
This one zeroes in specifically on students of J. Sterling Morton school district, Illinois. Its propagation relies on a bogus student survey that looks trustworthy enough for would-be victims to go ahead and click through. The ransomware does not do any real damage in its current state.

NOVEMBER 16, 2017

RASTAKHIZ ransomware campaign underway
Cybercriminals strike again using the Hidden Tear PoC. One more spinoff labels encrypted data with the .RASTAKHIZ extension. The infection goes with a well-designed GUI.

NOVEMBER 17, 2017

CryptoMix switches to a numeric extension
One more version of the CryptoMix ransomware pops up that concatenates the .0000 string to one’s skewed files and uses an updated set of four contact email addresses. The name of the ransom note is the same (_HELP_INSTRUCTION.txt).
WannaSmile ransomware
This one sure sounds better than the ill-famed WannaCry threat but isn’t much more promising for victims. Its ransom note ‘How to decrypt files.html’ is in Persian. The extension added to filenames is .WSmile.
CorruptCrypt is good at evading AVs
The sample called CorruptCrypt boasts a zero detection rate two days after discovery, which is a disconcerting hallmark. It uses two extensions concurrently to stain locked files, namely .corrupt and .acryhjccbb@protonmail.com.
Hand of God screen locker isn’t celestial at all
The ransom Trojan in question displays an “FBI anti-piracy warning” screen and instructions in French. It coerces victims to pay 0.06 Bitcoin (about $580) for unlocking their computers.
BASS-FES proves the Hidden Tear abuse story is ongoing
Yet another derivative of the academic Hidden Tear starts making the rounds. It’s called BASS-FES, which is an acronym for BitchASS File Encryption System. This pest subjoins the .basslock suffix to encrypted items.

NOVEMBER 18, 2017

Russian imitation of WannaCry appears
The warning screen displayed by this ransomware is a close resemblance to WannaCry’s, but it is titled “Wanna die decrypt0r” and contains Russian text. While still in development, it does not encrypt files at this point.

NOVEMBER 20, 2017

CrySiS ransomware update
The latest mod of the CrySiS/Dharma ransomware strain switches to concatenating the .java extension to encrypted data entries.

NOVEMBER 21, 2017

Cryakl ransomware devs feel fairytale-ish
Cryakl is a lineage that was one of the pioneers on the extortion arena and pretty much vanished from this threat landscape. As part of the first update in many months, though, the pest starts adding the .fairytale string to encoded files.
CryptoLocker lookalike called Locket ransomware
The Locket sample goes with a GUI imitating that of the infamous CryptoLocker. Although it fails to perform encryption, it demands a ransom of 0.1424 BTC (about $1,500).
GlobeImposter fine-tuned
A fresh variant of the GlobeImposter crypto baddie subjoins the .Ipcrestore extension to enciphered files and continues to drop a rescue note named how_to_back_files.html.

NOVEMBER 22, 2017

The unusual qkG ransomware
As opposed to other ransomware strains, the qkG sample only targets Microsoft Office documents spotted on a contaminated computer. To add insult to injury, it also affects all new Word files that the victim opens.
Test version of IGotYou ransomware
The culprit in question appends the .iGotYou extension to encoded files. Luckily, it isn’t fully functional at this point, and it only encrypts data in a Test folder on drive C of the author’s computer. The infection demands 10,000 Indian rupees for decryption, which provides a clue about the developer’s country of residence.
Another day, another WannaCry copycat
Security analysts spot a WannaCry ransomware imitator displaying its warning messages in Portuguese. It coerces victims to submit the ransom of 0.006 BTC within seven days.

NOVEMBER 23, 2017

A similarity between the new Scarab ransomware and Locky
Just like Locky, the old stager in the extortion landscape, the Scarab ransomware is making the rounds via malicious spam generated by the Necurs botnet. It blemishes encrypted files with the .[suupport@protonmail.com].scarab extension and leaves a ransom how-to file named “If you want to get all your files back, please read this.txt”.
Researchers unearth ransomware statistics for Africa
According to Sophos, the top ransomware lineages in Africa as of 2017 are Cerber (80% prevalence), WannaCry (17%), Locky and Jaff (1% each), and the destructive Petya (0.5%).
Cryp70n1c Army blackmail virus
This one is a Hidden Tear offshoot that stains locked data with the .cryp70n1c suffix. It threatens to delete all hostage files unless the victim coughs up the ransom in a three-day timeframe.

NOVEMBER 24, 2017

Girlsomeware appears to be a prank
The new ransom Trojan called Girlsomeware instructs those infected to click on several dozen checkboxes in order to restore allegedly encoded files. However, it doesn’t actually encrypt anything, so the trivial assignment isn’t compulsory at all.

NOVEMBER 25, 2017

ExoBuilder fails to impress
The ExoBuilder tool is being advertised on black hat hacking forums as a means to create new ransomware. It is supposed to subjoin the .exo extension to files and drop a rescue note named UnlockYourFiles.txt. However, all it does is sprinkle a slew of new files all over the computer and displays a full-screen warning to instill fear. An infected user should simply restart their machine to get rid of it.

NOVEMBER 27, 2017

StorageCrypter stands out from the crowd
The specimen codenamed StorageCrypter zeroes in on NAS (network-attached storage) devices. Having skewed one’s valuable files, it concatenates the .locked string to each one and provides recovery steps in the _READ_ME_FOR_DECRYPT.txt how-to document.
Samas ransomware refreshed
A brand-new version of the Samas/SamSam blackmail virus is different than its forerunner in that it uses the .areyoulovemyrans extension to label hostage data.
Magniber starts using a gibberish extension
Magniber, the crypto infection believed to be a successor of Cerber, undergoes fine-tuning in a way. It switches to using the .vpgvlkb extension for ransomed files, which doesn’t appear to make any sense. Another tweak is that it drops a recovery avenue named ‘read me for decrypt.txt’.
Researchers trying to hunt down a new cyber culprit
MalwareHunterTeam’s Michael Gillespie tweets with another ransomware hunt suggestion to fellow-analysts. The baddie being sought is a new French ransom Trojan someone uploaded to the ID Ransomware portal. It stains data with the .locked suffix and uses a rescue note named READ_ME_FOR_ALL_YOUR_FILES.txt. The initiative is to no avail at the time of this writing.

NOVEMBER 28, 2017

HC6 ransomware decrypted
Security experts contrive a free decryption tool supporting the HC6 ransomware. This perpetrating program appends the .fucku extension to encoded files and leaves a ransom note named recover_your_files.txt.
Known ransomware passing itself off as a keygen program
For the record, the CryptON ransomware is a .NET based sample discovered a year ago. Its latest update has introduced a fairly unusual alteration. The infection’s payload now goes camouflaged as a keygen utility for EaseUS Data Recovery, a popular file restoration suite.
Crypt12 strain updated
Security analysts were able to fine-tune the existing free decryptor for Crypt12 ransomware shortly after its new edition has been spotted in the wild. The tool now supports the variant that blemishes encrypted files with the ‘=[victim ID]=hello@boomfile.ru.crypt12’ extension.
MaxiCrypt ransomware discovered
This one scrambles filenames and appends them with the .[maxicrypt@cock.li].maxicrypt extension. The ransom how-to file is named ‘How to restore your data.txt’.

NOVEMBER 29, 2017

Brazilian WannaPeace ransomware spotted
Cybercrooks from Brazil calling themselves AnonymousBr must have decided to pay homage to the mega-successful WannaCry ransomware that broke out in May 2017. The copycat is called WannaPeace. It prepends the ‘_enc’ string to an original file extension. The ransom amounts to 0.08 BTC (about $900).
Crypt888 ransomware reemerges
The proprietors of the extortion campaign through Crypt888 ransomware haven’t released any fresh variants for months. This has changed with a recent update no one in the security circles really expected. The pest now instructs victims to contact the attackers via maya_157_ransom@hotmail.com email address.

NOVEMBER 30, 2017

HC6 strain upgraded to HC7? How prosaic
The brand new HC7 variant from the existing lineage uses the .GOTYA string to stain encrypted files. According to preliminary analysis, it infects computers via hacked RDP services.
ACCDFISA ransomware gaining momentum in Brazil
This sample is one of the oldest known ransom Trojans that has literally risen from the ashes. The name stands for ‘Anti Cyber Crime Department of Federal Internet Security Agency’, a purported organization that doesn’t even exist. According to statistics obtained via ID Ransomware service, this infection has been increasingly targeting Brazilian users during November.
New lousy specimen out there
Analysts stumble upon a sample using a binary named REAL DANGEROUS RANSOMWARE.exe. Despite the scary executable, it turns out to be all bark but no bite. It’s nothing but a screen locker that a victim can get around by simply pressing Alt+F4.
GlobeImposter and Necurs are now in cahoots
The architects of the GlobeImposter ransomware campaign change their tactics in terms of distribution. The crypto culprit has begun making the rounds via spam generated by Necurs, one of the world’s largest botnets.

SUMMARY

Only three new decryption tools crafted in November versus a slew of fresh ransomware strains still make an unsettling ratio. Under the circumstances, users should rely on their personal online hygiene rather than researchers’ success. Simply exercising caution with spam email attachments significantly reduces the risk of being infected. Keep that in mind, and don’t forget to back up your important files on a regular basis.

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Wednesday, 8 November 2017

October 2017: The Month in Ransomware

David Balaban, 06/11/2017, on the site The State of Security


Ransomware activity didn’t skyrocket last month, but there was definitely a substantial increase compared to September.
Perhaps the most serious wake-up call was the onset of BadRabbit, a Petya-like culprit going on a rampage in Eastern Europe. A likely successor of the Cerber ransomware dubbed Magniber started making the rounds via the Magnitude exploit kit. A Halloween-themed Trick-or-Treat blackmail malware demonstrated that cybercriminals follow the traditions too – in their own way, though.
Overall, 28 new strains emerged, 18 existing ones underwent updates, and only one free decryptor was released.

OCTOBER 3, 2017

BTCWare edition using a self-explanatory extension
A new variant of the BTCWare blackmail virus is discovered. It appends the .payday extension to hostage files and drops a ransom note named !! RETURN FILES !!.txt. Victims are instructed to contact the attackers via email for detailed decryption steps.

OCTOBER 5, 2017

Browser scam revolving around ransomware
Cybercriminals launch a tech support scam campaign where users bump into rogue browser alerts stating ‘Ransomware Detected’. The deceptive popups recommend would-be victims to call a toll free phone number for assistance. The self-proclaimed support agents will then try to defraud the unsuspecting users of a fee to fix the purported security issue.
Samas ransomware updated
Researchers come across an uncatalogued Samas/SamSam ransomware version that blemishes encoded data with the .loveransisgood string.
Ransomware attacks a U.S. city
All internal information systems of the City of Englewood, Colorado, are knocked offline due to a ransomware incursion. No details regarding the trouble-making strain are available at this point. Fortunately, sensitive information belonging to employees or residents has not been obtained via this infection.
Another crypto onslaught against a healthcare facility reported
According to a recent press release, the computer network of Arkansas Oral & Facial Surgery Center was affected by file-encrypting ransomware on July 26, 2017. While the facility’s patient information database reportedly remained intact, some documents and imaging files, including x-rays files, were encrypted.

OCTOBER 6, 2017

Ender Ransomware wave didn’t pan out
A new screen locker called Ender Ransomware displays a poorly designed warning screen with hardly intelligible text. Courtesy of security analysts, the unlock code has been revealed – it’s ‘aRmLgk8wboWK5q7’. Better luck next time, script kiddies.

OCTOBER 8, 2017

GlobeImposter authors diversify their distribution portfolio
A new wave of malicious spam disseminating GlobeImposter ransomware payloads is detected. The shenanigans now revolve around phony website job applications with a booby-trapped resume on board. The attached Word file instructs a recipient to enable macros, which in turn leads to the Trojan being downloaded onto the host.

OCTOBER 9, 2017

LockOn ransomware, not in the wild yet
Analysts stumble upon a new in-development sample called LockOn. It is presumably a variant of the Hidden Tear proof-of-concept that currently targets data in a hard-coded ‘Test’ path. Files are appended with the .lockon extension.

OCTOBER 10, 2017

BugWare, a new one on the table
This one comes with a GUI in Portuguese and targets Brazilian users. It concatenates the .[slavic@secmail.pro].bugware extension to enciphered data entries. The deadline for payment is 72 hours.
Locky gets a buggy facelift
The latest variant of the much-spoken-of Locky ransomware changes its behavior by using the new .asasin extension for encrypted files along with asasin.htm/bmp rescue notes. The original malspam wave spreading this edition is crude, though – recipients see a disorderly string of base64 encoded text instead of the trojanized email attachment.
Another screen locker in the wild
The prolific screen locking Trojan featuring “Your Windows Has Been Banned” message is updated with a new version. It instructs victims to call or email pseudo tech support for steps to fix the issue. Predictably enough, the unlocking routine boils down to submitting a ransom.
New Hidden Tear iteration takes root
An uncatalogued spinoff of the Hidden Tear proof-of-concept ransomware called AnonCrack is spotted. It uses the .crack string to label hostage files and displays ransom demands in Spanish.
Plus one sample for RotorCrypt lineage
A fresh specimen representing the RotorCrypt ransomware family is released. It affixes the “!___FIDEL4000@TUTAMAIL.COM___.biz” extension to encoded files. The recovery-through-payment steps are provided in a how-to file named DOCTOR.
Atchbo ransomware pops up
This brand new sample blemishes data with the .ExoLock or .Exo extension and leaves a ransom note named UnlockYourFiles[0-49].txt. The size of the ransom ranges from 0.007 to 0.01 Bitcoin.

OCTOBER 11, 2017

The soaring ransomware economy
According to a report released by IT security firm Carbon Black, the dark web marketplace for ransomware has expanded by about 2,500% in 2017 over 2016. Some of the statistics are as follows: ransomware is sold via more than 6,000 underground sites, and some developers earn on the order of $100,000 per year by simply retailing their malicious products.
BTCWare authors can’t wait for payday to come
Another edition of the BTCWare pest switches to the .[checkzip@india.com]-id-[victim ID].payday extension for enciphered files. As before, the infection is making the rounds by abusing unsecured remote desktop services.

OCTOBER 12, 2017

New BugWare variant hastily released
Just two days after the discovery of the Brazilian BugWare blackmail virus, its new build goes live. It features some GUI tweaks and a different extension being subjoined to ransomed files, namely .[slavic@secmail.pro].criptografado. Also, the culprit now comes with a list of countries to target.

OCTOBER 13, 2017

The groundbreaking DoubleLocker ransomware
An Android ransom Trojan code-named DoubleLocker is discovered. Unlike run-of-the-mill mobile ransomware samples that simply lock the screen of a targeted device, this one also encrypts all files on the primary storage and appends them with the .cryeye extension. Furthermore, it exploits the Accessibility service of the host operating system in order to maintain persistence.
New CryptoMix spinoff surfaces
The updated perpetrating program concatenates the .x1881 suffix to encrypted items and drops a decryption manual named _HELP_INSTRUCTION.txt. There are no other noteworthy changes compared to the precursor.
Anubi ransomware pops up
This fresh blackmail infection adds the .[anubi@cock.li].anubi extension to files and provides a recovery walkthrough in __READ_ME__.txt document. The contact email address may vary.
The vague gist of CCord SystemLocker
The offending entity in question is a Windows screen locker that might reportedly be a crackme challenge. The unlock code can be obtained by visiting a specific website. At this point, it is ‘cracked:cracked’.

OCTOBER 14, 2017

WannaCry theme used in an online scam
A new wave of tech support scams is gaining momentum. When victims are redirected to the deceptive landing page, they see a popup warning stating that their computer is infected with WannaCry, one of the most sophisticated ransomware strains to date.
A write-up on Sage 2.2 ransomware is released
Bart Blaze, a threat intelligence analyst at PwC, publishes an informative technical summary on Sage 2.2, a widespread file-encrypting infection that has been in the wild since February 2017. The post includes exhaustive behavioral characteristics of the culprit and illustrations of all victim interaction modules.

OCTOBER 15, 2017

Yet another proof-of-concept abuse case
Researchers spot a fresh in-development spinoff of Hidden Tear, a ransomware codebase originally devised for educational purposes. It’s called ViiperWare. While this would-be pest currently only targets a ‘Test’ path on its creator’s machine, it concatenates the .viiper string to locked data.
CryptoDemo isn’t as prosaic as it appears
The sample in question imitates the interface of CryptoLocker, the notorious prototype of most present-day blackmail viruses. The interesting discovery about it is that it appears to be an EICAR test file, that is, an entity intended to check the response of anti-malware suites.

OCTOBER 16, 2017

Crypto Tyrant ransomware
This one presumably hails from the so-called DUMB ransomware family. Its warning window contains text in Farsi (Persian language). Crypto Tyrant provides a 24-hour deadline for a ransom payment.
Thought-extinct ransom Trojan updated
An existing e-blackmail strain called Vortex gets a facelift after many months of hiatus. Just like the original build, the newcomer zeroes in on Polish users. It drops a ransom how-to file named #$# JAK-ODZYSKAC-PLIIKI.txt.
New screen locker shows up
Ne’er-do-wells responsible for the new screen locking ransomware campaign leverage a fairly banal social engineering technique. When a victim’s screen gets locked up, the following message appears on it, “Your computer is running a pirated version of Windows.” Interestingly, the infection demands $100 worth of Ethereum, not Bitcoin. After the payment, users are also supposed to send 20 nude pictures of themselves to the pranksters.

OCTOBER 17, 2017

Ransomware-related distraction maneuver by hackers
Threat actors from North Korea reportedly pulled off a large-scale heist in early October targeting Taiwan-based Far Eastern International Bank (FEIB). Interestingly, the criminals used ransomware called Hermes as a smokescreen to avert the attention of the commercial firm’s officials and law enforcement from the theft.
Blind ransomware spotted
Judging by the ransom note, this one appears to be a variant of the prolific CrySiS/Dharma ransomware. It subjoins the .blind extension to ransomed files and leaves a rescue note named How_Decrypt_Files.hta.
The Magic ransomware surfaces
The sample called The Magic is a derivative of the Hidden Tear PoC that targets Italian users. It appends the .locked suffix to encoded data items and demands €100 worth of Bitcoin.
RotorCrypt strain fine-tuned
The latest edition of the RotorCrypt ransomware blemishes encrypted files with the “!_DESKRYPT@TUTAMAIL.COM_.rar” extension.

OCTOBER 18, 2017

Possible heir of Cerber appears
A new crypto culprit is discovered that bears a close resemblance to Cerber, a real ransomware heavyweight of the last two years. Dubbed Magniber, this infection is making the rounds via the Magnitude exploit kit, which is one thing it has in common with the likely prototype. Another similarity is that the two share an almost identical Tor-based payment system.
Magniber isn’t a worldwide threat, so far
According to researchers at Malwarebytes, the newsmaking Magniber pest currently zeroes in on South Korean users. Having encrypted files, it appends them with a victim-specific five-character extension and drops a rescue note named READ_ME_FOR_DECRYPT_[random]_.txt. If Magniber determines that the victim’s operating system language is other than Korean, it automatically deletes itself from the machine.
Workaround for some Magniber victims
Analysts at the Zimperium security firm came up with a way to recover data ransomed by Magniber. The method has some restrictions, though. It only applies to scenarios where files got locked down with a hard-coded crypto key, which happens only when a computer was hit from a non-Korean IP address or when the ransomware failed to establish a connection with its C2 servers.

OCTOBER 19, 2017

WhatsApp spam delivering ransomware
A new spam campaign is making the rounds in Brazil. It targets WhatsApp users, serving a payload of the Bugware ransomware edition that stains encrypted files with the .[maxvision@secmail.pro].criptografado extension.
Saher Blue Eagle ransomware update
The not-so-widespread blackmail malware called Saher Blue Eagle undergoes some refreshing. The most recent version affixes the .SaherBlueEagleRansomware string to hostage files.

OCTOBER 20, 2017

Ransomware pretending to come from the FBI
An umpteenth FBI-themed ransom Trojan is spotted in the wild. Its ransom notification includes the Bureau’s logo and threatens to delete all data in 72 hours unless a ransom of €50 is paid. The infection subjoins the .XmdXtazX string to locked files.
Hidden Tear offshoot called LordOfShadow
Yet another derivative of the academic Hidden Tear ransomware surfaces. It spreads mainly in Brazil, appends the .lordofshadow suffix to a victim’s personal files, and adds a rescue note named LEIA_ME.txt (“READ_ME” in Portuguese) to the desktop.

OCTOBER 21, 2017

Run-of-the-mill Ordinal ransomware
Cybercriminals don’t seem to stop abusing the controversial Hidden Tear PoC. This time, a group of threat actors created a new spinoff called Ordinal ransomware. It subjoins the .Ordinal extension to hostage data items and drops a recovery how-to file named READ Me To Get Your Files Back.txt.Ordinal.
Handy tool released to assist ransomware victims
Software vendor McAfee contrives a solution called McAfee Ransomware Recover (Mr²) for 32- and 64-bit Windows editions. It is a framework that includes all available free ransomware decryptors created by security researchers.

OCTOBER 22, 2017

One more milestone of ID Ransomware portal
ID Ransomware, an online service devised by MalwareHunterTeam, is now capable of identifying 500 different families of blackmail viruses.

OCTOBER 23, 2017

Windows 10 anti-ransomware feature goes live
The feature called “Controlled Folder Access”, which was previously announced by Microsoft, has been rolled out to computers running Windows 10 as part of the latest Fall Creators Update. It allows users to restrict software access to certain folders in order to prevent malicious code like ransomware from making changes to data.
Allcry ransomware surfaces
Another data-encrypting baddie called Allcry ransomware is detected in the wild. It adds the .allcry string to filenames, leaves a rescue note named ReadMe.dic, and demands 1 Bitcoin for recovery.
Felons prepping for Halloween
Security analysts spot a new specimen called Trick or Treat. It is currently in development and doesn’t do any real damage.
Jigsaw ransomware updated
A fresh Halloween-themed iteration of the Jigsaw lineage begins making the rounds. It features an image of the Pennywise character on its warning screen and concatenates the .beep suffix to files.
Comrade ransomware makes an appearance
The Comrade cyber pest is nothing but one more offshoot of Hidden Tear. It uses an apropos .Comrade extension to stain encrypted files and drops a decryption how-to document named DECRYPT_FILES.txt. The ransom amounts to $480 worth of Bitcoin.

OCTOBER 24, 2017

BadRabbit infection going on a rampage in Europe
A devastating ransomware sample called BadRabbit is unleashed to hit users, businesses, and government institutions in Eastern European countries including Ukraine, Bulgaria, the Netherlands, and Russia. The culprit is reminiscent of the NotPetya ransomware in that it encodes victims’ data and replaces the Master Boot Record with a custom bootloader. BadRabbit arrives with rogue Flash updates, demands 0.05 Bitcoin for decryption, and provides a 40-hour deadline to pay up.

OCTOBER 25, 2017

BadRabbit’s connection to NotPetya confirmed
Different security companies and researchers state that the BadRabbit ransomware does share a great deal of its code with the infamous NotPetya. There are also clues linking the two campaigns with the same cybercriminal crew dubbed TeleBots.
The reach of BadRabbit expands
The perpetrating program in question has reportedly also hit some users outside Europe. Specifically, around 1% of the victims are in the United States, and researchers expect this quantity to grow. The likely entry point is an SMB (Server Message Block) vulnerability. Most organizations infected in the U.S. share some of their IT infrastructure with affected companies in the targeted countries.
Broad coverage of the BadRabbit predicament
A growing number of security firms are publishing technical write-ups on the BadRabbit ransomware campaign. The report by Malwarebytes is particularly informative.
Crypto Tyrant ransomware wreaking havoc in Iran
The Computer Emergency Response Team Coordination Center of Iran alerts local users about the increased activity of the recently discovered Crypto Tyrant ransomware.
Perpetrators continue to take advantage of NSA exploits
According to Cisco’s Talos Intelligence Group, the threat actors behind the newsmaking BadRabbit ransomware used an exploit codenamed EternalRomance to deposit the infection onto machines. This is another case of hackers using tools contrived by the NSA for surveillance following the NotPetya campaign. A bevy of these exploits was dumped by The Shadow Brokers cybercriminal crew in April 2017.
WannaBeHappy ransomware being created
Malware analysts stumble upon an in-development file-encrypting pest called WannaBeHappy, whose denomination is obviously a tribute to the infamous WannaCry culprit. It adds the .encrypted suffix to hostage files and demands $500 worth of Bitcoin.
New strain with Greek roots
A ransomware sample called Kerkoporta (“Backdoor” in English) starts claiming victims. The contagion turns out to be a bundle of a blackmail virus and a remote access tool. Fortunately, its impact is restricted to simply renaming files and locking the screen.
Researchers trying to hunt down another crypto baddie
MalwareHunterTeam’s Michael Gillespie (@demonslay335) announces a hunt for samples of an uncatalogued ransom Trojan that victims have been submitting to ID Ransomware portal. The elusive specimen subjoins the .rubina5 string to encoded data and leaves a recovery manual named HOW_TO_DECRYPT_FILES.txt.
The Losers ransomware representing an existing family
The Cry36/Nemesis ransomware lineage gets a new bullet in its gun barrel. Its latest variant concatenates the .losers extension to ciphered files and provides recovery tips via a ransom notification named HOWTODECRYPTFILES.html.
A tweak of blackmailers’ tactics
According to security experts’ observations, a group of malefactors has been applying a novel technique to make database owners cough up money. They compromise servers, move data to password-protected ZIP archives, and demand a ransom for the security key. The ‘Unzip your ZIP files.txt’ rescue note instructs victims to contact the ne’er-do-wells at zip@email.tg.

OCTOBER 27, 2017

Matrix strain undergoes a distribution tweak
Almost a year after the Matrix ransomware campaign was launched, its operators change their tactic to a tangible extent. They start leveraging the stealthy RIG exploit kit to serve the payload when a user visits a hacked website.
XiaoBa blackmail malware
The Chinese sample in question affixes the .XiaoBa[number 1-34] extension to locked files and drops a rescue note named _@Explanation@.hta.
xRansom appears to be a guinea pig in a way
This in-development specimen is too buggy to do much real damage, at this point at least. It zeroes in on four data formats only, doesn’t mark files with any extra extensions, and doesn’t drop ransom notifications at all.
YYTO ransomware updated
A fresh edition of the YYTO cyber-culprit is spotted that instructs a victim to send several encrypted files and their personal key to colecyrus@mail.com.b007. The ransom note is named Help.txt.
Some hope for BadRabbit victims
It turns out that the BadRabbit ransomware differs from the rest in that it does not erase shadow copies of victims’ data. Those infected may, therefore, be able to use this imperfection to their advantage and restore previous versions of hostage files. Another potential recovery vector revolves around a buggy encryption key handling routine employed by the Trojan.

OCTOBER 28, 2017

Tweak made to the Xorist ransomware
A brand new version of the Xorist crypto infection switches to using the .error[victim ID] extension for ransomed files. The payment deadline is set to 48 hours. The attacker’s email address is 1ss33ggur@scryptmail.com.

OCTOBER 30, 2017

GlobeImposter fine-tuned
Although the GlobeImposter ransomware family isn’t expanding nearly as fast as it used to, it is still on the go. A new edition is discovered that stains encrypted files with the .apk string.
Trick or Treat ransomware assumes a new look and feel
A week after the original Trick or Treat ransom Trojan variant went live, a successor starts claiming victims. It uses a modified background for the warning screen and demands a Bitcoin equivalent of $20.

OCTOBER 31, 2017

ONI ransomware hits Japanese enterprises
The ONI strain is quite tricky, as it is part of a well-orchestrated campaign targeting Japanese medium and large companies. It appends the .oni extension to encoded files and drops a ransom how-to named !!!README!!!.html. Deeper analysis revealed that the plagued organizations had been contaminated with a remote access tool called Ammyy Admin RAT for months prior to the ransomware onslaught. The ransomware was therefore just one component of an elaborate, persistent compromise.
RansWare sample surfaces
Despite the fact that RansWare is nothing but a garden-variety infection that doesn’t even complete the encryption properly, it demands an unthinkable ransom of 100 Bitcoin (about $740,000). The timeframe for payment is one month.
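A defender-side hunting script, added here as an example and not part of the original roundup: it checks file names for the extensions and ransom-note names the October entries above attribute to specific families, so an analyst can triage a file share after an incident. The regexes standing in for the bracketed placeholders in the text ([victim ID], [random], [number 1-34]) are this example's own assumptions, and the sample paths are constructed.

```python
import re

# Fixed extensions the log above attributes to a family (matched case-insensitively).
FIXED_EXTENSIONS = {
    ".payday": "BTCWare", ".loveransisgood": "Samas/SamSam", ".asasin": "Locky",
    ".bugware": "BugWare", ".criptografado": "BugWare", ".cryeye": "DoubleLocker",
    ".x1881": "CryptoMix", ".anubi": "Anubi", ".blind": "Blind (CrySiS/Dharma)",
    ".lordofshadow": "LordOfShadow", ".ordinal": "Ordinal", ".allcry": "Allcry",
    ".losers": "Cry36/Nemesis", ".oni": "ONI", ".xmdxtazx": "FBI-themed locker",
}

# Ransom-note file names quoted in the log (exact match on the base name).
RANSOM_NOTES = {
    "!! RETURN FILES !!.txt": "BTCWare", "_HELP_INSTRUCTION.txt": "CryptoMix",
    "__READ_ME__.txt": "Anubi", "How_Decrypt_Files.hta": "Blind (CrySiS/Dharma)",
    "LEIA_ME.txt": "LordOfShadow", "ReadMe.dic": "Allcry", "DECRYPT_FILES.txt": "Comrade",
    "HOWTODECRYPTFILES.html": "Cry36/Nemesis", "_@Explanation@.hta": "XiaoBa",
    "!!!README!!!.html": "ONI", "Unzip your ZIP files.txt": "ZIP-archive extortion",
}

# Names with variable parts. The bracketed placeholders in the log ([victim ID],
# [random], [number 1-34]) are interpreted as regexes here; that is an assumption.
PATTERNS = [
    (re.compile(r"\.\[[^\]]+@[^\]]+\]-id-[^./\\]+\.payday$", re.I), "BTCWare"),
    (re.compile(r"\.error[0-9a-z-]+$", re.I), "Xorist"),  # noisy: verify hits by hand
    (re.compile(r"\.xiaoba(?:[1-9]|[12][0-9]|3[0-4])$", re.I), "XiaoBa"),
    (re.compile(r"^READ_ME_FOR_DECRYPT_.+_\.txt$"), "Magniber"),
    (re.compile(r"^UnlockYourFiles(?:[0-9]|[1-4][0-9])\.txt$"), "Atchbo"),
    (re.compile(r"!_+[a-z0-9]+@TUTAMAIL\.COM_+\.(?:biz|rar)$", re.I), "RotorCrypt"),
]


def classify(path):
    """Return the family a file name points to, or None when nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]  # base name, any OS
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    for regex, family in PATTERNS:  # checked before fixed extensions: more specific
        if regex.search(name):
            return family
    lower = name.lower()
    for ext, family in FIXED_EXTENSIONS.items():
        if lower.endswith(ext):
            return family
    return None


def scan(paths):
    """Group suspicious paths by family; feed it os.walk() output on a real share."""
    hits = {}
    for p in paths:
        family = classify(p)
        if family:
            hits.setdefault(family, []).append(p)
    return hits


# Constructed sample file names, not data from any real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.payday",
    r"C:\Users\alice\Documents\!! RETURN FILES !!.txt",
    "/srv/share/photo.jpg.[checkzip@india.com]-id-A1B2C3.payday",
    "/srv/share/contract.pdf.XiaoBa7",
    "/srv/share/READ_ME_FOR_DECRYPT_k7d2q_.txt",
    "/srv/share/scan.tif!___FIDEL4000@TUTAMAIL.COM___.biz",
    "/srv/share/quarterly_report.docx",
]
```

Running scan(SAMPLE_PATHS) groups the first six names under BTCWare, XiaoBa, Magniber and RotorCrypt and leaves the .docx file unflagged; a hit on a note name is a stronger signal than an extension match, since short extensions like .oni can collide with legitimate files.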

SUMMARY

Ransomware architects didn’t come up with anything truly groundbreaking in October, which is good news.
However, the rising curve of the extortion economy demonstrates that blackmail infections continue to be the mainstay of present-day cybercrime. No matter what new techniques the crooks may have up their sleeve, nothing beats data backups when it comes to risk mitigation in a ransomware scenario.
Keep that in mind and stay on the safe side.