We recently discovered two new ransomware variants, AlumniLocker and Humble, which exhibit different sophisticated behaviors and extortion techniques post-encryption.
One of these techniques includes an unusually high ransom payment and a threat to publicize victims’ critical data. These new variants prove that ransomware’s targeted and extortion-focused era is alive and well in 2021.
Technical analyses
AlumniLocker ransomware
We recently spotted the AlumniLocker ransomware, a variant of the Thanos ransomware family, which asks for a ransom payment of 10 bitcoins (equivalent to US$457,382.60 as of writing). The ransomware actors also threaten to publish their victims’ data on their “wall of shame” website if they don’t send the payment within 48 hours.
AlumniLocker arrives via a malicious PDF email attachment. Based on our investigation, the PDF is a fake invoice that urges the victim to download it.
The malicious PDF contains a link (hxxps://femto[.]pw/cyp5) that, once clicked, will download a ZIP archive containing a downloader.
The ZIP archive also contains a fake JPG file, which is actually a PowerShell script that will download and execute the AlumniLocker payload by abusing a Background Intelligent Service Transfer (BITS) module.
The AlumniLocker ransomware file is a Themida-packed Microsoft Intermediate Language (MSIL) executable file. It appends .alumni to encrypted files:
Once AlumniLocker encrypts a victim’s files, a text file that details the amount of ransom demanded by the actors, as well as instructions on how to send over the payment, is shown via Notepad. If the ransom amount is not paid within the specified period, the ransomware actors threaten to publish the victim’s personal files on their website, which is inaccessible as of writing.
Humble ransomware
We spotted the Humble ransomware in February 2021. This not-so-typical ransomware family is compiled with an executable wrapper (Bat2Exe). Our investigation points to two Humble ransomware variants, both with extortion techniques that prompt victims to pay ransom expeditiously. One variant threatens a victim that once they restart their system, the Master Boot Record (MBR) will be rewritten. Meanwhile, the other variant makes the same threat about the MBR being rewritten if the victim does not pay the ransom within five days.
The main executable is the batch file itself — something that might be uncommon but not new. What sets this ransomware apart from others is its utilization of a public webhook service from communication platform Discord to report to its author or publish infection reports from its victims.
The Humble ransomware denies explorer.exe from viewing or accessing local storage drives.
The first Humble ransomware variant we analyzed drops the %temp%\{temp directory}\extd.exe component, which is usually used for cryptography and web API binary, to aid with file encryption.
The malware utilizes certutil.exe, a program that manages Windows certificates, to generate a key from a randomized input. This will then be used by the extd.exe component to encrypt files.
Humble ransomware encrypts 104 file types, including files with the following extensions: .exe, .pdf, .mp3, .jpeg, .cc, .java, and .sys.
After a machine is successfully encrypted, the malware sends a report to the ransomware operator’s Discord webhook panel via a custom-made AutoIt-compiled Discord webhook binary.
The malware will generate a random string that will then be used to append the infected files. The malware also displays a ransom note that is set as a user’s lock-screen image, warning the victim against restarting the system.
The second Humble ransomware variant that we analyzed downloads the component file (detected by Trend Micro as Boot.Win32.KILLMBR.AD) using PowerShell, certutil.exe, and extd.exe, instead of being encoded within and being automatically dropped from the batch file.
This variant informs the victim of the infected machine that if they do not pay the ransom of 0.0002 bitcoins (US$9.79 as of writing) within five days, all files will be deleted.
Security recommendations and Trend Micro solutions
As ransomware families and variants evolve, they become more deliberate with their approaches and employ the use of complex techniques and behaviors with the goal of successfully siphoning off millions in ransomware payments. According to the insurance company Coalition, cyberextortion amounts doubled from 2019 to the first quarter of 2020.
Users and organizations should follow important security recommendations in order to keep their devices and systems protected from ransomware, including enforcing the principle of least privilege, disabling local admin accounts, and limiting access to shared or network drives.
The following are other vital recommendations for users and organizations to prevent ransomware attacks:
- Unverified emails and links embedded in them should be opened with caution, as ransomware has been known to spread in this manner.
- Important files should be backed up using the 3-2-1 rule: Create three backup copies on two different media with one backup in a separate location.
- Regularly update software, programs, and applications to protect them from the latest vulnerabilities.
- Keep personal information safe, as even this could give out clues to security information on used systems.
How can Trend Micro protect organizations from ransomware?
Trend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise, making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. One console with one source of prioritized, optimized alerts supported with guided investigation simplifies the steps to achieving a full understanding of the attack path and impact on the organization.
The Trend Micro Apex One™ solution offers threat detection, response, and investigation within a single agent. Automated threat detection and response provide protection from an ever-growing variety of threats, including fileless and ransomware. An advanced endpoint detection and response (EDR) toolset, strong security information and event management (SIEM) integration, and an open API set provide actionable insights, expanded investigative capabilities, and centralized visibility across the network.
Trend Micro Cloud One™– Workload Security has a virtual patching feature that can protect the system from exploits. Since some of the malware’s techniques can bypass signature-based security agents, technologies like Trend Micro Behavior Monitoring and Machine Learning can be used to prevent and block those threats.
Indicators of compromise (IOCs)
AlumniLocker ransomware
SHA-256 |
Description |
Detection |
10c252d04e0eb8a91688919a57f27193f0567cf45c8cafdd27577314bf7db704 |
PDF file (source of infection) |
Trojan.PDF.MALPHISH.AUSJERCF |
57fafcf93acfc6c45a05ef60207226e21e83f538f2e6ea8077f67c907cdce729 |
Link downloader file |
|
dd61a8b804059891d5f25b39c1dcd5e880088e217ba30aa80ba2c9dbd35d060d |
JPG PowerShell downloader file |
|
e97c6e05b1a3d287151638ffe86229597b188f9aa6d34db255f08dbc11dbfbd8 |
Ransomware file |
|
hxxps://femto[.]pw/7unw |
Ransomware source |
N/A |
hxxps://femto[.]pw/cyp5 |
Ransomware source |
|
hxxps://www[.]minpic[.]de/k/bgk5/fsqz7 |
Malicious link file source |
|
hxxps://www[.]minpic[.]de/k/bgk6/17lim/ |
Malicious link file source |
Humble ransomware
SHA-256 |
Description |
Detection |
6be8927f5d508259c8100d363b42215d7c90845b1c6716a71414a6abbd0df230 |
Ransomware package |
Ransom.Win32.HUMBLE.THBAGBA |
c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31 |
Ransomware package (later variant) |
|
5f42b161717463991122f88dd7dba95a26bdd3d8c9ed21c316ba7a51e7270f66 |
Ransomware package (later variant) |
|
dd10602b2500fac1f816c54d698c55ebe6a9e208b909bdafc074ccdb2d82a725 |
final.exe (gameover.exe) |