Ransomware Recap: Sept. 9, 2016
Last week, Trend Micro researchers uncovered a ransomware strain that veers from usual routines of hostaging specific files or folders found in local drives, removable media and network shares. Named HDDCryptor (detected as Ransom_HDDCRYPTOR.A), this particular ransomware also has the capability of locking the entire drive—marking it a very destructive threat for home users and enterprises.
Downloaded from malicious websites or as a file delivered by other malware, this particular ransomware drops several components, both malicious and legitimate, to the system’s root folder during installation.
A closer look by Trend Micro researchers revealed that this ransomware makes use of commercially available software for encryption and its other routines. In one of the samples, HDDCryptor makes use of a network password recovery freeware to look for previously accessed networked folders. On the other hand, the use of open source disk encryption software DiskCryptor was also discovered to be used in its disk and network file-level encryption routines.
[Blog: HDDCryptor: A Detailed Analysis]
Last week, a modified version of Locky (detected by Trend Micro as Ransom_HPLOCKY.SM51) also emerged. This configured version, according to reports, show hardcoded RSA keys, which means that this particular ransomware does not need to contact its C&C servers to run. It arrives as a downloaded dynamic-link library file (.dll) and with its embedded RSA keys, the files found in the system can be encrypted even without the command coming from its servers.
Here are other notable ransomware stories that made the rounds last week:
Philadelphia
Reports of a remodeled version of the Stampado ransomware surfaced by the tail-end of last week, being sold by its developer (under the moniker The Rainmaker) for US$400. Dubbed as Philadelphia ransomware (detected by Trend Micro as Ransom_STAMPADO.B), this version was advertised as an advanced ransomware variant aimed newcomers who are looking to run a well-oiled ransomware operation. Researchers furthered that the developer was projecting a victim-base of 20,000 on its first day of distribution.
According to Rainmaker, Philadelphia raises the level of the ransomware scene with capabilities like auto-detecting payments, automatic decryption and infection of USB drives and machines found in the network. The ransomware encrypts files and appends them with a .locked extension before it demands a ransom of 0.3 bitcoins. Interestingly, a Mercy button was available for cybercriminals who would be willing to decrypt files of their victims for free.
CryPy
As the week drew to a close, researchers uncovered a new ransomware strain written in Python, named CryPy (detected by Trend Micro as Ransom_CRYPY.A). This particular ransomware encrypts files using the AES-256 encryption algorithm and, interestingly, continuously communicates with its C&C server on every single file it encrypts. The server provides a 32-character password before providing random characters to rename the files in this format CRY
RarVault and Kawaiilocker
Two ransomware strains that are said to be targeting Russian-speaking victims were reported last week. RarVault (detected by Trend Micro as Ransom_RARVAULT.A) reportedly moves files found in an infected system to a password protected .rar archive. After which, a 127-character password (using Latin and Cyrillic characters) is generated via AES-256 cryptography. Interestingly, the files are not encrypted the way typical, more sophisticated ransomware would. Also, the authors behind RarVault does not use anonymous servers, which researchers and analysts deem to be the work of newbie cybercriminals. It also creates a RarVault folder containing the ransom note that details instructions on how to contact the data kidnappers into recovering the files.
The other ransomware, called KawaiiLocker (detected by Trend Micro as Ransom_KAWAIILOCKER.A), encrypts files using the AES encryption algorithm but retains the filenames of the locked files. It is also capable of deleting shadow copies of files to make recovery impossibllle. The ransom note, found in a HOWTODECRYPTFILES.txt file, demands a ransom of 6,000 rubles with a one-week deadline.
Flyper and CryptFuck
Two more ransomware based on Hidden Tear were also sighted in the past week. Flyper and and CryptFuck (both detected by Trend Micro as Ransom_CRYPTEAR.SM) were seen possessing the same patterns in their codes.
A multi-layered approach that secures all possible gateways of compromise is the most effective defensive strategy for defending against ransomware. A solid back-up of valuable files, on the other hand, mitigates damages brought by a ransomware infection.
Ransomware Solutions
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.