Ransomware Recap: Sept. 9, 2016

September 13, 2016

ransomware-weekly-recapLast week, Trend Micro researchers uncovered a ransomware strain that veers from usual routines of hostaging specific files or folders found in local drives, removable media and network shares. Named HDDCryptor (detected as Ransom_HDDCRYPTOR.A), this particular ransomware also has the capability of locking the entire drive—marking it a very destructive threat for home users and enterprises.

Downloaded from malicious websites or as a file delivered by other malware, this particular ransomware drops several components, both malicious and legitimate, to the system’s root folder during installation.

A closer look by Trend Micro researchers revealed that this ransomware makes use of commercially available software for encryption and its other routines. In one of the samples, HDDCryptor makes use of a network password recovery freeware to look for previously accessed networked folders. On the other hand, the use of open source disk encryption software DiskCryptor was also discovered to be used in its disk and network file-level encryption routines.

[Blog: HDDCryptor: A Detailed Analysis]

Last week, a modified version of Locky (detected by Trend Micro as Ransom_HPLOCKY.SM51) also emerged. This configured version, according to reports, show hardcoded RSA keys, which means that this particular ransomware does not need to contact its C&C servers to run. It arrives as a downloaded dynamic-link library file (.dll) and with its embedded RSA keys, the files found in the system can be encrypted even without the command coming from its servers.

Here are other notable ransomware stories that made the rounds last week:

RansomCuck

A new DetoxCrypto variant was sighted early last week that locks files in affected computers using DES encryption algorithms before appending the files with a .encrypt extension. Known as RansomCuck, the ransom note also gives its victims a two-week deadline to pay up. Once the timer runs out, the hostaged files run the risk of being deleted if the victim fails to settle the price.

Philadelphia

Reports
of a remodeled version of the Stampado ransomware surfaced by the tail-end of last week, being sold by its developer (under the moniker The Rainmaker) for US$400. Dubbed as Philadelphia ransomware (detected by Trend Micro as Ransom_STAMPADO.B), this version was advertised as an advanced ransomware variant aimed newcomers who are looking to run a well-oiled ransomware operation. Researchers furthered that the developer was projecting a victim-base of 20,000 on its first day of distribution.

According to Rainmaker, Philadelphia raises the level of the ransomware scene with capabilities like auto-detecting payments, automatic decryption and infection of USB drives and machines found in the network. The ransomware encrypts files and appends them with a .locked extension before it demands a ransom of 0.3 bitcoins. Interestingly, a Mercy button was available for cybercriminals who would be willing to decrypt files of their victims for free. 

CryPy

As the week drew to a close, researchers uncovered a new ransomware strain written in Python, named CryPy (detected by Trend Micro as Ransom_CRYPY.A). This particular ransomware encrypts files using the AES-256 encryption algorithm and, interestingly, continuously communicates with its C&C server on every single file it encrypts. The server provides a 32-character password before providing random characters to rename the files in this format CRY.cry. After what looks like a long process of locking files, the ransom note will provide its victims e-mail addresses to contact for payment instructions.

RarVault and Kawaiilocker

Two ransomware strains that are said to be targeting Russian-speaking victims were reported last week. RarVault (detected by Trend Micro as Ransom_RARVAULT.A) reportedly moves files found in an infected system to a password protected .rar archive. After which, a 127-character password (using Latin and Cyrillic characters) is generated via AES-256 cryptography. Interestingly, the files are not encrypted the way typical, more sophisticated ransomware would. Also, the authors behind RarVault does not use anonymous servers, which researchers and analysts deem to be the work of newbie cybercriminals. It also creates a RarVault folder containing the ransom note that details instructions on how to contact the data kidnappers into recovering the files.

The other ransomware, called KawaiiLocker (detected by Trend Micro as Ransom_KAWAIILOCKER.A), encrypts files using the AES encryption algorithm but retains the filenames of the locked files. It is also capable of deleting shadow copies of files to make recovery impossibllle. The ransom note, found in a HOWTODECRYPTFILES.txt file, demands a ransom of 6,000 rubles with a one-week deadline.

Flyper and CryptFuck

Two more ransomware based on Hidden Tear were also sighted in the past week. Flyper and and CryptFuck (both detected by Trend Micro as Ransom_CRYPTEAR.SM) were seen possessing the same patterns in their codes.
Flyper uses RSA-2048 encryption and appends a .flyper extension name to its encrypted files. The decryptor tool can be purchased once the payment of 0.5 bitcoins is made. CryptFuck, on the other hand, encrypts files using the AES algorithm and appends affected files with the extension name, .urfucked. This particular ransomware is said to be similar to Fantom ransomware. The ransom note, which gives its victims a 72-hour deadline to pay the ransom, shows a bit of a nod to popular TV show, Mr. Robot. Researchers also deem that this ransomware is still in its early development stage, based on the comments in Italian found embedded in its code. 

A multi-layered approach that secures all possible gateways of compromise is the most effective defensive strategy for defending against ransomware. A solid back-up of valuable files, on the other hand, mitigates damages brought by a ransomware infection.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.