Published on May 10th, 2017
Ransomware Timeline: Top Stories April 2017
The extortion epidemic through crypto ransomware is ongoing and reaching new heights. More than 40 new samples took root and over 20 existing strains were updated in April, which clearly demonstrates the unsettling trend. The crooks were playing around with new attack vectors and had some success. The records below reflect the state of the ransomware underground as of last month.
Apr. 1, 2017
As the Gigabyte BRIX small computer kits are gaining momentum these days, it’s within the realms of possibility that cybercriminals will try their hand at targeting them. Moreover, researchers from Cylance discovered weak links in the firmware of these devices. Their proof-of-concept UEFI ransomware presented at Black Hat Asia 2017 exploits vulnerabilities in vF2 and vF6 firmware versions of Gigabyte BRIX kits to deploy the attack.
Apr. 4, 2017
Security vendor Bitdefender Labs releases a free decryption tool for all editions of the Bart ransomware, which encrypts data without an Internet connection. The indicators of compromise include a warning screen similar to the one displayed by Locky ransomware, and the .bart, .bart.zip, or .perl extension concatenated to hostage files.
Apr. 6, 2017
Austrian police arrest a teenager who allegedly contaminated computer systems of an unnamed company in the city of Linz with the Philadelphia ransomware. The 19-year-old crook was able to lock down important records of the targeted organization and requested a Bitcoin equivalent of $400 for the decryption key. The company rejected this demand, leveraged a previously made backup to restore the data, and reported the incident to local law enforcement.
Apr. 6, 2017
A questionably judicious Korean programmer creates and starts distributing a malicious program called Rensenware. This one stands out from the rest because it isn’t money-driven. Having encrypted one’s personal files, the infection instructs the victim to score 200 million in the TH12 ~ Undefined Fantastic Object computer game, which is an extremely challenging task. The developer, who goes by the alias Tvple Eraser, tweeted that he had done it for fun. He also released a free tool to simulate the game score. That was a bad joke, obviously.
Apr. 7, 2017
A ransom Trojan dubbed Matrix is on the rise. It appends the .bl0cked suffix to encrypted files and replaces the original desktop wallpaper with a warning screen. It turns out that its main propagation vector revolves around the use of so-called EITest scripts on compromised websites and the high-profile RIG exploit kit, which explains the rapid growth of the threat worldwide.
Apr. 10, 2017
Emsisoft releases an enhanced version of their Cry9 ransomware decryption utility. The perpetrating entity in question chiefly employs RDP (Remote Desktop Protocol) to infect computers. The updated decryptor boasts performance improvements and supports more Cry9 editions.
Apr. 12, 2017
The authors of the relatively new Mole ransomware have added some trickery to the mix of their payload delivery. While the new variant of this offending code still harnesses spam to propagate, the rest of the infection chain has become more complex. Victims are lured into visiting a counterfeit “Microsoft Word Online” site, which in turn instructs them to install the ransomware proper disguised as a useful plugin. For the record, this baddie stains encrypted files with the .MOLE string and drops a ransom note named Instruction_For_Helping_File_Recovery.txt.
Apr. 13, 2017
The online extortion business is starting to assume new characteristics as the developers of the Cradle ransomware chose to put up their source code for sale on the dark web. Dubbed CradleCore, the malicious kit includes the entire code proper, C++ and PHP server scripts, as well as the payment panel. Negotiations about the price reportedly start at 0.35 BTC, which is worth about $550.
Apr. 14, 2017
The Cerber ransomware becomes the world’s top threat in its niche. According to the “Cybercrime tactics and techniques Q1 2017” report by Malwarebytes, this plague’s overall market share has been steadily growing since January. It went up from 70.05% to 86.98% over the first quarter of 2017.
Apr. 18, 2017
Ransomware-as-a-Service (RaaS) is becoming increasingly popular with cybercriminals. It denotes a principle where architects of crypto infections provide affiliates with access to their code and payment processing infrastructure in exchange for a cut from all ransoms submitted by victims. The ransomware called Karmen, created by a Russian crook nicknamed DevBitox, joins such a framework as well. Sadly enough, this perpetrating product is a spinoff of Hidden Tear, a proof-of-concept ransom Trojan made by a Turkish security researcher in August 2015.
Apr. 20, 2017
The new AES-NI ransomware is circulating in an unusual fashion. It employs and weaponizes 0day NSA exploits dumped by the Shadow Brokers hacker group in mid-April. This data-scrambling sample appends the .aes_ni_0day suffix to encrypted files and leaves a document with step-by-step recovery instructions called “!!! READ THIS – IMPORTANT !!!.txt”.
Apr. 21, 2017
The notorious Locky ransomware is back with the Necurs botnet propping its propagation. The new malspam campaign revolves around fake payment receipts. When opened, the booby-trapped objects attached to these emails turn out to be Word files with macros enabled. The VBA macros, in their turn, fire up the ransomware payload in the background. The Locky variant arriving this way is called OSIRIS, the one that was in rotation in late 2016.
Apr. 23, 2017
The ID Ransomware online service devised by MalwareHunterTeam now goes equipped with additional identification features. It allows ransomware victims to determine the strain by the Bitcoin address, email, or The Onion Router URL indicated in the ransom note. The only criteria applicable prior to this enhancement were the decryption how-to file and a sample encrypted file.
Apr. 27, 2017
Another build of the Cerber ransomware is out. It features updated ransom notes named “_!!!_README_!!!_[random]_.hta/txt”. The distribution mechanism underwent a change, too. The infection is now deposited on target computers via malspam with toxic RTF file attachments. When an unsuspecting recipient opens one of these rogue documents, a vulnerability categorized as CVE-2017-0199 is used to trigger a harmful Visual Basic script on the machine and execute the ransomware behind the scenes.
Apr. 29, 2017
The new Onion ransomware starts making the rounds via a large-scale malspam wave. It appends ransomed files with the .id-[victim identifier]..onion extension, where the email address can be one of the following: [email protected], [email protected], or [email protected]. Based on its behavior and C2 infrastructure, this sample is most likely a Dharma ransomware variant.
Apr. 30, 2017
A new CryptoMix ransomware edition concatenates the .wallet extension to hostage data entries. That’s quite strange, because some editions of the CrySiS/Dharma and Sanctions file-encrypting infections use the exact same string to label encrypted items. Perhaps the extortionists are running out of ideas regarding their indicators of compromise. Go figure. One way or another, the felons behind CryptoMix are definitely not trying to be original.
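As an added example (not from the original article or from the ID Ransomware service), the helper below applies the indicator-matching idea behind ID Ransomware (Apr. 23 entry) to the extensions and ransom-note names listed in this timeline, and reports the .wallet collision from the Apr. 30 entry as ambiguous instead of guessing. The indicator table is constructed from this page only, and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed from the April 2017 entries above: file extension -> possible
# strains. Real triage tables are much larger; this is illustration only.
EXTENSION_TO_STRAINS: Dict[str, List[str]] = {
    ".bart": ["Bart"],
    ".bart.zip": ["Bart"],
    ".perl": ["Bart"],
    ".bl0cked": ["Matrix"],
    ".mole": ["Mole"],
    ".aes_ni_0day": ["AES-NI"],
    # Several families reuse .wallet, so it alone cannot settle the strain.
    ".wallet": ["CryptoMix", "CrySiS/Dharma", "Sanctions"],
}

# Ransom-note filename patterns from the entries above -> strain.
NOTE_PATTERNS = [
    (re.compile(r"^Instruction_For_Helping_File_Recovery\.txt$", re.I), "Mole"),
    (re.compile(r"^!!! READ THIS – IMPORTANT !!!\.txt$", re.I), "AES-NI"),
    # Cerber: _!!!_README_!!!_[random]_.hta or .txt
    (re.compile(r"^_!!!_README_!!!_[^_]+_\.(hta|txt)$", re.I), "Cerber"),
]


def extension_of(filename: str) -> str:
    """Longest known extension at the end of the name (case-insensitive), or ''."""
    lower = filename.lower()
    hits = [ext for ext in EXTENSION_TO_STRAINS if lower.endswith(ext)]
    return max(hits, key=len) if hits else ""


def identify(encrypted_name: str, note_name: str = "") -> Dict[str, object]:
    """Candidate strains for an encrypted file name and optional ransom-note name.

    A matching note name is more specific than an extension: it narrows the
    candidates when consistent with them, and is added as an extra candidate
    (flagged ambiguous) when the two indicators disagree.
    """
    ext = extension_of(encrypted_name)
    candidates = list(EXTENSION_TO_STRAINS.get(ext, []))
    note_hit = next((s for pat, s in NOTE_PATTERNS if pat.match(note_name)), None)
    if note_hit:
        if not candidates or note_hit in candidates:
            candidates = [note_hit]
        else:
            candidates.append(note_hit)
    return {"extension": ext, "candidates": candidates, "ambiguous": len(candidates) != 1}


if __name__ == "__main__":
    # Constructed sample names, not real victim data.
    print(identify("photo.jpg.MOLE", "Instruction_For_Helping_File_Recovery.txt"))
    print(identify("notes.txt.wallet"))
```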
Although the use of the same extension by different ransomware strains might suggest a lack of creativity on threat actors’ end, it doesn’t make the epidemic any less devastating. Ransomware is still the top cyber menace to watch out for, and it doesn’t seem to slow down.