Ransomware Recap: August 26, 2016

This week’s ransomware activity continues to revolve around earlier-released ransomware families that have inspired new ones. Existing strains, in turn, have seen continued development, with changes to their infection and distribution strategies. A number of the new variants that surfaced were clearly inspired by popular media, be it movies, television shows, or even mobile applications and games.

Here are some of the most notable ransomware families and variants that surfaced over the past week:

Locky’s surge as one of the most prominent ransomware families seen of late continues. A new variant (detected by Trend Micro as RANSOM_LOCKY.F116HM) reuses older tactics with slight technical alterations. Locky has been known to use macros, JavaScript, and VBScript to arrive on a potential victim’s system. This time, the variant arrives as a dynamic-link library file (.dll) in an attempt to circumvent detection and behavior monitoring, reminiscent of tactics employed by other ransomware families such as CrypMIC and CryptXXX.

Similar to Locky, a new variant of the earlier-discovered CrypMIC family (detected by Trend Micro as Ransom_CRYPMIC.X) was discovered this week with changes to its arrival tactics. Unlike its predecessors, this variant arrives as an executable file (.exe) rather than the usual dynamic-link library file (.dll). It then encrypts files on the victim’s system using AES-256. The ransom note provides a unique personal ID for the victim, which is used to sign in to a web page for payment and decryption instructions.

A new ransomware family called Alma Locker (detected by Trend Micro as Ransom_ALMALOCK.A) was found being delivered by the RIG exploit kit. This ransomware strain is also said to be one of the few that has a functioning Tor command & control server. After encrypting the files with AES-128 encryption, the malware will append a random 5-character extension. A unique 8-character ID will also be provided to the victim, as well as a 5-day deadline to pay the ransom of 1 bitcoin.

At the onset of the week, a ransom screenlocker (detected by Trend Micro as Ransom_SCRNLOCK.A) was discovered. While it appears to still be in its testing phase, the screenlocker disables processes such as the Windows Task Manager and explorer.exe, likely to prevent the user from halting the malware’s ongoing processes. Unlike other screenlockers seen of late, this variant also disables the system restart function. After encrypting system files using AES-256, it displays a ransom note demanding 200 CZK (Czech koruna). That equates to around US$8, making it the cheapest ransomware ransom demanded so far.

Popular media once again inspired a ransomware family. Called Globe ransomware (detected by Trend Micro as Ransom_PURGE.A), this family is themed on the Hollywood thriller The Purge: Election Year. Unlike most crypto-ransomware, which use the more common encryption algorithms, this strain uses Blowfish, and it displays the ransom demand via an HTA (HTML Application) file. The ransom note carries a personal ID for each victim, which is used to contact the developer for payment instructions. The ransomware then replaces the Windows wallpaper with a background featuring characters from the movie, along with the developer’s email address.

Yet another ransomware strain hiding under the guise of a critical Windows Update has surfaced. Fantom ransomware (detected by Trend Micro as Ransom_FANTOMCRYPT.A) is said to be based on the open-source EDA2 ransomware project. A fake Windows Update screen appears, feigning an ongoing critical update installation while encryption runs in the background. This ransomware searches local drives for files and encrypts them using AES-128 before appending the .fantom extension.

Another ransomware variant is reportedly based on an earlier-discovered family. Called Domino ransomware (detected by Trend Micro as Ransom_DOMINO.A), this strain is said to be patterned after another open-source ransomware project, Hidden Tear. It arrives via a modified installer of the KMSPico program. Once the installer is executed, it extracts a password-protected .zip file containing the file-encryptor executable and the ransom note. The ransom note, titled HelloWorld! and written in broken English, requires the victim to pay 1 bitcoin, after which an email address is provided to contact the developers for the decryption key. The note also references the television series Game of Thrones with the line “Winter Is Coming!” as it warns the victim of a 72-hour deadline.
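Several of the families above leave a recognizable trace on disk: Fantom appends .fantom to every encrypted file, Alma Locker appends a random 5-character extension, and in all cases the encrypted content is near-random bytes. The script below is an added triage example for incident responders, not code from Trend Micro or from any of the malware described; it walks a directory, flags files by those two indicators, and uses Shannon entropy to distinguish an appended random extension from a legitimate one. The 5-character allowlist, the entropy threshold, and the sample file names (including the "k9x2q" extension standing in for an Alma-style random one) are assumptions for illustration, and the sample tree is constructed in a temporary directory rather than taken from real infections.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Indicators taken from the recap: Fantom appends ".fantom"; Alma Locker appends a
# random 5-character extension to each encrypted file.
KNOWN_RANSOM_EXTENSIONS = {".fantom"}
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{5}$", re.IGNORECASE)
# Assumed allowlist of legitimate five-character extensions; extend it for your estate.
LEGIT_FIVE_CHAR = {".woff2", ".class", ".patch", ".jsonl", ".pages"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); AES output sits near 8.0, prose near 4.5


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, head):
    """Return a reason string if the file looks ransomware-encrypted, else None."""
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in KNOWN_RANSOM_EXTENSIONS:
        return "known-extension"
    # An appended random extension leaves the original one behind: "photo.jpg.k9x2q".
    # Require a double extension and high entropy so "brand.woff2" or "x.class" pass.
    if (RANDOM_EXT_RE.match(ext) and ext not in LEGIT_FIVE_CHAR
            and os.path.splitext(root)[1] and shannon_entropy(head) >= ENTROPY_THRESHOLD):
        return "random-extension+high-entropy"
    return None


def triage(directory, sample_bytes=4096):
    """Walk a tree and map relative path -> reason for every file classify() flags."""
    flagged = {}
    for dirpath, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # only the head is needed for entropy
            reason = classify(name, head)
            if reason:
                flagged[os.path.relpath(path, directory)] = reason
    return flagged


def run_demo():
    """Build a constructed sample tree in a temp dir and triage it (not real samples)."""
    ciphertext = bytes(range(256)) * 16  # simulated ciphertext: exactly 8.0 bits/byte
    prose = b"Quarterly figures attached, please review before Friday.\n" * 70
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "report.docx.fantom": ciphertext,  # Fantom-style rename
            "photo.jpg.k9x2q": ciphertext,     # hypothetical Alma-style random extension
            "tiny.txt.fantom": b"AB",          # too short for entropy, caught by extension
            "notes.txt": prose,                # untouched document
            "backup.zip": ciphertext,          # high entropy but legitimate extension
            "brand.woff2": ciphertext,         # allowlisted five-character extension
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return triage(d)


if __name__ == "__main__":
    for path, reason in sorted(run_demo().items()):
        print(f"{reason:30} {path}")
```

Run it against a suspect share or a mounted disk image instead of the demo tree. Entropy alone is a weak signal, since compressed archives and images score just as high, which is why the script only uses it to confirm an unexplained extension; a known ransomware extension is flagged outright because very small files (such as the 2-byte sample) never reach the threshold.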

A multi-layered approach that protects every possible entry point is the best defense against ransomware. Securing all gateways against this threat before it reaches networks and systems is the most effective way to minimize the risk of infection.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver capabilities such as behavior monitoring, application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.
