Ransomware Recap: Sept. 23, 2016

Businesses in Australia and New Zealand were recently in the crosshairs of ransomware attacks involving Crysis (detected by Trend Micro as Ransom_CRYSIS.A), a family first seen in February 2016. Last week, Trend Micro researchers noted how this ransomware family has been taking on new targets via remote desktop protocol (RDP) brute-force attacks, a behavior first observed in August.

According to the researchers, this is a deviation from the infection vectors this ransomware family commonly uses. Crysis has previously been known to arrive as an infected attachment that uses a double file extension to mask the malware, distributed in spam campaigns or via embedded links to compromised websites.

[Related: Ransomware and spam]

However, brute-forced RDP credentials have proven a lucrative option for the operators. Researchers found Crysis deployed in attacks where, once the RDP credentials had been brute-forced, the ransomware was executed from a drive redirected into the session from the attacker's source machine.

The Crysis attacks weren't the first time cybercriminals leveraged RDP in ransomware attacks. Past incidents show that the method has already been used against businesses. In October 2015, the perpetrators behind LowLevel04 ransomware (detected by Trend Micro as Ransom_LEVELO.A) reportedly brute-forced RDP credentials before manually downloading and installing the malware on the target's systems. Just like Crysis, it is capable of scanning mapped network and removable drives and encrypting the files it finds on them.
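The RDP brute-force pattern behind the Crysis and LowLevel04 intrusions leaves a recognizable trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, followed by a successful logon (event 4624) from the same address, after which the operator deploys the ransomware by hand. The detection logic below is an added example and not Trend Micro's code. It runs over constructed sample events written in a simplified CSV form (timestamp, event ID, logon type, source address, account); the failure threshold, the time window, and the treatment of logon type 3 as RDP (which is how failed RDP attempts are logged when Network Level Authentication is enabled) are this example's assumptions.

```python
"""Added example: flag RDP password-guessing bursts in Windows Security log
events and tie them to a later successful logon from the same source.
Not Trend Micro code; the event format below is a constructed simplification."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
#   timestamp,EventID,LogonType,SourceNetworkAddress,AccountName
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); with Network Level Authentication enabled the
# failures of an RDP brute force are recorded with logon type 3 instead, so
# both types are treated as RDP here (assumption for this example).
SAMPLE_EVENTS = """\
2016-09-18T02:14:05Z,4625,10,203.0.113.45,administrator
2016-09-18T02:14:07Z,4625,10,203.0.113.45,administrator
2016-09-18T02:14:09Z,4625,3,203.0.113.45,admin
2016-09-18T02:14:11Z,4625,10,203.0.113.45,administrator
2016-09-18T02:14:13Z,4625,10,203.0.113.45,backup
2016-09-18T02:14:16Z,4625,10,203.0.113.45,administrator
2016-09-18T02:15:40Z,4624,10,203.0.113.45,administrator
2016-09-18T09:01:12Z,4625,10,198.51.100.7,jsmith
2016-09-18T09:01:30Z,4624,10,198.51.100.7,jsmith
"""

RDP_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse the CSV lines above into dicts, oldest event first."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, account = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside a sliding window. Each alert records the accounts tried,
    the total failures seen, and the first successful RDP logon that followed."""
    recent = defaultdict(list)   # src -> [(time, account)] failures inside the window
    total_failures = Counter()
    alerts = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            total_failures[src] += 1
            in_window = recent[src]
            in_window.append((ev["time"], ev["account"]))
            # Drop failures that fell out of the sliding window.
            while in_window and ev["time"] - in_window[0][0] > window:
                in_window.pop(0)
            if len(in_window) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_failure": in_window[0][0],
                    "accounts": set(),
                    "success": None,
                })
                alert["accounts"].update(account for _, account in in_window)
        elif ev["event_id"] == 4624 and src in alerts and alerts[src]["success"] is None:
            # Success after a burst of failures: a guessed credential, which is
            # the precondition for the hands-on RDP deployment described above.
            alerts[src]["success"] = (ev["time"], ev["account"])
    for src, alert in alerts.items():
        alert["failures"] = total_failures[src]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert)
```

On the sample data only 203.0.113.45 trips the threshold: six failures across three account names in eleven seconds, then a successful administrator logon a minute later, which is the point at which a responder should expect a redirected drive or a manual download to follow. The single failure from 198.51.100.7 is ordinary user error and is not reported.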

Here are the other notable ransomware stories from the past week:

MIRCOP
A ransomware variant was spotted making the rounds late last week, bearing a visually intimidating ransom note that claimed to be "Petya ransomware 2017". A closer look, however, revealed that the ransomware wasn't Petya but a new variant of an older family, MIRCOP (detected by Trend Micro as Ransom_MIRCOP.A).
Interestingly, this new variant (detected as Ransom_MIRCOP.F116IL) could be called a downgrade from its predecessor, since the malware's autorun mechanism has been removed. It encrypts files and renames them in the format Lock.{Original Filename and Extension} before demanding a ransom of 0.8 bitcoins.

Black Feather and Dev-Nightmare
Two more ransomware families based on the open-source Hidden Tear code were seen over the past week. Black Feather (detected by Trend Micro as Ransom_HiddenTearBlackFeather.A) arrives disguised as an inconspicuous PDF file. When opened, it displays a message saying that the file is damaged while the encryption routine starts in the background. The AES-encrypted files are appended with the .blackfeather extension. A text file then pops up on screen asking the victim to pay a ransom of 0.3 bitcoins, about US$180, for the decryption key. Researchers, however, believe that no decryption key exists.

Around the same time last week, Dev-Nightmare (detected by Trend Micro as Ransom_HiddenTearDevNightmare.A) surfaced. After infecting a system, it encrypts files and appends a .2xx9 extension to them. The ransom note demands between 0.5 and 1.5 bitcoins (at the time of writing, 1 bitcoin is equivalent to US$600) and displays an email address for the victim to contact the developers.

Cyber Splitter
A new ransomware variant with properties resembling Cerber, called Cyber Splitter (detected by Trend Micro as Ransom_CYBERSPLIT.A), was reportedly seen last week. It is spread through malicious email messages with attachments disguised as invoices or other important documents; alternatively, it may arrive as a fake software update to infiltrate an organization.

Erebus
As the week drew to a close, a ransomware family called Erebus (detected by Trend Micro as Ransom_EREBUS.A) was seen being distributed via malicious ads. The malvertisements lead visitors to a dedicated Rig exploit kit server that drops the ransomware as its payload. After encrypting the victim's files with the RSA-2048 algorithm, the ransomware appends the .ecrypt extension to them before displaying the ransom note. Specific instructions are provided to the victim through a personal home page.
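The rename patterns described above for MIRCOP, Black Feather, Dev-Nightmare and Erebus (the Lock. prefix and the .blackfeather, .2xx9 and .ecrypt extensions) are quick to check for when triaging a host or a mapped share after the fact, and they tell a responder which family struck and which files need restoring from backup. The scanner below is an added example covering all four of those passages; it is not Trend Micro's code nor any of these families' own. It classifies file names against the four patterns, requires the recovered original name to carry a document-type extension so that a stray match such as a legitimate Lock.dll is not counted, and reports only families with enough hits to suggest a real encryption run. The extension list, the min_hits threshold and the sample file listing are assumptions constructed for this example.

```python
"""Added example: triage scanner for the file-rename patterns described in
this recap. Not Trend Micro code; the extension list, threshold and sample
listing are assumptions constructed for the example."""
import os

# (kind, token, family): how each family marks an encrypted file, per the recap.
RENAME_PATTERNS = [
    ("prefix", "Lock.", "MIRCOP"),                 # Lock.{Original Filename and Extension}
    ("suffix", ".blackfeather", "Black Feather"),
    ("suffix", ".2xx9", "Dev-Nightmare"),
    ("suffix", ".ecrypt", "Erebus"),
]

# Extensions a user would care to recover; a hit requires the recovered
# original name to end in one of these (assumed list, extend as needed).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".jpg", ".png", ".zip", ".pst"}


def basename(path):
    """Last path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(filename):
    """Return (family, original_name) if the name matches a known rename
    pattern and the original looks like a user document, else None."""
    for kind, token, family in RENAME_PATTERNS:
        if kind == "prefix" and filename.startswith(token):
            original = filename[len(token):]
        elif kind == "suffix" and filename.lower().endswith(token):
            original = filename[:-len(token)]
        else:
            continue
        if os.path.splitext(original)[1].lower() in DOCUMENT_EXTS:
            return family, original
    return None


def scan_names(paths, min_hits=3):
    """Group matching paths by family; drop families below min_hits so a
    single odd file name does not raise an incident."""
    hits = {}
    for path in paths:
        match = classify(basename(path))
        if match:
            family, original = match
            hits.setdefault(family, []).append((path, original))
    return {family: found for family, found in hits.items() if len(found) >= min_hits}


def scan_directory(root, min_hits=3):
    """Walk a local folder or mapped drive and apply scan_names to every file."""
    paths = [os.path.join(dirpath, name)
             for dirpath, _, names in os.walk(root) for name in names]
    return scan_names(paths, min_hits)


# Constructed file listing standing in for a directory walk of an infected host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Lock.budget.xlsx",
    r"C:\Users\alice\Documents\Lock.report.docx",
    r"C:\Users\alice\Pictures\Lock.holiday.jpg",
    r"C:\Windows\System32\Lock.dll",            # prefix matches, but not a document
    r"\\fileserver\share\notes.txt.ecrypt",
    r"\\fileserver\share\readme.txt",
    r"D:\backup\archive.pst.blackfeather",
]

if __name__ == "__main__":
    for family, found in scan_names(SAMPLE_PATHS).items():
        print(family, len(found), "files, e.g.", found[0][0])
```

Point scan_directory at a user profile or a mapped network drive, the same locations the families above encrypt. A name-based check like this identifies the family and the affected files for recovery; it is not a preventive control, since the next variant can change its extension, which is why the gateway protection and backup advice below still stands.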

While newer families and updated variants continue to make news, the best way to keep ransomware out of the network is a multi-layered approach that protects every possible gateway of compromise, including remotely reachable RDP services of the kind the brute-force attacks above target. Maintaining regular backups of important files remains the most effective way to limit the damage an infection causes.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools, such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or using the attackers' decryption key.

Updated on October 6, 2016, 02:00 AM (UTC-7)

The post was updated to clarify the distribution method and behavior of the Erebus ransomware.

