Ransomware Recap: Oct. 21, 2016

Trend Micro researchers are currently looking into samples of a new variant of the hard drive-locking ransomware family, HDDCryptor. Early in September, researchers found an HDDCryptor variant (detected by Trend Micro as RANSOM_HDDCRYPTOR.A) exhibiting unique routines.

While the new variant (detected by Trend Micro as RANSOM_HDDCRYPTOR.F) shares a number of characteristics with its predecessor, initial analysis shows that this version differs in how it was packed. As with the first version of HDDCryptor, this variant drops similar components, but in a different folder, %systemroot%\Users\ABCD. On system reboot, it encrypts the infected machine’s disk drive, then replaces the screen with a note informing the victim that the computer has been compromised.

Further analysis of the discovered samples is still ongoing to determine whether this is an upgraded variant or one that is simply based on the earlier version of the ransomware family.

More notable ransomware stories from the past week:

When it was first discovered in May 2016, Enigma ransomware was said to be targeting Russian-speaking victims. Recently, researchers spotted a new variant of this particular ransomware. This variant (detected by Trend Micro as RANSOM_ENIGMA.B) still writes its ransom note in Russian and encrypts files using the AES algorithm. Upon completion, a .1txt extension is added to the encrypted files.

A ransom of 0.4273 bitcoins (more than US$280) is then demanded from the victim, who is allowed to decrypt one file free of charge—a tactic used to prove to victims that the provided decryptor works. Failure to pay the ransom within a specified time frame causes the ransom amount to increase by 25%.

Researchers recently discovered an open-source PHP ransomware capable of encrypting server-side files. Reportedly, Indonesian developer ShorTcut (or Shor7cut), from the hacking crew Indonesia Defacer Tersakiti, jumped from defacing websites to infecting them with PHP-based ransomware he developed.

Initially known as "JapanLocker," this particular ransomware was deployed on web servers that ShorTcut broke into. Further analysis led researchers to the malware’s open-source code, named “shc Ransomware” or “SyNcryption” and authored by the user ShorTcut, giving the ransomware a more appropriate name (detected by Trend Micro as RANSOM_SHOR7CUT.A).

The ransomware variant encrypts data by combining base64 encoding, ROT13 encryption, and top-bottom swapping. Deploying the malware requires breaking into a web server in order to run the installer. Examination of the source code from ShorTcut’s past activities, especially his shared exploits and authored scripts in various hacking forums, led researchers to a source code containing a Facebook URL that was found advertising the services of an IT company based in Jakarta.
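The three transformations named above (base64, ROT13, top-bottom swapping) involve no key, so files scrambled this way can be restored by simply inverting each step. The following is an added example for incident responders, not code from the post or from the malware; it assumes the steps are applied in the order base64, then ROT13, then swapping, and interprets "top-bottom swapping" as exchanging the first and second halves of the string.

```python
import base64
import codecs

# Assumed scheme (the post names the three steps, not their order or exact
# form): base64-encode the file bytes, ROT13 the base64 text, then swap the
# top and bottom halves of the resulting string. No key is involved anywhere,
# which is why recovery needs nothing beyond the transformed file itself.


def _swap_halves(text: str) -> str:
    """Move the first half of the string behind the second half."""
    mid = len(text) // 2
    return text[mid:] + text[:mid]


def _unswap_halves(text: str) -> str:
    """Inverse of _swap_halves: the original first half (len//2 chars) now sits at the end."""
    first_len = len(text) // 2
    cut = len(text) - first_len
    return text[cut:] + text[:cut]


def obfuscate(data: bytes) -> str:
    """Apply the assumed three-step scheme to raw file bytes (used here only to build samples)."""
    b64 = base64.b64encode(data).decode("ascii")
    # ROT13 only touches letters; the base64 digits, '+', '/' and '=' pass through unchanged.
    rot = codecs.encode(b64, "rot_13")
    return _swap_halves(rot)


def recover(blob: str) -> bytes:
    """Invert the scheme: unswap the halves, undo ROT13, then base64-decode."""
    rot = _unswap_halves(blob)
    b64 = codecs.decode(rot, "rot_13")
    return base64.b64decode(b64, validate=True)


def recover_in_place(path: str) -> bytes:
    """Read a transformed file from disk, restore it and return the original bytes."""
    with open(path, "r", encoding="ascii") as fh:
        return recover(fh.read().strip())


if __name__ == "__main__":
    # Constructed sample standing in for a web application file on a compromised server.
    original = b"<?php\necho 'index';\n?>\n"
    scrambled = obfuscate(original)
    print(scrambled)
    assert recover(scrambled) == original
    print("restored without any key")
```

Because every step is a fixed, keyless transformation, a hit on the transformed content (for example, a text file that base64-decodes cleanly after unswapping and ROT13) is enough to restore it; no decryptor from the attacker is needed.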

The recently discovered Nuke ransomware (detected by Trend Micro as RANSOM_NUCLEAR.F116JD) locks files on targeted systems using the RSA algorithm and renames files using random characters before appending either a .0x5bm or a .nuclear55 extension. Following successful encryption, it drops two ransom note files—a text file and an HTML file—and replaces the desktop wallpaper.

The note specifies a demand of 0.5 to 1.5 bitcoins to be paid within a 96-hour deadline, but it does not provide any specific payment instructions or payment page. Instead, it provides an email address that the victims can contact. Like other ransomware variants, the perpetrators behind this malware allow victims to attach one encrypted file—a lure to convince users that files will be retrieved after paying the ransom.

Another fake lockscreen window surfaced last week that tricks targets into believing that they were caught doing illegal online activities. The ransomware variant (detected by Trend Micro as RANSOM_FAKELOCK.F) flashes the warning “You have been downloading copyrighted porn, software, and music. You have posted them on the internet.” It then demands a payment of US$200 through MoneyPak to unlock the machine. Interestingly, the “Unlock” button terminates the process without further verification.

Awareness of the many known tactics used by cybercriminals is the best way to prevent a ransomware infection. A multi-tiered approach to defending against ransomware is also important to safeguard all possible points of compromise in a system or a network. When ransomware does infect a system, having a solid back-up strategy in place will mitigate the damage.

Ransomware solutions:

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting infected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, as well as the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or using the decryption key.
