Ransomware Recap: Oct. 21, 2016
Trend Micro researchers are currently looking into samples of a new variant of the hard drive-locking ransomware family, HDDCryptor. Early in September, researchers found a HDDCryptor (detected by Trend Micro as RANSOM_HDDCRYPTOR.A) variant exhibiting unique routines.
While the new variant (detected by Trend Micro as RANSOM_HDDCRYPTOR.F) shares a number of similar characteristics with its predecessor, initial analysis show that this version differs in how it was packed. As with the first version of HDDCryptor, this variant drops similar components, but in a different folder, %systemroot%\Users\ABCD. On system reboot, the file encryption of the infected machine’s disk drive ensues, before replacing the screen with a note that informs the victim that the computer has been compromised.
Further analysis of discovered samples is still ongoing to see whether this is an upgraded variant or one that is simply based on the earlier version of the said ransomware family.
More notable ransomware stories from the past week:
A ransom of 0.4273 bitcoins (more than US$280) is then demanded from the victim, but allows the victim to decrypt one file free of charge—a tactic used to prove to victims that the provided decryptor works. Failure to pay the ransom within a specified time frame causes the ransom amount to increase by 25%.
Initially known as "JapanLocker," this particular ransomware was deployed in web servers that ShorTcut broke into. Further analysis led researchers to the malware’s open-source code, named, “shc Ransomware” or “SyNcryption” authored by the user ShorTcut, giving the ransomware a more appropriate name (detected by Trend Micro as RANSOM_SHOR7CUT.A).
The ransomware variant encrypts data by fusing base64 encoding, ROT13 encryption, and top-bottom swapping. In order to deploy the malware, web servers have to be broken into in order to run the installer. Explorations on the source codes of ShorTcut’s past activities, especially his shared exploits and authored scripts in various hacking forums, led researchers to a source code with a Facebook URL that was found advertising the services of an IT company based in Jakarta.
The note specifies a demand of.5 to 1.5 bitcoins to be paid within a 96-hour deadline, but it does not provide any specific payment instructions or payment page. Instead, it provides an email address that the victims can contact. Like other ransomware variants, the perpetrators behind this malware allows victims to attach one encrypted file—a lure to convince users that files will be retrieved after paying the ransom.
Awareness of the many known tactics used by cybercriminals is the best way to prevent a ransomware infection. A multi-tiered approach to defend against ransomware is also important to safeguard all possible points of compromise in a system or a network. When ransomware infects a system, a solid back-up strategy in place will mitigate damages of infection.
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting infected by ransomware:
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases