Last week, Trend Micro researchers uncovered traces of a new ransomware variant being pushed by the Rig exploit kit. This particular variant, named Alcatraz Locker ransomware (detected by Trend Micro as RANSOM_ALCATRAZ.F116J5), appears to still be in its development stage, based on the sample obtained and studied by our experts.
After it encrypts files using the AES-256 algorithm, it appends the extension .alcatraz to the renamed locked files. The ransom note then demands a ransom of 0.3283 bitcoins—amounting to an estimated value of over US$200—to be paid within a 30-day deadline. Failure to comply, as the ransom note states, will result in permanent deletion of the encrypted files.
A link to its support page shows a multi-lingual orientation: English, Italian, French, Spanish, and German. It is not limited to these five languages, however, as the Tor support page caters to even more readers with languages like Japanese, Russian, and Mandarin. It is interesting to note, though, that the link to the payments page led to a page that says, “What are you doing here,” which may indicate that the ransomware is not operational yet. Trend Micro researchers will continue to monitor the movement and activity of this particular ransomware variant.
In contrast, a fully operational ransomware was also unearthed recently. Dubbed Princess Locker (detected by Trend Micro as RANSOM_PRINCESSLOCKER.A), this variant may have been named by its developers after the steep ransom it demands from its victims. After its encryption routine, this variant demands a rather hefty amount of 3 bitcoins (around US$1,800) for a decryptor tool. Once its 7-day countdown timer expires, the amount doubles to 6 bitcoins—for a ransom of over $3,700.
Princess Locker renames affected files by appending an extension consisting of a random string of 4 to 5 alphanumeric characters before displaying a ransom note with a link directing to a Tor payment site, where the victim is asked to log in. Earlier reports surmise that the language selection page, which allows a victim to choose from any of the 12 available languages, bears a resemblance to that of Cerber.
Once logged in using the unique victim ID provided in the ransom note, the payment site displays elaborate details on what happened to the victim’s machine and how the Princess Decryptor can be obtained. A feature of the payment page also allows the decryption of one file for free: the victim is given the ability to select a sample file to be decrypted, and the result, as seen by Trend Micro researchers, is delivered in an archive named Decrypted.zip that requires no password. This is done to convince victims that paying is the best option to regain access to their files.
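The two renaming patterns described above (a fixed .alcatraz extension, and a random 4- to 5-character alphanumeric extension appended to the original name) lend themselves to a simple file-name triage check, shown here as an added example rather than Trend Micro's own tooling. The file names are constructed, and the check assumes Princess Locker leaves the original extension in place before the appended one.

```python
import re
from collections import Counter

# Constructed sample of file names, as a file-integrity agent might report them
# after a ransomware run; none of these names come from a real sample.
SAMPLE_LISTING = [
    "Q3_report.docx",
    "budget.xlsx.k7fq2",       # Princess Locker style: original ext kept, random ext appended
    "photo.jpg.k7fq2",
    "notes.txt.k7fq2",
    "contract.pdf.k7fq2",
    "index.html",              # legitimate 4-letter extension, must not be flagged
    "renamed_file_01.alcatraz",  # Alcatraz Locker style: .alcatraz extension
    "archive.zip",
]

KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "ppt", "pptx", "zip"}
# Exactly 4-5 alphanumeric characters after a dot, as described for Princess Locker
RANDOM_EXT = re.compile(r"^[a-z0-9]{4,5}$")


def classify(name):
    """Return 'alcatraz', 'princess', or None for a single file name."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last == "alcatraz":
        return "alcatraz"
    # Princess Locker pattern (assumed): a known original extension immediately
    # followed by an appended 4-5 char extension, e.g. report.docx.k7fq2.
    if len(parts) >= 3 and parts[-2] in KNOWN_EXTS and last not in KNOWN_EXTS \
            and RANDOM_EXT.match(last):
        return "princess"
    return None


def scan(listing, threshold=3):
    """Count suspicious renames per family and per appended extension. An alert
    fires when one random extension recurs across at least `threshold` files,
    which separates mass encryption from a single oddly named file."""
    families, ext_hits = Counter(), Counter()
    for name in listing:
        family = classify(name)
        if family:
            families[family] += 1
            ext_hits[name.lower().rsplit(".", 1)[-1]] += 1
    alerts = [ext for ext, n in ext_hits.items() if n >= threshold]
    return dict(families), alerts
```

Running `scan(SAMPLE_LISTING)` on the constructed listing reports four Princess-style and one Alcatraz-style rename and raises an alert on the recurring `k7fq2` extension, while `index.html` stays clean.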
Here are other notable ransomware stories from the past week:
The continued development of new ransomware families and the surfacing of updated variants show that this cyber extortion malware is still profitable for cybercriminals. An effective defense against ransomware involves the adoption of a multi-layered approach that secures all possible gateways of compromise. A solid backup of valuable files, on the other hand, mitigates the damage from data loss caused by a ransomware infection.
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities such as behavior monitoring, application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools, such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or using the decryption key.