Ransomware Recap: August 19, 2016

ransomware-weeklyThe introduction of new ransomware families and continuous updates given to earlier-released ransomware strains indicate how lucrative this attack form is to cybercriminals—cashing in on how fast and easy it is to deploy using tried-and-tested methods.

Last week, we saw familiar ransomware families resurface with newer and improved variants, older families inspiring new families, and even new business models revolving around the development and distribution of ransomware. Here’s our review of ransomware activity seen last week:


At the onset of the week, Locky, currently one of the most popular ransomware families, turned up again. This time, it was found using another arrival tactic—the use of Windows Scripting Files (WSF). WSF is a file that enables the combination of multiple scripting languages within a single file.

This tactic makes detection and analysis of ransomware trickier, given the fact that WSF files are not typically included in the list of files normally monitored by endpoint solutions for malicious activity. It's reminiscent of the tactic employed by Cerber ransomware in an email campaign back in May 2016, which proved to be a successful trick for bypassing security measures. As such, the entry of this new Locky variant was seen being delivered by legitimate-looking emails that appear to be targeting companies, with subject lines such as “bank account record”, “annual report”, and “company database”. This new variant was also seen being traded in the Brazilian underground market.


Satana ransomware (detected by Trend Micro as RANSOM_SATANA.A) first emerged a couple of months back with techniques and qualities attributed to earlier-released ransomware families Petya and Mischa. The ransomware, named after the translation of “devil” in Italian, is known to lock a victim’s personal files, and replace its master boot record (MBR) with its own version that then stops the machine from booting its operating system.
However, unlike former ransomware families it is patterned from, Satana completes its encryption routine then continues on to operate in the background. On the next system reboot, the ransomware renders the "Black Screen of Death," and displays the ransom note that demands 0.5 bitcoin (amounting to US$300).


At the beginning of this August, a new screen-locking ransomware (detected by Trend Micro as RANSOM_FAKELOCK.E) was seen disguised as a Windows activation window. The ransomware may not be widely-distributed, but it shows qualities that differentiate it from other typical screen-locking ransomware that came before it.
Similar to a tech support scam, RansomLock displays a message box that says the user’s key is expired and tricks the user into clicking a button. This will lead to a standard Windows 10 wallpaper that asks its would-be victim to contact a toll-free number to regain access to their machines.


Researchers spot the release of the latest version of Shade ransomware (detected by Trend Micro as Ransom_CRYPSHED.N) making its rounds in Russian territories and CIS. First seen in late 2014 and early 2015, it has since grown to be one of the most distributed ransomware variants in Russia.

The upgrade now adds the silent download and installation of a remote access tool to its features apart to its file-encrypting capabilities. Upon arriving in a machine, the ransomware checks for activities related to accounting by looking for installed applications and strings connecting it to any banking software. When a match is found, the malware executes remote control tools.

The added malware comes in the form of a bot named Teamspy, a malicious version of the legitimate TeamViewer remote control application, to communicate with a command and control (C&C) server. The use of such bots allows perpetrators to stealthily keep an eye on the victim’s machine and its activities to use the most effective way of sourcing out cash.


Another ransomware was spotted in the middle of the week that was said to be derived from HiddenTear (detected by Trend Micro as Ransom_KAOTEAR.A, due to its KakaoTalk and Hidden Tear properties). The ransomware downloads an executable file named KakaoTalk.exe and encrypts files and documents using AES encryption before appending an extension name in Korean. The ransom note is displayed shortly after encryption, which is also hard-coded in Korean. Continuing observations and analysis of the ransomware strain, including comparison to other open-source ransomware, is ongoing. Interestingly, victims are directed to a decryption site that was earlier used by CrypMic.


Before the week drew to a close, a new ransomware variant of earlier discovered family, EDA2, dubbed FSociety ransomware (detected by Trend Micro as Ransom_CRYPTEAR.SMILA) was discovered. This is due to its apparent reference to a television show made popular in the US, Mr. Robot, with a ransom note that features an image referencing the show's infamous group, FSociety.

Like most open source code ransomware and EDA2 variants, it encrypts files using AES-256 encryption before uploading the RSA-encrypted decryption key to its C&C server, then appending the extension .locked to its encrypted files. Interestingly, this particular ransomware strain shows signs of ongoing development given that the ransom note does not provide payment details or means to contact the perpetrator.


Cybercriminals are known to ride the wave of public interest seen in popular media. With the global popularity of Pokemon GO, it was only a matter of time before cybercriminals thought of a way to cash in.
Cybercriminals were quick to leverage Pokemon GO to spread ransomware targeted players looking for the app. This new ransomware (detected by Trend Micro as Ransom_POGOTEAR.A) poses as a Pokemon GO application for Windows. Analysis revealed attributes linked closely to Hidden Tear, an open-source ransomware code first seen in August 2015. The new ransomware is also capable of creating a “Hack3r” backdoor user account with Administrator privileges in Windows. The ransom note features an image of Pikachu, and appears to target Arabic-speaking users.


A new Ransomware as a Service (RaaS) emerged early last week dubbed the Shark Ransomware Project (detected by Trend Micro as Ransom_SHARKRAAS). The service offers a platform for any wannabe-cybercriminal with ransomware that can be customized. Reports show that the service does not require any technical expertise from its would-be client—requiring just a form to be filled out. The developers get to keep 20% of the collected ransom payments, while the “distributor/affiliate” gets 80%.

Interestingly, unlike other RaaS offerings seen in the past, the service went live in July on a publicly-accessible WordPress site instead of operating anonymously in the underground. Unlike most RaaS site offerings, the Shark Ransomware Project operates differently by giving its client a “base ransomware executable” that allows the would-be distributor to modify its configuration.


By the end of last week, a new ransomware family called DetoxCrypto was discovered being distributed in two different variants: the first being a typical ransomware that has the capability of taking a snapshot of the victim’s Windows screen, and the other, was yet another take on the global mobile application phenomenon, Pokemon GO.

The Calipso variant of DetoxCrypto (detected by Trend Micro as Ransom_Detoxcrypt.A) takes the form of a typical ransomware that encrypts files before displaying a lock screen with payments instructions (and some music). Following execution, the ransomware can take a screenshot of the active screen of its infected system and upload it to the malware author’s servers. Given this capability, researchers see that the price of the ransom could vary, given the sensitivity of content captured on the screenshot.

The Pokemon GO-themed variant of this ransomware (detected by Trend Micro as Ransom_Dextocrypt.A) executes the downloaded file Pokemongo.exe before it encrypts files found in the victim's machine. After encryption, it will display a lock screen containing the ransom note with accompanying music. Analysis of the variant’s arrival methods is still ongoing but it is apparent that the perpetrators behind the ransomware are looking to cash in on the game's popularity.

Preventing ransomware can be a challenge, but it is not impossible. A multi-layered approach that safeguards possible entry points from this threat to reach networks and systems is the best way to minimize the risk of reaching endpoints.

Arming users with knowledge on infection techniques commonly used by cybercriminals effectively helps in building a shield against ransomware. In organizations, IT admins should proactively share information on possible ransomware entry points that could compromise not just one’s machine but the company’s network.  A regular backup schedule of critical data gives users and organizations the upper hand when faced with this threat, as victims won't have to resort to paying the ransom to regain access to locked data.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware such as cuteRansomware, Alfa, CTB Faker, and Ranscam.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.