Ransomware Recap: Nov. 21- Dec. 2, 2016

When it comes to ransomware sightings in the past two weeks, one of the most talked about incidents involve  an identified ransomware attack reportedly impacting more than 2,000 of the almost 9,000 machines connected to the San Francisco Municipal Transportation Agency (SFMTA) network. This, in turn, has caused a system disruption that forced the agency to allow passengers to ride for free. It was later shared that the metro subway station's ticketing machines and fare gates were turned off to avoid inconveniencing the public.

SFMTA representative Kristen Holland, in a statement released on November 28, shared that approximately 900 machines were primarily affected by the attack, contrary to earlier reports, and highlighted that no data was accessed from any of the agency’s servers. The statement was contrary to the attackers' threat that 30gb-worth of data was exfiltrated and will be sold in the Deep Web should the ransom demand of 100 bitcoins, or US$ 73,000, be left unpaid. Further, the cybercriminals behind the attack offered to decrypt one machine for 1 bitcoin, in an attempt to convince the SFMTA to pay the ransom.

SFMTA joins the lineup of organizations whose operations have been disrupted by a successful ransomware attack. In a blog entry, Trend Micro researchers confirmed that the ransomware involved was an iteration or evolved variant of HDDCryptor, a ransomare family that was discovered in September 2016. Samples of the ransomware have been analyzed, revealing subtle updates since its initial sighting.

As with other versions of HDDCryptor, the attack on SFMTA was done using tools necessary to enable full disk encryption, including data from shared network drives. Based on their analysis of the incident, Stephen Hilt and Fernando Merces believe that this particular attack is more targeted compared to those that involve exploit kits or automated installers. Instead, admin credentials may have been used to schedule a job that would operate on all the affected devices.

A closer look at the ransomware showed how the developers of the malware are constantly improving their codes by adding features like anti-sandbox and anti-debugging features, string encoding, and simple resource encryption to circumvent AV detection technologies. It is also interesting to note that no researcher has been able to attribute HDDCryptor executables to any known phishing campaigns. This means that the actors behind the attack may have had prior access to the SFMTA systems, allowing them to manually execute the ransomware.

Apart from HDDCryptor, other earlier discovered ransomware families continue to make its presence felt. In our last recap, Cerber’s reign as one of the more prominent ransomware families of late was highlighted with the continuous emergence of updates that add evolved capabilities and improved attack tactics.

Over the past two weeks, Cerber's surge continues with the release of yet another variant, version 5.0, shortly followed by an updated version, 5.0.1 (detected by Trend Micro as RANSOM_CERBER.AUSJB). These updates reportedly incorporated minor changes to its code to make its main routine shorter than it previous versions. It also checks information of the targeted machine, like available memory and used disk space, before communicating with its servers. Previous versions simply flagged this type of information.

Not long after, December opened with a new version of Cerber (detected by Trend Micro as RANSOM_CERBER.AUSKM). Unlike previous versions, it shows a tweaked version of the ransom note, without indicating its version number. Interestingly, upon successful encryption, it adds four randomly-generated alpha-numeric characters to the extension name to the encrypted file. It also is reminiscent of the first sightings of Cerber, with the inclusion of an audio message announcing compromise. It demands a ransom of almost $500 for a decryption key.

Here are other notable ransomware stories in the past two weeks:

Locky, much like Cerber, received a number of swift and constant updates over the past couple of months. Lately, Locky has adopted the use of different extension names, showing how its developers are actively updating and developing newer ways to infect and extort its victims.

Shortly after its discovery, samples of another Locky variant (detected by Trend Micro as RANSOM_LOCKY.Z) surfaced, this time using a .zzzzz extension appended to the filenames of its encrypted files. With routines similar to previously-seen Locky variants, this has been observed to originate from spam emails under the guise of false order receipts supposedly made by the victim. Upon execution and successful encryption, the ransom note gives specific instructions on how to settle the ransom.

CRYPTOWIRE and LOMIX

The entry of the new ransomware families and updates of variants released in the past mean one thing—ransomware works for cybercriminals. In order to defend against ransomware, a multi-layered approach is key to shutting out the malware from all possible gateways. IT admins in organizations should empower the workforce with necessary education to keep employees abreast of attack tactics.  On the other hand, when infected, a solid back-up of important files can mitigate damages brought by a successful ransomware infection.

Ransomware solutions: