Ransomware Recap: New Versions and Descendants of Past Families Emerge in July

From upgraded variants to rehashed versions sold cheaply on the Dark Web, the ransomware threat continues to grow. In fact, the FBI recently projected that the losses caused by ransomware infections on home users and enterprises could reach a billion dollars in 2016 alone, and with all that money being paid to these extortion operations, the threat is not expected to stop.

[Read more: The psychology behind the success of ransomware]

This series of monthly recaps of the movement and activity seen in the ransomware landscape began last June. Here are some of the most notable ransomware stories that made news in July.

Patterns Uncovered: Ransomware Strains Inspired by the Success of Earlier Families


Mid-July saw the surfacing of a new ransomware type whose functionality bears some similarities to CryptoLocker. Stampado (detected by Trend Micro as RANSOM_STAMPADO.A) was heavily advertised in the cybercriminal underground at 39 USD, a fraction of the price of malware typically peddled in the Ransomware-as-a-Service (RaaS) market, with accompanying videos showing how it works. While this relatively low price for a “lifetime license” drew attention from researchers and journalists, no samples of the malware had been obtained at the time of its discovery. Upon closer analysis, Stampado also showed similarities to the behavior of Jigsaw: both encrypt files using AES and delete chunks of the held files once a period passes without the ransom being paid. Stampado gives victims 96 hours before the entire database of files is deleted.


When CrypMIC (detected by Trend Micro as RANSOM_CRYPMIC) was discovered, researchers were quick to spot similarities with CryptXXX; the new family appeared to be an attempt to replicate CryptXXX’s success in the ransomware game, using a similar entry point, ransom note, and even the same payment user interface. However, CrypMIC does not append any extension name to the files it has encrypted, which makes it harder to tell which files have been affected.
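Because a family like CrypMIC leaves file names and extensions untouched, responders cannot simply search for a known suffix to scope the damage. An added example (not code from this article or from Trend Micro) of one defender-side triage approach: check whether a file still begins with the header its format should have, and otherwise measure the Shannon entropy of its first bytes, since bulk-encrypted data looks like uniformly random bytes. The function names, the magic-byte table, the 7.5 bits-per-byte threshold and the sample files built in `demo()` are all my own constructions, not values taken from the page.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes of common document and media formats. A file that still starts
# with one of these is at least structurally intact; ciphertext will not be.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-based (docx/xlsx/pptx/odt)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "legacy OLE (doc/xls/ppt)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def identify_magic(data: bytes):
    """Return the format name whose magic bytes the data starts with, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def classify(data: bytes, threshold: float = 7.5, window: int = 4096) -> str:
    """Triage verdict for one file's contents.

    'ok'         -> recognisable header, or a low-entropy body (plain text etc.)
    'suspicious' -> no known header and a near-uniform byte distribution,
                    which is what a bulk-encrypted file looks like
    """
    head = data[:window]
    if identify_magic(head) is not None:
        return "ok"
    return "suspicious" if shannon_entropy(head) >= threshold else "ok"

def scan_directory(root: str):
    """Walk a tree and return the paths whose contents look encrypted."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if classify(fh.read(4096)) == "suspicious":
                    flagged.append(path)
    return sorted(flagged)

def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "notes.txt": b"quarterly figures attached, see below\n" * 64,  # plain text
            "report.pdf": b"%PDF-1.4\n" + bytes(range(256)) * 8,          # intact header
            "report.docx": b"PK\x03\x04" + bytes(range(256)) * 8,         # intact header
            # Simulated ciphertext: uniform bytes, no header, original name kept
            "invoice.xlsx": bytes(range(256)) * 16,
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return [os.path.basename(p) for p in scan_directory(tmp)]

if __name__ == "__main__":
    print(demo())
```

The header check matters because compressed archives, images and PDFs with compressed streams also have high entropy; without it, every intact `.docx` would be flagged. The verdict is a triage hint for scoping an incident, not proof of encryption: headerless compressed formats will produce false positives, and a family that re-adds a plausible header would evade it.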

Tried and Tested: Surges and Continued Updates


Following numerous updates to improve its capabilities, such as the addition of a distributed denial-of-service (DDoS) component and the use of double-zipped Windows Script Files (WSFs) to evade detection, July saw the release of Cerber’s latest variant (detected by Trend Micro as RANSOM_CERBER.CAD), which put Office 365 users in homes and businesses in the crosshairs. The variant arrives as a macro-laced Office document attached to spam emails. Once the user clicks on the attachment, it encrypts 442 file types using combined AES-256 and RSA encryption. Upon closer analysis, this new variant was also found to be pushed by the Rig and Magnitude exploit kits, both of which have been seen exploiting zero-day vulnerabilities.
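The two delivery tricks described above, a VBA project inside an Office attachment and a script file buried in a zip within a zip, can both be spotted at the mail gateway before the attachment reaches a user. As an added example (not code from this article, from Trend Micro, or from any named product), here is a Python triage routine that inspects an attachment by content: zip-based OOXML documents are checked for a `vbaProject.bin` part or the VBA content type in the package manifest, legacy OLE files get only a crude marker search, and nested zips are unpacked to a limited depth looking for script-like member names. The function names, the quarantine policy, the script-extension list and the constructed sample attachments are my own assumptions.

```python
import io
import zipfile

# Part name and manifest content type under which OOXML containers store VBA
VBA_PART_SUFFIX = "/vbaProject.bin"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Header of the legacy OLE2 compound file format (.doc/.xls/.ppt)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored as UTF-16LE; these storages hold VBA
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# Member names that should never arrive inside a mailed archive
SCRIPT_SUFFIXES = (".wsf", ".js", ".jse", ".vbs", ".hta")

def ooxml_has_macro(data: bytes) -> bool:
    """True if a zip-based Office document (docx/docm/xlsm/pptm...) embeds VBA."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.endswith(VBA_PART_SUFFIX) for n in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass
    return False

def ole_has_macro_marker(data: bytes) -> bool:
    """Crude triage for legacy OLE documents: look for VBA storage names.
    A production gateway would parse the OLE directory properly (e.g. with
    oletools); this substring search only illustrates the idea."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in OLE_VBA_MARKERS)

def nested_script_names(data: bytes, depth: int = 3):
    """Recurse into zip-in-zip attachments and return script-like member names.
    Depth-limited so a malformed or deliberately deep archive cannot run away."""
    found = []
    if depth < 0 or not data.startswith(b"PK\x03\x04"):
        return found
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                lower = info.filename.lower()
                if lower.endswith(SCRIPT_SUFFIXES):
                    found.append(info.filename)
                elif lower.endswith(".zip"):
                    found.extend(nested_script_names(zf.read(info), depth - 1))
    except zipfile.BadZipFile:
        pass
    return found

def attachment_verdict(data: bytes) -> str:
    """Gateway-style decision for one attachment, based on content not name."""
    if data.startswith(b"PK\x03\x04"):
        if ooxml_has_macro(data) or nested_script_names(data):
            return "quarantine"
        return "deliver"
    if data.startswith(OLE_MAGIC):
        return "quarantine" if ole_has_macro_marker(data) else "deliver"
    return "deliver"

# --- constructed sample attachments for demonstration (not real malware) ---

def build_ooxml_sample(with_macro: bool) -> bytes:
    """Minimal zip laid out like a Word document; with_macro adds a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder blob
    return buf.getvalue()

def build_ole_sample(with_macro: bool) -> bytes:
    """OLE header plus padding; with_macro appends a VBA storage name marker."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body

def build_double_zipped_script() -> bytes:
    """An empty .wsf shell inside a zip inside a zip, mirroring the evasion trick."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.wsf", "<job></job>")  # inert placeholder, no script body
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()
```

A macro is not proof of malice, so "quarantine" here means hold for review rather than silently drop; the useful property of the check is that it keys on the container's structure, which the sender controls far less easily than the file name or extension. The nested-archive walk is bounded by `depth` precisely because the evasion relies on layering, and an unbounded recursion would turn a crafted attachment into a denial of service against the gateway itself.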


Before July drew to a close, a wave of legitimate business websites were found to have been hijacked by a botnet named SoakSoak to deliver ransomware to anyone who visited them. The automated attack affected vulnerable, unpatched content management systems (CMS). Hijacked websites redirected visitors to a malicious site, where the payload was found to be CryptXXX, one of the more infamous ransomware families seen of late.

New Blood: New Ransomware Variants

cuteRansomware, CTB Faker, Alfa, and Ranscam

Four variants emerged almost simultaneously in the same week of July. cuteRansomware (detected by Trend Micro as RANSOM_CRYPCUTE.A) uses Google Docs to transmit encryption keys and gather user information, which helps it evade detection. Findings show, however, that the ransomware also uses cloud apps other than Google Docs.
Alfa ransomware (detected by Trend Micro as Ransom_ALFA.A) surfaced not long after. Believed to be a descendant of Cerber, the malware scans the infected system’s local drives and encrypts over 142 file types, appending a “.bin” extension name to each locked file.

CTB Faker (detected by Trend Micro as Ransom_ZIPTB.A) then emerged, apparently mimicking an earlier ransomware type, CTB Locker. This variant is spread via bogus profiles on adult sites that trick users with the promise of access to a password-protected striptease video. The poisoned link then leads to the download of the ransomware, hosted on JottaCloud.

A low-profile ransomware strain named Ranscam was also discovered in July; it threatens to delete files unless a 0.2 bitcoin ransom is paid. The tricky part, though, is that the files are deleted even if the ransom has already been paid, which makes it more of a pointless scam than ransomware. While considered low-profile and not widely spread, these families are still representative of the unrelenting effort of cybercriminals to come up with the next big thing in the ransomware landscape.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware such as cuteRansomware, Alfa, CTB Faker, and Ranscam.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, as well as the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or using the decryption key.
