Ransomware Recap: New Disguises and a Change of Cryptocurrency

ransom recap mar 24Ransomware continues to target a section of the online community often attacked with malware: gamers. Roza Locker (detected as RANSOM_ROZALOCK.A), is a new ransomware that aims for Russian-speaking gaming enthusiasts by posing as an installer for a PC game. Once unpacked, the ransomware requests elevated privileges to start encrypting files.

Roza Locker is distributed as an .exe file that, when opened, shows a User Access Control window (UAC) prompting the victim to allow an unknown publisher to make changes to their device. If this doesn’t work and access is denied, a new window that says “ПОИСК …” (which translates to "search" in English) pops up. Presumably this is to encourage the user to return to the previous window and allow access.

If the user grants access, the predetermined file types are encrypted, and the extension .enc is appended to the files. The ransom is set at 10,000 Rubles, or close to US$175.

Aside from encryption, Roza Locker also kills and disables the Task Manager process and prevents the user from accessing certain websites by altering the hosts file %system%\drivers\etc\hosts. The websites blocked by the malware include several legitimate Russian online gaming sites as well as some of the biggest Russian cybersecurity vendors.


An unconventional Star Trek -themed ransomware named after the iconic Captain Kirk (detected as RANSOM_KIRK.A) has been discovered. Simply named Kirk, it was written in Python and demands payment in the cryptocurrency Monero (XMR), not the usual Bitcoin. Monero has been touted as a more private cryptocurrency, and underground criminals are already starting to prefer XMR as a form of payment.  

Staying true to the space theme, Kirk disguises itself as the open source network stress testing application called Low Orbit Ion Cannon (LOIC). Once downloaded, it scans the C: drive for specified file types and then begins to encrypt; any successfully encrypted files are appended with the extension .kirked. Victims are asked to pay a ransom that gradually increases as more time passes, with the demand topping out at XMR 500, or roughly $10,360.  

Another variant of the Kirk ransomware calls itself Lick (also detected as Ransom_KIRK.A) and was found disguised as a ransomware decryptor. It targets the same files, has the same process, and demands the same Monero amount from its victims. The extension for encrypted files is .licked.


In March, we saw CryptoShield, a variant of CryptoMix, being distributed by exploit kits. Now a newer variant called "Revenge" ransomware (detected as RANSOM_CRYPAURA.RVG) is being pushed by the Rig exploit kit—one of the more active kits today which uses a wide variety of ransomware.  

Revenge appends the .revenge extension to files it encrypts and leaves a short and straightforward ransom note with no detail about the timeline, payment amount, or even the typical ransom threats. It simply says that the files can be recovered and asks the victim to email them for more instructions. The note is repeated in several languages: English, Italian, German, Polish and Korean. 

More HiddenTear ransomware

Continuing the trend discussed last week, two more ransomware based on open source projects were found. The MacandChess ransomware (detected as RANSOM_HIDDENTEARMNC.A) seems to still be in its early stages—as of writing it only targets 20 file types for encryption, most of which are document and image files. The Karmen ransomware (detected as RANSOM_HIDDENTEARKARMEN.A) is a little more sophisticated.

Karmen is offered as ransomware-as-a-service (RaaS), with the developers managing the command-and-control servers, processing payments, and getting a share of the proceeds from distributors. Karmen RaaS disguises itself as an application called “Helper”, and once installed performs typical ransomware behavior. It adds the extension .grt to encrypted files and asks for a ransom in Bitcoin. Based on the ransom note, the targets seem to be German and English speakers.

As ransomware continues find new ways trap victims, new delivery systems, and more private payment schemes to facilitate their activities, users must stay vigilant. Effective security solutions can protect their assets from the ransomware threat.

Ransomware Solutions:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.