Ransomware Recap: Oct. 7, 2016

ransomware-weeklyLast week, Trend Micro researchers uncovered traces of a new ransomware variant being pushed by Rig exploit kit. However, this particular variant, named Alcatraz Locker ransomware (detected by Trend Micro as RANSOM_ALCATRAZ.F116J5), appears to be in its development stage based on the sample obtained and studied by our experts.

[Related: An overview of the exploit kit landscape after Angler]

After it encrypts files using the AES-256 algorithm, it appends the extension .alcatraz to the renamed locked files. The ransom note then demands a ransom of 0.3283 bitcoins—amounting to an estimated value of over US$200—to be paid within a 30-day deadline. Failure to comply, as the ransom note states, will result in permanent deletion of the encrypted files.

A link to its support page shows multi-lingual orientation: English, Italian, French, Spanish, and German but it is not limited to these five languages as the Tor support page caters to even more readers with languages like Japanese, Russian, and Mandarin. It is interesting to note though, that the link to the payments page led to a page that says, “What are you doing here,” which may indicate that the ransomware may not be operational yet. Trend Micro researchers will continue to monitor movement and activity of this particular ransomware variant.

Opposite this, a fully-operational ransomware was also unearthed recently. Dubbed Princess Locker (detected by Trend Micro as RANSOM_PRINCESSLOCKER.A), developers of this particular variant may have derived the name from the steep ransom it demands from its victims. After its encryption routine, this variant demands a rather hefty amount of 3 bitcoins (around US$1,800) for a decryptor tool. Once its 7-day countdown timer expires, the amount doubles to 6 bitcoins—for a ransom of over $3,700.

Princess Locker renames affected files by appending the extension with a random string of 4 to 5 alphanumeric characters before displaying a ransom note with a link directing to a Tor payment site where a victim is asked to log in.  Earlier reports surmise that the language selection page, which allows a victim to choose from any of the 12 available languages, bears a resemblance to that of Cerber.

Once logged in using the provided unique victim ID from the ransom note, the payment site displays elaborate details on what happened to the victim’s machine and how the Princess Decryptor can be obtained. A feature of the payment page also allows the decryption of one file for free. The victim is given the ability to select a sample file to be decrypted. The result, as seen by Trend Micro researchers, will be uploaded to an archive named Decrypted.zip without the need for a password. This is done to convince victims that paying is the best option to regain access to the files.

Here are other notable ransomware stories from the past week:


(detected by Trend Micro as RANSOM_KILLERLOCKER.A) emerged last week with scare tactics that seemingly emulate that of a popular ransomware variant family called Jigsaw. When executed, this variant encrypts files with AES 256-Bit and appends the filename with .rip. A ransom note, written in Portuguese, is then displayed onscreen with an image of a villainous clown and a 48-hour countdown.


Reports of the first sightings of Hitler ransomware surfaced almost around the same time Jigsaw first appeared. It locks the screen and displays an image of Adolf Hitler declaring compromise. However, this variant reportedly demands a ransom in the form of a 25-Euro Vodafone cash card to regain access to files that have been already deleted—reminiscent of older ransomware scam variants, particularly RANSCAM.

This time, a new variant of Hitler (detected by Trend Micro as RANSOM_LERITH.C) emerged the past week, almost the same time as KillerLocker’s surfacing. This time, a ransom of 20 Euros, to be paid via PaySafeCard is demanded. The card code is then required to unlock the affected machine.


CryptGo (detected by Trend Micro as RANSOM_CRYPTGO) is an open-source ransomware that is believed to be the first variant to be coded using Google’s GO programming language. Based on the sample analyzed by Trend Micro researchers, it will encrypt files found in the Shared folder. Then, it will encode the filename of the locked file via base64 algorithm and append the extension .encrypted.


JanBleed (detected by Trend Micro as RANSOM_EDA2JANBLEED.A) is another open-source ransomware that surfaced over the past week. This EDA2-based ransomware variant is capable of copying itself in existing ZIP and RAR archives found inside a target’s system either as an evasion tactic or as an attempt to spread to more would-be victims when the archive files are shared or distributed via email. Once it succeeds searching for .zip and .rar files to copy itself into, it proceeds with encrypting its target files. After which, a ransom of US$500 in bitcoin is demanded from the victim, to be sent to a provided bitcoin address.


Developers behind WildFire Locker return with the surfacing of Hades Locker (detected by Trend Micro as RANSOM_HADESLOCK.A). In August, following the fall the ransomware’s command & control center to the hands of the organizations behind NoMoreRansom.org, WildFire Locker has since disappeared from the scene, its decryption keys accessed by security vendors and researchers.

Hades Locker encrypts files targeted from the mapped drives of a victim’s system then appends the extension ".~HL" and the first five characters of a unique encryption password sent from the ransomware’s C&C server. Shadow Volume Copies are also deleted in order to prevent victims from recovering files. A ransom note will then be displayed, showing payment instructions. A ransom of 1 bitcoin, or an amount equivalent to over US$600, is then demanded from the victims to be sent to a bitcoin address belonging to developers that call themselves Hades Enterprises. This amount doubles when the ransom is not paid within the given timeframe.

The continued development of new ransomware families and the surfacing of updated variants shows that this cyber extortion malware is still profitable for cybercriminals. An effective defense against ransomware involves the adoption of a multi-layered approach that secures all possible gateways of compromise. A solid back-up of valuable files, on the other hand, mitigates the damage from data loss caused by a ransomware infection.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.