Ransomware Recap [Sept. 2, 2016]: CryLocker Uses Imgur as C&C

September 06, 2016

ransom-recap-sept2Last week, Trend Micro researchers have started paying close attention to a particular ransomware strain that is reportedly dropped via the Rig exploit kit. Not long after, Sundown exploit kit was also seen distributing a ransomware variant, called CryLocker (detected as Ransom_MILICRY.A), with similar behavior and evasion tactic, which interestingly involves the use of a legitimate image upload service.

Following encryption of targeted files, the ransomware in question collects information from the victim’s machines and packages them into a malformed .png file before it uploads it in an album found in Imgur, a legitimate site, which in turn serves as its C&C server. Apart from appending a .cry extension to its encrypted files, which is similar to a Buddy ransomware, there appears to be no previously-detected family affiliated or connected to this particular ransomware strain. However, analysis and observations on its behavior and its reach are still ongoing.

Interestingly, a ransomware strain called FairWare emerged at the beginning of the week, reportedly targeting Linux users by hacking a Linux server—demanding a ransom of 2 bitcoins on a 2-week deadline. Not long after, researchers at Duo Security reported malicious activity on Redis server that resulted into the installation of a fake ransomware. This then led to the discovery that FairWare was in fact a scam disguised as a ransomware infection. Cybercriminals behind the ruse tricks would-be victims that the “hostaged” files are simply locked and in need of a decrypt key, which can be obtained by paying a ransom amount. In truth, there were no indications that the files are archived before it was deleted from the victim’s system.

In the past, an actual ransomware family, Ranscam, did the same—promising to provide a decrypt key following payment of demanded ransom, when in fact, the files had already been deleted. This time, the perpetrators behind FairWare relied heavily on using the idea of losing access to one’s important files as a scare tactic to rake in profit.

[Related: The psychology behind ransomware’s success]

Here are other notable stories that surfaced over the past week:

Cerber 3.0

Cerber’s continuing use of a variety of tactics has made it one of the most familiar ransomware families of late. After leveraging cloud platforms, Windows Scripting, and even distributed denial-of-service attacks on its attack tactics, a new version of this particular family has recently been seen in a malvertising campaign targeting users in Taiwan. Similar to its predecessors, this variant is dropped by the Magnitude and Rig exploit kits with voice mechanism functions found in its earlier variants. After encrypting its victim’s files, the Cerber 3.0 appends a .cerber3 file extension. Interestingly, it even offers a ransom discount, which doubles after a five-day deadline.

Researchers discovered another variant of DetoxCrypto ransomware, Serpico (detected by Trend Micro as Ransom_SERPICO.A), this time targeting users in Croatia as evidently seen in its ransom note written in Serbo-Croatian language. It is interesting to note that upon encryption of the files, the original filenames will be retained. Much like its predecessors, an email address was duly provided as a channel to communicate with the attackers for payment instructions.


At the tail-end of the week, another DetoxCrypto ransomware variant, Nullbyte (detected by Trend Micro as Ransom_NULLBYTE) has surfaced, leveraging Pokemon Go, yet again. This time, the ransomware strain lures would-be victims to download a repackaged Pokemon Go cheating program, Necrobot (disguising itself as “Necrobot.Rebuilt”). Upon download, the fake application will ask for user credentials, which will then be uploaded to the C&C server before the encryption of victim’s files are staged. A lockscreen display, demanding a ransom payment of .1 bitcoin follows shortly after a _nullbyte extension was appended to the locked files. A screenshot of the last active Windows screen display will also be uploaded onto the ransomware’s C&C, potentially for preserving incriminating information that will later on be used for blackmailing.

The continuing surfacing of new families and updated variants, and even the emergence of scams that feign an infection show that ransomware is not going anywhere anytime soon. However, this should serve as a reminder to end-users and organizations to bolster defensive strategies that would keep ransomware infections at bay and more importantly, to stop the cycle of compromise by not paying the ransom when infected.

Instead, a multi-layered approach that secures all possible gateways from this threat is the best way to defend against ransomware. A solid back-up of valuable files, on the other hand, mitigate damages brought by a ransomware infection.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.