Widely-hyped world events are known to be an effective cybercriminal lure, and it's no longer surprising that the hotly-debated US presidential election is being used as a hook—or as inspiration—for cybercriminal activities. A new ransomware variant was discovered in the wake of last week’s presidential debates, seemingly inspired by Donald Trump (detected by Trend Micro as RANSOM_CRYPTTRX.A). However, the variant still appears to be in an early stage of development and does not encrypt files. Instead, it looks for specific files in an “encrypt” folder, encodes their file names and renames them with a new extension, .encrypted. Interestingly, an unlock button restores the original names of the renamed files.
Within the same week, news broke about an organization that was hit by a major ransomware attack. Described as the biggest managed cloud computing service in all of the United Kingdom, VESK was reportedly infected by a new variant of SAMAS/SAMSAM, forcing officials into paying the demanded ransom of 29 Bitcoins—an estimated value of £18,600 or US$23,000—to regain access to the affected files.
The compromise was first spotted on Monday, September 26, after the attack hit an environment that housed the data of 15% of the company’s clients. Nigel Redwood, chief executive of Nasstar, VESK’s parent company, said in a statement, “On Monday the first thing we did was search the environment and kill the process. We then spent time to determine the quickest route to restore services.” He added, “We decided to do that by running restores from backups and also paying for the decryption keys, to attack the problem from both angles.”
As of this writing, the company’s mitigation process has started, and a majority of the company’s systems are operating normally to cater to its customers while waiting to complete the rest of the decryption process. The company has since dedicated 24/7 employee shifts to resolve the situation.
VESK joins the roster of large organizations—such as the Hollywood Presbyterian Medical Center and the University of Calgary—that have been forced to pay the ransom to regain operations. The Federal Bureau of Investigation, however, stands firm on its stance of not paying cybercriminals. The agency, through a recently released public service announcement, also urges victims to report infections to aid in the continuing study and understanding of ransomware and its impact.
Here are other notable ransomware stories from last week:
STOPI or StopPiracy
A ransomware variant first observed in 2015 resurfaced by the tail-end of last week, leveraging legitimate institutions to trick victims into paying the ransom. The creators of STOPI or StopPiracy (detected by Trend Micro as RANSOM_STOPI.F116IT) make use of Interpol messaging to make would-be victims believe that they violated the law, claiming that illegally downloaded media and software have been located on the would-be victim’s machine. This is a tactic reminiscent of older police ransomware like Reveton. After encryption, this particular variant appears to append random characters unique to each sample. One sample analyzed by our researchers appends the 7m2oLM extension to its locked files and changes the icon of the encrypted files to the malware sample’s icon.
After encryption, victims are directed to a site whose address feigns affiliation with an anti-piracy campaign. A five-day deadline is given to settle a US$100 fine, payable via UKash or PayPal My Cash vouchers. Interestingly, the ransom note states that if the payment is made in Bitcoins or WebMoney, the fee is only $50.
DetoxCrypto
Following its discovery, the creators of DetoxCrypto have since come up with a stream of variants that aim to add to its capabilities. A new variant (detected by Trend Micro as RANSOM_DETOXCRYPTO.A) was spotted last week. Interestingly, this variant spoofs Trend Micro in one of the files that the malware drops.
Initially, a malicious PDF file is displayed while an executable file starts the encryption process in the background. Following encryption, another executable file, named TrendMicro.exe, plays an audio file and displays a .jpg file that serves as the ransom note.
This is not the first time that a DetoxCrypto variant has mimicked a security provider. Weeks prior, security vendor Malwarebytes was also spoofed by a DetoxCrypto variant with a file named “Malwerbyte”. Researchers easily determined that the variant could still be on a trial run, since the sample showed no file-encrypting capabilities.
Locky
Locky once again resurfaced last week, with a variant (samples detected by Trend Micro as RANSOM_LOCKY.AE and RANSOM_LOCKY.AC) that appends a .odin extension to affected files. Similar to its previous variants, this version arrives via spam emails with malicious attachments that download and launch a DLL file, which then encrypts files and appends the .odin extension.
Since June, a major exploit kit campaign, dubbed Afraidgate, has been observed using the Neutrino exploit kit to deliver ransomware. From distributing CryptXXX ransomware, the campaign then shifted to delivering Locky in July. Last month, the campaign began utilizing the Godzilla loader to deliver ransomware. On September 27, Trend Micro researchers observed the Afraidgate campaign switching from Neutrino to the Rig exploit kit, and this time it delivers the Locky variant that uses the .odin extension.
Nagini
Nagini, a character lifted from the fictional world of Harry Potter, seems to be the inspiration for a new ransomware variant (detected by Trend Micro as RANSOM_HORCRUX.A). The variant appears to still be in development, targeting only a handful of popular file extensions such as .doc, .docx, .pdf, .ppt and .pptx.
Apart from the name itself, the ransom note also showcases its pop culture reference, showing an image of another fictional character from the book, Lord Voldemort. Interestingly, it doesn't demand payment in bitcoin, instead requiring a credit card number for payment.
MarsJoke
Researchers unearthed a new ransomware family that is setting its sights on government and educational institution targets. MarsJoke (detected by Trend Micro as RANSOM_JOKEMARS.A) arrives via a classic spam mail campaign claiming to come from an airline.
Once a victim takes the bait, they are directed to a malicious link hosting an infected file. The encryption routine then commences, and later on a ransom note is displayed, asking for 0.7 bitcoins (around US$320). If the ransom is not paid within 96 hours, MarsJoke deletes the locked files. Researchers note that the ransom note bears an uncanny resemblance to the visual style of CTB-Locker.
The continuous wave of new families and the stream of updates to previously released variants challenge users and organizations to take a proactive stance against ransomware. Using a multi-layered approach that keeps ransomware out of all possible gateways of compromise is the best way to prevent infection, and maintaining regular backups of important files is the most effective way to mitigate the damage caused by a ransomware attack.
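As an added illustration of the detection side of that proactive stance (example code written for this page, not Trend Micro's or any product's), the following Python flags a host that renames a burst of files to one of the extensions named in this roundup (.encrypted, .odin, and the 7m2oLM STOPI sample). The rename-event log format, host names, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named in this roundup, mapped to the family that appends them (STOPI varies its extension per sample; 7m2oLM is the one sample cited above).
KNOWN_EXTENSIONS = {
    ".encrypted": "RANSOM_CRYPTTRX.A",
    ".odin": "Locky (.odin)",
    ".7m2oLM": "STOPI/StopPiracy",
}

# Constructed log format (an assumption, not any vendor's real format): "<ISO timestamp> <host> RENAME <old path> -> <new path>"
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

def appended_extension(old_path, new_path):
    """Return the known extension appended to the original name, else None (q3.xlsx -> q3.xlsx.odin)."""
    for ext in KNOWN_EXTENSIONS:
        if new_path == old_path + ext:
            return ext
    return None

def detect_mass_rename(lines, window=timedelta(seconds=60), threshold=3):
    """Flag hosts renaming >= threshold files to a known extension within `window`; returns {host: (family, count)}."""
    events = defaultdict(list)  # host -> [(timestamp, ext)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rename event (e.g. CREATE); ignore it
        ts, host, old, new = m.groups()
        ext = appended_extension(old, new)
        if ext:
            events[host].append((datetime.fromisoformat(ts), ext))
    findings = {}
    for host, evs in events.items():
        evs.sort()  # events may arrive out of order; the window check needs time order
        for i, (start, ext) in enumerate(evs):
            run = [e for e in evs[i:] if e[0] - start <= window]
            if len(run) >= threshold:
                findings[host] = (KNOWN_EXTENSIONS[ext], len(run))
                break
    return findings

# Constructed sample events: WS-07 shows a Locky-style burst, WS-12 a lone rename below the threshold.
SAMPLE_LOG = [
    "2016-09-27T10:00:01 WS-07 RENAME C:\\Docs\\q3.xlsx -> C:\\Docs\\q3.xlsx.odin",
    "2016-09-27T10:00:02 WS-07 RENAME C:\\Docs\\memo.docx -> C:\\Docs\\memo.docx.odin",
    "2016-09-27T10:00:03 WS-07 RENAME C:\\Docs\\plan.pdf -> C:\\Docs\\plan.pdf.odin",
    "2016-09-27T10:00:04 WS-07 CREATE C:\\Docs\\readme.txt",
    "2016-09-27T10:05:00 WS-12 RENAME C:\\Docs\\old.txt -> C:\\Docs\\old.txt.encrypted",
]
```

Running `detect_mass_rename(SAMPLE_LOG)` reports only WS-07; a real deployment would feed it file-system or EDR rename telemetry and tune the window and threshold to normal user activity.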
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.