Cybercriminals from around the world are still abusing Hidden Tear, which was originally released to educate and enlighten people about ransomware. This week we’re seeing the continuation of ongoing trends, not only with the use of open source code but with ransomware diversifying and getting regional variants. Ransomware developers are also diverging from the usual threat behavior, now including entertainment and public service announcements with their malware.
The increase of Hidden Tear variants
Hidden Tear has been a problem since July of 2016, when we first detected variants based on the open source ransomware. The activity of Hidden Tear variants peaked in October 2016, but dropped quickly after. However, activity has picked up again in 2017, with a 142% increase in March compared to January.
One of the main problems of open source ransomware is that it allows even novice hackers to develop more dangerous versions of the original and launch sophisticated attacks. The proliferation of Hidden Tear variants we’ve been seeing only emphasizes the hazards of releasing this type of code.
D3evilH0rn ransomware (detected by Trend Micro as RANSOM_HIDDENTEARANONFIVE) is one newly detected Hidden Tear variant. D3evilH0rn sets the ransom at .5 Bitcoin, or around US$600, and attaches .anonfive to encrypted files. It is still being developed.
Another Hidden Tear variant called Dikkat (detected by Trend Micro as RANSOM_HIDDENTEARDIKKAT.A) that targets Turkish speakers is also in development, as well as the Gembok ransomware (detected by Trend Micro as RANSOM_HIDDENTEARGEMBOK.A) which targets Indonesian users. Gembok targets only nine file types and asks victims to contact a Gmail address for more details.
Figure 1. The ransom note of the Hidden Tear-based Turkish ransomware Dikkat
The ransomware XYZware (detected by Trend Micro as RANSOM_HIDDENTEARXYZ) is a variant that possibly originates from Indonesia. The source code is copied from another Hidden Tear-based ransomware called Mafiaware (covered by Trend Micro as RANSOM_CRYPTEAR.SM), which was created by an Indonesian hacker. XYZware's ransom is set at only .1 Bitcoin (around US$120), and the developers ask that proof of payment be sent to a Gmail address.
Hidden Tear game changers
Every ransomware developer has different demands, but this one is particularly unusual. Instead of demanding money, they demand participation. Dubbed RensenWare (detected by Trend Micro as RANSOM_HIDDENTEARRENSEN.A), this Hidden Tear-based variant forces the victim to play “TH12~ Undefined Fantastic Object” and meet a certain score to recover the files. It’s unclear what the motive behind this ransomware is, but the developers seem to be invested in this game.
Figure 2. The RensenWare ransom note includes a mascot
Like RensenWare, another ransomware that forgoes the ransom payment is the Hidden Tear-based variant Kindest ransomware (detected by Trend Micro as RANSOM_HIDDENTEARKINDEST.A). Once a device is infected with “the Kindest ransomware ever” they are given a link to more material teaching them about ransomware, without demanding a cash ransom. Though this is unusual, it isn’t the first educational ransomware that teaches victims through experience.
Figure 3. The Kindest ransomware includes a link to a YouTube video on ransomware
Multi-alias Chinese ransomware
A departure from all the Hidden Tear variants this week is a Chinese ransomware with a lot of aliases: LLocker, lucky88, ruFucker, 003Lock, lambdaE-speakingNC, AlphaE, BloodCrypt, TrueFucker (all detected by Trend Micro as RANSOM_LAMBDALOCKER.A). Written in Python and compiled to an .exe file, this particular ransomware demands .5 Bitcoin, or roughly US$600, and gives its victims a top ten list of Bitcoin trading sites for easier payment. The authors call themselves the LambdaAntiSocietyTeam (LASTeam) and NukeScriptTeam.
Figure 4. LLocker ransom note
This week we see that ransomware is a global problem, which is only exacerbated by resourceful developers who take advantage of any new technology or code. Users from different countries have to be aware that these threats continue to grow, and they can come from cybercriminals that may be familiar with local social engineering lures, vulnerabilities, and weak points.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.