Ransomware Alert: cuteRansomware, Alfa Ransomware, CTB Faker, and Ranscam

ransomware-alertHere's a quick rundown of the ransomware updates and new families discovered within the week:  

cuteRansomware (detected by Trend Micro as Ransom_CRYPCUTE.A)

Found to be based on a source code for a ransomware module called "my-Little-Ransomware" on GitHub, cuteRansomware uses Google  Docs to transmit encryption keys and collect user information to avoid detection. Based on findings, while the ransomware uses Google Docs, it isn’t limited to Google's cloud platform and can be transferred via other cloud apps. cuteRansomware is considered critical as malicious actors are increasingly using the cloud for delivering malware and exfiltrating data via command-and-control and traditional tools lack visibility into SSL—a technique that works to an attacker’s advantage.

Alfa Ransomware (detected by Trend Micro as Ransom_ALFA.A)

Said to be developed by the same group behind Cerber ransomware, Alfa ransomware scans all local drives for certain file types upon infection, targeting up to 142 different file types for encryption. Based on findings, once encrypted, Alfa appends a file extension “.bin” to the encrypted file. Its distribution method is still unknown; however, what is certain is that as of late, its encryption cannot be broken by third-party decrypters.

CTB Faker (detected by Trend Micro as Ransom_ZIPTB.A)

Who says ransomware has to be sophisticated to work? Like the name says, CTB Faker pretends to be CTB Locker ransomware, but instead of encrypting the files on the infected system, CTB Locker moves them into a password-protected ZIP archive and demands a ransom of .08 bitcoins (around US$50) in exchange for the password. CTB Faker, which is actually a WinRAR SFX file, is distributed via fake profile pages on adult sites that contain passwords and links to an alleged password-protected striptease video. As soon as the user clicks on the link in the profile, the ransomware downloads the zip file hosted on JottaCloud. Once the user extracts the contents of the zip files and runs the executable, CTB Faker runs its archiving routine.


Considered low-tech but highly destructive, Ranscam threatens to delete the victim's files unless the ransom of 0.2 bitcoin is paid, but instead of encrypting the files like regular ransomware, it deletes them anyway—which means the victim loses the files even if the ransom is paid. As its name suggests, it's more of a "ransomware scam" than ransomware. According to the report, a compromised user would first notice a ransom note displayed by the malware. It pretends to have moved the user’s files to a “hidden, encrypted partition” instead of leaving the files encrypted in their current location. It's all a lie though—Ranscam already deleted them. 

These four ransomware variants aren’t known to be widely spread, but can be disruptive and even destructive in their own right, especially Ranscam, with its ability to ultimately trick users into paying without giving their files back. Regardless of the type of ransomware family or variant, online best practices such as avoiding opening unverified emails and links embedded in them, and regularly updating software and applications can reduce the risk of getting infected. Backing up files using the 3-2-1 rule can mitigate the effects of the file loss from a ransomware infection.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware such as cuteRansomware, Alfa, CTB Faker, and Ranscam.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.