Ransomware Recap: Oct. 14, 2016

Trend Micro researchers recently uncovered three malvertising campaigns and a compromised website campaign leveraging one of the most prominent and fast-evolving ransomware variants of late—Cerber. An entry, published early last week, follows the trail of Cerber version 4.0 (detected as RANSOM_CERBER.DLGE) in the said ongoing campaigns, shortly after the release of version 3.0.

Security researcher Kafeine provided an advertisement that highlights the upgrades and marked improvements of the ransomware family in its latest version, including the noticeable shift of its ransom notes from html format to .hta. The use of randomly-generated strings as file extensions for each successful infection is also a new feature, veering away from its earlier variants' use of the extension .cerber3 on encrypted files. According to Trend Micro researchers, the latest Cerber variant has been spotted in the wild since the onset of October, and has since gained traction among cybercriminals.

This development attests to our recently-published threat report elaborating on the continuing reign of ransomware, which details the continuous adoption of exploit kits and ransomware families targeting newer vulnerabilities.

[Related: A look into the exploit kit landscape after Angler]

Since the beginning of October, PseudoDarkleech, a campaign known to operate through compromised websites, shifted to Cerber 4.0 after previously being sighted distributing CrypMic and CryptXXX.

Older malvertisement campaigns have also been observed turning to Cerber 4.0, similar to the way another identified campaign utilizes the Magnitude exploit kit—whose history is no stranger to Cerber. Another campaign, which makes use of an old casino-themed fake advertisement, was discovered to have shifted gears. It used to deliver Andromeda malware (detected by Trend Micro as Neurevt), but started using the RIG exploit kit to drop Cerber 4.0 in early October.

Much more recently, at the onset of October, a new malvertisement campaign was seen distributing Cerber 4.0—merely a month after it was found dropping Cerber 3.0 using the Neutrino exploit kit. Neutrino, however, recently closed shop, with the team behind it reportedly putting it “out of service”.

The same week, a closer probe into the activities of Cerber led Trend Micro researchers towards the discovery of a new method of infection used by its latest version. This time, it involves the use of an infected PDF file (detected by Trend Micro as PDF_CERBER.A) with an embedded JS script.

A message box appears and tricks a would-be victim into opening the malicious document. Once opened, the JS script gets dropped and prompts the download of the latest Cerber version.

Here are other notable ransomware variants reportedly seen over the past week:

Another EDA2-based ransomware variant surfaced over the past week. Called Anubis, the particular variant encrypts files using the AES algorithm and appends them with the extension .coded. The ransom note is then displayed on the victim’s desktop. The text file shows “decryption instructions” that encourage communication with the ransomware operator to learn how to regain access to the files.

A new ransomware variant, Comrade Circle (detected by Trend Micro as RANSOM_COMCIRCLE.A) also emerged over the past week. It takes on the guise of an ongoing Windows critical update while the encryption method is occurring in the background—a routine that is reminiscent of Fantom ransomware, first seen a while back. After its encryption routine is complete, this variant appends the affected files with the extension .comrade and drops a text file that serves as ransom note on the desktop. It also replaces the desktop background of the affected machine and demands a “donation” in the form of bitcoin in exchange for a decryptor tool.

A ransomware variant named Exotic (detected by Trend Micro as RANSOM_EXOTIC.A) was discovered last week, an addition to the stream of online threats made by a group dubbed as EvilTwin or Exotic Squad. This particular variant targets files—including executables—found in targeted folders of a victim’s machine. When encryption is done, this ransomware renames the affected files using a string of random characters and appends each with a .exotic extension. A ransom demand of US$ 50 in bitcoins is then made, with a 72-hour deadline to pay. The ransom note threatens to delete files every five hours while payment has not been made, and to delete all encrypted files once the deadline passes.

According to reports, this ransomware appears to be still in development, with two other variants observed to have come from the same group of perpetrators. The other two variants display an image of the German dictator Adolf Hitler. Another Hitler-influenced ransomware, named Hitler, was also spotted resurfacing recently. However, no links between these similarly-themed variants can be found as of this writing.

APT Ransomware v2.0
Another ransomware based on Hidden Tear was sighted last week. Called APT ransomware v2.0 (detected by Trend Micro as RANSOM_HIDDENTEARAPT.A), this variant appends encrypted files with a .dll extension, and drops an HTML file containing the ransom note in each folder. Victims of this variant are asked to pay a ransom of 1 bitcoin, which amounts to more than US$600. To heighten the sense of urgency, it also imposes a five-day deadline for payment. Failure to pay before the deadline results in permanent deletion of files, and a threat that mined information will be sold in the underground market.

A 72-hour deadline is given by Venis ransomware (detected by Trend Micro as RANSOM_VENIS.A). The ransom note that appears after the encryption process notes that sensitive information has been mined from the victim’s machine. It then threatens to delete encrypted files and expose the mined data to the public if the ransom demand is ignored. According to the ransom note, the cybercriminals behind this variant claim to collect usernames, Google Chrome/Firefox passwords, Facebook message and Skype history (deleted and non-deleted), as well as browser and Tor history. Victims are then directed to a website (venis.pw), which contains payment and decryption instructions. Venis is reportedly still under development.
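As an added example (not code from the original post or from Trend Micro), here is a small Python check a defender could run over a file listing to flag the appended extensions this recap names (.cerber3, .coded, .comrade, .exotic), .hta files of the kind Cerber 4.0 now uses for its ransom note, and folders where many files share an unknown, random-looking extension, which is the Cerber 4.0 pattern. The sample listing, the 3-to-6 character length assumed for random extensions, and the per-folder threshold are constructed assumptions.

```python
import ntpath
import re
from collections import Counter

# Appended extensions named in the recap, mapped to the family that uses them.
KNOWN_EXTENSIONS = {
    ".cerber3": "Cerber 3.0",
    ".coded": "Anubis (EDA2-based)",
    ".comrade": "Comrade Circle",
    ".exotic": "Exotic",
}
# An unknown extension outside this set that appears on several files in one
# folder is reported as a possible random per-infection extension of the kind
# Cerber 4.0 uses; the 3-6 character length and the threshold are assumptions.
COMMON_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".html", ".hta", ".dll", ".exe"}
RANDOM_EXT = re.compile(r"^\.[0-9a-z]{3,6}$")

def scan_listing(paths, threshold=3):
    """Return (indicator, detail) pairs for a list of Windows file paths."""
    findings = []
    per_dir = {}
    for path in paths:
        folder, name = ntpath.split(path)
        ext = ntpath.splitext(name)[1].lower()
        if ext in KNOWN_EXTENSIONS:
            findings.append(("known-extension", f"{path}: {KNOWN_EXTENSIONS[ext]}"))
        elif ext == ".hta":
            # Cerber 4.0 moved its ransom note from .html to .hta; worth a look.
            findings.append(("hta-ransom-note", path))
        per_dir.setdefault(folder, Counter())[ext] += 1
    for folder, counts in per_dir.items():
        for ext, n in counts.items():
            if (n >= threshold and ext not in COMMON_EXTENSIONS
                    and ext not in KNOWN_EXTENSIONS and RANDOM_EXT.match(ext)):
                findings.append(("random-extension",
                                 f"{folder}: {n} files with {ext} (Cerber 4.0-style)"))
    return findings

# Constructed sample listing for the example; not from the original post.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\q3.xlsx.coded",
    r"C:\Users\alice\Documents\budget.comrade",
    r"C:\Users\bob\Pictures\IMG_001.jpg.b7q2",
    r"C:\Users\bob\Pictures\IMG_002.jpg.b7q2",
    r"C:\Users\bob\Pictures\IMG_003.jpg.b7q2",
    r"C:\Users\bob\Pictures\note.hta",
    r"C:\Users\bob\Pictures\holiday.png",
]
```

Running scan_listing(SAMPLE_LISTING) reports the two known extensions, the .hta file, and the Pictures folder with three files sharing the unknown .b7q2 extension; the random-extension heuristic is a triage signal to confirm against the ransom note, not proof of a particular family.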

To defend against ransomware, a multi-layered approach is vital to make sure that all gateways of compromise are secure from this ever-evolving threat. A solid back-up strategy can also mitigate the potential damage of a successful infection.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.
