Ransomware Recap: Sept. 16, 2016

On September 15, the Federal Bureau of Investigation issued a public service announcement that strongly urged ransomware victims to report infections to the Bureau. The PSA is likely a response to the fact that ransomware infections had reached an “all-time high” in the first few months of 2016, with newer, more sophisticated variants surfacing on a regular basis. According to the agency, one particular ransomware variant successfully compromised an estimated 100,000 computers daily.

[Threat Report: The Reign of Ransomware]

While reports from media groups and threat research companies consistently describe victims and the losses caused by ransomware attacks on individuals and organizations, the FBI emphasizes that the actual number of ransomware infections is hard to determine given how many cases go unreported. With the public advisory, the agency looks to establish a clearer understanding of the breadth and severity of ransomware attacks.

As such, the FBI noted in its advisory, “Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.”

Here are other notable ransomware stories from the past week:

LockLock

The beginning of the week saw the emergence of a ransomware named LockLock (detected by Trend Micro as Ransom_EDALOCK.A). It appears to be based on the open-source ransomware EDA2, and initial analysis of the attacks shows victims whose IP addresses appear to originate from China. This ransomware encrypts files using the AES-256 algorithm and appends a “.locklock” extension to its targeted file types. The ransom note, in a file named “READ_ME.TXT”, demands that the victim contact the cybercriminals via an email address or Skype. Interestingly, a YouTube channel created by the developer was also found, with a video detailing a possible alternate version of the ransomware.

RAA

Last June, RAA (detected by Trend Micro as RANSOM_JSRAA.A) made its first rounds, notable for being written in JScript. More recently, researchers spotted a new RAA variant (detected by Trend Micro as RANSOM_JSRAA.L) targeting companies via spear-phishing attacks. This evolved variant arrives as a password-protected .zip archive attachment. According to researchers, this is an age-old technique that prevents anti-malware systems from unpacking the file and scanning it for malicious content. The new variant also carries out encryption without needing to communicate with a C&C server. Unlike the earlier version's, its ransom note, written in Russian, does not ask for a specific amount in Bitcoin.
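The password-protected archive trick defeats scanners that must see the content, but a mail gateway can still act on the archive's metadata. The following is an added example, not code from the original post or from Trend Micro: a triage check that reads a zip attachment's central directory and flags entries marked encrypted, plus script entries (RAA is JScript; the wider .jse/.wsf/.vbs list and the quarantine policy are assumptions). The sample archives are constructed inside the block.

```python
import io
import struct
import zipfile

# Bit 0 of the general-purpose flag marks an entry as encrypted (PKWARE or
# AES). A gateway scanner cannot look inside such entries, which is exactly
# why the RAA variant above ships as a password-protected archive.
ENCRYPTED_FLAG = 0x0001
# RAA is written in JScript; the extra extensions are an assumed policy choice.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def inspect_zip_attachment(data: bytes) -> dict:
    """Collect triage facts from the central directory without extracting."""
    facts = {"is_zip": False, "encrypted_entries": [], "script_entries": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except (zipfile.BadZipFile, OSError):
        return facts
    facts["is_zip"] = True
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            facts["encrypted_entries"].append(info.filename)
        if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
            facts["script_entries"].append(info.filename)
    return facts


def should_quarantine(data: bytes) -> bool:
    """Assumed policy: hold any zip with encrypted entries or script files."""
    facts = inspect_zip_attachment(data)
    return bool(facts["encrypted_entries"] or facts["script_entries"])


def build_sample_zip(entry_name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: the standard library cannot write encrypted zips, so
    write a one-entry archive and set the encryption bit in the local header
    (flag field at offset 6) and the central directory record (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")  # central directory header signature
        for offset in (6, cd + 8):
            flags = struct.unpack_from("<H", raw, offset)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", raw, offset, flags)
    return bytes(raw)


if __name__ == "__main__":
    sample = build_sample_zip("invoice.js", b"// constructed stand-in", True)
    print(inspect_zip_attachment(sample), should_quarantine(sample))
```

The check never extracts anything, so it works on archives whose content the scanner cannot decrypt.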

NoobCrypt

It looks like the developers of NoobCrypt (earlier variants detected as Ransom_NOOBCRYPT.A and Ransom_NOOBCRYPT.B) didn't learn much from their first release in July 2016 and are, in fact, still living up to the name. This time, a new variant (detected by Trend Micro as Ransom_NOOBCRYPT.C) reportedly made the mistake of using the same password for all of its victims, which allowed researchers to derive a list of decryption keys from that password. When the screen is locked, a ransom note flashes the words “Made in Romania.” A ransom amount, deadline, and specific bitcoin address are then provided on a per-victim basis for this particular release.

Razy 5.0

Back in July, a ransomware variant with a text-to-speech feature similar to Cerber's was sighted. Razy (detected at the time as Ransom_RAZYCRYPT.A) encrypted files using AES before appending the .razy extension to the locked files. The new variant, dubbed Razy 5.0 by researchers (detected by Trend Micro as Ransom_RAZYCRYPT.B), uses a Jigsaw-inspired ransom note that demands a payment of 10 euros via PaySafeCard. The threat in the note is a soft one, though: researchers noted that, unlike Jigsaw, it does not delete the encrypted files after its set deadline.

Fantom

Fantom, a variant based on the open-source ransomware EDA2, surfaced at the end of August 2016, and a new variant (detected by Trend Micro as Ransom_FANTOMCRYPT.B) was recently spotted with several updates. Fantom now follows the trend of evolved ransomware variants that can encrypt files without having to connect to their C&C servers for keys. Apart from offline encryption, the updated variant adds network share enumeration to its routines and displays a per-victim ransom amount based on the targeted victim's files.

The FBI, in its latest advisory, reiterates that paying the ransom is not a recommended solution. Performing regular backups of valuable files is a far better way to deal with ransomware threats. A solid backup strategy eliminates the leverage cybercriminals enjoy when they hold data hostage, thus stopping the endless cycle of compromise and extortion. Ultimately, a multi-layered approach that seals all possible gateways remains the most effective way to defend against ransomware, as it stops the malware before it can infect systems.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools, such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt files locked by certain crypto-ransomware variants without paying the ransom or using the decryption key.
