Ransomware Recap: Sept. 30, 2016
Widely-hyped world events are known to be an effective cybercriminal lure, and it's no longer surprising that the hotly-debated US presidential elections is being used as a hook—or as inspiration—for cybercriminal activities. A new ransomware variant was discovered in the wake of last week’s presidential debates, seemingly inspired by Donald Trump (detected by Trend Micro as RANSOM_CRYPTTRX.A). However, the ransomware variant still appears to be in an early stage of development, and does not encrypt files. Instead, it looks for specific files found in the “encrypt” folder, encodes its file names and then renames them with a new extension name, .encrypted. Interestingly, an unlock button restores the names of the renamed files.
Within the same week, news broke about an organization that was hit by a major ransomware attack. Described as the biggest managed cloud computing service in all of the United Kingdom, VESK was reportedly infected by a new variant of SAMAS/SAMSAM, forcing officials into paying the demanded ransom of 29 Bitcoins—an estimated value of £18,600 or US$23,000—to regain access to the affected files.
[Related: Ransomware that Goes After Backups]
The compromise was first spotted on Monday, September 26 after the attack an environment that housed the data of 15% of the company’s clients. Nigel Redwood, chief executive of Nasstar, VESK’s parent company, said in a statement, “On Monday the first thing we did was search the environment and kill the process. We then spent time to determine quickest route to restore services.” He added, “We decided to do that by running restores from backups and also paying for the decryption keys, to attack the problem from both angles.”
As of this writing, the company’s mitigation process has started, and a majority of the company’s systems are operating normally to cater to its customers while waiting to complete the rest of the decryption process. The company has since dedicated 24/7 employee shifts to resolve the situation.
VESK joins the roster of large organizations—such as the Hollywood Presbyterian Medical Center and the University of Calgary—that have been forced to pay the ransom to regain operations. The Federal Bureau of Investigation, however, stands firm on their stance on not paying cybercriminals. The agency, through a recently released public service announcement, also urges victims to report infections to aid in the continuing study and understanding of ransomware and its impact.
Here are other notable ransomware stories from last week:
After encryption, victims are directed to go to a site with an address feigning affiliations to an anti-piracy campaign. A five-day deadline is given to settle a US$100 fine that is available via vouchers through UKash or PayPal My Cash. Interestingly, the ransom note states that if the payment made in Bitcoins or WebMoney, the fee is only $50.
Initially, a malicious PDF file is displayed while an executable file starts the encryption process in the background. Following encryption, another executable file, named TrendMicro.exe executes an audio file along with a .jpg file that serves as the ransom note.
This is not the first time that a DetoxCrypto variant has mimicked a security provider. Weeks prior, security vendor Malwarebytes was also spoofed by a DetoxCrypto variant with a file named“Malwerbyte”. Researchers easily determined that the variant could still be on a trial run since the sample showed no file-encrypting capabilities.
Since June, a major exploit kit campaign, dubbed Afraidgate, has been observed using the Neutrino exploit kit to deliver ransomware. From distributing CryptXXX ransomware, the campaign then shifted to delivering Locky in July. Last month, the campaign began utilizing the Godzilla loader to deliver ransomware. On September 27, Trend Micro researchers observed the Afraidgate campaign switching from Neutrino to Rig exploit kit, and this time, it delivers this Locky variant that uses the .odin extension.
Once a victim takes the bait, they are directed to a malicious link hosting an infected file. The encryption routine will then commence, and later on, a ransom note will be displayed, asking for a 0.7 bitcoins (around US$320). Upon failure to pay the ransom demand in 96 hours, MarsJoke deletes the locked files. Researchers note that the ransom bears an uncanny resemblance to the visual style of CTB-Locker.
The continuous wave of new families and the stream of updates on previously-released variants challenges users and organizations to take a proactive stance to defend against ransomware. Using a multi-layered approach that keeps ransomware out of all possible gateways of compromise is the best way to prevent ransomware. Maintaining regular backups of important files is also the best way to mitigate the damage caused by a ransomware attack.
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware:
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.