Ransomware Timeline: Top Stories January 2017

    The ransomware epidemic is getting worse over time. File-encrypting threats are constantly mutating to become harder to detect, analyze and defeat. Home users are not the only ones at risk: businesses, educational institutions, and transportation companies are increasingly targeted by online extortionists as well. The following timeline of noteworthy ransomware events from the last month alone demonstrates all of these trends.


Jan. 3, 2017

    Malware developers pay homage to the FSociety brand in several ways. Denoting a New York-based hacker group from the newsmaking Mr. Robot TV series, this term has become a lure for real-world threat actors. A number of unrelated cybercrime rings launched the following malicious services using this fictional brand name: a DDoS botnet, a screen locker, a Windows rebooter, and three crypto ransomware strains.


Jan. 4, 2017

    The security firm Emsisoft makes a ransomware decryption breakthrough. Fabian Wosar, a well-known malware analyst with Emsisoft, releases an automatic decryptor for the latest generation of the Globe ransom Trojan. Globe version 3 appends the .decrypt2017 or .hnumkhotep extension to hostage files.


Jan. 4, 2017

    The Merry X-Mas ransomware takes root. It propagates via spam emails carrying executable attachments disguised as PDF documents. This strain displays Christmas-themed warning messages in HTA format and appends the .MERRY, .MRCR1, .PEGS1, .RARE, or .RMCM1 extension to encrypted files.


Jan. 4, 2017

    Poland's computer emergency response team publishes an in-depth technical analysis of the CryptoMix ransomware, also known as CryptFile2. According to this research, the infection spreads via the Rig-V exploit kit, uses the AES-256 cipher to lock down victims’ data, deletes shadow copies of the files, and demands a whopping 5-Bitcoin ransom for decryption.


Jan. 7, 2017

    Fraudsters dupe staff at UK schools into installing ransomware. To this end, the black hats cold-call educational establishments while pretending to be government officials. The scammers encourage the staff they reach to open a rogue guidance form received over email. The booby-trapped .zip file contains a ransomware payload that encrypts data and then demands up to £8,000 for recovery.


Jan. 9, 2017

    The above-mentioned Merry X-Mas ransomware starts delivering the DiamondFox malware alongside its own payload. This companion malware steals victims’ sensitive data, adds infected computers to a botnet, and allows attackers to access systems remotely over RDP.


Jan. 9, 2017

    Online extortionists attack numerous MongoDB servers around the globe. The malefactors, including the notorious Kraken group, succeed in hijacking more than 28,000 unprotected MongoDB databases in roughly one week. The cybercrooks demand 0.1 to 1 Bitcoin for hostage data. Later on, ElasticSearch servers suffer a series of similar attacks.


Jan. 10, 2017

    The new Spora ransomware is discovered; it uses an encryption scheme with no known implementation flaws and a professionally designed payment site. It is sophisticated enough to break the victim base down into six categories with a different ransom amount for each. As bizarre as it may sound, Spora’s tech support agents ask victims to write positive reviews about the decryption service in exchange for ransom discounts.


Jan. 10, 2017

    A huge ransomware payout by a school hits the headlines. Having fallen victim to unidentified ransomware, Los Angeles Valley College lost control of its email servers, voicemail systems, and several other services. The college district officials ended up paying a ransom of $28,000 to regain access to the affected IT infrastructure.


Jan. 12, 2017

    The new Marlboro ransomware turns out to be a flop rather than a successful extortion tool. This sample, coded in C++, is easy to identify because it appends the .oops extension to encrypted files. Fortunately, a flaw in its implementation of the XOR cipher allows researchers to create a free decryptor within a day of the campaign's start.


Jan. 12, 2017

    Researchers at Emsisoft succeed in creating a decryption tool for the Merry X-Mas ransom Trojan. The free decryptor can restore data locked down by all known editions of this infection, including the latest one that leaves the Merry_I_Love_You_Bruce.hta ransom note.


Jan. 17, 2017

    Experts note a drastic decline in the Locky ransomware operation. Specifically, the spam volumes distributing this threat have fallen by more than 80% since late December 2016. The reason is that the affiliated Necurs botnet has been offline for about a month. Meanwhile, the threat actors behind Locky switch to the Kovter Trojan as their main infection vector.


Jan. 17, 2017

    Security analysts discover close ties between the operators of Cerber and Spora ransomware strains. In particular, the two campaigns share the same Command and Control infrastructure. This suggests that these infections are run by affiliated cybercrime groups.


Jan. 18, 2017

    Spora ransomware borrows its distribution tactic from computer worms. One of the discovered entry points involves rogue .LNK files that replace original Windows shortcuts. Once double-clicked, these harmless-looking objects execute the ransomware behind the scenes.


Jan. 19, 2017

    Wannabe crooks can leverage the new Satan ransomware-as-a-service (RaaS) to build custom threats. This RaaS is free to use, but its operators take a 30% fee from all subsequent ransom payments. Clients can define the size of the ransom, the deadline before it increases, and how big this increment is.


Jan. 20, 2017

    Fabian Wosar of Emsisoft defeats the encryption of GlobeImposter and releases a free recovery solution. This copycat of the Globe ransomware appends the .crypt suffix to scrambled files and drops a ransom note named HOW_OPEN_FILES.hta with decryption instructions.


Jan. 27, 2017

    Michael Gillespie, a researcher who goes by the handle Demonslay335, spots a new variant of the Jigsaw ransomware in the wild. This one stains encrypted files with the .uk-dealer@sigaint.org extension. Mr. Gillespie updates his previously released Jigsaw decryptor to support the latest edition of this Trojan.


Jan. 30, 2017

    New ransomware called Zyka emerges. It uses the symmetric AES cipher, appends the .lock extension to encrypted data and demands 170 USD/EUR worth of Bitcoin for decryption. IT experts manage to create an automatic decryption tool for this sample.


Jan. 31, 2017

    Distributors of the Spora ransomware come up with an intricate infection mechanism. The malware now arrives as a fake Chrome Font Pack update. Misleading popups displayed on compromised websites tell unsuspecting users to run the update, which is, in fact, a Spora downloader.


Jan. 31, 2017

    A CryptoMix ransomware spinoff called CryptoShield 1.0 uses sophisticated techniques to infect computers. The starting point for the attack is a malicious or hacked website. The so-called EITest script hosted on these pages leads to the RIG exploit kit, which detects unpatched programs on a visitor’s computer and exploits known software vulnerabilities to inject and execute the ransomware.
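Several entries above (Globe v3, Merry X-Mas, Marlboro, GlobeImposter, Jigsaw and Zyka) name the extension the strain appends or the ransom note it drops. Those names are the cheapest indicators a file server or endpoint can watch for. The following added example (not code from the article) builds a small scanner from only the identifiers named in this timeline; the directory listing it runs on is constructed. It also handles the practical caveat that some of these extensions (.lock, .crypt) are used by legitimate software, so those only alert when a burst of them appears.

```python
"""Scan a file listing for the ransomware extensions and ransom-note names
named in this timeline. Added example, not the article's code; the indicator
table is built only from identifiers that appear in the text."""

from collections import Counter
from typing import Dict, Iterable, Optional

# Family markers from the timeline entries. Matching is case-insensitive
# because the samples vary the case of the extension they append.
EXTENSIONS = {
    ".decrypt2017": "Globe v3",
    ".hnumkhotep": "Globe v3",
    ".merry": "Merry X-Mas",
    ".mrcr1": "Merry X-Mas",
    ".pegs1": "Merry X-Mas",
    ".rare": "Merry X-Mas",
    ".rmcm1": "Merry X-Mas",
    ".oops": "Marlboro",
    ".crypt": "GlobeImposter",
    ".uk-dealer@sigaint.org": "Jigsaw",
    ".lock": "Zyka",
}
RANSOM_NOTES = {
    "merry_i_love_you_bruce.hta": "Merry X-Mas",
    "how_open_files.hta": "GlobeImposter",
}
# Extensions ordinary software also produces; one hit alone is not evidence.
NOISY_EXTENSIONS = {".lock", ".crypt"}

# Constructed listing for the demonstration (Windows and POSIX paths mixed).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.MERRY",
    r"C:\Users\alice\Documents\Merry_I_Love_You_Bruce.hta",
    r"C:\Users\alice\Pictures\holiday.jpg.MRCR1",
    r"C:\project\build\.cache.lock",      # ordinary lock file, must not alert alone
    r"C:\Users\bob\report.pdf.oops",
    "/srv/share/notes.txt",
]


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(path: str) -> Optional[str]:
    """Return the family a file name points to, or None for an ordinary file."""
    name = _basename(path)
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    # Longest extension first so a multi-part marker wins over a shorter suffix.
    for ext in sorted(EXTENSIONS, key=len, reverse=True):
        if name.endswith(ext) and len(name) > len(ext):
            return EXTENSIONS[ext]
    return None


def is_strong_indicator(path: str) -> bool:
    """A ransom note or a distinctive extension is enough on its own."""
    name = _basename(path)
    return name in RANSOM_NOTES or not any(name.endswith(e) for e in NOISY_EXTENSIONS)


def scan(paths: Iterable[str], burst_threshold: int = 5) -> Dict[str, int]:
    """Return {family: hit count} for families worth alerting on.

    A family alerts if any strong indicator was seen, or if noisy-extension
    hits alone reach burst_threshold (many files renamed at once).
    """
    hits: Counter = Counter()
    strong = set()
    for p in paths:
        family = classify(p)
        if family is None:
            continue
        hits[family] += 1
        if is_strong_indicator(p):
            strong.add(family)
    return {f: n for f, n in hits.items() if f in strong or n >= burst_threshold}


if __name__ == "__main__":
    for family, count in scan(SAMPLE_LISTING).items():
        print(f"ALERT {family}: {count} file(s)")
```

In practice this runs against a file-server audit log or a filesystem watcher rather than a static listing, and the burst threshold is what keeps a single developer's `.lock` file from paging anyone; a real alert should also capture the owning user and the write timestamps so the responder can see which account did the renaming.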

The main takeaway for end users and companies is to have a plan B in case they fall victim to ransomware. Data backups are the best mitigation, because they allow restoring files without paying a ransom. Furthermore, being reasonably paranoid about email spam can prevent most of these attacks.


About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Source: CyberPunk @ February 21, 2017 at 09:19PM