Ransomware Timeline: Top Stories February 2017

    February was not a game changer for the cyber threat landscape. Crypto ransomware is still the dominant and most toxic type of malicious code in the wild. To their credit, security analysts are getting better at reverse engineering and decrypting these trojans. Read the timeline below to learn how this battle went last month.

Feb. 1, 2017

    Researchers at Avast add three more ransomware decryptors to their collection. The new tools restore data encrypted by the Jigsaw, HiddenTear, and Stampado/Philadelphia strains for free. The company now provides a total of 15 automatic decryption solutions.

Feb. 3, 2017

    An unidentified ransomware sample attacks the IT infrastructure of Licking County, Ohio. The compromise affects a number of the County’s critical services, including the official website, phone systems and the internal computer network. To top it off, the infection also wreaks havoc with local 911 emergency services.

Feb. 3, 2017

    The United Kingdom’s National Crime Agency (NCA) apprehends two 50-year-old individuals in London who allegedly infected the closed-circuit television network of Washington, D.C. with ransomware. The attack took place in mid-January and disabled 65% of the US capital’s CCTV systems.

Feb. 3, 2017

    Security analysts discover a new Ransomware-as-a-Service called Ranion, which is ironically marketed as an educational project. Wannabe cybercrooks can join this RaaS for an annual fee of 0.95 Bitcoin, or 0.6 Bitcoin for six months. Ranion operators do not take a cut of the ransom payments.

Feb. 6, 2017

    It turns out that the Spora ransomware crew provides quality tech support: its agents try to be patient with victims and ask them to write positive reviews of the decryption service in exchange for a ransom discount. The infection also adds a so-called immunizer to prevent Spora from attacking the same machine again in the future.

Feb. 6, 2017

    Android ransomware is evolving into a more intelligent and flexible menace. The sample called Android.Lockdroid.E is one of a kind: it leverages a covert dropper that first determines whether the phone is rooted and then adjusts its activity based on the result.

Feb. 7, 2017

    A new crypto threat known as Erebus takes root. While it appears run-of-the-mill at first sight, it stands out from the crowd in several ways. Erebus easily circumvents the User Account Control prompt and demands a fairly low ransom of 0.085 BTC ($90) for decrypting hostage files.

Feb. 8, 2017

    The ID Ransomware service by MalwareHunterTeam is a true breakthrough in combating file-encrypting infections. It reaches another milestone and is now capable of identifying 300 ransomware families.

Feb. 9, 2017

    The new Serpent ransomware, a HadesLocker family spinoff, proliferates via spam and exploits a Microsoft Word macro vulnerability to infect computers. It currently targets Danish users, leverages a combination of the AES-256 and RSA cryptosystems, and demands 0.75 BTC for decryption.

Feb. 9, 2017

    Not only does the fresh ransomware sample called DynA-Crypt lock down victims’ data, it also records keystrokes, takes screenshots of the desktop, and steals various sensitive information behind the scenes.

Feb. 14, 2017

    Security researchers from the Georgia Institute of Technology take the floor at the RSA Conference to present their proof-of-concept ransomware targeting Supervisory Control and Data Acquisition (SCADA) environments and Industrial Control Systems (ICS).

Feb. 14, 2017

    While summarizing data on the state of the ransomware ecosystem in 2016, Kaspersky Lab found that about 75% of all strains were cooked up by Russian-speaking extortionists.

Feb. 15, 2017

    The latest edition of the Cerber ransomware does not encrypt data belonging to security solutions. It comes equipped with a whitelisting feature that skips files used by firewalls, antispyware and antivirus software. This may be a display of defiance by the extortion crew.

Feb. 16, 2017

    Emsisoft CTO Fabian Wosar demonstrates the process of ransomware analysis and decryption in a live streaming session, during which he was able to crack a new sample called the Hermes ransomware.

Feb. 21, 2017

    ESET publishes a comprehensive report on Android ransomware trends. According to its findings, threat actors are increasingly targeting the Asian market. Android infections mostly arrive via spam or emanate from unofficial app download sources.

Feb. 21, 2017

    Avast releases another free decryption tool that restores data crippled by the latest build of the CryptoMix ransomware. This infection appends the .cryptoshield, .code, .lesli, .rdmk, .rmd, .rscl, or .scl extension to encrypted files.

Feb. 22, 2017

    A ransom trojan called The Trump Locker emerges in the cybercrime arena. It uses virtually the same code as the older Venus Locker infection. The spinoff uses two different extensions (.TheTrumpLockerf and .TheTrumpLockerp) to mark different types of files and requests $50 worth of Bitcoin for decryption.

Feb. 22, 2017

    Jakub Kroustek, reverse engineer and malware researcher at Avast, discovers a new ransomware strain written in Python that uses the AES encryption algorithm and affixes the .d4nk extension to filenames.

Feb. 22, 2017

    ESET analysts spot a sophisticated ransomware sample called Patcher that zeroes in on Mac machines. Its payload poses as patches for popular Mac OS X software. Due to errors in the encryption process, even the ransomware operators cannot decrypt the data.

Feb. 23, 2017

    A new variant of the Android.Lockdroid.E ransomware features a unique way of interacting with victims. After paying the ransom, the infected user is supposed to press a specified button and speak the unlock code aloud. Speech recognition functionality has never been used by online extortionists before.

The emergence of increasingly complex Android lockers proves that ransomware evolution is ongoing. The crooks are experimenting with new extortion niches, and the security industry has yet to come up with an adequate response.

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Source: CyberPunk @ March 4, 2017 at 11:12AM