Active campaigns deliver old and new ransomware families

Cyber crooks’ love for ransomware continues unabated, and user are warned about several active campaigns trying to deliver the malware on target computers.

The campaigns have been set up to distribute different ransomware families. The most well-known and well-documented of these is TorrentLocker. The other two are called CryptoFortress and BandaChor.

The latter is not new – in fact, it was first spotted in November 2014. But lately, the malware is again being delivered via email and possibly also via exploit kits.

BandaChor attempts to encrypt diverse files found on the target computer: Office and image files, database files and archive files, movies and so on.

What’s interesting about this threat is that in order to get the encryption key, users are instructed to contact the criminals via email:

The crooks behind CryptoFortress, on the other hand, stick to the well-known modus operandi that includes asking for a ransom to be delivered in Bitcoin.

When initially spotted by researcher Kafeine several days ago, the ransomware was being pushed onto users via the Nuclear exploit kit, and was not detected by any of the popular AV solutions out there. Five days later, the detection ratio improved: nearly 40 of the 57 AV solutions used by VirusTotal tag it as malware.

Kafeine initially thought that it was a TorrentLocker variant due to the visual presentation of the ransomware, which resembles greatly that of its more popular “cousin.”

The subsequent investigation by ESET researchers showed it’s a distinct ransomware family, and that apart from the stolen HTML templates with its CSS, the two are as diverse as they can be:

Researcher Renaud Tabary has also analyzed CryptoFortress in depth, so you can check out his post for all the technical details about the malware.

“Since a unique key is used to encrypt all the files on the system, it is possible, if an infection is currently in progress, to extract the ransom key from a memory snapshot of the malware process,” he says.

“Sadly, once all files are encrypted the malware immediately exits, freeing the encryption key. If one is quick enough to take a whole snapshot of the physical memory shortly afterwards, it is also possible in theory to recover the key used to encrypt the file from the memory. Otherwise, the only solution left to the victims would be to break the 1024 bit RSA public key.”

As always, users are advised to backup their files often, as sometimes AV solutions are not enough to stop this type of threats, and this is a great way to ensure that you won’t lose all your files to this threat or other incidents (disk failure, for example).