Crypto ransomware sightings and trends for Q1 2015

It seems that cybercriminals have yet to tire of creating crypto-ransomware malware.

Since the start of 2015, we have spotted several variants of crypto-ransomware plaguing the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were not limited to that region. Turkey, Italy, and France were also affected by this malware.

We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware.

These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price.

CryptoFortress: “Crypto-Copycat” encrypts files in network shares

TorrentLocker is one of the many crypto-ransomware variants that first emerged as CryptoLocker copycats. These copycats usually presented a ransom note similar to CryptoLocker’s (in the form of a user interface, or UI) or simply announced to their victims that their files were “encrypted by CryptoLocker.”

TorrentLocker ransom note that uses CryptoLocker branding

But it seems TorrentLocker now has its own copycat. It was reported earlier this month that a TorrentLocker variant was being pushed by the Nuclear Exploit Kit. Its ransom note is identical to TorrentLocker’s; the only difference is that it presents itself as “CryptoFortress.” Examining the malware, we found that CryptoFortress, detected as TROJ_CRYPFORT.A, only mimics the UI of TorrentLocker; its behavior is different from TorrentLocker’s. Below is a quick comparison of the three variants.

Differences among CryptoLocker, TorrentLocker, and CryptoFortress

CryptoFortress might list fewer file extensions, but the number of files it actually encrypts could be higher, since it uses wildcards when searching for files to encrypt. Using wildcards means that anything and everything that meets a set condition will be considered valid and included in the result. Thus, any file whose extension satisfies one of the wildcard patterns will be encrypted.
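To make the wildcard point concrete, the following added example (not code from the original post or from any of the malware described) compares an explicit extension list against wildcard patterns over a constructed directory listing. The file names, the explicit list, and the patterns are all assumptions chosen for illustration; the point is how many additional files a handful of wildcards pulls in.

```python
import os
from fnmatch import fnmatch

# Constructed sample listing of a victim's documents folder (not from the post).
SAMPLE_FILES = [
    "report.doc", "report.docx", "budget.xls", "budget.xlsx",
    "photo.jpg", "photo.jpeg", "scan.jp2", "notes.txt",
    "archive.zip", "backup.bak", "backup.bk1", "model.blend",
    "readme.md", "config.ini",
]

# An explicit target list: one exact extension per entry (assumed for illustration).
EXPLICIT_EXTENSIONS = {".doc", ".xls", ".jpg", ".txt", ".zip"}

# Wildcard patterns: each one covers a whole family of extensions
# (assumed for illustration; the post does not list CryptoFortress's patterns).
WILDCARD_PATTERNS = ["*.doc*", "*.xls*", "*.jp*", "*.txt", "*.zip", "*.b*"]


def match_explicit(files, extensions):
    """Files whose exact extension is in the explicit list."""
    return sorted(f for f in files if os.path.splitext(f)[1].lower() in extensions)


def match_wildcards(files, patterns):
    """Files matching any wildcard pattern (lower-cased so matching is case-insensitive)."""
    return sorted(f for f in files if any(fnmatch(f.lower(), p) for p in patterns))


def wildcard_expansion(files, extensions, patterns):
    """Compare both strategies and report the files only the wildcards reach."""
    explicit = match_explicit(files, extensions)
    wildcard = match_wildcards(files, patterns)
    extra = sorted(set(wildcard) - set(explicit))
    return {"explicit": explicit, "wildcard": wildcard, "extra": extra}


if __name__ == "__main__":
    result = wildcard_expansion(SAMPLE_FILES, EXPLICIT_EXTENSIONS, WILDCARD_PATTERNS)
    print(f"explicit list hits {len(result['explicit'])} files, "
          f"wildcards hit {len(result['wildcard'])} files")
    print("reached only by wildcards:", ", ".join(result["extra"]))
```

On this sample the explicit list reaches 5 files while six wildcard patterns reach 12, including variants (`.docx`, `.jpeg`, `.jp2`) and every extension starting with `b`. For defenders, the takeaway is that a backup or monitoring policy keyed to a fixed extension list underestimates what such a family will touch.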

It is also capable of encrypting files in network shares. This changes the threat landscape for crypto-ransomware since others only encrypt remote files in mapped network drives.

CRYPAURA: Scare tactics

Another crypto-ransomware, CRYPAURA, has the odd distinction of using the word “ebola” in its routines. When it first came into the landscape, it used the email address id-{id}_help@antivirusebola[.]com as part of its communication routines. TROJ_CRYPAURA.F, the latest variant of the CRYPAURA family, appends the string “id-{id}_fud@india[.]com” to the file name of encrypted files. This string is also the email address that the victims are instructed to contact for further decryption instructions.

The new variant is not so different from other crypto-ransomware variants in terms of its routine. However, the number of targeted file types shot up from 39 to 102. Most of these file types are backup files for various applications, while others are files associated with drawing, 3D modeling, music notation, and source code. These might seem like unusual targets, but losing access to these files can be difficult, more so if they are related to work or school. For example, a digital artist working on a big project can be severely crippled by losing access to his illustrations or 3D models.

After encrypting files, the malware will change the wallpaper of the affected system, instructing the victim to contact the said email address. The victims will receive a reply asking them to pay $500 in bitcoins.

Teslacrypt: Leveling up with gamers

Another crypto-ransomware has entered the landscape this month. Teslacrypt, detected as TROJ_CRYPTESLA.A, is the first of its kind as it encrypts data related to games and gaming software, specifically Steam. (Of course, it still encrypts the victim’s documents, media files, and backup files.)

This sudden shift of target victims and target files might be motivated by the fact that enterprises, which are common targets of crypto-ransomware, might be better equipped when it comes to protecting their computers from this type of malware.

Cybercriminals might have also assumed that younger people might not have important documents on their computers that they would be willing to pay to get back. However, victims might be willing to pay the ransom to recover their game-related data, such as in-game purchases, especially when they spent time and money to acquire them.

The games being targeted are popular single-player and online games, like Minecraft, StarCraft II, Assassin’s Creed, Call of Duty, World of Warcraft, and League of Legends.

Upon installation, it attempts to delete the system’s volume shadow copies as a supplement to its file encryption routine. Encrypted files have an .ECC file extension. After encrypting the files in the system, it displays a UI and changes the wallpaper to show its ransom note, which instructs victims to visit a Tor payment site to pay the ransom of US$500 in BTC for decryption. Like some other crypto-ransomware, Teslacrypt offers a free decryption (the “freemium feature”) to convince its victims that their files can really be decrypted.
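Both CRYPAURA (which appends `id-{id}_fud@india[.]com` to encrypted file names) and Teslacrypt (which appends `.ECC`) leave markers in the file name itself, which an incident responder can use to scope an infection from a plain directory listing. The example below is added here and is not code from the original post; the directory listing is constructed, the `[.]` in the post's defanged address is taken to be a literal dot, and the `{id}` is assumed to be alphanumeric. The classifier returns the family and the pre-encryption file name so that the affected data can be inventoried against backups.

```python
import re

# Family name -> pattern for the marker the malware appends to the file name.
# Detection names are the ones given in the post; the exact shape of {id} is an assumption.
RANSOMWARE_NAME_MARKERS = [
    ("Teslacrypt (TROJ_CRYPTESLA.A)", re.compile(r"\.ecc$", re.I)),
    ("CRYPAURA (TROJ_CRYPAURA.F)", re.compile(r"\.?id-[A-Za-z0-9]+_fud@india\.com$", re.I)),
]


def classify(filename):
    """Return (family, original_name) if the name carries a known marker, else None."""
    for family, pattern in RANSOMWARE_NAME_MARKERS:
        match = pattern.search(filename)
        if match:
            return family, filename[:match.start()]
    return None


def scan_listing(filenames):
    """Group marked files by family: {family: [(encrypted_name, original_name), ...]}."""
    hits = {}
    for name in filenames:
        result = classify(name)
        if result:
            family, original = result
            hits.setdefault(family, []).append((name, original))
    return hits


def affected_counts(hits):
    """Per-family count of marked files, handy for an incident summary."""
    return {family: len(entries) for family, entries in hits.items()}


# Constructed directory listing from a hypothetical victim host (not from the post).
SAMPLE_LISTING = [
    "Q1_budget.xlsx.ECC",
    "savegame.sav.ECC",
    "thesis.docx.id-A1B2C3_fud@india.com",
    "drawing.dwg.id-A1B2C3_fud@india.com",
    "holiday.jpg",
    "readme.txt",
]

if __name__ == "__main__":
    hits = scan_listing(SAMPLE_LISTING)
    for family, entries in hits.items():
        print(family)
        for encrypted, original in entries:
            print(f"  {encrypted}  (was: {original})")
    print(affected_counts(hits))
```

The recovered original names are what you check against the backup catalogue; files that have no marker but sit next to marked ones still deserve a hash comparison, since not every family renames what it encrypts.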

The Teslacrypt ransom note (top) is similar to CryptoLocker’s (bottom)

Trendspotting in the threat landscape

To recap, here are some of the trends we’ve seen cybercriminals use for their crypto-ransomware attacks:

1. More file types or extensions are being targeted, in order to cast a wider net of victims.
2. CryptoLocker’s notoriety continues to live on—most new crypto-ransomware use CryptoLocker’s name to extort their victims.
3. Volume shadow copies are now being deleted to prevent file restoration. Shadow Copy is a Windows feature that takes manual and automatic copies of computer files and volumes. Deleting shadow copies places the victims at the mercy of the cybercriminals.
4. Crypto-ransomware has gone “freemium.” Decrypting a few files for free might convince victims that they can still recover their encrypted files.
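Trend 3 above (and the Teslacrypt description earlier) is one of the few ransomware behaviours that leaves a clean host-side signal before any file is lost: shadow copies are normally removed with `vssadmin Delete Shadows` or `wmic shadowcopy delete`, which are rarely run interactively by ordinary users. The example below is added here and is not code from the original post; it runs a simple detection over constructed process-creation log lines in an assumed `key=value` format and flags the deletion commands while ignoring the benign `vssadmin List Shadows`.

```python
import re

# Constructed process-creation events (not from the post). Format is an assumption:
# ISO timestamp, then space-separated key=value pairs, quoted where values contain spaces.
SAMPLE_LOG = """\
2015-03-10T14:02:09Z host=WS01 user=alice image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe List Shadows"
2015-03-10T14:02:11Z host=WS01 user=alice image="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" cmdline="update.exe --silent"
2015-03-10T14:02:12Z host=WS01 user=alice image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe Delete Shadows /All /Quiet"
2015-03-10T14:02:13Z host=WS01 user=alice image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmdline="wmic shadowcopy delete"
2015-03-10T14:05:40Z host=WS02 user=bob image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Rules for the two built-in ways of removing volume shadow copies.
# Case-insensitive and tolerant of an optional .exe suffix and extra whitespace.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def parse_line(line):
    """Split one event into a dict of fields; quotes around values are removed."""
    timestamp, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def detect_shadow_copy_deletion(log_text):
    """Return one alert dict per event whose command line matches a deletion rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        cmdline = event.get("cmdline", "")
        for rule_name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmdline):
                alerts.append({
                    "timestamp": event["timestamp"],
                    "host": event.get("host"),
                    "user": event.get("user"),
                    "rule": rule_name,
                    "cmdline": cmdline,
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['host']} {alert['user']}: "
              f"{alert['rule']} -> {alert['cmdline']}")
```

In practice such a rule is most useful when the alert also carries the parent process (here the log shows an executable launched from a user's Temp folder a second earlier), because that context separates ransomware from an administrator cleaning up disk space.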

Of course, some things have stayed the same, particularly the need for anonymity. Bitcoin is the preferred mode of payment so that the threat actors can stay anonymous. In the same vein, Tor is preferred for hosting payment sites because it provides anonymity and makes an easy takedown of their server, which would hinder their transactions or revenues, less likely.

Evolution and vigilance

These kinds of improvements are reasons why users should always be vigilant in protecting their devices and their files.

Safety practices like installing security software or double-checking emails can go a long way in mitigating threats. For example, never open emails from unknown or unverified senders. Users can first check the reputation of websites before visiting them. When it comes to dealing with unknown or unverified emails, files, or websites, it’s better to err on the side of caution than risk infection. Lastly, we cannot stress the importance of using security solutions for devices, which can block all forms of threats.

Victims who find their files held ransom might be tempted to pay the fee in order to get their files. However, there is no guarantee that the cybercriminals will hold their end of the bargain. Users who pay the fee might just end up without any files or money.

Users can help prevent such instances by regularly backing up their files. The accepted rule for backup best practices is the three-two-one rule: at least three copies in two different formats, with one of those copies stored off-site.

Users may also refer to our other materials on ransomware and crypto-ransomware for more information about these threats:

Hashes of related files are as follows:

  • 4b356b88fb3a3dce1f009e4e92cd4a59383e0764
  • d7085e1d96c34d6d1e3119202ab7edc95fd6f304
  • 9174837d72759e33799feac080adeb6280456677

Author: Anthony Joe Melgarejo, Threat Response Engineer at Trend Micro.
