
Price Hikes and Deadlines: Updates in the World of Ransomware

  • Posted on: August 7, 2015 at 2:40 am
  • Posted in: Malware, Ransomware
  • Author: Trend Micro

During the first quarter of 2015, we saw ransomware variants evolve to do more than simply encrypt valuable files: CryptoFortress targeted files on shared network drives, while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to raise the ransom price once a deadline passes.

Time-Sensitive Crypto-Ransomware in AU Spam Run

A recent attack on an Australian company revealed a new TorrentLocker variant that can double the price of decryption after a deadline of five days.

The attack started with a business email. We noted a TorrentLocker spam run targeting Australia that most likely delivered the malicious email. TorrentLocker is a persistent threat in the region, as we mentioned earlier this year.

After a manager clicked on one of these malicious emails, their system was infected with the crypto-ransomware TROJ_CRYPLOCK.XW. Nothing appeared to happen at first; the manager deleted the email and thought nothing of it until hours later. By then, it was too late.

By the time the warning appeared, the malware had already encrypted 226,000 files. All the IT admins could do was stare at a screen demanding AU$640 within five days, after which the price would double to AU$1,280.

Figure 1. Screenshot of TROJ_CRYPLOCK.XW showing deadlines and prices

The malware can encrypt text, image, data, web, database, video, backup, and other file formats. It encrypted the local drives alphabetically, starting with the C: drive. It then moved on to the network drives, again alphabetically: first by workstation name, then by share name.

Once done, it deleted traces of itself from the machine, leaving only the .ZIP file in the Temporary Internet Files folder and some HTML warnings.
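The attack above ran unnoticed for hours while files were encrypted in a predictable order. One defensive use of that ordering is canary files: decoys placed where an alphabetical walk reaches them early, re-hashed on a short interval so that the first rewrite or rename raises an alarm before most real data is touched. The script below is an added example, not code from the original post or from Trend Micro; the canary names, the placement reasoning and the simulated tampering in `demo()` are our assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen (our assumption) to sort ahead of ordinary documents in a
# directory listing, so a walker that encrypts in alphabetical order hits
# them first.
CANARY_NAMES = ["!aaa_canary.docx", "00_canary.xlsx"]
CANARY_BYTES = b"CANARY FILE - do not edit. Any change here means bulk file tampering.\n"


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def plant_canaries(root):
    """Write canary files under `root` and return the baseline {path: sha256}.

    In practice `root` would be the root of each local drive and of each
    share the clients can write to, matching the walk order described above.
    """
    root = Path(root)
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(CANARY_BYTES)
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline):
    """Return (path, reason) for every canary that is gone or whose content
    no longer matches the baseline. A file encrypted in place shows up as
    'content changed'; a file renamed to a new extension or deleted shows up
    as 'missing'. An empty list means no tampering was observed."""
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
        elif sha256_of(p) != expected:
            alerts.append((path, "content changed"))
    return alerts


def demo():
    """Self-contained scenario in a temporary directory: plant, confirm a clean
    check, then simulate one canary being encrypted in place and another being
    renamed away. Returns (clean_alerts, tampered_alerts)."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        clean = check_canaries(baseline)
        first, second = (Path(p) for p in baseline)  # dict keeps CANARY_NAMES order
        first.write_bytes(os.urandom(len(CANARY_BYTES)))  # random bytes stand in for ciphertext
        second.rename(str(second) + ".encrypted")        # renamed as many families do
        tampered = check_canaries(baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    for path, reason in tampered:
        print(f"ALERT {reason}: {path}")
```

Run `check_canaries()` from a scheduled task every minute or so and treat any alert as a reason to isolate the host and the share it maps; the canaries only buy time, they do not prevent encryption of whatever the walker reached first.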

Since the business owner did not engage with the cybercriminal, the company lost thousands of valuable files, including business-related databases.

Time Options in New Ransomware Platform

In the same vein of time-sensitive threats, we also saw a new ransomware platform, Encryptor RaaS (Ransomware as a Service), which lets its users set both the deadline and the amount by which the ransom increases once that deadline passes. This is detected as TROJ_CRYPRAAS.A.

Figure 2. Welcome page of the RaaS ransomware platform

After encrypting the user's files, the malware launches Internet Explorer to open the decryption page through a Tor2Web gateway, decryptoraveidf7[.]onion[.]to. Tor2Web gateways let users reach Tor hidden services from a normal web browser without installing Tor. The malware also drops the ransom note in the desktop folder.

Figure 3. Ransom note of the RaaS ransomware platform
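Because the decryption page is opened by Internet Explorer on the infected host, the gateway hostname above is a usable network indicator: it shows up in the web proxy log of the very machine that was encrypted. The following is an added example, not code from the original post or from Trend Micro, that refangs the published indicator and scans proxy log lines for it. Assumptions are ours: the log lines are constructed in Squid access.log layout, the post names only the onion.to gateway while the other suffixes are gateways we added, and the 56-character v3 onion form is included for completeness even though only 16-character v2 addresses existed at the time.

```python
import re

# The indicator as the post prints it (defanged so it cannot be clicked);
# everything below refangs it and looks for it in proxy logs.
PUBLISHED_IOC = "decryptoraveidf7[.]onion[.]to"

# The post names only onion.to. The other suffixes are our assumption: other
# Tor2Web-style gateways that serve the same purpose and deserve the same
# scrutiny.
TOR2WEB_SUFFIXES = ("onion.to", "onion.cab", "onion.city", "onion.link", "tor2web.org")

# A hidden-service name (16 base32 chars for the v2 addresses of 2015; the
# 56-char v3 form is added by us) immediately followed by a gateway suffix.
_SUFFIX_ALT = "|".join(re.escape(s) for s in TOR2WEB_SUFFIXES)
ONION_VIA_GATEWAY = re.compile(
    r"(?<![a-z0-9-])([a-z2-7]{16}|[a-z2-7]{56})\.(" + _SUFFIX_ALT + r")(?![a-z0-9-])"
)

# Constructed Squid-style access.log lines (not real traffic): timestamp,
# elapsed ms, client, action/code, bytes, method, URL, user, hierarchy/peer, type.
SAMPLE_LOG = """\
1438934401.123   245 10.0.5.23 TCP_MISS/200 5120 GET http://decryptoraveidf7.onion.to/ - DIRECT/203.0.113.5 text/html
1438934402.456    30 10.0.5.23 TCP_HIT/200 8331 GET http://www.example.com/index.html - DIRECT/203.0.113.9 text/html
1438934403.789   512 10.0.5.41 TCP_MISS/200 2210 GET http://abcdefghijklmnop.onion.cab/status - DIRECT/203.0.113.7 text/html
1438934404.012    41 10.0.5.77 TCP_MISS/200  900 GET http://onion.to/ - DIRECT/203.0.113.5 text/html
""".splitlines()


def refang(indicator):
    """Undo common defanging ("[.]", "(.)", "hxxp", stray spaces) so the
    published indicator can be compared with what the proxy actually logged."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    return re.sub(r"\s+", "", s).lower()


def scan_proxy_log(lines, known_iocs=()):
    """Return (line_no, client, host, severity) for every line that reaches a
    hidden service through a Tor2Web gateway. A host equal to a published
    indicator is tagged 'known-ioc'; any other gateway hit is tagged
    'tor2web-gateway', which is still worth a look because ordinary users
    rarely have a reason to use one."""
    known = {refang(i) for i in known_iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        m = ONION_VIA_GATEWAY.search(line.lower())
        if not m:
            continue
        host = f"{m.group(1)}.{m.group(2)}"
        fields = line.split()
        client = fields[2] if len(fields) > 2 else "?"
        severity = "known-ioc" if host in known else "tor2web-gateway"
        hits.append((n, client, host, severity))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, [PUBLISHED_IOC]):
        print(hit)
```

The client address in a `known-ioc` hit is the host to pull off the network first, since the request was made by the ransomware itself after encryption finished. A `tor2web-gateway` hit without a known indicator is a lead, not a verdict: researchers and the occasional privacy-minded user also go through these gateways, so confirm before acting, and consider blocking the gateway domains at the proxy outright if nobody in the organization needs them.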

Encryptor RaaS encrypts text, audio, video, data, web, compressed, backup, developer, and other file formats.

Figure 4. Decryptor page of the RaaS ransomware platform

Figure 5. Successful payment page of the RaaS ransomware platform

Encryptor RaaS follows in the footsteps of the notorious Tox by offering ransomware as a service and taking a 20% cut of the Bitcoin earnings. Unlike Tox, however, the remaining earnings go straight to the platform users' own Bitcoin wallets rather than passing through the platform creator.

Given news that the creator of Tox is looking to sell his platform, cybercriminals are likely to flock to Encryptor RaaS to build their own ransomware for free.

Recommendations

We have been seeing ransomware variants incorporate deadlines into their routines for some time now, and the feature is rapidly becoming the norm. These continuing upgrades to crypto-ransomware show that users need to stay vigilant about the attack vectors used to get the malware onto their machines.

While installing security software to protect all endpoints is paramount to security, it is equally important to use a multi-layered approach.

  • Always have a backup strategy, most effectively by following the 3-2-1 rule (three copies of your data, on two different media, with one copy kept offsite) as we previously discussed on World Backup Day.
  • Trust products proven to detect ransomware before it reaches your system, whether it arrives as a malicious URL, a malicious email, or through an exploit for an unpatched vulnerability.
  • Given how the Australian company was compromised, it also pays to educate employees about safe email and web browsing practices.
  • Familiarize yourself with the web threats that can lead to ransomware and other attacks:
    • Definition and History of Ransomware
    • Ransomware 101: What It Is and How It Works
    • Ransomware News and Updates

With additional analysis and insights by Jonh Chua, Maydalene Salvador, Nazario Tolentino II, Michael Marcos, Kurt Baeten, and Jon Oliver

Update as of August 11 2015, 12:15 A.M. PDT (UTC-7)

TROJ_CRYPRAAS.A has been renamed to RANSOM_CRYPRAAS.SM.

Tags: CryptoFortress, RaaS, ransomware, TeslaCrypt
