During the first quarter of 2015, we saw how ransomware variants have evolved to do more than just encrypt valuable system files. CryptoFortress targeted files in shared network drives while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to increase the ransom price on a deadline.
Time-Sensitive Crypto-Ransomware in AU Spam Run
A recent attack on an Australian company revealed a new TorrentLocker variant that can double the price of decryption after a deadline of five days.
The attack started with a business email. We noted a TorrentLocker spam run targeting Australia that most likely delivered the malicious email. TorrentLocker is a persistent threat in the region, as we mentioned earlier this year.
After opening one of these malicious emails, a manager’s system was infected with the crypto-ransomware TROJ_CRYPLOCK.XW. Nothing happened at first. The manager deleted the email and thought nothing of it until hours later. By then, it was too late.
The malware had already encrypted 226,000 files before it displayed its warning, and all the IT admins could do was stare at a screen demanding AU $640 within five days, after which the price would double to AU $1280.
Figure 1. Screenshot of TROJ_CRYPLOCK.XW showing deadlines and prices
The malware can encrypt text, image, data, web, database, video, backup, and other file formats. It encrypted the local drives alphabetically, starting with the C drive. Network drives were encrypted alphabetically as well, ordered first by workstation name and then by share name.
Once done, it deleted traces of itself from the machine, leaving behind only the .ZIP file in the Temporary Internet Files folder and a few HTML warnings.
Since the business owner did not engage with the cybercriminal, the company lost thousands of valuable files, including business-related databases.
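The infection described above, 226,000 files rewritten in a few hours in alphabetical drive and share order, has a behavioural signature that a defender can look for in file-activity telemetry. The following is an added example, not code from the post or from Trend Micro: a heuristic detector that scans file-write events (timestamp and path, as a file-integrity monitor or EDR agent would record them) and raises an alert when a short window contains a burst of writes across many file types in sorted path order. The log format, the thresholds and the sample events are all constructed for this example.

```python
"""Heuristic detector for crypto-ransomware style mass file modification.

Input is one file-write event per line: "<ISO timestamp> <path>".
An alert is raised when, within a sliding window, many files of many
different extensions are written in sorted (alphabetical) path order,
which is how the TorrentLocker sample walked drives and shares.
Thresholds and the log format are assumptions for this example.
"""
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)   # look-back window for a burst (assumption)
MIN_FILES = 50                   # writes in the window to be suspicious (assumption)
MIN_EXTENSIONS = 5               # distinct file types in the window (assumption)
MIN_ORDERED_FRACTION = 0.9       # share of consecutive writes in sorted order


def parse_event(line):
    """Split "<timestamp> <path>"; the path may itself contain spaces."""
    ts, path = line.split(" ", 1)
    return datetime.fromisoformat(ts), path.strip()


def ordered_fraction(paths):
    """Fraction of consecutive path pairs that are in case-insensitive sorted order."""
    if len(paths) < 2:
        return 1.0
    ordered = sum(1 for a, b in zip(paths, paths[1:]) if a.lower() <= b.lower())
    return ordered / (len(paths) - 1)


def detect_bursts(lines):
    """Return one alert dict per burst of ordered, multi-type mass writes."""
    events = sorted(parse_event(l) for l in lines if l.strip())
    alerts = []
    start = 0
    for end, (ts, _) in enumerate(events):
        # Slide the window start forward until it covers at most WINDOW seconds.
        while ts - events[start][0] > WINDOW:
            start += 1
        window = events[start:end + 1]
        if len(window) < MIN_FILES:
            continue
        paths = [p for _, p in window]
        exts = {os.path.splitext(p)[1].lower() for p in paths}
        frac = ordered_fraction(paths)
        if len(exts) >= MIN_EXTENSIONS and frac >= MIN_ORDERED_FRACTION:
            alerts.append({
                "first_write": window[0][0].isoformat(),
                "last_write": ts.isoformat(),
                "files": len(window),
                "extensions": sorted(exts),
                "ordered_fraction": round(frac, 3),
            })
            start = end + 1  # one alert per burst; start a fresh window
    return alerts


def make_sample_log():
    """Constructed sample: a quiet morning of normal edits, then an 80-file burst."""
    lines = []
    base = datetime(2015, 6, 1, 6, 0, 0)
    benign = [r"C:\Users\alice\report.docx", r"C:\Users\bob\budget.xlsx",
              r"C:\Users\alice\notes.txt", r"C:\Users\carol\photo.jpg"]
    for i, path in enumerate(benign):
        lines.append(f"{(base + timedelta(minutes=25 * i)).isoformat()} {path}")
    burst_start = datetime(2015, 6, 1, 9, 0, 0)
    exts = [".docx", ".xlsx", ".jpg", ".mdb", ".txt", ".pdf", ".bak"]
    for i in range(80):  # sorted names, one write per second, seven file types
        path = rf"C:\Users\finance\docs\file{i:03d}{exts[i % len(exts)]}"
        lines.append(f"{(burst_start + timedelta(seconds=i)).isoformat()} {path}")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(make_sample_log()):
        print(alert)
```

The alphabetical-order check is what separates this from a plain "many writes per minute" rule, which a build job or a backup run would also trip; tune `MIN_FILES` and `WINDOW` to the baseline of the file server being monitored.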
Time Options in New Ransomware Platform
In the same theme of time-sensitive threats, we also saw a new ransomware platform, Encryptor RaaS (Ransomware as a Service), which lets its users set a deadline and the amount by which the ransom price increases once it passes. This is detected as TROJ_CRYPRAAS.A.
Figure 2. Welcome page of the RaaS ransomware platform
After encrypting the user’s files, the malware launches Internet Explorer to access the decryption URL through a Tor2Web site, decryptoraveidf7[.]onion[.]to. Tor2Web sites let users reach Tor sites or hidden services with a normal web browser. The malware also drops the ransom note in the desktop folder.
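Because the malware reaches its decryption page through a Tor2Web gateway rather than through a Tor client, that traffic passes through the organisation's web proxy and can be spotted there. The following is an added example and not code from the post: it parses proxy log lines, refangs defanged URLs so analyst-supplied indicators can be fed in directly, and reports any host that is an .onion name served through a Tor2Web gateway. The gateway suffix list and the log format are assumptions; the decryptoraveidf7 address is the one named in the post, and the other log entries are constructed.

```python
"""Flag Tor2Web gateway traffic in web-proxy logs.

A Tor2Web gateway exposes a hidden service as <onion-name>.<gateway>, for
example decryptoraveidf7.onion.to.  This scanner reports such hosts so a
SOC can catch a victim machine fetching a ransom page.  The gateway list
and the proxy log format are assumptions for this example.
"""
import re
from urllib.parse import urlsplit

# Tor2Web gateway suffixes to match (assumed list; extend it from threat intel).
TOR2WEB_SUFFIXES = {"onion.to", "onion.cab", "onion.city", "onion.link"}

# v2 hidden-service names are 16 base32 characters; v3 names are 56.
ONION_NAME = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def refang(url):
    """Undo common defanging ([.] and hxxp) so indicator lists parse as URLs."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def classify_url(url):
    """Return a verdict dict for a Tor2Web URL, or None for ordinary traffic."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # "onion" must be an inner label with a service name in front of it;
    # a host such as onion.example.org is not a gateway.
    if "onion" not in labels[1:]:
        return None
    idx = labels.index("onion", 1)
    onion_name = labels[idx - 1]
    gateway = ".".join(labels[idx:])
    return {
        "host": host,
        "onion_name": onion_name,
        "valid_onion_name": bool(ONION_NAME.match(onion_name)),
        "gateway": gateway,
        "verdict": "tor2web" if gateway in TOR2WEB_SUFFIXES else "possible_tor2web",
    }


def scan_log(lines):
    """Proxy lines are "<timestamp> <client> <method> <url> <status>" (assumed format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        result = classify_url(fields[3])
        if result:
            hits.append((fields[1], result))
    return hits


# Constructed sample log; the second entry uses the domain named in the post, defanged.
SAMPLE_PROXY_LOG = """\
2015-07-01T10:21:58 10.0.0.12 GET https://www.example.com/index.html 200
2015-07-01T10:22:13 10.0.0.12 GET hxxp://decryptoraveidf7[.]onion[.]to/ 200
2015-07-01T10:22:40 10.0.0.33 GET http://onion.example.org/news 200
"""

if __name__ == "__main__":
    for client, result in scan_log(SAMPLE_PROXY_LOG.splitlines()):
        print(client, result["verdict"], result["host"])
```

A `possible_tor2web` verdict covers gateways that are not yet on the list; the `valid_onion_name` flag helps triage those, since a genuine hidden-service name is always a base32 string of fixed length.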
Figure 3. Ransom note of the RaaS ransomware platform
Encryptor RaaS encrypts text, audio, video, data, web, compressed, backup, developer, and other file formats.
Figure 4. Decryptor page of the RaaS ransomware platform
Figure 5. Successful payment page of the RaaS ransomware platform
Encryptor RaaS follows in the footsteps of the notorious Tox by offering ransomware as a service and taking 20% of the Bitcoin earnings. However, unlike Tox, the Bitcoin earnings go straight to the platform users’ Bitcoin wallets and not to the platform creator.
Given news that the creator of Tox is looking to sell his platform, cybercriminals are likely to flock to Encryptor RaaS to build their own ransomware for free.
We have been seeing ransomware variants incorporate deadlines in their routines for some time now, and the feature is rapidly becoming prevalent. The continuing upgrades to crypto-ransomware show that users need to stay vigilant about the attack vectors that may be used to get the malware onto their machines.
While installing security software to protect all endpoints is paramount to security, it is equally important to use a multi-layered approach.
- Always have a backup strategy, most efficiently by following the 3-2-1 rule as we previously discussed during World Backup Day.
- Trust products proven to detect ransomware before it reaches your system—whether it arrives as a bad URL, a malicious email, or an exploit of an unpatched vulnerability.
- Noting the way that the Australian company was hacked, it pays to also educate employees about safe email and Web browsing procedures.
- Familiarize yourself with Web threats that can lead to ransomware or other threats.
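The 3-2-1 rule in the first recommendation is concrete enough to check mechanically: at least three copies of the data, on at least two different media types, with at least one copy off-site. The following is an added example, not code from the post: a small checker that scores a backup inventory against those three conditions and, because the TorrentLocker sample also encrypted every network share it could reach, additionally reports backup copies that are permanently mounted as network drives and therefore offer no protection on their own. The inventory structure and the two sample plans are assumptions constructed for the example.

```python
"""Score a backup inventory against the 3-2-1 rule.

3 copies of the data (the live copy counts as one), on 2 different media
types, with 1 copy off-site.  A backup on an always-mounted network share
still counts as a copy, but it is flagged as reachable by ransomware that
enumerates shares, and a plan with no isolated copy is reported as such.
Inventory format and sample plans are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str                    # "disk", "tape", "cloud", ...
    offsite: bool = False         # kept at a different physical location
    mounted_share: bool = False   # permanently reachable as a network drive
    is_primary: bool = False      # the live production copy


def check_321(copies):
    """Return a report dict; 'compliant' is True only when no finding was raised."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule wants at least 3")
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append("fewer than 2 media types (" + ", ".join(media) + ")")
    offsite = [c.name for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy; the rule wants at least 1")
    # Backups that sit on a mounted share are encrypted along with the originals.
    exposed = [c.name for c in copies if c.mounted_share and not c.is_primary]
    isolated = [c.name for c in copies if not c.is_primary and not c.mounted_share]
    if not isolated:
        findings.append("every backup copy is reachable as a network share, "
                        "so share-enumerating ransomware can encrypt it too")
    return {
        "compliant": not findings,
        "copies": len(copies),
        "media": media,
        "offsite": offsite,
        "exposed": exposed,
        "findings": findings,
    }


# Constructed sample plans (not from the post).
WEAK_PLAN = [
    BackupCopy("file server", "disk", is_primary=True),
    BackupCopy("NAS nightly", "disk", mounted_share=True),
]
GOOD_PLAN = WEAK_PLAN + [
    BackupCopy("weekly tape", "tape", offsite=True),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("good", GOOD_PLAN)):
        report = check_321(plan)
        print(label, "compliant" if report["compliant"] else "NOT compliant")
        for finding in report["findings"]:
            print("  -", finding)
        if report["exposed"]:
            print("  exposed to share-walking ransomware:", ", ".join(report["exposed"]))
```

The weak plan, a file server mirrored nightly to a NAS mapped as a drive letter, is the configuration the Australian company's story describes failing: one media type, nothing off-site, and the only backup reachable by the same malware that encrypted the originals.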
With additional analysis and insights by Jonh Chua, Maydalene Salvador, Nazario Tolentino II, Michael Marcos, Kurt Baeten, and Jon Oliver
Update as of August 11 2015, 12:15 A.M. PDT (UTC-7)
TROJ_CRYPRAAS.A has been renamed to RANSOM_CRYPRAAS.SM.