    In our 2013 Security Predictions, we anticipated that cybercriminals would focus on refining existing tools instead of creating new threats. Two recent threats, both refinements of previously known ones, illustrate this well.

    CryptoLocker: Latest Ransomware Wave

    Aside from using freebies, contests, or spoofing popular brands, cybercriminals can use other, similarly effective lures from their social engineering toolbox. These include intimidating or even downright scaring users to coax them into purchasing bogus products or simply handing over their data or money. This tactic is clearly on display in threats like FAKEAV and now ransomware.

    Earlier, ransomware had taken a new form, namely police Trojans. These malware typically block access to the system and display a spoofed notice from a local law enforcement agency. The notice accuses the victim of doing something illegal on the Internet and demands payment of a fine.

    However, the latest ransomware variants (known as cryptolockers) now encrypt files in addition to locking the system. This ensures that users will still pay up even if the malware itself is deleted. A recent cryptolocker (detected as TROJ_CRILOCK.AE) also displays a wallpaper with a warning to users. The warning tells users that even if they delete the malware from their system, the encrypted files will remain inaccessible.

    The private key that supposedly unlocks the encrypted files will be deleted should users choose not to purchase it for $300 (or 300 euro). Apart from this routine, the malware's behavior is similar to that of other reported cryptolocker variants.

    How to Keep a Low Profile, SHOTODOR style

    Another way to make an attack successful is to remain unnoticed by users and even by antimalware software. We’ve encountered BKDR_SHOTODOR.A, which uses garbage code and randomly named files to take obfuscation to the next level. (Note that the perpetrators of this attack are completely different from those behind the previous one.)

    Currently, the infection vector has yet to be determined. Based on our analysis, the threat starts with a dropper component, which drops multiple files onto the affected system. Looking closely at these files, most contain only numeric values, while others contain harmless data. However, one file stands out because of its large size. It, too, contains numeric “garbage” strings, but in reality these hide the actual malicious code: an obfuscated AutoIt script.

    The question then is, how is the malicious code executed? One of the dropped files contains an AutoIt script interpreter, which loads the obfuscated script mentioned earlier. Once loaded, the script builds the rest of the malicious code by collecting the pieces stored in the other dropped files. In doing so, it constructs an executable in memory and injects it into a normal process. This injected executable performs the backdoor routines (e.g., communicating with the C&C server, executing malicious commands, etc.).

    By opting to “disperse” the malicious code across files and reassemble it later into a malicious executable, the threat actors are clearly attempting to evade detection and remain hidden. All the related files are detected by Trend Micro as BKDR_SHOTODOR.A.
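    The dispersal described above leaves a triage clue of its own: a set of sibling dropped files that are mostly numeric text, with one far larger than the rest. The following Python heuristic, added here as an illustration and not part of the original post or of any Trend Micro tool, scores a constructed set of dropped files by digit ratio and size relative to its siblings to surface the likely payload carrier for closer analysis. The file names and contents are invented stand-ins, not real SHOTODOR artifacts.

```python
import statistics

# Constructed sample of a dropper's output: a few small files holding numeric
# values, one harmless text file, and one oversized file made mostly of numeric
# "garbage" strings (stand-in for the obfuscated payload carrier). Invented data.
SAMPLE_DROP = {
    "a1.dat": b"17 42 9 301 5",
    "b2.dat": b"88 12 0 7",
    "c3.dat": b"3 1024 77",
    "readme.txt": b"This folder is used by the application for cache data.",
    "x9.dat": (b"4819237465 " * 400) + (b"10293847561 " * 400),
}


def digit_ratio(data: bytes) -> float:
    """Fraction of bytes that are ASCII digits (0.0 for an empty file)."""
    if not data:
        return 0.0
    digits = sum(1 for b in data if 0x30 <= b <= 0x39)
    return digits / len(data)


def find_payload_candidates(files, min_digit_ratio=0.7, size_factor=5.0):
    """
    Triage heuristic: among sibling dropped files, flag those that are
    (a) mostly numeric text and (b) far larger than the median sibling.
    Returns a list of (name, size, digit_ratio) tuples, largest first.
    Thresholds are assumptions chosen for this sample, not tuned constants.
    """
    sizes = {name: len(data) for name, data in files.items()}
    median = statistics.median(sizes.values()) if sizes else 0
    hits = []
    for name, data in files.items():
        ratio = digit_ratio(data)
        if ratio >= min_digit_ratio and sizes[name] > size_factor * median:
            hits.append((name, sizes[name], round(ratio, 3)))
    return sorted(hits, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for name, size, ratio in find_payload_candidates(SAMPLE_DROP):
        print(f"{name}: {size} bytes, digit ratio {ratio}")
```

Running it on the sample flags only x9.dat; the small numeric files are numeric too but are not size outliers, and the text file fails the digit-ratio test.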

    These threats highlight how attackers, instead of creating completely new kinds of threats, are opting to modify existing ones that still work. While not completely “new”, they still pose a significant threat to users today.

    To protect your systems from these threats, always observe best computing practices: avoid visiting unverified sites, clicking links from unknown sources, and opening or executing attachments from dubious email messages. Trend Micro protects users from these threats by detecting the malware cited in this blog.

    With additional analysis from Alvin Bacani and Lenart Bermejo.


    • Lirodon

      CryptoLocker is a revival of the original form of Ransomware.

      Except this is even scarier.

    • Riqui

      malwarebytes pro would stop it with file execution protection.

    • Lukas

      Unfortunately, our small company – 18 users, mostly working on terminal servers – got that virus too. Using Trend Micro small business advanced security, but it didn’t work for us. One careless user and the whole company paralyzed. If the backup data are encrypted too, the last chance is to pay the amount and hope for decryption.

    • ash

      how can I make it go away

    • Drew Palmer

      I’m a fanboi though I know it’s just a matter of time, but is this ransomware in the wild yet for Mac?

      • TrendLabs

        Hi there, Drew.

        As far as we know this ransomware only works for Windows systems. We’ll post updates should we see variants that work for Mac.

    • slipstream

      Regarding SHOTODOR:

      This looks like the output of CryptME, a product sold on hackforums.

      I’ve found plenty of binaries that were put through CryptME.

      Most, when unpacked, turned out to be RATs of some sort, generally darkcomet.

    • Sivanesan

      Hi, I am using Trend Micro Worry-Free Business Security version 7, and one of my colleague’s systems got affected with the CryptoLocker virus and all data are encrypted.
      I have removed the virus using the ComboFix tool, but after that we are unable to access the files. Can anyone suggest how to decrypt the files?

      • guest

        You can’t.

        “Unfortunately at this time there is no way to retrieve the private key
        that can be used to decrypt your files. Brute forcing the decryption key
        is not realistic due to the length of time required to break the key.
        Also any decryption tools that have been released by various companies
        will not work with this infection. The only method you have of restoring
        your files is from a backup or Shadow Volume Copies if have System
        Restore enabled. More information about how to restore your files via
        Shadow Volume Copies can be found in this section below.”

      • TrendLabs

        Hi Sivanesan,

        Unfortunately, the response from the guest below is correct. The files can’t be decrypted.

    • Tom O’Connor

      Good prediction, guys. Actually, I only saw someone posting a link to a PC Mag article on this today. Go team Trend Micro!

    • ivankgb

      We have OfficeScan 10.5 build 1083 and got hit. Now on support with TM to find out if we could’ve prevented this with a higher version of OfficeScan. We also have ScanMail for MS Exchange with the latest virus pattern installed (10.341). Does anyone have 10.6 installed?

      • TrendLabs

        Hi ivankgb,

        We suggest that you continue to coordinate with our support team as they are the best people who can assist you with this. Thank you!

    • Andrew Drummond

      I got hit with this last week and had Trend Micro Running. Nice catch…

    • Jeremy Schechner

      I have SBS and HES for our small business, and neither product caught the virus. I had to remove it from two machines and am now dealing with the encrypted files.

      Is there a TM product that could have prevented this?

      • TrendLabs

        Hi Jeremy,

        All Trend Micro products have been updated to prevent infection (thus also preventing the encryption of the files).

        Hope this helps!

    • Samir Patel

      The question I have is: is Trend Micro able to block ransomware before it’s too late and the files are encrypted? And if so, which Trend Micro products are able to do this?

      • TrendLabs

        Hi Samir,

        Yes. The ransomware is detected even before the file encryption routine is triggered. As mentioned above, all Trend Micro products are updated to prevent infection.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice