We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.
Read MoreEarly this month, a new variant of mobile ransomware SLocker (detected by Trend Micro as ANDROIDOS_SLOCKER.OPST) was detected, copying the GUI of the now-infamous WannaCry. The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom. After laying low for a few years, it had a sudden resurgence last May. This particular SLocker variant is notable for being one of the first Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.
Read MoreCerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissionsâas much as 40%âfor every ransom paid by the victim. Coupled with persistence, Cerber turned into a cybercriminal goldmine that reportedly earned its developers $200,000 in commissions in a month alone last year.
Being lucrative and customizable for affiliates, itâs no wonder that Cerber spawned various iterations. Our coverage of unique Cerber samplesâbased on feedback from Smart Protection Networkâąâshows enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerberâs impact. Weâve also observed Cerberâs adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries.
A reflection of how far Cerber has come in the threat landscapeâand how far itâll goâis Cerber Version 6, the ransomwareâs latest version weâve uncovered and monitored since early April this year. It sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.
Read MoreWe have tracked three malvertising campaigns and one compromised site campaign using Cerber ransomware after version 4.0 (detected as as Ransom_CERBER.DLGE) was released a month after version 3.0. More details of this latest iteration of Cerber are listed in a ransomware advertisement provided by security researcher Kafeine.
Read MoreSome time ago, I was asked by a colleague to develop a set of Yara rules to detect samples of the Stampado ransomware family. (Yara is an open-source tool used by security researchers to spot and categorize malware samples according to a set of defined rules.)
Stampado is a relatively new Ransomware-as-a-Service (RaaS) threat that’s been on our radar recently. I had access to only a few samples at the time, and first tried looking for common strings among them but had no luck. I then went to compare the files structures and realized all of them had an interesting section at the end of the file, like the one starting at offset 0xde000 as follows:
Read More