WatchPoint Security Blog

November Ransomware in Review

Written by Jordan Kadlec | December 02, 2016

New to WatchPoint is a monthly review of the ransomware variants that appeared over the past month. Numerous variants are released every week, but many never achieve wide distribution, so we focus on the ones that caused users significant trouble.

Cerber v.4.1.0 and Cerber 5.0

Toward the end of October and into early November, Cerber version 4.1.0, dubbed Cerber4, appeared in the wild. It shares many characteristics with earlier versions, but there are enough differences to warrant a breakdown. The main payload is a typical installer that deletes itself once the ransomware is set up. Like most ransomware, Cerber4 encrypts target files upon execution, but instead of appending ‘.cerber’ to each encrypted file it appends a new four-character extension that is not fixed across infections, so detection rules keyed on a single known extension no longer match. In each folder containing an encrypted file, a single README.HTA file displays instructions for paying the ransom to unlock the files.

Cerber4 has also been observed using Akamai infrastructure, possibly Akamai Ghost (Akamai’s edge server), in its distribution. Bundling ransomware with other mainstream crimeware such as adware, spyware, or RATs is a growing trend; the aim is a secondary revenue stream through malvertising alongside the ransom payments themselves.

By the week of Thanksgiving, Cerber 5.0 was already out, with only a few notable changes. When encrypting a file, it now skips the first 640 bytes, compared to 512 bytes in Cerber4, leaving that leading portion (including any file-type magic) as it was. The minimum file size it will encrypt has risen from 1,024 bytes to 2,560 bytes, so any file smaller than 2,560 bytes is left alone. Both details matter for defenders: a detection that only inspects the start of a file will see an intact header, and a bait file placed to detect encryption must be at least 2,560 bytes or this version will never touch it.

Several New Variants of Locky Ransomware

In an article released earlier this week, we noted that Locky ransomware was being spread through Facebook using .JPG images. In this attack, cybercriminals exploit a misconfiguration in Facebook’s infrastructure that forces the file to download when a user clicks on the .JPG image; a user who then opens the downloaded file runs the ransomware. Read more about this form of Locky ransomware here.

Locky is also being distributed through fake Adobe Flash Player updates. This campaign relies on typosquatting, where cybercriminals register domains that users reach by mistyping a website address. As you can see in the screenshot below, the URL in the browser’s address bar is fleshupdate.com, not an Adobe domain. When visiting this site, the user sees a page claiming that their Flash Player is out of date, and the fake update starts downloading automatically. A user who runs the downloaded program gets a Locky ransom note instead of a Flash Player update.

On November 21st, a new Locky variant was discovered, distributed by emails posing as a complaint from the user’s ISP (Internet Service Provider) stating that spam had been detected coming from the user’s computer. These emails carry the subject line ‘Spam Mailout’ and a ZIP attachment containing a JS file; opening the JS file downloads and executes the Locky ransomware. This version of Locky also changes the extension of encrypted files to .aesir.

Three days later (Nov. 24) another Locky variation was discovered, this time sent as emails disguised as order receipts. The subject of these emails is ‘Order #’ followed by a series of random numbers. Once the file inside the attached ZIP is run and Locky installs, it uses the extension .zzzzz for encrypted files.

Unfortunately, there is still no way to decrypt files encrypted by Locky for free, so recovery depends on backups that the ransomware could not reach.
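The indicators described in the Cerber and Locky sections above are easy to sweep for on disk. The following Python script is an added example, not code from WatchPoint or from any of the reports cited here. It takes from the post only the .aesir and .zzzzz extensions, the README.HTA note, Cerber4’s random four-character extension, and Cerber 5.0’s 640-byte skip and 2,560-byte minimum; the sample directory tree, the entropy threshold, the whitelist of ordinary four-letter extensions, and the bait-file name are all constructed for the example. It measures entropy past the skipped header, so an intact file signature cannot hide an encrypted body, and it plants a bait file large enough that Cerber 5.0 would actually touch it.

```python
"""Sweep a directory tree for the encrypted-file indicators discussed above.

From the post: Locky's .aesir and .zzzzz extensions, Cerber4's README.HTA note and
random four-character extension, Cerber 5.0 leaving the first 640 bytes of each
file untouched and skipping files under 2,560 bytes. Everything else here (sample
tree, entropy threshold, extension whitelist, bait-file name) is constructed.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

LOCKY_EXTENSIONS = {".aesir", ".zzzzz"}
CERBER_NOTE = "readme.hta"
CERBER5_SKIP = 640        # bytes left untouched at the start of each file
CERBER5_MIN_SIZE = 2560   # files smaller than this are not encrypted
# Ordinary four-letter extensions that must not trip the "random extension" check.
COMMON_4CHAR = {"docx", "xlsx", "pptx", "html", "jpeg", "json", "yaml", "toml",
                "java", "tiff", "webm", "webp", "mpeg", "flac", "text", "conf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, prose and documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, skip: int = CERBER5_SKIP, threshold: float = 7.5) -> bool:
    """Sample entropy *past* the skipped header, so an intact header (and intact
    file-type magic) cannot mask an encrypted body."""
    if path.stat().st_size <= skip:
        return False
    with path.open("rb") as fh:
        fh.seek(skip)
        return shannon_entropy(fh.read(64 * 1024)) >= threshold


def sweep(root: Path) -> dict:
    """Return paths grouped by the indicator they matched."""
    hits = {"locky_ext": [], "cerber_note": [], "cerber_ext": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower().lstrip(".")
            if name.lower() == CERBER_NOTE:
                hits["cerber_note"].append(str(p))
            elif "." + ext in LOCKY_EXTENSIONS:
                hits["locky_ext"].append(str(p))
            elif (len(ext) == 4 and ext.isalnum() and ext not in COMMON_4CHAR
                  and looks_encrypted(p)):
                hits["cerber_ext"].append(str(p))
    return hits


def plant_decoy(directory: Path, size: int = CERBER5_MIN_SIZE) -> tuple:
    """Write a bait file just large enough that Cerber 5.0 would touch it and
    return (path, sha256). Anything under 2,560 bytes would be skipped by that
    version and so never raise an alarm. The file name is constructed."""
    path = directory / "budget_draft.xlsx"
    path.write_bytes((b"DECOY " * (size // 6 + 1))[:size])
    return path, hashlib.sha256(path.read_bytes()).hexdigest()


def decoy_intact(path: Path, digest: str) -> bool:
    """True while the bait file still exists with its original content."""
    return path.exists() and hashlib.sha256(path.read_bytes()).hexdigest() == digest


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one clean document, one tiny file, two Locky
    victims, one Cerber4 victim (plain 640-byte header, random body) and a note."""
    rng = random.Random(2016)  # deterministic stand-in for ciphertext
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"Quarterly numbers look fine.\n" * 150)
    (docs / "tiny.txt").write_bytes(b"too small to encrypt")
    (docs / "invoice.pdf.aesir").write_bytes(bytes(rng.getrandbits(8) for _ in range(3000)))
    (docs / "photo.zzzzz").write_bytes(bytes(rng.getrandbits(8) for _ in range(3000)))
    header = b"%PDF-1.4 constructed header " * 24  # 672 bytes; first 640 stay intact
    body = bytes(rng.getrandbits(8) for _ in range(3000))
    (docs / "Kq1rTn2XaE.b7f4").write_bytes(header[:CERBER5_SKIP] + body)
    (docs / "README.HTA").write_text("<html>pay to decrypt</html>")


def demo() -> tuple:
    """Build the sample tree in a temp dir, sweep it and check the bait file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        decoy, digest = plant_decoy(root / "docs")
        hits = sweep(root)
        names = {k: sorted(Path(p).name for p in v) for k, v in hits.items()}
        return names, decoy_intact(decoy, digest)


if __name__ == "__main__":
    found, intact = demo()
    for kind, files in found.items():
        print(f"{kind}: {files}")
    print("decoy intact:", intact)
```

The four-character check is deliberately paired with the entropy test: on its own, an unfamiliar extension produces too many false positives, while entropy alone would flag every archive and JPEG on the disk. Keeping the bait file at exactly the 2,560-byte minimum is the point of the example; a smaller one would survive a Cerber 5.0 infection untouched and report nothing.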

CryptoLocker Copycat PClock Resurfaces

While CryptoLocker itself was shut down some time ago, copycats of one of the most damaging ransomware families to date keep appearing. One of them, PClock, has been around since January 2015. Its infection numbers had been low but steady since then, but security researchers have recently picked up a spike in activity from the operators.

PClock is delivered via email, and in its most recent campaign the messages are disguised as fax notifications with a subject line such as ‘PLEASE READ YOUR FAX T4891.’ The subject is rather bland, but the message carries a file named ‘Criminal case against you,’ which is likely to get some users’ attention. When a user downloads and opens the file, a JScript function downloads and installs a piece of malware known as Crimace, a downloader that contacts an online server and then fetches and runs further malware, in this case PClock.

Although PClock has evolved since its inception, it is still regarded as an entry-level operation. Its operators have not set up a decryption service on the Dark Web, which is the standard way most higher-tier ransomware operations handle payment and decryption. The list of files PClock targets has grown twenty-fold, yet victims must still contact the operators by email to obtain the decryption key for their files.
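The Locky and PClock campaigns above share one delivery pattern: a themed subject line and a ZIP attachment holding a script that acts as downloader. The script below is an added example, not WatchPoint’s code or anything from the campaigns’ reports, of triaging an inbound message for that pattern. The subject lines (‘Spam Mailout’, ‘Order #’ plus digits, ‘PLEASE READ YOUR FAX T4891’) and the ‘Criminal case against you’ file name come from the post; the sample message, the sender addresses, the ZIP contents (an inert one-line comment standing in for the downloader), the list of script extensions and the verdict rules are all constructed here.

```python
"""Triage an inbound e-mail for the lure-plus-ZIP-plus-script pattern described
in the Locky and PClock sections. Subjects and file names come from the post;
the sample message, addresses, ZIP contents, extension list and verdict rules
are constructed for this example."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

LURE_SUBJECTS = [
    re.compile(r"^spam mailout$", re.I),                   # Locky, Nov 21 (.aesir)
    re.compile(r"^order #\d+$", re.I),                     # Locky, Nov 24 (.zzzzz)
    re.compile(r"^please read your fax [a-z]\d+$", re.I),  # PClock fax lure
]
# Extensions Windows hands to a script host or runs directly (constructed list).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat",
               ".ps1", ".lnk", ".scr"}


def script_members(zip_bytes: bytes) -> list:
    """Names inside a ZIP whose extension is one Windows executes as a script.
    A corrupt or non-ZIP payload yields no members rather than an exception."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if PurePosixPath(n).suffix.lower() in SCRIPT_EXTS]


def triage(raw: bytes) -> dict:
    """Return subject, a list of (kind, detail) findings and a verdict.
    Any script found (inside a ZIP or bare) is enough to quarantine; a lure
    subject alone is flagged for review; nothing found passes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", "")).strip()
    findings = []
    if any(p.match(subject) for p in LURE_SUBJECTS):
        findings.append(("lure_subject", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            for member in script_members(payload):
                findings.append(("zip_script", f"{name} -> {member}"))
        elif PurePosixPath(name).suffix.lower() in SCRIPT_EXTS:
            findings.append(("bare_script", name))
    kinds = {k for k, _ in findings}
    if kinds & {"zip_script", "bare_script"}:
        verdict = "quarantine"
    elif kinds:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject": subject, "findings": findings, "verdict": verdict}


def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed lure: a short body plus a ZIP holding one file. The member
    is an inert comment line, not a real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed stand-in for the downloader script\n")
    msg = EmailMessage()
    msg["From"] = "abuse@isp.example"        # constructed sender
    msg["To"] = "victim@example.com"         # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Spam has been detected coming from your computer. See the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, zname, member in [
        ("Spam Mailout", "Spam_Mailout_report.zip", "report.js"),
        ("Order #48113", "order.zip", "invoice.txt"),
        ("PLEASE READ YOUR FAX T4891", "fax.zip", "Criminal case against you.js"),
        ("Lunch on Friday?", "photos.zip", "beach.jpg"),
    ]:
        result = triage(build_sample(subj, zname, member))
        print(result["verdict"], "|", result["subject"], "|", result["findings"])
```

The subject patterns are the weakest signal here and are treated that way: they change from campaign to campaign, so a subject match alone only earns a review, while a script inside an archive is quarantined regardless of subject. Checking the payload for the `PK` signature as well as the file name catches archives renamed to look like something else.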

Decryption Keys Released for Several Variants of Ransomware

It’s unclear why some cybercriminals decide to release the keys to their ransomware. Whether they feel guilty about the trouble they have caused, are coming under pressure from investigators, or are clearing the decks for a better version in the hope of catching you again, the result is the same: users need to know these keys and tools exist so they can recover their files for free. Not every entry below is a criminal handing over keys; in some cases researchers found weaknesses in the encryption and published a decryptor. Either way, the practical lesson is to keep encrypted files and ransom notes rather than wiping them, because a working decryptor may appear weeks or months after the infection. Below is a list of ransomware families for which decryption became possible during November.

  • Princess Locker Ransomware
  • Telecrypt Ransomware
  • CrySiS Ransomware
  • Globe Ransomware

CryptoStopper by WatchPoint

2016 has been branded the ‘Year of Ransomware,’ and we don’t expect 2017 to be any different. Cybercriminals are simply making too much money, and their collective earnings are expected to surpass $1 billion by year’s end. Typical solutions like anti-malware, firewalls, and patching aren’t enough on their own anymore. Cybercriminals are becoming more sophisticated with their attacks each day, and purely preventative solutions are struggling to keep up.

Fortunately, WatchPoint has a solution to cure your ransomware anxiety: CryptoStopper. CryptoStopper is an active defense system that employs deception technology to protect networks from ransomware attacks. At $20/Server/Month, CryptoStopper is the best investment you can make to ensure the cybersecurity well-being of your company for the foreseeable future.