4 New Encrypting Ransomware Variants to Watch Out for

Each day, Webroot discovers 6,000 phishing sources, 80,000 new malware and potentially unwanted applications and 51,000 new mobile malware.

Cyber threats are even more sophisticated than they were last year and as they continue to grow, the business is ever-changing. And I do mean business. With payouts in the thousands of dollars and fewer barriers to entry, cybercrime has become a lucrative opportunity for the masses. Dubbed Ransomware-as-a-Service, there are now portals where anyone can create a ransomware payload for free. No coding or scripting knowledge is required. Instead, you simply have to input your specifications for the amount to charge, ransom payment window, late fee and more. What's the catch? The portal creator gets a cut of the profit you make. Still, the payout is significant and as business ventures like this grow in popularity, ransomware will become increasingly common.

To help protect your clients against the latest attack tactics, Tyler Moffit, senior threat analyst of Webroot recently joined us for the webinar, Crypto Ransomware - The Who, What, Why and How. There were many takeaways from the program, available for download below, including overviews of four new encrypting ransomware variants.

1. CryptXXX

Unlike ransomware such as Cryptolocker,  and CryptoWall which are triggered through phishing email attacks, the only way to get CryptXXX is through malvertising and hacked websites. This new variant was created by the same cybercriminals who brought you the Reveton FBI lock, a ransomware Trojan that predates encrypting ransomware. Back in 2012, Reveton would install itself onto and lock Windows® computers, launching a false message from the FBI that accused users of violating federal law. These users had to pay a fine to unlock their computers. Four years later, the same creators are back at it.

Now, these malware authors are exclusively using Neutrino exploit kits to develop malicious ads that either infect machines through social engineering or "drive-by downloads." Unlike social engineering techniques which trick users into infecting themselves, drive-by-downloads execute when you simply load web pages that host malvertising ads. In our webinar, Tyler claimed the majority of CryptXXX is installed in this way, which means if your users click a seemingly harmless ad on Facebook, they could be looking at a $500 default ransom payment. CryptXXX is not only easy to deploy, it's also known to drop Dridex, meaning the ransomware will try to steal your users' credentials. We could encounter more drive-by malware in the future, so understanding its behavior and attack vectors is key. CryptXXX may be a sign of what's to come!

So how do victims know when they've been hit? Here's the message that displays:

CryptXXX ransomware

2. CryptoMix

CryptoMix is interesting because it's one of the few examples of ransomware that doesn't collect payment from the DarkNet. Instead, attackers email a link to an encrypted message that lives on a one-time-viewable Web page. Once it encrypts users' files, it leaves a text pad explaining what happened. At the end of the message, victims are asked to email two addresses and are told they'll be contacted within 12 hours. Tyler predicts that this email approach won't catch on because it takes too long. Rather, he believes attackers are likely to infect more machines by providing a link to a site where victims can instantly pay to decrypt their files. Once users email the cybercriminals, they receive a message claiming that they'll receive free tech support. And if that's not enough of a fraudulent promise, the text also states victims' ransom money benefits a children's charity. Oh and that generous donation equates to 5 Bitcoins (BTC), roughly $2,900!

See here:

CryptoMix ransomware

Within this message – which is only viewable once to the unique user – hackers direct their victims to a Bitcoin wallet address to complete the transaction. At no point do they need to enter the DarkNet. Why could this be effective? For some people, the act of installing anything or using onion links to access the DarkNet is either scary or too complex. Rather than miss out on the opportunity to compromise these users' devices, CryptoMix authors decided to keep it simple and just use Bitcoin to increase their chances of receiving payment.

3. Cerber

Cerber is another ransomware variant that's gaining traction. Notice in the still below that it offers slightly more sophisticated language than others. Most notably, the message features a lengthy FAQ section. Here, the malware authors attempt to gain trust by providing helpful, detailed answers to questions about encryption. Offering educational content helps them appear legitimate, which may lead users to believe the hackers will turn over the decryption key if they comply. What makes Cerber particularly nasty, however, is the requested ransom of 2 BTC (~$1,316) and doubled late payment charge of 4 BTC (~$2,632).

Cerber ransomware

4. KeRanger (Mac OS Encrypting Ransomware)

This last variant proves that despite popular belief, Macs definitely get viruses. Many believe Macs are more robust to malware because we often see more attacks on the Windows® operating system. In reality, Windows dominates the market share of computers. It, therefore, makes sense for malware creators to "phish in the biggest pool" and aim their attacks at PCs. With this logic in mind, you still have to protect your clients from schemes that target Mac users, like KeRanger. This new threat is ransomware that's hidden within the torrenting app, Transmission. When a user downloads the Transmission Bittorent client, what appears as a simple real text file is actually a Mach-O 64-bit executable file that will execute three days after you run Transmission. This helps keep the ransomware hidden so that users don't suspect the app they are using for torrenting as the infection source. Instead, they're tricked into thinking the torrents they're pulling down are the culprits. According to Webroot's KeRanger blog post which provides a more detailed overview of the threat, three days later, "the app executes and drops a file called “kernel_service” into the user’s library directory." By naming it this, attackers intend to confuse anyone that looks in Activity Monitor into thinking it's a system process. The app then grabs the infected Mac's model name and UUID, uploading these into one of its Command and Control servers before encrypting.

See KeRanger's process captured in the webinar screen grab below:

KeRanger ransomware

Crypto ransomware is everywhere. As Ransomware-as-a-Service continues to evolve into a formidable business model, your clients will need your services to ensure their data is secure and accessible. The above examples of encrypting ransomware are only a handful of the threats out there. To protect against the onslaught of nefarious activity, it's vital that you adopt a multi-layered security approach when serving your clients!

To learn more about the state of Crypto Ransomware and how to prevent successful attacks, download our full webinar with Webroot here:

Discover the latest crypto ransomware threats and how to protect your end users

Alie Perkus is a an event marketing coordinator for Continuum. Read more Continuum blogs here.