Lunedì, 17 Ottobre 2016 13:21

Cryplocker (Ransomware)

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker). Other ransomware use TOR to hide C&C communications (called CTB Locker).

The ransom prices vary, ranging from $USD 24 to more than $USD 600, or even its bitcoin equivalent. It is important to note, however, that paying for the ransom does not guarantee that users can eventually access the infected system.

Users may encounter this threat through a variety of means. Ransomware can be downloaded by unwitting users by visiting malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware are delivered as attachments to spammed email.

Once executed in the system, a ransomware can either (1) lock the computer screen or (2) encrypt predetermined files with a password. In the first scenario, a ransomware shows a full-screen image or notification, which prevents victims from using their system. This also shows the instructions on how users can pay for the ransom. The second type of ransomware locks files like documents, spreadsheets and other important files.

Ransomware is considered a "scareware" as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to the FAKEAV malware, though using a different tactic. Instead of capturing the infected system or encrypting files, FAKEAV coax users into purchasing their bogus antimalware software by showing fake antimalware scanning results.

Ransomware 101View infographic: Ransomware 101 - What, How, & Why

Early Years

First cases of ransomware infection were seen between the years 2005 – 2006 in Russia. We first reported this incident back in 2006, in which a ransomware variant (detected as TROJ_CRYZIP.A) zipped certain file types and overwrites these, thus leaving only the password-protected zip files in the user’s system. It also created a notepad, which poses as the ransom note to inform users that they can retrieve their files in exchange for $300.

During its initial phase, ransomware were typically files that encrypt particular file types (.DOC, .XL, .DLL, .EXE, just to name a few).

By 2011, we first reported about SMS ransomware threat, in which users with infected systems were asked to dial a premium SMS number. Detected as TROJ_RANSOM.QOWA, this variant also displays a ransomware page repeatedly to users until they finally pay up the ransom via dialing a certain premium number.

To up the ante, we uncovered a ransomware that infects the Master Boot Record (MBR) of a vulnerable system. By targeting the MBR, this variant prevents the operating system from loading. To do this, the malware copies the original MBR and overwrites it with its own malicious code. After doing this routine, it automatically restarts the system for the infection to take effect. When the system restarts, the ransomware displays its notification (in Russian).

Ransomware Leaps Outside Russia

Ransomware infection was initially limited to Russia. But its popularity and profitable business model soon found its way in other countries across Europe. By March 2012, we have noticed the continuous spread of ransomware infection across Europe (and the United States, Canda). Similar to TROJ_RANSOM.BOV, this slew of ransomware displays a notification page from the victim’s local police agency instead of the typical ransom note (see Reveton, Police Ransomware below).

We also uncovered a different tactic to spread ransomware variants. Certain threat actors compromised a popular French confectionary shop’s website to serve TROJ_RANSOM.BOV. This watering hole-like tactic resulted to widespread infection in France and Japan (where the shop has a significant fan-base). Instead of the usual ransom note, TROJ_RANSOM.BOVdisplays a fake notice from the French police agency Gendarmerie Nationale.

The Rise of Reveton or Police Ransomware

Reveton (also known as Police Ransomware or Police Trojan) is a type of ransomware that impersonates law enforcement agency. These malware typically shows a notification page purportedly from the victim’s local law enforcement agency, informing them that they were caught doing an illegal or malicious activity online.

To know which local enforcement agency is applicable to users, Reveton variants track the geographical location of their victims. Thus, affected users living in the US receive a notification from the FBI while those located in France are shown with a notice from the Gendarmerie Nationale.

Reveton variants also employ a different payment method in comparison to early ransomware attacks. Once a system is infected with Reveton variants, users are prompted to pay through UKash,  PaySafeCard, or MoneyPak. These payment methods afford ransomware perpetrators anonymity, as both Ukash and PaySafeCard have faint money trail.

In 2012, we have seen different types of Reveton variants exhibiting new techniques. During the latter part of that year, we reported about variants that play an audio recording using the victim’s native language and another one bearing a fake digital certificate.

The Evolution to CryptoLocker

In late 2013, we saw a new type of ransomware emerge. These ransomware variants now encrypt files, aside from locking the system. This is to ensure that users will still pay up even if the malware itself was deleted. This new type of ransomware was dubbed as “CryptoLocker” due its new behavior. Like previous types of ransomware, these malware demand payment from affected users, this time to unlock their now-encrypted files. 

CryptoLocker message

CryptoLocker scan
Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

The malware uses an AES key to encrypt files.  The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available.

Further research revealed that a spam campaign was behind the CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its having small file size and a simple downloading function. It downloads a ZBOT variant which then downloads the CryptoLocker malware.

Near the end of 2013, a new variant of  CryptoLocker emerged —with propagation routines. This variant, WORM_CRILOCK.A, can spread via removable drives, a routine unheard of in other CRILOCK variants. This means that the malware can easily spread compared to other variants. This new variant doesn’t rely on downloader malware like CRILOCK to infect systems; rather, it pretends to be an activator for software in peer-to-peer (P2P) file sharing sites. Technical differences have led some researchers to believe this malware is a product of a copycat.

Another file encrypting ransomware soon came into the picture. This malware, known as CryptoDefense or Cryptorbit, like other encrypting ransomware, demands payment for its decryption services. Detected by Trend Micro asTROJ_CRYPTRBIT.H, this variant encrypts database, web, Office, video, images, scripts, text, and other non-binary files. It also deletes backup files to prevent restoration of encrypted files.

The Foray into Cryptocurrency Theft

Ransomware soon began to incorporate yet another element: cryptocurrency (e.g., Bitcoin) theft. We came across two variants of this new malware, called BitCrypt , The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to any encrypted files and uses an English-only ransom note. The second variant, TROJ_CRIBIT.B , appends “.bitcrypt 2″ and uses a multilingual ransom note, with 10 languages included. CRIBIT variants use the encryption algorithms RSA(426)-AES and RSA(1024)-AES to encrypt the files. This malware also requires that the payment for unlocking files come in the form of Bitcoins.

It was discovered that a variant of the FAREIT information stealing malwareTSPY_FAREIT.BB, downloads TROJ_CRIBIT.B. This FAREIT variant can steal information from various cryptocurrency wallets, including wallet.dat(Bitcoin), electrum.dat (Electrum), and .wallet (MultiBit). These files contain important information such as transaction records, user preferences, and accounts.

POSHCODER: PowerShell Abuse

A new variant of Ransomware and Cryptolocker threats surfaced that leverages the Windows PowerShell feature to encrypt files. Trend Micro detects this as TROJ_POSHCODER.A. Windows PowerShell is a built-in feature in Windows 7 and higher. Cybercriminals often abuse this feature to make threats undetected on the system and/or network. 

POSHCODER uses AES in encrypting the files and RSA 4096 public key in encrypting the said AES key. Once all files on the infected system are encrypted, it displays the following image:

Ransomware Infects Critical Files

While crypto-ransomware may have become popular with cybercriminals, this doesn’t mean that other types of ransomware have disappeared from the landscape. We recently came across police ransomware that locks the screen of the infected computer.


What makes this particular ransomware different from other police ransomware is that its infection vector is patched malware. Patched malware is any legitimate file that has been modified (via addition or injection) with malicious code. Modifying a legitimate file can be advantageous to cybercriminals as the rate of execution of malicious code will depend on the infected file’s frequency of use. 

Another distinction for this ransomware is that it infects user32.DLL, a known critical file. Infecting a critical file can be considered an evasion technique as it can help prevent detection by behavioral monitoring tools. Additionally, cleaning critical files such as user32.DLL requires extra care as one misstep can crash a system, which could be seen as a possible obstacle for cleaning tools.

The infected user32.DLL will begin a chain of routines that ends with the ransomware being loaded.  Included in the ransomware’s routines is locking the computer’s screen and projecting a “ransom” image, similar to previous police ransomware messages.

Future of Ransomware

In our 2013 Security Predictions, we predicted that conventional threats like ransomware are likely to evolve gradually, as cybercriminals will focus mainly on refining existing tools. This is partly propelled by the ongoing arms race between certain cybercrime groups and security researchers. Because of the positive developments in catching these groups, like the arrests of certain FAKEAV groups and ransomware key figure, we can expect ransomware variants to contain new functions and other improvements in terms of stealth mechanism.

Critroni or Curve-Tor-Bitcoin (CTB) Locker came about in 2014. This type of ransomware uses the Tor network to mask its C&C communications. Some variants of this ransomware asks for bitcoins as ransom. CTB Locker variants in 2015 introduced "freemium" - free decryption service. Also in 2015, TorrentLocker ransomware attacks were prevalent in the Australia-New Zealand region. This particular ransomware adds CAPTCHA code and redirection to a spoofed site.

Watch "TorrentLocker In Action" in the video below:


Within a couple of years, we have seen ransomware evolved from a threat targeting Russian users into an attack affecting several European and North American countries. With profitable a business model and payment schemes affording anonymity for its perpetrators, we may be seeing more of ransomware in the coming years. Thus, it is crucial for users to know how ransomware works and how to best protect themselves from this threat.

Known Ransomware Families

Below are known ransomware families:

Family Name Aliases Description
ACCDFISA Anti Cyber Crime Department of Federal Internet Security Agency Ransom First spotted early 2012; Encrypts files into a password-protected; Cybercriminals behind this ransomware asks payment thru MoneypakPaysafe, or Ukash to restore the files and unlock the screen; Known as a multi-component malware packaged as a self-extracting (SFX) archive; May come bundled with third party applications such as Sdelete andWinRAR
ANDROIDOS_LOCKER   First mobile ransomware spotted; Uses Tor, a legitimate service that allows anonymous server connections; Users with mobile devices affected by this malware may find the files stored in their mobile device rendered useless and held for ransom
CRIBIT BitCrypt Similar to CRILOCK with its use of RSA-AES encryption for target files; Version 1 uses RSA-426; Version 2 uses RSA-1024; Appends the string bitcryp1 (for version 1) and bitcrypt2(for version 2) to the extension name of the files it encrypts
CRILOCK CryptoLocker Employs Domain Generation Algorithm (DGA) for its C&C server connection; October 2013 - UPATRE was found to be the part of the spam mail that downloads ZBOT, which further downloads CRILOCK
CRITOLOCK Cryptographic locker Uses advanced encryption standard (AES-128) cryptosystem; The word Cryptolocker is written in the wallpaper it uses to change an affected computer's wallpaper
CRYPAURA   Encrypts files and appends the corresponding email address contact for file decryption
CRYPCTB Critroni, CTB Locker, Curve-Tor-Bitcoin Locker Encrypts data files; Ensures there is no recovery of encrypted files by deleting its shadow copies; Arrives via spam mail that contains an attachment, actually a downloader of this ransomware; Uses social engineering to lure users to open the attachment; Uses Tor to mask its C&C communications
CRYPDEF CryptoDefense To decrypt files, it asks users to pay ransom money in bitcoin currency
CRYPTCOIN CoinVault Encrypts files and demands users to pay in bitcoin to decrypt files; Offers a one-time free test to decrypt one file
CRYPTFILE   Uses unique public key generated RSA-2048 for file encryption and also asks users to pay 1 bitcoin to obtain private key for decrypting the files
CRYPWALL CryptoWall, CryptWall, CryptoWall 3.0 Reported to be the updated version of CRYPTODEFENSE; Uses bitocin currency as mode of payment; Uses Tor network for anonymity purposes; Arrives via spam mail, following UPATRE-ZBOT-RANSOM infection chain; CryptoWall 3.0 comes bundled with FAREIT spyware
CRYPTROLF   Shows troll face image after file encryption
CRYPTTOR   Changes the wallpaper to picture of walls and asks users to pay the ransom
CRYPTOR batch file ransomware Arrives thru DOWNCRYPT; A batch file ransomware capable of encrypting user files using GNU Privacy Guard application
DOWNCRYPT batch file ransomware Arrives via spam email; Downloads BAT_CRYPTOR and its components such as a decoy document
VIRLOCK VirLock, VirRansom Infects document files, archives, and media files such as images
PGPCODER   Discovered in 2005; first ransomware seen
KOLLAH   One of the first ransomware that encrypts files using certain extension names; Target files include Microsoft Office documents, PDF files, and other files deemed information-rich and relevant to most users; Adds the string GLAMOUR to files it encrypts
KOVTER   Payload of the attack related to YouTube ads that lead to the Sweet Orange exploit kit
MATSNU   Backdoor that has screen locking capabilities; Asks for ransom
RANSOM   Generic detection for applications that restrict the users from fully accessing the system or encrypts some files and demands a ransom in order to decrypt or unlock the infected machine
REVETON Police Ransom Locks screen using a bogus display that warns the user that they have violated federal law; Message further declares the user's IP address has been identified by the Federal Bureau of Investigation (FBI) as visiting websites that feature illegal content
VBUZKY   64-bit ransomware; Attempts to use Shell_TrayWnd injection; Enables TESTSIGNING option of Windows 7
CRYPTOP Ransomware archiver Downloads GULCRYPT and its components
GULCRYPT Ransomware archiver Archives files with specific extensions; Leaves a ransom text file containing the instructions on who to contact and how to unpack the archives containing user's files
CRYPWEB PHP ransomware Encrypts the databases in the web server making the website unavailable; Uses HTTPS to communicate with the C&C server; Decrypt key is only available in the C&C server
CRYPDIRT Dirty Decrypt First seen in 2013 before the emergence of Cryptolocker
CRYPTORBIT   Detection for images, text, and HTML files which contain ransom notes that are indicators of compromised (IOC)
CRYPTLOCK TorrentLocker Poses as CryptoLocker; newer variants display crypt0l0cker on the affected computer; uses a list of file extensions that it avoids encrypting, compared to usual ransomware that uses a list of file extensions to encrypt - this allows CRYPTLOCK to encrypt more files while making sure the affected computer still runs, ensuring users know that their files are encrypted and access to the Internet to pay the ransom is still present
CRYPFORT CryptoFortress Mimics TorrentLocker/CRYPTLOCK user interface; Uses wildcards to search for file extensions; encrypts files in shared folders
CRYPTESLA TeslaCrypt User interface is similar to CryptoLocker; encrypts game-related files
CRYPVAULT VaultCrypt Uses GnuPG encryption tool; downloads hacking tool to steal credentials stored in web browsers; uses sDelete 16 times to prevent/hinder recovery of files; has a customer support portal; is a batch script crypto-ransomware
CRYPSHED Troldesh First seen in Russia; added English translation to its ransom note to target other countries; aside from appending .xtbl to the file name of the encrypted files, it also encodes the file name, causing affected users to lose track of what files are lost
SYNOLOCK SynoLocker Exploits Synology NAS devices' operating system (DSM 4.3-3810 or earlier) to encrypt files stored in that device; has a customer support portal
KRYPTOVOR Kriptovor Part of a multi-component infection; aside from its crypto-ransomware component, it has an information stealing component that steals certain files, processes list, and captures desktop screenshot; uses an open source Delphi library calledLockBox 3 to encrypt files


What Can Users Do?


Users infected by ransomware should do the following:

  • -293px -99px no-repeat;">Disable System Restore.
  • -293px -99px no-repeat;">Run your anti-malware to scan and remove ransomware-related files.

Note that some ransomware requires extra removal steps such as deleting ransomware files in Windows Recovery Console. Be sure to follow all required steps to completely remove the specific ransomware your computer has. 

To prevent ransomware infections, keep these things in mind:

  • -293px -99px no-repeat;">Backup your files regularly.
  • -293px -99px no-repeat;">Apply software patches as soon as they become available. Some ransomware arrive via vulnerability exploits.
  • -293px -99px no-repeat;">Bookmark trusted websites and access these websites via bookmarks.
  • -293px -99px no-repeat;">Download email attachments only from trusted sources.
  • -293px -99px no-repeat;">Scan your system regularly with anti-malware.

Trend Micro Protection

Trend Micro™ Smart Protection Network™ offers protection for users by blocking this threat from possible points of infection. Specifically, it prevents access to malicious websites hosting ransomware variants, and blocks IP addresses and C&C servers that ransomware variants access. It also blocks spam and email messages verified to carry ransomware disguised as attached files. Most importantly, it detects and deletes ransomware variants if found in the system.

To combat ransomware in your home and home office PCs, try the following Trend Micro products that uses the power of the Smart Protection Network:

Ransomware also affects office networks and workstations. The following Trend Micro products ensure the safety and protection of your corporate networks and desktops against ransomware attacks:

  • -293px -99px no-repeat;">AntiRansomware Tool for Business Users
  • -293px -99px no-repeat;">OfficeScan (Endpoint Protection for Physical and Virtual Desktops)

In addition, Deep Discovery protects your corporate network from ransomware - from monitoring communication ports, analyzing malware, and network traffic monitoring. These prevents the spread of ransomware to other computers in the corporate network and contains the threat should it be detected at any level. 

Other detection and removal tools for ransomware known as CryptoLocker are available for your use:


Latest Notable Ransomware

Below are the latest notable ransomware that Trend Micro analyzed:
Trend Micro Detection Notable Features Month-Year discovered
  • -293px -99px no-repeat;">Encrypts and "quarantines" files
  • -293px -99px no-repeat;">Deletes backup files, making recovery difficult
04 2015
  • -293px -99px no-repeat;">Uses .PDF icon, disguising itself as a legitimate file
  • -293px -99px no-repeat;">Arrives as an email aboutFacebook account suspension
02 2015
  • -293px -99px no-repeat;">Arrives via spam
  • -293px -99px no-repeat;">Has 'freemium' feature
01 2015
  • -293px -99px no-repeat;">TorrentLocker variant found inAustralia and New Zealand
  • -293px -99px no-repeat;">Arrives via fake Australia/NSW Post email
  • -293px -99px no-repeat;">Users redirected to fake sites where CAPTCHA code is required
01 2015
  • -293px -99px no-repeat;">Adds the text 'ebola' in the extension name of encrypted files
11 2014
  • -293px -99px no-repeat;">New type of ransomware known as Cryptoblocker malware
  • -293px -99px no-repeat;">Instead of a text file as ransom note, it displays a message
07 2014
  • -293px -99px no-repeat;">Ransomware that runs on Android
  • -293px -99px no-repeat;">Uses TOR to hide its C&C communication
06 2014
  • -293px -99px no-repeat;">Downloaded by exploits taking advantage of CVE-2013-0422
  • -293px -99px no-repeat;">Downloaded by WhiteHole Exploit kits
02 2013
  • -293px -99px no-repeat;">Downloaded by Cool Exploit kits
  • -293px -99px no-repeat;">Gathers infected system’s IP address, location, and ISP – all details appear in the ransom image
01 2013
  • -293px -99px no-repeat;">Downloaded by Cool Exploit kits
  • -293px -99px no-repeat;">Displays Police Central e-crime Unit (PCeU) warning, urging the user to pay 100 GBP
01 2013
TROJ_REVETON.IT Shows a “treaty” between anti-malware companies 12 2012
TROJ_REVETON.HM "Speaks" – verbal read out of the alert. Language is adjusted based on the country setting of the infected computer. 11 2012
Last modified on Lunedì, 17 Ottobre 2016 13:26