The Prevalence of Crypto-Ransomware

Cryptolocker, a refinement of ransomware that adds file-encryption capabilities, emerged in the wild in October 2013. It continues to evolve, adopting new tactics and methods to avoid early detection and to convince unsuspecting users to pay the 'ransom' to get their files back.

Cryptographic Locker Ransomware

We recently spotted a ransomware variant that claims to be Cryptolocker. Trend Micro detects this as TROJ_CRITOLOCK.A. Dubbed Cryptographic Locker ransomware, TROJ_CRITOLOCK.A is packed as MSIL (.NET bytecode), which means it needs the .NET Framework installed in order to run, unlike the earlier Cryptolocker version.

TROJ_CRITOLOCK.A encrypts a wide array of files with extensions such as .DOCX, .PSD, .RTF, .PPT, .PPTX, .XLS, .XLSX, and .TXT, among others. It then renames each encrypted file to {original file name and extension}._clf, so that report.docx becomes report.docx._clf. For the encryption it uses the .NET managed implementation of the Rijndael symmetric algorithm (the AES family), which differs from the asymmetric algorithm used by Cryptolocker.


Figure 1. TROJ_CRITOLOCK.A displays this wallpaper on infected systems 

Based on our analysis, once TROJ_CRITOLOCK.A has encrypted the files on the infected system, it displays the following message informing users that their files have been encrypted. It then demands that users pay a ransom in bitcoins to retrieve the "private key" for their encrypted files (the malware's own term; since the cipher it uses is symmetric, there is no separate private key, only the key and IV it generated). The ransom amount depends on the packet the C&C server sends along with the bitcoin address. At the time of our infection, the request was for 0.2 bitcoin.


Figure 2. Users are asked to pay ransom via bitcoins

The malware also generates the encryption key and initialization vector randomly on the affected machine and sends them to its C&C server. In addition, it gathers certain system information and connects to certain URLs to send and receive information, compromising the security of the system. It also terminates several processes.
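The rename pattern and targeted extensions described above give a defender something concrete to alert on. The following is an added example, not code from the original post or from Trend Micro: it parses a constructed, hypothetical file-rename telemetry format (the "<time> <host> <pid> <image> RENAME <old> -> <new>" layout, the host names, PIDs and paths are all assumptions made for the example), recovers the original extension from a name._clf file, and flags any process that renames a burst of targeted files to ._clf within a short window, which is what the encryption loop looks like from the file system's point of view.

```python
import re
from collections import defaultdict
from datetime import datetime

# File extensions the post reports TROJ_CRITOLOCK.A targeting, and the suffix
# it appends after the original name and extension ("report.docx._clf").
TARGETED_EXTS = {".docx", ".psd", ".rtf", ".ppt", ".pptx", ".xls", ".xlsx", ".txt"}
RANSOM_SUFFIX = "._clf"

# Constructed sample telemetry (not real captures) in a hypothetical
# "<ISO time> <host> <pid> <image> RENAME <old path> -> <new path>" format.
SAMPLE_EVENTS = """\
2014-09-15T10:02:01 WS01 1844 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe RENAME C:\\Users\\alice\\Documents\\q3.docx -> C:\\Users\\alice\\Documents\\q3.docx._clf
2014-09-15T10:02:01 WS01 1844 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx._clf
2014-09-15T10:02:02 WS01 1844 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe RENAME C:\\Users\\alice\\Pictures\\logo.psd -> C:\\Users\\alice\\Pictures\\logo.psd._clf
2014-09-15T10:02:02 WS01 1844 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe RENAME C:\\Users\\alice\\Documents\\notes.txt -> C:\\Users\\alice\\Documents\\notes.txt._clf
2014-09-15T10:02:03 WS01 1844 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe RENAME C:\\Users\\alice\\Documents\\deck.pptx -> C:\\Users\\alice\\Documents\\deck.pptx._clf
2014-09-15T10:05:40 WS01 3120 C:\\Windows\\explorer.exe RENAME C:\\Users\\alice\\Documents\\draft.txt -> C:\\Users\\alice\\Documents\\final.txt
2014-09-15T10:06:11 WS02 2210 C:\\Program Files\\Editor\\editor.exe RENAME C:\\Users\\bob\\a.rtf -> C:\\Users\\bob\\a.rtf.bak
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (.+?) RENAME (.+?) -> (.+)$")


def parse_event(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, pid, image, old, new = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "image": image, "old": old, "new": new}


def original_extension(path):
    """Recover the original extension from a renamed file:
    'C:\\docs\\q3.docx._clf' -> '.docx'. Returns None when the ._clf suffix
    is absent and '' when the original name had no extension."""
    if not path.lower().endswith(RANSOM_SUFFIX):
        return None
    stem = path[:-len(RANSOM_SUFFIX)]
    dot = stem.rfind(".")
    sep = max(stem.rfind("\\"), stem.rfind("/"))
    if dot == -1 or dot < sep:
        return ""
    return stem[dot:].lower()


def is_critolock_rename(ev):
    """True when <old> became <old>._clf and <old> had a targeted extension."""
    ext = original_extension(ev["new"])
    return (ext is not None
            and ev["new"][:-len(RANSOM_SUFFIX)] == ev["old"]
            and ext in TARGETED_EXTS)


def find_encryption_bursts(lines, threshold=3, window_s=60):
    """Return {(host, pid, image): n} for processes that performed at least
    `threshold` matching renames within any `window_s`-second window.
    A single stray rename is not alerted on; a burst is the encryption loop."""
    per_proc = defaultdict(list)
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev and is_critolock_rename(ev):
            per_proc[(ev["host"], ev["pid"], ev["image"])].append(ev["ts"])
    hits = {}
    for key, times in per_proc.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):           # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (host, pid, image), n in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: pid {pid} ({image}) renamed {n} targeted files to ._clf")
```

Run against the constructed sample, only the process in the user's Temp directory trips the threshold; the ordinary rename by explorer.exe and the .bak copy do not. Because this family generates the key and IV on the host and transmits them to the C&C server, the responder who gets such an alert early should preserve a memory image and any packet capture from the machine before powering it off: for a symmetric cipher, that material is the decryption key.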

Evolution of Cryptolocker 

At the onset of 2014, we saw other crypto-ransomware variants such as Cryptobit, CryptoDefense, CryptoWall, POSHCODER, Cryptoblocker, and Cryptroni/Critoni. Trend Micro detects the first version of Cryptolocker as CRILOCK. The most recent variant we spotted is BAT ransomware, detected as BAT_CRYPTOR. Each variant has its own notable routine or staple quality.

Cryptobit asks users to employ the Tor browser, which masks its network activity and helps it evade detection. Cryptodefense, on the other hand, displays a webpage with instructions for reaching the payment page through a Tor browser.


Figure 3. Cryptodefense displays webpage instructing users on how to pay the ransom

Cryptowall opens a ransom note in Notepad that contains instructions for reaching the payment page via a Tor browser. Earlier versions of Cryptolocker have a graphical user interface (GUI) for payment. Both CRITONI and Cryptoblocker have a GUI and wallpaper similar to those of early Cryptolocker versions.


Figure 4. Graphical user interface of CRITONI

Last May, a ransomware variant dubbed POSHCODER surfaced that leveraged Windows PowerShell for its encryption routines. Cybercriminals and threat actors abuse this built-in feature to avoid detection on the target system and network.

In the same month, we also spotted the first mobile ransomware, detected as ANDROIDOS_LOCKER.HBT, which used the Tor browser in the same way as other crypto-ransomware variants. It poses as a fake app, "Sex xonix," and can be downloaded from third-party app stores. Last August, another mobile ransomware, ANDROIDOS_RANSOM.HBT, came into the picture; it terminates all apps except itself and encrypts data found on the SD card.


Figure 5. Timeline of the emergence of Cryptolocker variants as seen in the wild

Best Practices

Given these improvements, we can expect ransomware variants to remain one of the threats that users and organizations need to protect their systems and devices from. We strongly advise users not to pay the ransom, as doing so encourages cybercriminals to continue their malicious operations. Install a security solution that can detect such threats, and back up files and important documents regularly. Since these variants encrypt whatever files the infected system can reach, including removable media such as an SD card, keep backups offline or otherwise out of reach of the machine they protect.

Users should additionally stay informed of the nature of ransomware threats. This awareness can go a long way in securing data and systems.

The related SHA-1 hash for TROJ_CRITOLOCK.A is 0f86c35697d16b2516601e9472264b87259672f2.

Additional analysis from Rhena Inocencio

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 17 September 2014.