Skip to main content

Hitachi

Hitachi Incident Response Team

Hitachi Incident Response Team

HIRT-PUB16001: Ransomware

Last Updated: April 13, 2016

Ransomware is a type of malware that infects computer systems, restricting users' access to the infected systems such as the user's systems have been locked or the user's files have been encrypted. Ransomware variants have grown very rapidly since 2015 and often attempt to extort money from victims. HIRT-PUB16001 is an advisory to address issue for Ransomware and Recent Variants.

1. Overview

There are two types of ransomware such as Crypto and Locker ransomware. Crypto ransomware encrypts personal files/folders (e.g., the contents of your documents, spreadsheets, pictures, videos and etc.). Locker ransomware locks the screen and demands payment. No personal files are encrypted.
The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg"). It's use of symmetric cryptography.

In 2006, GPcode, Archives and etc. has been active in the wild. These crypto ransomware were use of RSA public key cryptography. Also the first known locker ransomware was the 2010 "Winlock" trojan. It locks the Windows' screen and demands payment.

Ransomware attacks re-organized around a new type of extortion by Cryptolocker. Gameover Zeus, which first emerged around September 2011, operates silently on victim computers to funnel stolen banking credentials back to the attackers. The Gameover Zeus network was as a common distribution mechanism for Cryptolocker. Also Cryptolocker began appearing about September 2013 and continued to grow rapidly.

Figure 1: Brief History of Ransomware
Figure 1: Brief History of Ransomware

2. Trend

Ransomware variants have grown very rapidly as one of various cyber attacks.

Ransomware attacks grew 113 percent in 2014. Crypto-ransomare was seen 45 times more frequently. (Symantec, 2015 Internet Security Threat Report, Volume 20 (Apr. 2015))

In 2015, 64 percent of binary-file-based ransomware detected have been crypto ransomware while binary-based locker ransomware made up the remaining 36 percent. For crypto ransomware, Japan comes in at number two whereas for locker ransomware, it occupies the sixth spot. (Symantec, The evolution of ransomware (Aug. 2015))

The total number of ransomware samples grew 127% in the past year. Ransomware continues to grow very rapidly - with the number of new ransomware samples rising 58% in Q2. (McAfee Labs, Threats Report (Aug. 2015))

Although a few families - including CryptoWall 3, CTB-Locker, and CryptoLocker - dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities. (McAfee Labs, 2016 Threats Predictions (Nov. 2015))

Ransomware programs were detected on 753,684 computers of unique users; 179,209 computers were targeted by encryption ransomware. (Kaspersky, Overall statistics for 2015 (Dec. 2015))

Figure 2: Top 10 countries for detections of binary file based crypto ransomware
Figure 2: Top 10 countries for detections of binary file based crypto ransomware
Source: Symantec, The evolution of ransomware (Aug. 2015)

Figure 3: The number of new ransomware samples
Figure 3: The number of new ransomware samples
Source: McAfee Labs, Threats Report (Aug. 2015)

3. Solution

Users and administrators take the following preventive measures to protect your computer networks from ransomware infection.

Restore or decrypt encrypted files by ransomware
+ Perform and test regular backups to limit the impact of data or system loss.
+ Data should be kept on a separate device, and backups should be stored offline.

Protect your file from ransomware encryption
+ Restrict users' permissions to run untrusted applications, and apply the principle of "Least Privilege" to all systems and services.

Protect your system from ransomware infection
+ Keep your operating system and software up-to-date with the latest patches.
+ Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.

4. References

4.1 Solution of Ransomware

4.2 History of Ransomware

(1) Windows

YearMonth Ransomware Name
Sep. 2013 CryptoLocker
Payment options: Moneypak, Ukash, cashU, Bitcoin
Encryption algorithm: AES
Public-key algorithm: RSA-2048
References: Dell SecureWorks: CryptoLocker Ransomware (Dec. 2013) Symantec: Trojan.Cryptolocker (Sep. 2013) CryptoLocker Ransomware Information Guide and FAQ (Oct. 2013)
Dec. 2013 CryptoLocker 2.0
Payment options: Bitcoin
Encryption algorithm: 3DES
Public-key algorithm: RSA-1024
References: ESET: Cryptolocker 2.0 (Dec. 2013)
Feb. 2014 CryptoDefense
Ransom note: HOW_DECRYPT.TXT and etc.
References: CryptoDefense (Feb. 2014)
Mar. 2014 CryptoWall 1.0
Ransom note: DECRYPT_INSTRUCTION.TXT and etc.
References: Dell SecureWorks: CryptoWall Ransomware (Aug. 2014) Symantec: Trojan.Cryptodefense (Mar. 2014) CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ (Jul. 2014) CryptoWall 1.0 (Mar. 2014)
Jul. 2014 CTB-Locker (Curve-Tor-Bitcoin Locker)
Public-key algorithm: Elliptic Curve Cryptography
Appending an extension: ctbl
Ransom note: DecryptAllFiles [user_id] .txt and etc.
References: Trend Micro: New Crypto-Ransomware Emerge in the Wild (Aug. 2014) CTB Locker and Critroni Ransomware Information Guide and FAQ (Jul. 2014)
Cryptoblocker
References: Trend Micro: New Crypto-Ransomware Emerge in the Wild (Aug. 2014)
Aug. 2014 TorrentLocker
Appending an extension: encrypted and etc.
Ransom note: DECRYPT_INSTRUCTIONS.html and etc.
References: Analysis of "TorrentLocker" - A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall (Aug. 2014) Trend Micro: TorrentLocker Run Hits Italian Targets (Oct. 2014) TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ (Dec. 2014) Trend Micro: TorrentLocker Ransomware Hits ANZ Region (Jan. 2015)
Oct. 2014 CryptoWall 2.0
Ransom note: DECRYPT_INSTRUCTION.TXT and etc.
References: Inside CryptoWall 2.0: Ransomware, professional edition (Jan. 2015) CryptoWall 2.0 (Oct. 2014)
Nov. 2014 Coinvault
Decryption tool: ransomware decryptor
References: The CoinVault Ransomware Information Guide and FAQ (Nov. 2014)
Jan. 2015 CryptoWall 3.0
Encryption algorithm: AES-256
Public-key algorithm: RSA-2048
Ransom note: HELP_DECRYPT.HTML, HELP_DECRYPT.TXT and etc.
References: Trend Micro: CryptoWall 3.0 Ransomware Partners With FAREIT Spyware (Mar. 2015) CryptoWall 3.0 (Jan. 2015)
Feb. 2015 TeslaCrypt
Appending an extension: ecc, exx, ezz and etc.
Ransom note: HELP_TO_DECRYPT_YOUR_FILES.txt and etc.
Decryption tool: TeslaDecoder
References: Symantec: Trojan.Cryptolocker.N (Feb. 2015) TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ (May. 2015)
Mar. 2015 CRYPVAULT
References: Trend Micro: CRYPVAULT: New Crypto-ransomware Encrypts and "Quarantines" Files (Apr. 2015)
Jul. 2015 TeslaCrypt 2.0
Appending an extension: aaa, zzz
References: Kaspersky: TeslaCrypt 2.0 ransomware: stronger and more dangerous (Jul. 2015) TeslaCrypt 2.0: Cyber Crime Malware Behavior, Capabilities and Communications (Sep. 2015)
Sep. 2015 Chimera
References: Trend Micro: Chimera Crypto-Ransomware Wants You (As the New Recruit) (Dec. 2015)
TeslaCrypt 2.1
Appending an extension: abc(TeslaCrypt 2.1.0), ccc(TeslaCrypt 2.1.0a)
References: TeslaCrypt 2.1 Analysis: Cracking "Ping" Message (Sep. 2015)
Nov. 2015 CryptoWall 4.0
Encryption algorithm: AES-256
Public-key algorithm: RSA-2048
Appending an extension: Random numbers and letters
Ransom note: HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT and etc.
References: CryptoWall 4.0 released with new Features such as Encrypted File Names (Nov. 2015) CryptoWall 4.0 (Nov. 2015)
Dec. 2015 TeslaCrypt 2.2
Appending an extension: vvv
Decryption tool: TeslaCrack
References: Symantec; TeslaCrypt: Major TeslaCrypt ransomware offensive underway (Dec. 2015)
Jan. 2016 TeslaCrypt 3.0
Appending an extension: xxx, ttt, micro
Ransom note: Howto_Restore_FILES.HTM, Howto_Restore_FILES.TXT and etc.
References: TeslaCrypt 3.0 Released with Modified Algorithm and .XXX, .TTT, and .MICRO File Extensions (Jan. 2016) Symantec: Burrp compromised to serve Angler EK and deliver TeslaCrypt ransomware (Mar. 2016)
Feb. 2016 Locky
Appending an extension: locky
Ransom note: _Locky_recover_instructions.txt and etc.
References: Symantec: Trojan.Cryptolocker.AF (Feb. 2016) Symantec: Locky ransomware on aggressive hunt for victims (Feb. 2016)
MSIL/Samas
Appending an extension: encrypted.RSA
Ransom note: HELP_DECRYPT_YOUR_FILES.html and etc.
References: Microsoft: Ransom: MSIL/Samas.A (Jan. 2016) Trend Micro: FBI Posts Warning About Ransomware That Goes After Backups (Apr. 2016) Symantec: Samsam may signal a new trend of targeted ransomware (Apr. 2016)
Mar. 2016 Surprise
Payment options: Bitcoin
Encryption algorithm: AES-256
Public-key algorithm: RSA-2048
Appending an extension: surprise
References: Surprise Ransomware Installed via TeamViewer and Executes from Memory (Mar. 2016)
Petya
Decryption tool: Petya Decryption Site Petya Sector Extractor find key in seconds to restore petya ransomware encrypted mft
References: Trend Micro: RANSOM_PETYA.A (Mar. 2016) Ransomware Petya encrypts hard drives (Mar. 2016) Trend Micro: PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers (Mar. 2016)
KimcilWare
Appending an extension: kimcilware, locked
Ransom note: README_FOR_UNLOCK.txt
References: The KimcilWare Ransomware targets web sites running the Magento Platform (Mar. 2016)
PowerWare
Ransom note: FILES_ENCRYPTED-READ_ME.HTML
References: Threat Alert: "PowerWare," New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word (Mar. 2016) Trend Micro: Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files (Mar. 2016)
Rokku
Appending an extension: rokku
Public-key algorithm: RSA-512
References: Rokku, the "professional" ransomware (Mar. 2016)

(2) Mac

YearMonth Ransomware Name
Mar. 2016 KeRanger
References: Symantec: KeRanger: First Mac OS X ransomware emerges (Mar. 2016)

(3) Android

YearMonth Ransomware Name
May. 2014 ANDROIDOS_LOCKER.HBT
References: Trend Micro: Android Ransomware Uses TOR (Jun. 2014)

(4) Linux

YearMonth Ransomware Name
Nov. 2015 Linux.Encoder
Decryption tool: Decrypter
References: Dr.WEB: Linux.Encoder.1 (Nov. 2015) Ransomware Found Targeting Linux Servers and Coding Repositories (Nov. 2015)

5. Update history

April 13, 2016
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)