HIRT-PUB16001: Ransomware: Hitachi Incident Response Team : Hitachi

Last Updated: April 13, 2016

Japanese

Ransomware is a type of malware that infects computer systems, restricting users' access to the infected systems such as the user's systems have been locked or the user's files have been encrypted. Ransomware variants have grown very rapidly since 2015 and often attempt to extort money from victims. HIRT-PUB16001 is an advisory to address issue for Ransomware and Recent Variants.

1. Overview

There are two types of ransomware such as Crypto and Locker ransomware. Crypto ransomware encrypts personal files/folders (e.g., the contents of your documents, spreadsheets, pictures, videos and etc.). Locker ransomware locks the screen and demands payment. No personal files are encrypted.
The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg"). It's use of symmetric cryptography.

In 2006, GPcode, Archives and etc. has been active in the wild. These crypto ransomware were use of RSA public key cryptography. Also the first known locker ransomware was the 2010 "Winlock" trojan. It locks the Windows' screen and demands payment.

Ransomware attacks re-organized around a new type of extortion by Cryptolocker. Gameover Zeus, which first emerged around September 2011, operates silently on victim computers to funnel stolen banking credentials back to the attackers. The Gameover Zeus network was as a common distribution mechanism for Cryptolocker. Also Cryptolocker began appearing about September 2013 and continued to grow rapidly.

Figure 1: Brief History of Ransomware

2. Trend

Ransomware variants have grown very rapidly as one of various cyber attacks.

Ransomware attacks grew 113 percent in 2014. Crypto-ransomare was seen 45 times more frequently. (Symantec, 2015 Internet Security Threat Report, Volume 20 (Apr. 2015))

In 2015, 64 percent of binary-file-based ransomware detected have been crypto ransomware while binary-based locker ransomware made up the remaining 36 percent. For crypto ransomware, Japan comes in at number two whereas for locker ransomware, it occupies the sixth spot. (Symantec, The evolution of ransomware (Aug. 2015))

The total number of ransomware samples grew 127% in the past year. Ransomware continues to grow very rapidly - with the number of new ransomware samples rising 58% in Q2. (McAfee Labs, Threats Report (Aug. 2015))

Although a few families - including CryptoWall 3, CTB-Locker, and CryptoLocker - dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities. (McAfee Labs, 2016 Threats Predictions (Nov. 2015))

Ransomware programs were detected on 753,684 computers of unique users; 179,209 computers were targeted by encryption ransomware. (Kaspersky, Overall statistics for 2015 (Dec. 2015))

Figure 2: Top 10 countries for detections of binary file based crypto ransomware
Source: Symantec, The evolution of ransomware (Aug. 2015)

Figure 3: The number of new ransomware samples
Source: McAfee Labs, Threats Report (Aug. 2015)

3. Solution

Users and administrators take the following preventive measures to protect your computer networks from ransomware infection.

Restore or decrypt encrypted files by ransomware
+ Perform and test regular backups to limit the impact of data or system loss.
+ Data should be kept on a separate device, and backups should be stored offline.

Protect your file from ransomware encryption
+ Restrict users' permissions to run untrusted applications, and apply the principle of "Least Privilege" to all systems and services.

Protect your system from ransomware infection
+ Keep your operating system and software up-to-date with the latest patches.
+ Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.

4. References

4.1 Solution of Ransomware

4.2 History of Ransomware

(1) Windows

YearMonth	Ransomware Name
Sep. 2013	CryptoLocker Payment options: Moneypak, Ukash, cashU, Bitcoin Encryption algorithm: AES Public-key algorithm: RSA-2048 References: Dell SecureWorks: CryptoLocker Ransomware (Dec. 2013) Symantec: Trojan.Cryptolocker (Sep. 2013) CryptoLocker Ransomware Information Guide and FAQ (Oct. 2013)
Dec. 2013	CryptoLocker 2.0 Payment options: Bitcoin Encryption algorithm: 3DES Public-key algorithm: RSA-1024 References: ESET: Cryptolocker 2.0 (Dec. 2013)
Feb. 2014	CryptoDefense Ransom note: HOW_DECRYPT.TXT and etc. References: CryptoDefense (Feb. 2014)
Mar. 2014	CryptoWall 1.0 Ransom note: DECRYPT_INSTRUCTION.TXT and etc. References: Dell SecureWorks: CryptoWall Ransomware (Aug. 2014) Symantec: Trojan.Cryptodefense (Mar. 2014) CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ (Jul. 2014) CryptoWall 1.0 (Mar. 2014)
Jul. 2014	CTB-Locker (Curve-Tor-Bitcoin Locker) Public-key algorithm: Elliptic Curve Cryptography Appending an extension: ctbl Ransom note: DecryptAllFiles [user_id] .txt and etc. References: Trend Micro: New Crypto-Ransomware Emerge in the Wild (Aug. 2014) CTB Locker and Critroni Ransomware Information Guide and FAQ (Jul. 2014)
Jul. 2014	Cryptoblocker References: Trend Micro: New Crypto-Ransomware Emerge in the Wild (Aug. 2014)
Aug. 2014	TorrentLocker Appending an extension: encrypted and etc. Ransom note: DECRYPT_INSTRUCTIONS.html and etc. References: Analysis of "TorrentLocker" - A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall (Aug. 2014) Trend Micro: TorrentLocker Run Hits Italian Targets (Oct. 2014) TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ (Dec. 2014) Trend Micro: TorrentLocker Ransomware Hits ANZ Region (Jan. 2015)
Oct. 2014	CryptoWall 2.0 Ransom note: DECRYPT_INSTRUCTION.TXT and etc. References: Inside CryptoWall 2.0: Ransomware, professional edition (Jan. 2015) CryptoWall 2.0 (Oct. 2014)
Nov. 2014	Coinvault Decryption tool: ransomware decryptor References: The CoinVault Ransomware Information Guide and FAQ (Nov. 2014)
Jan. 2015	CryptoWall 3.0 Encryption algorithm: AES-256 Public-key algorithm: RSA-2048 Ransom note: HELP_DECRYPT.HTML, HELP_DECRYPT.TXT and etc. References: Trend Micro: CryptoWall 3.0 Ransomware Partners With FAREIT Spyware (Mar. 2015) CryptoWall 3.0 (Jan. 2015)
Feb. 2015	TeslaCrypt Appending an extension: ecc, exx, ezz and etc. Ransom note: HELP_TO_DECRYPT_YOUR_FILES.txt and etc. Decryption tool: TeslaDecoder References: Symantec: Trojan.Cryptolocker.N (Feb. 2015) TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ (May. 2015)
Mar. 2015	CRYPVAULT References: Trend Micro: CRYPVAULT: New Crypto-ransomware Encrypts and "Quarantines" Files (Apr. 2015)
Jul. 2015	TeslaCrypt 2.0 Appending an extension: aaa, zzz References: Kaspersky: TeslaCrypt 2.0 ransomware: stronger and more dangerous (Jul. 2015) TeslaCrypt 2.0: Cyber Crime Malware Behavior, Capabilities and Communications (Sep. 2015)
Sep. 2015	Chimera References: Trend Micro: Chimera Crypto-Ransomware Wants You (As the New Recruit) (Dec. 2015)
Sep. 2015	TeslaCrypt 2.1 Appending an extension: abc(TeslaCrypt 2.1.0), ccc(TeslaCrypt 2.1.0a) References: TeslaCrypt 2.1 Analysis: Cracking "Ping" Message (Sep. 2015)
Nov. 2015	CryptoWall 4.0 Encryption algorithm: AES-256 Public-key algorithm: RSA-2048 Appending an extension: Random numbers and letters Ransom note: HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT and etc. References: CryptoWall 4.0 released with new Features such as Encrypted File Names (Nov. 2015) CryptoWall 4.0 (Nov. 2015)
Dec. 2015	TeslaCrypt 2.2 Appending an extension: vvv Decryption tool: TeslaCrack References: Symantec; TeslaCrypt: Major TeslaCrypt ransomware offensive underway (Dec. 2015)
Jan. 2016	TeslaCrypt 3.0 Appending an extension: xxx, ttt, micro Ransom note: Howto_Restore_FILES.HTM, Howto_Restore_FILES.TXT and etc. References: TeslaCrypt 3.0 Released with Modified Algorithm and .XXX, .TTT, and .MICRO File Extensions (Jan. 2016) Symantec: Burrp compromised to serve Angler EK and deliver TeslaCrypt ransomware (Mar. 2016)
Feb. 2016	Locky Appending an extension: locky Ransom note: _Locky_recover_instructions.txt and etc. References: Symantec: Trojan.Cryptolocker.AF (Feb. 2016) Symantec: Locky ransomware on aggressive hunt for victims (Feb. 2016)
Feb. 2016	MSIL/Samas Appending an extension: encrypted.RSA Ransom note: HELP_DECRYPT_YOUR_FILES.html and etc. References: Microsoft: Ransom: MSIL/Samas.A (Jan. 2016) Trend Micro: FBI Posts Warning About Ransomware That Goes After Backups (Apr. 2016) Symantec: Samsam may signal a new trend of targeted ransomware (Apr. 2016)
Mar. 2016	Surprise Payment options: Bitcoin Encryption algorithm: AES-256 Public-key algorithm: RSA-2048 Appending an extension: surprise References: Surprise Ransomware Installed via TeamViewer and Executes from Memory (Mar. 2016)
	Petya Decryption tool: Petya Decryption Site Petya Sector Extractor find key in seconds to restore petya ransomware encrypted mft References: Trend Micro: RANSOM_PETYA.A (Mar. 2016) Ransomware Petya encrypts hard drives (Mar. 2016) Trend Micro: PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers (Mar. 2016)
	KimcilWare Appending an extension: kimcilware, locked Ransom note: README_FOR_UNLOCK.txt References: The KimcilWare Ransomware targets web sites running the Magento Platform (Mar. 2016)
	PowerWare Ransom note: FILES_ENCRYPTED-READ_ME.HTML References: Threat Alert: "PowerWare," New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word (Mar. 2016) Trend Micro: Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files (Mar. 2016)
	Rokku Appending an extension: rokku Public-key algorithm: RSA-512 References: Rokku, the "professional" ransomware (Mar. 2016)

(2) Mac

YearMonth	Ransomware Name
Mar. 2016	KeRanger References: Symantec: KeRanger: First Mac OS X ransomware emerges (Mar. 2016)

(3) Android

YearMonth	Ransomware Name
May. 2014	ANDROIDOS_LOCKER.HBT References: Trend Micro: Android Ransomware Uses TOR (Jun. 2014)

(4) Linux

YearMonth	Ransomware Name
Nov. 2015	Linux.Encoder Decryption tool: Decrypter References: Dr.WEB: Linux.Encoder.1 (Nov. 2015) Ransomware Found Targeting Linux Servers and Coding Repositories (Nov. 2015)