HKCert
Security Blog

Ransomware Variants in the Wild, Stay Alert and Prevent Infection

Release Date: 28 / 09 / 2018
Last Update: 09 / 11 / 2018

In the past six months HKCERT has received a growing number of ransomware infection reports. Most cases involved Cerber; GlobeImposter, CrySiS and GandCrab accounted for the rest. Most of the infected computers belonged to enterprises, which shows that recent ransomware attacks mainly target enterprise servers and workstations.

 

We analysed the infection vectors, malware characteristics and currently decryptable versions of these four ransomware families.

 

Summary of the four families (latest version, ransom message, file extensions, primary infection vectors, decryptable versions*):

Cerber
  Latest version: V8
  Ransom message: a message asks victims to buy "Cerber Decryptor" for decryption via the Tor browser.
  File extensions: V1 to V3 use ".cerber"; from V4 the extension is random characters, with the number of characters equal to the version number.
  Primary infection vectors: malicious email attachments, malicious web advertisements, legitimate programs bundled with malware, exploitation of an Apache Struts2 vulnerability.
  Decryptable versions*: Cerber V1

GlobeImposter
  Latest version: 3.0
  Ransom message: a file named "HOW_TO_BACK_FILES.txt" in each encrypted folder shows the victim's ID number and the attacker's contact details. It asks victims to send the ID number to the attacker's email address and then pay the ransom according to the attacker's instructions.
  File extensions: in 1.0, commonly ".CHAK"; in 2.0, commonly ".TRUE" and ".doc"; in 3.0, commonly ".Tiger4444" and ".Ox4444".
  Primary infection vectors: malicious email attachments, network scanning, brute forcing Windows Remote Desktop Services (RDP).
  Decryptable versions*: GlobeImposter 1.0

CrySIS
  Latest version: the variant using the ".arrow" file extension
  Ransom message: a file named "FILES ENCRYPTED.txt" in each encrypted folder shows the attacker's contact details and asks victims to contact the attacker to pay the ransom.
  File extensions: commonly ".java", ".arena", ".bip" and ".arrow".
  Primary infection vector: brute forcing Windows Remote Desktop Services (RDP).
  Decryptable versions*: no specific version

GandCrab
  Latest version: V5
  Ransom message: a message asks victims to pay the ransom for decryption via the Tor browser.
  File extensions: V1 ".GDCB"; V2 and V3 ".CRAB"; V4 ".KRAB"; V5 a random extension.
  Primary infection vectors: malicious email attachments or links, legitimate programs bundled with malware, brute forcing Windows Remote Desktop Services (RDP), brute forcing Tomcat Manager.
  Decryptable versions*: GandCrab V1, V4 and V5

 

*Decryption tools can be downloaded from the website below. HKCERT does not guarantee that the tools will recover files successfully.*

https://www.nomoreransom.org/en/decryption-tools.html

 

Among the cases we received, infections of individual users' computers did not increase significantly, while infections of enterprise computers and servers rose markedly. After analysing the main infection vectors of the four families, we believe that attackers have added attack methods aimed at enterprise computers and servers to new ransomware variants. Individual users' computers are mainly infected by opening malicious attachments or links in spam emails, through malicious advertisements on websites, and via legitimate programs bundled with malware.

 

For enterprise computers and servers, ransomware variants use two common infection paths. The first uses an enterprise PC as the entry point: spam email or another lure gets a user to execute malicious content. Once that stepping-stone computer is infected, the ransomware looks for other hosts on the network with Windows Remote Desktop Services (RDP) enabled and attempts to brute force their passwords. Because RDP is usually enabled in enterprise environments, any server with a weak RDP password becomes a target. The second uses a server as the entry point: the attacker compromises the server's web application by exploiting a vulnerability or by brute forcing its credentials (for example the Tomcat Manager interface listed for GandCrab above), then spreads to other computers on the same network to widen the infection.

 

This shows that attackers mainly target the servers of large enterprises and public organisations, which hold large amounts of valuable information, to maximise the chance that the ransom is paid. Enterprises and public organisations therefore need to strengthen their network and system security and improve their employees' security awareness. HKCERT has compiled a series of articles, "中小企網絡安全七大攻略" (Seven Cyber Security Strategies for SMEs, in Chinese), for reference. The series is currently being published; you can browse it at the following page:

https://www.hkpc.org/zh-HK/corporate-info/media-centre/media-focus

 

If your computer is infected with ransomware, you can refer to the “Ransomware Decryption Guideline” compiled by HKCERT for decryption:
https://www.hkcert.org/my_url/en/guideline/18092701
 

To learn how to prevent ransomware infection, you can browse the following page:
https://www.hkcert.org/ransomware.hk/ransomware-basic.html
 

More information about ransomware can be found here:
https://www.hkcert.org/ransomware.hk/