HKCert
Security Blog

New Trends of Ransomware

Release Date: 30 / 12 / 2019
Last Update: 30 / 12 / 2019

Ransomware is among the most jeopardising and wide-spreading cyber security threats. It encrypts files on the user's device and demands payment of ransom in order to decrypt the files. HKCERT has been constantly monitoring the ransomware trends, providing security advice to users who approach us for assistance.

Recently, we have noticed a slight increase in cases of ransomware attacks in schools where there was a case of more than a hundred devices being infected. In addition, a new type of cyber attack targeting the network attached storage (NAS) has emerged. Hackers can search for Internet accessible NAS devices through scanning IP address ranges, then infect the NAS by exploiting device vulnerabilities. Ransomware infection may cause serious data loss as enormous files and data backups are often stored in NAS.

In September 2018, HKCERT published a security blog entitled “Ransomware Variants in the Wild, Stay Alert and Prevent Infection”, analysing four ransomwares, namely Cerber, Crysis, GandCrab, and GlobeImposter, which all recorded a relatively large number of infection cases at that time. Analyses included their attack vectors, infection characteristics, decryptable versions, file extensions and ransom messages. This year upon observation, we found that those four ransomwares have been mutated, along with a number of new types. We then analysed three ransomwares, namely Muhstik, Sodinokibi/Nemty and STOP, which are either relatively common with many infection cases or apply new attack tactics. Please refer to appendix for details of the analyses.

With the efforts of cyber security practitioners, a number of ransomwares have been progressively cracked with the availability of some decryption tools. Users, whose devices have been infected by ransomware, can identify the type of ransomware by comparing the file extensions and ransom messages so as to look for the decryption tools that can be used. For ransomwares that have not been listed out in the appendix, users can try to track them through the CRYPTO SHERIFF page of No More Ransom* website, upload the encrypted files and provide relevant information, such as email, website URL, onion or bitcoin address in the ransom message. Noteworthy is that not every ransomware has a designated decryption tool, while not every decryption tool is able to recover files successfully. There is so far no other solutions but to use offline backup files for recovery. Furthermore, to prevent infection from malware, please do not use unauthenticated decryption software.

For the sake of reducing the risk of ransomware infection, users should take precautionary security measures. We advise users to:

  1. beware of suspicious emails. Do not open attachments inattentively, especially compressed files (zip) or executable files (exe).
  2. install security programmes and keep related security signatures up-to-date.
  3. update system and software, such as Microsoft Windows, Office, Adobe reader, Flash player, etc., with the latest security patch to plug the security loopholes and avoid being utilised by malwares.
  4. minimise the number of users who have domain administrative rights to confine the scope and impacts in case of an attack, and use general account in daily operation.
  5. back up important files in a timely and regular fashion. Keep an offline copy of the backups in a safe place to avoid being affected by malwares.
  6. make sure that the cloud service provider has “version history” function when using cloud backup service. It can help recover the previous version of a file, even though the affected file has been synchronised to the cloud.

If your device has been infected by ransomware, we recommend taking the following measures:

  1. First, offline the infected computer to avoid malwares from further affecting files in the Intranet.
  2. Download legitimate clean up tool, and run a full scan to remove the malwares.
  3. If the system or data has been backed up before being infected by malwares, users can restore the system and data from the backups.
  4. If no backup has been conducted, we suggest users not to reinstall the system to avoid loss of encrypted archive records.
  5. Refer to the “Ransomware Decryption Guideline” compiled by HKCERT for decryption.
  6. Contact HKCERT for enquiry or assistance.

*You can identify ransomware and download decryption tools from the website below. HKCERT makes no guarantee of the tools for successful recovery of the files. *
https://www.nomoreransom.org/en/index.html

 

Appendix

RansomwareLatest VersionRansom MessageFile ExtensionsPrimary Infection VectorDecryptable Versions*
Cerber/MagniberMagniberA message asks victims to buy 'Cerber/My Decryptor' for decryption via Tor browser.V1-V3 is “.cerber”.
Other versions are random characters.
Malicious email attachments, malicious webpage advertisements, legitimate programs containing malware, exploited vulnerabilities of Apache Struts2, exploited vulnerabilities of Magnitude and exploitation kit.

Cerber V1

[Decryption Tool Link]

CrySIS/Dharma/PhobosVersion of file extension is “.phobos”A file named "FILES ENCRYPTED.txt" in encrypted folder shows contact information of the hacker. The message asks victims to contact the hacker to pay ransom.The common extensions are ".java", ".arena", ".bip" and ".phobos".Brute force Windows Remote Desktop Services (RDP).

Some extensions are supported by the decryption tool.

[Decryption Tool Link 1]

[Decryption Tool Link 2]

GandCrabV5.2A message asks victims to pay ransom for decryption on a designated webpage via Tor browser.In V1, the extension is ".GDCB".
In V2 and V3, the extension is ".GRAB".
In V4, the extension is ".KRAB".
In V5, the extension is random
Malicious email attachments or links, legitimate programs containing malware, brute force Windows Remote Desktop Services (RDP), brute force Tomcat Manager.

GandCrab V1, V4 and V5 up to V5.2

[Decryption Tool Link]

GlobeImposter4.0A file named "HOW_TO_BACK_FILES.txt" or "how_to_back_files.html" in encrypted folder shows victim’s personal ID serial number and contact information of hacker. The message asks victims to send ID serial number to hacker's email address, then pay ransom according to hacker's instruction.In 1.0 version, the common extension is ".CHAK".
In 2.0 version, the common extensions are ".TRUE" and ".doc".
In 3.0 version, the common extensions are ".the Chinese Zodiac+4444" and ".Twelve Olympians+666".
In 4.0 version, the common extension is ".auchentoshan".
Malicious email attachments, penetration scanning, brute force Windows Remote Desktop Services (RDP).

GlobeImposter 1.0

[Decryption Tool Link]

Muhstik-A message asks victims to pay ransom for decryption on a designated webpage via Tor browser.The extension is ".muhstik".Exploited vulnerabilities of web server or NAS.

The device whose ID includes in below keys list can be decrypted.

[Keys List Link]

[Decryption Tool Link]

Sodinokibi/Nemty-Sodinokibi’s ransom message is posted on a blue screen background. Nemty’s ransom message is [extension]-DECRYPT.txt. The message asks victims to pay ransom for decryption on a designated webpage via Tor browser.In Sodinokibi, the extension is random.
In Nemty, the extension is ".nemty"
Use the Gandcrab infection vector, exploited vulnerabilities of Zero Day.

No decryption tool for Sodinokibi.
Some file types encrypted by specific versions of Nemty can be decrypted.

[Decryption Tool Link]

STOP-A file named "_openme.txt" or "_readme.txt" in encrypted folder shows victim’s personal ID serial number and contact information of hacker. The message asks victims to send ID serial number to hacker's email address, then pay ransom according to hacker's instruction.The common extensions are ".puma", ".pumas", ".coharos" and ". STOP".Malicious email attachments, malicious webpage advertisements, legitimate programs containing malware.

Some extensions are supported by the decryption tool.

[Decryption Tool Link]