New crypto ransomware hits US, Russia and Europe

Summary: A gang distributing new crypto ransomware to pay-per-install crime gangs has opted to run its network without a command and control centre to avoid the eye of researchers.


Researchers have discovered a new crypto ransomware threat which they claim has at least 50 variants all designed to hit up victims for a $150 payment.

The Cryptolocker malware, which hit the headlines recently for encrypting victims' files and demanding $300 to unlock them, now has a cheaper rival, which researchers at security startup IntelCrawler say began large-scale distribution on 5 December.

The newer crypto-locking malware first checks that the infected machine has an internet connection by calling adobe.com, then makes encrypted copies of the victim's files with a ".perfect" extension appended and deletes the originals. The attackers place a "CONTACT.TXT" file in each directory, which provides their contact information for victims who choose to buy the decryption key.

Unlike the first wave of Cryptolocker malware, which started hitting PCs around September, there's no Bitcoin payment option in the new version. Instead, the criminals are asking for payment through the peer-to-peer payment service Perfect Money or via a virtual card number from the Russian payments firm QIWI Visa.

Also, the newer ransomware doesn't use command and control (C&C) infrastructure common to many botnets, instead managing infected machines through specially-crafted decryption software.

"Each 'decryptor' has a list of hardcoded IP addresses that helps each sample to operate without any C&C at all, in order to hide the owner and to have no roots at all, besides e-commerce details," Andrey Komarov, CEO of IntelCrawler, told ZDNet.

Komarov said he had discovered 50 different builds of the malware, which are being sold on underground markets for pay-per-install programs. One build had just under 6,000 infected machines, according to Komarov, with the highest concentration of infections in Russia, followed by the US and the Netherlands.

As with other malware distribution networks, crime gangs are using a variety of methods to infect machines. Some are distributing it through spam, while others are using landing pages that, for example, host fake music track files. One example was a Tina Turner song, babyBaby.mp3.exe.

The good news is that IntelCrawler says there is a high level of detection amongst AV companies.

The company recommends that victims not rename any of the encrypted files and not change the hostname of their PC. It is working on universal decryption software to combat the threat.

According to Komarov, the crime gang behind this threat built their tools on the free, open-source 'TurboPower LockBox' library, which uses AES-CTR to encrypt files.
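A defender-side triage script for the two file indicators the article names (the ".perfect" extension on encrypted copies and the CONTACT.TXT note in each affected directory), as an added example that is neither IntelCrawler's tooling nor code from the article. It only inventories files, in line with the advice not to rename them; the directory layout it scans is constructed inline, and the names scan_tree, summarize, build_sample_tree and demo are my own.

```python
import os
import tempfile

ENCRYPTED_EXT = ".perfect"   # extension appended to encrypted copies (from the article)
RANSOM_NOTE = "CONTACT.TXT"  # note dropped in each affected directory (from the article)

def scan_tree(root):
    """Walk root and inventory the indicators described above; nothing is renamed."""
    found = {"encrypted": [], "originals": [], "note_dirs": [], "surviving": []}
    for dirpath, _subdirs, files in os.walk(root):
        names = set(files)
        if RANSOM_NOTE in names:
            found["note_dirs"].append(dirpath)
        for name in files:
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            original = name[: -len(ENCRYPTED_EXT)]
            found["encrypted"].append(os.path.join(dirpath, name))
            found["originals"].append(os.path.join(dirpath, original))  # recovery inventory
            if original in names:
                # The malware deletes originals after encrypting, so a surviving
                # original next to its .perfect copy suggests an interrupted run.
                found["surviving"].append(os.path.join(dirpath, original))
    return found

def summarize(found):
    """Triage counts, plus any directory holding .perfect files but no note."""
    enc_dirs = {os.path.dirname(p) for p in found["encrypted"]}
    note_dirs = set(found["note_dirs"])
    return {
        "encrypted_files": len(found["encrypted"]),
        "dirs_with_note": len(note_dirs),
        "dirs_missing_note": sorted(enc_dirs - note_dirs),
        "originals_still_present": len(found["surviving"]),
    }

def build_sample_tree(root):
    """Constructed sample tree (not real victim data): two hit dirs, one clean."""
    layout = {
        "docs": ["report.docx.perfect", "notes.txt.perfect", RANSOM_NOTE],
        "music": ["track.mp3.perfect", "track.mp3", RANSOM_NOTE],  # original left behind
        "clean": ["readme.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"sample")
    return root

def demo():
    """Scan the constructed tree in a temp dir and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(scan_tree(build_sample_tree(tmp)))

if __name__ == "__main__":
    print(demo())
```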


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.


Talkback

21 comments
  • That'll be stopped quick.

    "Each 'decryptor' has a list of hardcoded IP addresses"

    Well, that'll be traced quick. Hardcoded IPs mean the authors aren't using dynamic IPs, which means the authorities can easily track down the owner(s). Not the brightest of ideas :/.

    "The good news is that IntelCrawler says there is a high level of detection amongst AV companies."

    Not surprised. It sounds more sloppily written than CryptoLocker.
    CobraA1
    • Unless, of course...

      The IP numbers aren't theirs, but just other victims of some takeover that allow redirection... Put two or three layers of such takeovers and they would be completely isolated...

      And any cleanup of the listed IP numbers wouldn't matter - as the attack is already finished.
      jessepollard
      • Possible, not probable . . .

        "The IP numbers aren't theirs, but just other victims of some takeover that allow redirection... "

        Possible, but not very likely. Even most victims would be behind a dynamic IP rather than a static IP. It wouldn't be reliable.

        "And any cleanup of the listed IP numbers wouldn't matter - as the attack is already finished."

        It is? It's highly abnormal for them to not want a steady source of income.
        CobraA1
  • not really

    "Put two or three layers of such takeovers and they would be completely isolated..."

    Not really... an IP tracer can follow the line of addresses very quickly. The days of bouncing stuff off satellites, etc. are restricted to the movies and are pure bullsh/t.

    If a network provider couldn't trace you back to your original PC IP address you wouldn't be able to connect to the internet.

    The only sure way is to use a Laptop on a public network like free wifi you can get in some UK City Centers and use a stolen PC so you could not be directly traced (though the Street Cameras would notice you had been sitting there all day with a PC).

    OR break into someone's house... tie them up for a week and use someone else's PC.
    Mi Pen
    •  

      Or just do it in Russia and pay off the cops
      Mythos7
    • That is true if you stay connected.

      But a connection goes no farther than its designated destination. And that is only the bottom layer.

      Trying to find the next layer up gets harder, as you first have to get the bottom layer, then WAIT until another connection is made...

      Do that twice and you will be waiting months before the next step...

      After all, the outgoing connection from the victim is only the first level. The second level isn't even connected at the time, and to find it would require first seizing the destination and hunting for its outgoing destination... repeat for as many levels as there are. And if any level gets cleaned up before you get there, the trail is dead.
      jessepollard
  • how long to back trace the payment

    While I understand the cops often let things like this run so they can swim as far upstream as they can, I just don't understand why it would take more than 24 hours to locate any particular offender.

    Then you send in the Russian torture team with the drugs and tools to find out what you can and burn the body on the way out. Works for me.
    wizardjr
    • Part of the problem is that some countries just don't trust the US.

      Not unsurprising. As soon as a back trace reaches one of these countries, it stops... And even in "friendly" countries it can suddenly reach a paperwork jam... for several months.
      jessepollard
  • Microsoft bullshit

    Let me guess what OS allows executing this nice song babyBaby.mp3.exe? Okay, where are Mr. Davidson, Wilkie Farrel, Ram U, ye, daftkey, cynical999 and other brilliant Microsoft advocates? Rabid Monkey Howler might also be a good MS protagonist.
    I mean, hasn't MS straightened out all their file permissions sh*&^t by now? Just make a file non-executable by default (when accessed in a browser, email client etc.), require granting execution rights explicitly (through cmd, e.g.). Job done. There's a side-effect to this though: since most people on Windows install (sometimes legitimate) 3rd-party apps by clicking on an exe file, it would be a pain in the butt, I suppose. No secure repos, not even a single, universal UI for installations and updates. How pathetic! Quite an inextricable predicament.
    eulampius
    • Files downloaded from the internet do not execute by default.

      If you use IE and certain other browsers, files downloaded from the internet do not execute by default. They start out blocked, and you have to go to the file's properties so you can unblock and execute them.

      Besides, the idea that this makes you safe is actually a bit of BS. Merely preventing the file from executing doesn't mean it's not a trojan waiting to take things over when you do decide to run it.

      File permissions aren't a replacement for common sense and a scanner.

      "No secure repos, not even a single, universal UI to installations and updates."

      This was changed in Windows 8. It's called a "store" instead of a "repo," but same idea.
      CobraA1
      • CobraA1

        C'mon, the default Download folder might be set up to not allow execution or to prompt a user. That doesn't change the fact that extensions in MS Windows (at least up to W8) determine the files' rights. I saw a Windows geek change the extension of some file to .txt to open it with WordPad.
        No, the file permissions take care of many things. Like, how does this mp3 exe file infect a user?
        >>File permissions aren't a replacement for common sense and a scanner.
        So how do they get executed? I click on a bash script that has 0422 permissions. How does it get executed? When I use "chmod +x" or run it with the "bash script" command. It's hard to do it by chance without knowing what you do.
        No, trojans, by definition, get installed by a user. This has been going on for 19 years due to the lack of secure repos and a decent unified installer/updater. The Windows 8 store doesn't cover most software. A huge chunk is not there. Are any of Firefox, Chrome, Emacs, Apache HTTP server, Thunderbird, vlc, mplayer? No, none of the free software is there, AMOF. Compare it with a typical GNU/Linux or *BSD distro. They have almost all of them covered there.
        eulampius
        • thoughts

          "Doesn't change the fact that extensions in MS Windows (at least up to W8) determine the files' rights."

          I'm pretty sure that locking down downloaded files was earlier, perhaps as early as Vista and later service packs of XP.

          They basically used "are you sure?" dialog boxes, but Windows 7/8 has moved it to the property dialog.

          And no, permissions aren't determined by file extension. Don't confuse file type with file permission. You can certainly tell Windows to not execute .exe files via NTFS permissions.

          "So how do they get executed?"

          By people. They say hey, here's a cool program, lemme see what it is. Maybe it is in fact something they want, but they don't realize some bad guys took it over. Typing archaic commands into a command line won't tell you the internal contents of a file.

          "I click on a bash script that has 0422 permissions. How does it get executed? When I use 'chmod +x' or run it with 'bash script' command."

          Eh, the command line isn't the future. Everything's moving towards smart phone like UIs. Whatever the new security model is, it has to work with recent UIs.

          "No, trojans, by definition, get installed by a user."

          And users have a bad habit of ignoring the hurdles put in front of them, as dialog fatigue has clearly shown.

          "Windows 8 store doesn't cover most software. A huge chunk is not there. Are any of Firefox, Chrome, Emacs, Apache http server, Thunderbird, vlc, mplayer?"

          Chrome is there. Firefox will be there soon. There are a lot of text editors to choose from. If you want to run a server, try a server edition of Windows (there's zero reason for the average joe to run Apache). There are a lot of email clients (and most people do email online anyways). VLC is there. There are also a few other alternative media players.

          Although yes, Microsoft isn't quite on the ball yet for everything. Only recently did Instagram find its way to the Windows store.

          . . . and Linux itself isn't so hot in the software department. Many of my games aren't there. Microsoft Office isn't there. iTunes isn't there. Visual Studio isn't there. You may end up using the website for a service because they may not have a native Linux app.

          When it comes to consumer-level software, Linux has actually been pretty weak. Sure, all the geeky stuff is there like Emacs - but I don't think Emacs is on my mother's "must have" list.
          CobraA1
          • use LO instead of MSO

            I mentioned CLI and Bash so that you could see that an average user would hardly be able to run a dodgy script by simply clicking on it.
            >>"Eh, the command line isn't the future. "
            Cannot resist answering this. CLI is the past, present and future. Even MS has realized it; you should too. There is of course the GUI, but it's not a complete alternative to it.

            Please, be honest, for your mother LO, Firefox and Thunderbird would suffice. Or is she a gamer, a VS user? On the other hand, GNU/Linux offers a much better user experience, security and stability. No need to reinstall Windows to fix the many problems that still plague modern MS Windows, like sluggishness over time, disk fragmentation, registry hell, a system messed up by trojans and infections, and even many bugs.
            eulampius
          • CLI only the future for servers . . .

            "I mentioned CLI and Bash so that you could see that an average user would hardly be able to run a dodgy script by simply clicking on it."

            You can't run a downloaded exe simply by clicking on it anymore in virtually any OS, and downloading software from the internet is being phased out anyways with the introduction of the Windows 8 store, so I'm seeing that this point is tired, old, and should be laid to rest.

            "CLI is the past, current and future."

            For servers, maybe. Not for consumer devices. Good luck trying to find a command line on an iPhone.

            Yes, you're probably looking at a server OS like Linux or a server edition of Windows if you want a CLI in the future. It's not the future of consumer level devices.

            "Please, be honest, for your mother LO, Firefox and Thunderbird would suffice."

            She also uses PrintArtist, FYI. But that's a special purpose thing.

            But that's it sometimes - sometimes people (and businesses) have some special purpose thing. All people have different needs, they're not cookie cutter. The great lie of our time seems to be that nobody has special needs anymore.

            If you do want to talk about some theoretical person who only uses LO, Firefox and Thunderbird - I'd probably buy such a person a cheap laptop or tablet. It *may* run some variant of Android or ChromeOS - but then again, it could easily be iOS or Windows 8 RT.

            Well, maybe I couldn't call it "cheap" if it's an iOS device. But I think you get the idea. Standard Linux distros like Ubuntu and Mint are basically dead. People who get Linux today will likely be getting Android or ChromeOS.

            And for your average consumer: Yeah, the CLI is dead. My mother hasn't touched a CLI since the days of DOS. I don't expect her to be using a CLI to set some executable flag if she wants to run a piece of software. That's not realistic.
            CobraA1
          • Windows is more dead

            >>Standard Linux distros like Ubuntu and Mint are basically dead.
            Windows is more dead.
            A better, user-friendlier, more reliable system than any version of so notoriously bloaty Windows.
            You seem to pretend to be deaf to what I say here. I didn't recommend your mom use Bash, Perl, Python, PowerShell, C/C++, Fortran or any kind of Assembler. I said that in order to mess up the system by executing a possibly trojaned exe file one needs to get some knowledge of the CLI on Linux. So your mom and most consumers will be safer with this setup. If you're saying that it's all the same on Windows, I'd not agree with you, since we read about this mp3 exe file and because most people install software by clicking on an exe file. You got it now?
            As far as how the CLI is utilized by more geekish folks, the obvious problem has been there for a couple of decades: Microsoft unwisely thought that the CLI was dead (just like you now) and got a huge side-effect as a result. A whole CLI-phobic Windows geek culture has been created, which has tremendously diminished the competence of the average Windows IT guy. They just recently tried to remedy this situation and came up with PS and core server (the latter tackles another huge Windows shortcoming, OS modularity and flexibility).
            eulampius
          • More dead?

            "Windows is more dead."

            More dead than an OS with 2% or so market share of non-phone consumer OSes?

            Unless you're running servers or supercomputers, the only Linux distros worth thinking about these days are Android and ChromeOS.

            "A better, user-friendlier, more reliable system than any version of so notoriously bloaty Windows. "

            User friendliness is largely subjective. Reliability concerns usually end up pointing to hardware failures or problems from a bygone era.

            "You got it now?"

            Yup, you like lying.

            Windows changed.

            Your old, tired arguments didn't.
            CobraA1
          • you obviously have hearing problems

            Your command of logic appears to me also quite questionable.
            Windows is changing; Microsoft does so very slowly. Still catching up in most cases. What is bad, though, is that their predatory practices don't; on the contrary, they're getting more aggravating almost every year...
            eulampius
    • @eulampius

      eulampius wrote:
      "Rabid Monkey Howler might also be a good MS protagonist"

      Actually, no. But, I do know that anyone running Windows is automatically a target of the mass malware miscreants.

      As a result, I recommend that Windows users (Vista and up) do two things to enhance their security:

      1. Create and use a standard user account for day-to-day computing (and use the default account only to administer Windows)
      2. Apply Windows built-in Parental Controls to all standard user accounts on the system and whitelist the applications that a particular user will need to use for day-to-day computing (this transparently creates Software Restriction Policy rules)

      These two actions enforce write where you cannot execute (C:\Users) and execute where you cannot write (C:\Program Files and C:\Windows). This will nip the vast majority of Windows trojans associated with mass malware campaigns in the bud. [For those wanting an easier solution than Parental Controls for creating Software Restriction Policy rules, there's CrytoProtect.]

      How would one achieve this with GNU/Linux? Mount /home (and, possibly, /tmp) as 'noexec'? Nope, it's easily defeatable. I'll let you tell me how one can prevent a user from running an arbitrary executable (including scripts) on GNU/Linux. Waiting ...

      P.S. Software Restriction Policy for Windows Home editions (via Parental Controls) is less robust than with Windows business editions (via gpedit.msc), where one can protect against additional Windows executable types as well as malicious DLLs potentially executed by svchost.exe, rundll32.exe, etc.

      P.P.S. Software Restriction Policy is not available for Windows XP Home and is available via gpedit.msc for Windows XP Pro and more recent business editions of Windows.
      Rabid Howler Monkey
      • Correction: 'CrytoProtect' should be 'CryptoProtect'

        .
        Rabid Howler Monkey
      • Ugh, 'CryptoPrevent' not 'CryptoProtect'

        The link to CryptoPrevent:

        http://www.foolishit.com/vb6-projects/cryptoprevent/
        Rabid Howler Monkey