Ransomware Hall of Inframy

Cryptolocker is a type of ransomware virus that infects your computer and secretly encrypts office documents, images, and other important files. Once the files are infected, you will receive a message, or “ransom note,” explaining you cannot access your files unless you pay a “fine.”

The files become encrypted and not even an antivirus software can help. Once the files are locked, it’s impossible to recover them.

” The most common method of infection is via emails with unknown attachments. Although the attachments often appear to be familiar file types such as *.doc or *.pdf, they in fact contain a double extension — a hidden executable (*.exe).

Once opened, the attachment creates a window and activates a downloader, which infects your computer. Because the program is a Trojan, it cannot self-replicate, meaning it must be downloaded to infect your computer. In addition to malicious email attachments, this malware may also come from websites that prompt you download a plug-in or video player. Typically, you will see nothing wrong with your computer until all files have been encrypted. Then, a warning will pop up indicating that you have been infected and showing a countdown timer until all your data is destroyed.

Many antivirus programs can remove this Trojan, but are unable to decrypt your data. In some cases, users have re-installed the Trojan after removal in order to pay the ransom and unlock their data. ” – Kapersky

Technopedia discusses how malware itself is not difficult to remove, the affected files remain encrypted. At the time of the initial outbreak, users without reliable backups had the choice of paying the ransom — and hoping that those behind the infection were honest enough to actually decrypt the affected files — or simply accepting their data as lost. However, there are now online tools that claim to have the ability to decrypt files that have been encrypted by CryptoLocker.

Case 3: Reveton

The Troj/Reveton-Ransomware family consists of computer infections that lock you out of computer unless you pay a ransom.  It does this by displaying a lock screen when you login to Windows that pretends to be from a law enforcement agency in your country.  For example, if you are in the United States of America the message may be from the FBI and if you are in the United Kingdom the message would pretend to be from the Metropolitan Police Service. In order to access your computer you must submit a MoneyPak voucher, or other payment coupon, to the malware developers and they will then unlock your computer so you can access your Windows desktop again.

The lock screens that will be displayed state that your computer was detected as having broken various laws regarding pornographic material, download copyrighted programs, or the distribution of copyrighted programs.  They will then state that you need to pay a fine or the government will prosecute you and that you may have to pay a fine or will be jailed. In order to pay a fine you will typically need to purchase a MoneyPak voucher and submit the voucher identification number into the lock screen.  It is important to remember that these messages are fake and you have not actually been locked out of your computer by the government.

When infected with a variant of the Troj/Reveton-Ransomware family, your computer wil perform the following behavior:

• When you login to Windows you will be shown a screenlocker that pretends to be from a government agency. This screenlocker will state that you must pay a fine in order to gain access to your computer.
• The screen locker will pretend to be from a government agency from the country that corresponds to the geographic region of your computer IP Address. Therefore, if your IP Address is located in the United States you may be shown a message from the FBI, while if you are in Argentina it would be from Police Federal Argentine.

Information provided by Bleeping Computer.

Case 4: Ryuk

The operators of Ryuk ransomware are at it again. After a long period of quiet, we identified a new spam campaign linked to the Ryuk actors—part of a new wave of attacks. And in late September, Sophos’ Managed Threat Response team assisted an organization in mitigating a Ryuk attack—providing insight into how the Ryuk actors’ tools, techniques and practices have evolved. The attack is part of a recent wave of Ryuk incidents tied to recent phishing campaigns.

First spotted in August of 2018, the Ryuk gang gained notoriety in 2019, demanding multi-million-dollar ransoms from companies, hospitals, and local governments. In the process, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.

Starting around the beginning of the worldwide COVID-19 pandemic, we saw a lull in Ryuk activity. There was speculation that the Ryuk actors had moved on to a rebranded version of the ransomware, called Conti. The campaign and attack we investigated was interesting both because it marked the return of Ryuk with some minor modifications, but also showed an evolution of the tools used to compromise targeted networks and deploy the ransomware.

The attack was also notable because of how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.

The attackers were persistent as well. As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.

Information sourced from Sophos.

Case 5: SamSam

As the year 2016 began, a ransomware threat appeared that attacked its victims unlike any previous ransomware attack. SamSam, named after the filename of the earliest sample we uncovered, uses a brutally minimalist, manual approach to target and compromise victims.
The attacker or attackers use a variety of built-in Windows tools to escalate their own privileges, then scan the network for valuable targets. They want credentials whose privileges will let them copy their ransomware payload to every machine – servers, endpoints, or whatever else they can get their hands on.
Once in, the attacker(s) spread a payload laterally across the network; a sleeper cell that lays in wait for instructions to begin encrypting. Ever a predator, the attacker waits until late at night, when the target organization is least well equipped to deal with it, before the final blow is struck. A sneak attack while the target literally sleeps, SamSam encrypts a prioritized list of files and directories first, and then everything else.
Unlike virtually every other ransomware attack, the entire attack process is manual. No badly worded spam email with an attachment is the culprit. The attacker breaks in the old fashioned way: using tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit, and exploits operating system vulnerabilities, though not as many as you’d think. SamSam usually succeeds when the victim chooses a weak, easily guessed password.
In this report, we’ll cover the anatomy of a SamSam attack, and why it isn’t necessarily hard to defend against. We also took a deep dive into the ransomware payload, tracing its evolution from an early beta through its (so far) third major revision, with no sign of a slowdown in sight, and an ever-increasing ransom demand with each subsequent attack. Partnering with the cryptocurrency monitoring firm Neutrino, we traced the money trail and discovered far more victims – and funds – than had been previously reported.

Information provided by Sophos.

Case 6: Satan

Cybercriminals have long used themes like the devil, the occult and what you might rather loosely call “the dark arts” as inspiration for malware names: Dark Avenger, Necropolis, Mydoom, Natas (which is Satan backwards) and SatanBug are just a few examples

But there’s one aspect of the Satan ransomware that isn’t old-school, and that’s what we’re looking at in this article: its business model.

Satan is a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools.

But Satan is also an online crimeware service:

As you can see from the welcome screen on Satan’s website, which you access using Tor via a .onion address on the dark web, this ransomware is backed by a cloud service you sign up for.

Satan has brazenly copied the business model of many legitimate online services such as iTunes and eBay: joining up is free, but you pay-as-you-go on a percentage basis when you put business through the site.

The Satan service claims to:

• Generate a working ransomware sample and let you download it for free.
• Allow you to set your own price and payment conditions.
• Collect the ransom on your behalf.
• Provide a decryption tool to victims who pay up.
• Pay out 70% of the proceeds via Bitcoin.

The service (we’ll use that word without quotation marks, but you may infer them if you wish) even supports optional two-factor authentication based on a public-private key pair, just like SSH, and a CAPTCHA to make automatic mass signups more difficult:

Once you have a login, you can begin to generate ransomware samples, tailored to your own price point.

Information provided by Sophos.

Case 7: WannaCry

Information provided by KnowB4.