Bad guys update 7ev3n and CryptXXX ransomware
7ev3n was given more of a facelift while CryptXXX was made into a tougher opponent.
The changes being made already in the relatively new 7ev3n and CryptXXX ransomware families shows that remaining on the cutting edge of product development is no easier for a criminal than it is for honest developers.
Whether it is making basic usability changes as, in 7ev3n's case, or the more technical improvement that was just spotted to CryptXXX, all ransomware users have to keep the malware viable by making changes.
"A developers work is never done," Adam Kujawa, head of malware intelligence for Malwarebytes, told SCMagazine.com in an email.
The smaller type “tweaks” being done to 7ev3n is the norm for what happens in the ransomware business, Kujawa said, adding that most of those specializing in this particular form of criminal activity tend to stick with and keep improving what works.
“Most of the time it's tweaking to boost performance, avoid detection or make it more efficient. The ransomware world as a whole doesn't really step too far outside of the norm, with the exception of a few game changing families, for example before Cryptolocker started encrypting everybody's files, families like Reveton just locked down the screen and pretended to be law enforcement,” Kujawa said.
However, simply updating what is already available is not the only path being taken. Bryan Burns, vice president of threat research for Proofpoint, pointed out that while making constant improvements to existing ransomware certainly takes place, others are out to add to the existing malware that is available.
“With ransomware, the technical barrier to entry is rather low, so we have seen new varieties crop up on a regular basis. There seems to be constant turnover, with old families of ransomware dropping off the map, only to be replaced by new ones. The overall trend is towards more, rather than fewer, varieties in circulation,” he told SCmagazine.com in an emai.
However, Burns pointed out the opposite is true when it comes to other forms of malware.
“This is in contrast to the trend we see with banking Trojans (like Dridex), where the turnover is low, and a single family of malware will see continued investment and evolution over several years. Banking Trojans are much more complex than ransomware, and require significantly more effort to create, so new ones are a relatively rare phenomenon,” he said.
It is also interesting to see how the user's of each family decided to “improve” their ransomware family.
Malwarebytes blogger Hasherezade said the new version of 7ev3n, called 7ev3n-Hone$t, had little to do with improving the ransomware's capabilities, but instead focused on making it more user friendly and the ransom more affordable for the victim.
“The new version is not more effective in terms of encrypting files. The authors just wanted to make user-friendly changes focused on improving the interface. The distribution method didn't change between the versions; it is spread through malicious spam e-mails,” Kujawa said.
The price change was much more dramatic. When first spotted 7ev3n asked for a very pricey 13 Bitcoin payout, but with 7ev3n-Hone$t has been reduced to 0.5 or 1 Bitcoin. The new user interface also gave the ransomware makers the ability to offer a variety of payment options and even a discount for those who paid in full.
“The new ransom note offers various payment models (i.e possibility to decrypt half of the files for 60% of the original price) and a 20% discount in case of paying full sum at once. As we can see, the authors learned to be more user-friendly and made a step towards ‘honesty',” Hasherezade noted.
A few minor back-end changes were noted, including giving the victim the ability to decrypt a few files to show that 7ev3n-Hone$t is in control. The program also no longer blocks the entire computer desktop, but the ransom note just overlays it and still allows programs to be accesses, but not see clearly.
However, with CryptXXX the change was on the back end with the latest incarnation now being more resistant to decryption tools. Proofpoint researchers said it issuing decryptable ransomware was an "embarrassing mistake" for its developers.
“We have seen a mix of dramatic changes and minor tweaking depending on the malware variant; however, cybercriminals will modify threats if they are seeing a return on investment—and unfortunately ransomware has been very profitable for them,” Burn said.