Ransomware rampant, but chinks found in its armor

To say that a day does not pass without a ransomware attack being perpetrated upon an organization somewhere in the United States is no hyperbolic statement.

On April 28 the FBI issued a specific warning to Americans on ransomware, and on the same day the security research firm Proofpoint reported it had recently found three more ransomware variants, CryptFlle2, Br Locker, ROI Locker and MM Locker, operating in the wild. However, there is a silver lining in this storm cloud. Not all ransomware is created equal, and while the majority is effective, researchers have found a few variants with major flaws that allow the victim to take back their files without paying a dime.

That isn't to say some people are not being forced to pay. The FBI reported that the number of ransomware complaints in 2015 grew to 2,400 with a reported loss of $24 million, compared to about 1,800 complaints filed in 2014 resulting in a loss of more than $23 million.

Andy Feit, who leads Check Point Software Technologies' Threat Prevention segment, said that the amount paid that has been made public is just the tip of the iceberg and a “small percentage of those who actually paid.” He also said the situation is going to get worse before it gets better.

“There was a big uptick in ransomware starting late last year and one of the reasons is the ease of doing one of these attacks is the primary reason,” he said.

Previously, banks were targeted by malware or the bad guys tried to trick bank customers into visiting fake websites so their banking credentials could be stolen and then used to take their money from the bank itself.

“But with phishing you just need one click,” Feit said.

The FBI suggested organizations take several preparatory steps that could be implemented in case of an attack, such as backing up data, adding security measures and not opening suspicious emails.

But while these steps may or may not be acted upon, the bad guys are not sitting still, sending out a steady stream of new ransomware.

Proofpoint's new additions were all spotted in March and April, each of which added a little something new to the genre.

CryptFlle2, found in March, is apparently quite effective. It is delivered by the Nuclear and Neutrino exploit kits; the files are encrypted using RSA and a Bitcoin payment is demanded for the key.

MM Locker was found in early March. Proofpoint noted that while the malicious software itself was conventional, its operators went to great lengths to browbeat the victim into paying through a very long ransom note.

ROI Locker, found in early April, also comes with an interesting ransom note that sympathizes with the victim while also demanding 0.322 Bitcoins, about $136, be sent to have the files released.

“This is unfortunate although for a small fee all your Files [sic] will be returned to their original location as if nothing ever happened.”

Br Locker, discovered on April 18, is targeting Russian speakers and its lock screen is written in that language. Unlike most other attacks it does not ask for a Bitcoin payment, but instead that 1000 rubles, around $15, be sent to a “Beeline” phone number. Beeline is a popular Russian mobile phone service provider. Proofpoint did note that Br Locker not only locks up the computer, but also appears capable of encrypting its files using AES.

ROI Locker is spread through a rogue website and uses a uTorrent installer. After installing itself, the software moves the captured files into a RAR archive, which is a data container. The ransomware then creates an app that spawns the ransom note, but here a glitch appears.

“Due to the way in which this process is carried out, the password to the RAR archive can be found in clear-text in the victim machine's memory. Additionally, it is important to note that a decrypter has been made publicly available for this ransomware, and can be found with additional details at BleepingComputer,” Proofpoint wrote.

Researchers at ESET have also come across some faulty ransomware. Petya and Jigsaw each have implementation flaws that enable victims to get their files back without paying a ransom, wrote Ondrej Kubovič, ESET security evangelist.

Kubovič found that Petya does not encrypt the files themselves, only the file table. This shortcut allows users to regain access to their files by using one of the publicly available recovery tools.
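The file-table shortcut is easier to see in code. What follows is an added example, not ESET's analysis and not Petya's actual on-disk format: it builds a constructed toy disk image with a small file table in front of the data blocks, garbles only the table (XOR with a repeating key stands in for the real cipher), and then shows that a signature-based carver still recovers the files whose contents were never touched. The layout, the header/trailer signatures, the sample files and the key are all assumptions made for this demonstration.

```python
import struct

# Constructed toy disk layout, an assumption for this example (not NTFS, not Petya's format):
#   [ file table: TABLE_ENTRIES records of (name[16], data_offset u32, length u32) ]
#   [ data blocks, laid out back to back after the table ]
TABLE_ENTRIES = 4
ENTRY_FMT = "<16sII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 24 bytes per record
TABLE_SIZE = TABLE_ENTRIES * ENTRY_SIZE      # 96 bytes for the whole table

# Header/trailer pairs a carving tool searches for (real PNG and PDF markers)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed sample files; the .txt file deliberately has no magic header
SAMPLE_FILES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n<constructed png body>IEND\xaeB`\x82"),
    ("report.pdf", b"%PDF-1.4\n<constructed pdf body>\n%%EOF"),
    ("notes.txt", b"plain text has no magic header, so a carver cannot find it"),
]


def build_image(files):
    """Write the file table followed by the file contents; return the whole image."""
    assert len(files) <= TABLE_ENTRIES
    table, data, offset = b"", b"", TABLE_SIZE
    for name, content in files:
        table += struct.pack(ENTRY_FMT, name.encode(), offset, len(content))
        data += content
        offset += len(content)
    return table.ljust(TABLE_SIZE, b"\0") + data


def read_via_table(image):
    """Normal access path: locate each file through its table record."""
    files = {}
    for i in range(TABLE_ENTRIES):
        raw_name, offset, length = struct.unpack_from(ENTRY_FMT, image, i * ENTRY_SIZE)
        name = raw_name.rstrip(b"\0").decode("ascii", errors="replace")
        if name:
            files[name] = image[offset:offset + length]
    return files


def scramble_table(image, key):
    """Simulate the shortcut: damage only the table and leave every data block intact.
    XOR with a repeating key stands in for the real cipher; applying it twice restores."""
    table = bytes(b ^ key[i % len(key)] for i, b in enumerate(image[:TABLE_SIZE]))
    return table + image[TABLE_SIZE:]


def carve(image):
    """Recover files by header/trailer signature without consulting the table."""
    recovered = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head))
            if end < 0:
                break
            end += len(tail)
            recovered.append((kind, image[start:end]))
            pos = end
    return recovered


if __name__ == "__main__":
    image = build_image(SAMPLE_FILES)
    damaged = scramble_table(image, b"\x5a\xa5\x3c")   # constructed key
    print("via table, intact:  ", sorted(read_via_table(image)))
    print("via table, damaged: ", sorted(read_via_table(damaged)))
    print("carved from damaged:", [(k, len(d)) for k, d in carve(damaged)])
```

With the table garbled, the normal lookup path returns garbage, yet the carver pulls the PNG and the PDF back out byte for byte because their contents were never encrypted. The plain-text note is the limit of this approach: carving only finds files with a recognisable signature, which is why the data blocks being intact matters but is not by itself a complete recovery.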

Jigsaw, which takes its name from the horror flick Saw, tries to use fear as a tactic to push its victims into paying by saying that for each hour that payment has not been received, a certain number of files will be permanently deleted.

However, looking into the ransomware code, ESET researchers found that Jigsaw is poorly implemented: it uses the same static key for every encryption. A decryption tool is already publicly available for users, Kubovič said.

Kevin Epstein, vice president of the threat operations center at Proofpoint, said that finding flaws in malware is neither unusual nor unexpected.

"Coding is hard. The same challenges that can lead to inadvertent flaws in legitimate software also plague attackers -- we see errors in malicious campaigns on a daily basis, ranging from merge mistakes that prevent email from reaching targets, to malformations in headers that effectively neuter malware payloads, to simple typos that foil schemes that would have netted tens to hundreds of millions of dollars (as was the case in the Bangladeshi SWIFT attack). Unfortunately, these missteps still only represent a fractional percent of overall attack volume," he said.

Updated with Kevin Epstein's quote.
