
Shade among top three encryptors in Russia; delivered via spam, exploit kits

Researchers at Kaspersky Lab said a family of ransomware Trojans that encrypt files, adding extensions “.xtbl” and “.ytbl,” has quickly joined the ranks of top encryptors in Russia, becoming a member of the top three in less than a year.

Kaspersky researchers dubbed the Trojan Trojan-Ransom.Win32.Shade, noting in a Monday Securelist blog post that they do not know what the encryptor's creator originally named it but that other security firms have detected it as Trojan.Encoder.858 and Ransom:Win32/Troldesh.

The post explained that the Trojan itself, which has mostly infected systems in Russia, Ukraine and Germany, hasn't really evolved but that “the format of the encrypted file's name, the C&C server addresses and the RSA keys have been changing.”


Ransomware note that appears to those infected.

The researchers said that spam messages with a malicious file attached and exploit kits, particularly Nuclear EK, are the two key methods used to deliver the malware. During each mass mailing campaign, the name of the malicious file is changed, although infection by this route can be avoided, of course, by not clicking on the attachment in the first place.

The greater danger comes, the researchers said, when the Trojan is delivered via an exploit kit. In that case, a victim visiting a compromised site—either one that belongs to cybercriminals or a site that has been hacked—is unwittingly infected. The victim typically has no clue that the site is compromised and “malicious code on the website exploits a vulnerability in the browser or a plugin, and the Trojan is then covertly installed in the system,” the post said. “Unlike the spam delivery method, the victim doesn't even have to run an executable file.”

Once the Shade encryptor is in a system, “it connects to a C&C server located in the Tor network, reports the infection and requests a public RSA-3072 key that is subsequently used to encrypt files,” the blog post noted. If that connection fails, the Trojan is not deterred: it draws on one of the 100 public keys in its arsenal and then begins encrypting files.

It uses a static list of extensions, the researchers said, as it scans for objects to encrypt. They warn users to complete an anti-malware scan if they detect the Shade encryptor. Otherwise, “the system will most probably remain infected with several malicious programs downloaded by the encryptor,” the blog post said.
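A triage sketch for the one file-level indicator the post gives, the ".xtbl" and ".ytbl" extensions added to encrypted files. This is an added example, not code from Kaspersky or the Securelist post; the function names and the per-directory summary are assumptions of the example, and an extension match is a lead for scoping, not a substitute for the anti-malware scan the researchers recommend.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

# Extensions the article says Shade adds to encrypted files.
SHADE_EXTENSIONS = (".xtbl", ".ytbl")


def find_shade_files(root):
    """Walk `root` and summarise files carrying a Shade extension.

    Returns {directory: {"count": int, "earliest": datetime, "files": [names]}}.
    The earliest modification time per directory helps bound when
    encryption started there (a triage heuristic assumed by this example).
    """
    summary = defaultdict(lambda: {"count": 0, "earliest": None, "files": []})
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.lower().endswith(SHADE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip, do not abort
            when = datetime.fromtimestamp(mtime, tz=timezone.utc)
            entry = summary[dirpath]
            entry["count"] += 1
            entry["files"].append(name)
            if entry["earliest"] is None or when < entry["earliest"]:
                entry["earliest"] = when
    return dict(summary)


def earliest_hit(summary):
    """Oldest modification time across all hits, or None if nothing matched."""
    times = [e["earliest"] for e in summary.values()]
    return min(times) if times else None


if __name__ == "__main__":
    import sys
    result = find_shade_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, info in sorted(result.items()):
        print(f"{info['earliest']:%Y-%m-%d %H:%M:%S}Z  {info['count']:5d}  {directory}")
    print("earliest encrypted file:", earliest_hit(result))
```

Run it against a mounted copy of the affected volume rather than the live system, so the timestamps it reports are not disturbed by further activity.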
