Category Archives: ransomware

Karmen – Ransomware-as-a-Service keeping Bizet*

Ransomware-as-a-Service derived from Hidden Tear, sold by DevBitox on the dark web.

Analysis by Recorded Future: Karmen Ransomware Variant Introduced by Russian Hacker

Recorded Future on Hidden Tear

Commentary by John Leyden for The Register: Profit with just one infection! Crook sells ransomware for  – Nifty dashboard shows the bitcoin rolling in

*Carmen (the opera)

David Harley

Ransomware Timeline

I’m not really in a position to track and write about every development in the world of ransomware. (Rather, I’ve concentrated on information on specific families and pointers to useful information and advice.) 

If a regular timeline is of use to you, though, David Balaban contacted me about his Ransomware Chronicle, which tersely flags ‘New ransomware released’, ‘Old ransomware updated’, ‘Ransomware decrypted’ and ‘Other important events’. No links to further information, though, at time of writing. He also provides ransomware reports for Tripwire’s State of Security blog. 

David Harley

RanRan: Ransomware, Politics and Extortion

An interesting if somewhat niche ransomware analysis from Unit 42: Targeted Ransomware Attacks Middle Eastern Government Organizations for Political Purposes

Falcone and Grunzweig say: ‘The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.’

David Harley

Bummer for Dharma: Decrypter On The Road*

It seems that it’s now possible to decrypt Crysis-encrypted files that have the .dharma extension: Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com.

ESET has updated its Crysis decryptor to take advantage of the newly-released keys. Kaspersky has done the same with its Rakhni decryptor. I imagine others will do the same, if they haven’t already.

David Harley

*The Dharma Bums is a novel by Jack Kerouac. And On The Road is another. Sorry, I couldn’t resist.

Patcher/Filezip/Filecoder – data recovery and naming

Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.

Note that both Reed and Cluley sometimes refer to the malware simply as FileCoder. This is potentially misleading: ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, but ‘Filecoder’ is the generic label the company applies to crypto-ransomware in general, so the full name ‘OSX/Filecoder.E’ is needed to distinguish it from the many other, unrelated ransomware families that ESET also detects under the Filecoder name.

David Harley

Lockdroid’s text-to-speech unlocking

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of text-to-speech (TTS) functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. His article is based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

David Harley

Kaspersky researcher on Russian ransomware ecosystem

Anton Ivanov for Kaspersky: A look into the Russian-speaking ransomware ecosystem.

He says:

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals.

And:

While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

Good article.

David Harley

LogicLocker PoC ICS ransomware

Not an attack in the wild but a proof-of-concept simulation: ransomware that locks programmable logic controllers (PLCs), developed at the Georgia Institute of Technology and making a big splash at RSA.

David Harley