Ransomware authors appear to be revising some old tactics in a bid to persuade their victims to part with their money, after a new strain of malware was found which locks the user’s screen but does not encrypt files.
Cyphort Labs malware researcher, Paul Kimayong, explained in a blog post that the new family of what it generically dubs “Ransom Locker” malware was discovered after his team followed an infection on a porn site.
This in turn redirected visitors to a RIG exploit kit landing page that served up the ransomware in the form of a malicious flash file and binary.
The final payload locks the victim’s computer and covers the screen with a message from Homeland Security with the usual warning that the user has viewed illegal content and must pay a fine or face criminal liability.
It also includes instructions on how to pay in Bitcoin or Vanilla – a prepaid card from Visa or MasterCard.
The researchers weren’t able to boot it in safe mode for further investigation so they analyzed the memory image offline instead.
Using VirusTotal they found four similar samples in the wild, dating back to the start of February 2016 and with very low detection rates.
Interestingly, Kimayong and his team discovered the malware authors have used VirusTotal themselves to test if their ransomware is detected by heuristics.
“The sample we got is version 0.02a-155. This clearly means it is in the early stage of development,” he wrote.
The malware authors have also made use of the Tor anonymizing network in order to stay hidden from the white hats.
“It’s been a while since we have seen a new family of Ransom Locker in-the-wild, probably due to the success of file-encrypting ransomware such as Cryptolocker, Cryptowall, Locky, etc. Also, Ransom Lockers can be easily cleaned by using ‘rescue discs’ so it was not effective for monetization,” concluded Kimayong.
“However, this new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers. By using Tor, the attacker adds a layer of anonymity while doing its malicious activity. Also, while the attacker has your machine kidnapped, they create a Tor hidden service that allows the attacker to utilize your system for bitcoin payments or other malicious activity.”
The popularity of cryptographic ransomware variants like CryptoLocker has meant earlier “police ransomware” like this has been virtually wiped out.
Trend Micro stats from earlier this year found that crypto-ransomware variants accounted for 100% of UK enterprise infections in February and 99% in January, for example.