A Monthly Overview of Ransomware in 2016

Over the course of 2016 we saw a massive rise in Ransomware, which became the number one security concern for companies last year. Here is a month-by-month overview of the year, even though Locky ruled and was the most troublesome family throughout.

January – CryptoJoker

In January, a new form of CryptoLocker was discovered, called CryptoJoker. CryptoJoker was discovered a month before Locky and used the same spreading vector, email. CryptoJoker disguised itself as a PDF in phishing campaigns. Once CryptoJoker infected a host, it would download multiple executable files, encrypt all of the host’s files with AES-256 encryption and delete the Shadow Volume Copies. CryptoJoker changes the extension of the infected files on the host to .crjoker. Zepko are not aware of any free decryption tools at this moment in time.

February – Locky

Locky made quite a name for itself in 2016, having first been seen in the wild in February 2016. When it was first seen, Locky was encrypting its victims’ files with the .locky extension, but it has since been seen encrypting files with various other file extensions. As mentioned previously, Locky was distributed predominantly through email phishing campaigns. Within the first month, Locky was estimated to have been sent out to about half a million users. Throughout 2016, Locky’s authors, ‘Necurs’, released new versions of Locky, including ‘Zepto’ and ‘Odin’ in September. After that, Locky and its variants seemed to have dropped off. The latest versions and their variants cannot be decrypted at this time.

March – Cerber

Cerber is named after the Greek mythological creature Cerberus, a three-headed dog often called the hound of Hades, which guards the gates of the Underworld. What makes Cerber different from other ransomware is how it uses its Command and Control (CnC) servers. Usually malware aims to remain undetected; Cerber, however, is not ‘quiet’. Cerber sends multiple UDP requests to whole net-blocks, which is highly detectable network traffic. Cerber’s file extension is usually .cerber, and it replaces the filename completely with a random ten-character string. There are decryption tools for version one of Cerber, but not for the latest versions.
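Cerber’s noisy UDP behaviour lends itself to a simple network detection. The following is an added example, not code from the original post: it flags any source that sends UDP to many distinct hosts inside one net-block within a short window, run over constructed flow records (the addresses, port, window size and threshold are assumptions).

```python
import ipaddress
from collections import defaultdict

def make_sample_flows():
    """Constructed flow records, not from the original post: (ts_seconds, src, dst, proto, dport)."""
    flows = []
    # An infected host sweeping every address of a /24 over UDP, the noisy behaviour described above
    for i in range(1, 255):
        flows.append((i // 10, "10.0.0.5", f"198.51.100.{i}", "udp", 10000))
    # A clean host making ordinary DNS queries to a single resolver
    for i in range(60):
        flows.append((i, "10.0.0.7", "10.0.0.1", "udp", 53))
    # The same clean host talking to a few web servers over TCP (ignored by the rule)
    for i in range(1, 6):
        flows.append((i, "10.0.0.7", f"203.0.113.{i}", "tcp", 443))
    return flows

def udp_netblock_fanout(flows, prefix=24, window_s=60, threshold=50):
    """Count distinct UDP destinations per (source, /prefix net-block, time window).

    Returns {(src, netblock, window_index): distinct_destination_count} holding only
    the entries above `threshold`. Fan-out across one net-block is the traffic
    pattern the text describes for Cerber; normal UDP use (DNS, NTP) talks to a
    handful of servers and never trips it.
    """
    seen = defaultdict(set)
    for ts, src, dst, proto, _dport in flows:
        if proto.lower() != "udp":
            continue
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        seen[(src, str(net), ts // window_s)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items() if len(dsts) > threshold}

def flagged_sources(flows, **kwargs):
    """Source addresses that triggered the fan-out rule."""
    return {key[0] for key in udp_netblock_fanout(flows, **kwargs)}

if __name__ == "__main__":
    for (src, net, win), count in udp_netblock_fanout(make_sample_flows()).items():
        print(f"{src} -> {net}: {count} distinct hosts in window {win}, possible Cerber-style UDP sweep")
```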

April – CryptXXX

CryptXXX first appeared in April 2016, along with other malware being pushed out by the Angler Exploit Kit (EK). CryptXXX’s code base seemed rushed: soon after its release, Kaspersky cracked it and supplied a decryption tool for the Ransomware. The authors replied with an updated version in May, but again Kaspersky soon found a solution. The ransomware authors had another attempt and released a third version in June. This third version lasted until December, when it was cracked again.

Furthermore, Jigsaw Ransomware was seen for the first time in April. Jigsaw can now be decrypted as well.

May – TeslaCrypt

Even though TeslaCrypt has been around since February 2015, a very interesting thing occurred in May 2016. The authors of TeslaCrypt released the master decryption key, which allowed malware researchers to develop a decryption tool for the Ransomware. A decryption tool called TeslaDecoder may decrypt files encrypted by TeslaCrypt.

June – SilentShade

SilentShade encrypts files using AES-256 and changes the file extension to .silent. The ransom note is written in both English and Russian and is usually called Hacked.txt. The Ransomware also drops another file called YourID.txt, containing a unique ID used by the threat actor to determine who has paid the ransom.

July – Chimera

Although Chimera was first released in October 2015, the ransomware’s keys were leaked by rival malware developers in July 2016. The threat actors behind Petya (first seen in March 2016) and Mischa reverse engineered Chimera to gain access to its decryption keys and then released them to the public. It was estimated that 3,500 RSA private keys were released on to pastebin.com. At this time the Chimera threat actors were offering their variants as Ransomware-as-a-Service (RaaS), allowing anyone to distribute the malware as their own. However, a free decryption tool does exist.

August – FSociety

The hacker group FSociety, inspired by the TV series Mr. Robot, developed their own Ransomware based on a variant of EDA2; it uses the file extension .locked. In August there was no active FSociety Ransomware in the wild, as the Ransomware was still in its production stages. It was not until early October that a full version was actually released into the wild.

September – Mirai

Mirai translates as ‘the future’ in Japanese; although not Ransomware, it was still a predominant part of 2016 InfoSec. Mirai is a Botnet that only targeted Linux hosts. However, recently, in early February 2017, Mirai was given an upgrade to target the Windows operating system as well. The Botnet’s largest attacks have been on ‘Krebs on Security’, the French hosting provider ‘OVH’ and the DNS service provider ‘Dyn’, which in turn caused downtime for major websites such as Netflix, Twitter, Reddit, GitHub and others.

October – CryPy

CryPy’s name is a combination of ‘crypto’ and ‘python’, Python being the language the Ransomware is written in. CryPy is unique in that it makes a call to its CnC every time it seeks to encrypt a new file. The ransomware also steals its victim’s data. Another interesting point about CryPy is that it can set a separate ransom per encrypted file; because of this it doesn’t need RSA encryption, as the one-time key is stored on the server. CryPy appends ‘CRY’ to the start of infected file names and changes the file extension to ‘.cry’. Zepko are not aware of any free decryption tools at this moment in time.

November – Dharma

Dharma was released in November 2016, a few days after the master decryption keys for CrySiS, its earlier variant, were released. Dharma renames its victims’ files with the email address of the threat actor and changes the extension to .dharma or .wallet. All of the email addresses follow the format [something]@india.com. At the time of writing this article, Dharma cannot be decrypted.

December – GoldenEye

GoldenEye is essentially a rebrand of Petya and Mischa combined and was first seen in December. The combination has had a lot of revamps, GoldenEye being the fourth version. GoldenEye’s spreading vector is predominantly phishing campaigns, targeting mainly German-speaking countries. The Mischa part encrypts every file on the victim’s machine, while the Petya part pretends to run a CHKDSK but in reality is encrypting the Master File Table (MFT).
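Several of the entries above name the extensions, filename patterns and ransom notes each family leaves behind (CryptoJoker, Locky, Cerber, SilentShade, FSociety, CryPy and Dharma). As an added example, not code from the original post, the following scans constructed file-creation events for those indicators and flags a host once it produces several matching files inside one time window; the hostnames, paths, window size and threshold are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the overview above; thresholds and sample data below are assumptions
EXTENSION_FAMILY = {".crjoker": "CryptoJoker", ".locky": "Locky", ".cerber": "Cerber",
                    ".silent": "SilentShade", ".locked": "FSociety", ".cry": "CryPy",
                    ".dharma": "Dharma", ".wallet": "Dharma"}
RANSOM_NOTES = {"hacked.txt": "SilentShade", "yourid.txt": "SilentShade"}
CERBER_STEM = re.compile(r"^[A-Za-z0-9_-]{10}$")   # Cerber replaces the name with a random 10-char string
DHARMA_MAIL = re.compile(r"@india\.com", re.I)     # Dharma puts a [something]@india.com address in the name

def classify(path):
    """Map one created/renamed file path to a family named in the overview, or None."""
    p = PureWindowsPath(path)
    if p.name.lower() in RANSOM_NOTES:
        return RANSOM_NOTES[p.name.lower()]
    family = EXTENSION_FAMILY.get(p.suffix.lower())
    if family == "Cerber" and not CERBER_STEM.match(p.stem):
        return None
    if family == "Dharma" and not DHARMA_MAIL.search(p.stem):
        return None
    if family == "CryPy" and not p.name.startswith("CRY"):   # CryPy prepends 'CRY' to the name
        return None
    return family

def detect(events, window_s=120, threshold=5):
    """events: iterable of (ts_seconds, host, path). Returns {(host, family): count} for
    hosts that produced more than `threshold` matching files inside one time window."""
    counts = Counter()
    for ts, host, path in events:
        family = classify(path)
        if family:
            counts[(host, family, ts // window_s)] += 1
    hits = {}
    for (host, family, _w), n in counts.items():
        if n > threshold:
            hits[(host, family)] = max(n, hits.get((host, family), 0))
    return hits

def make_sample_events():
    """Constructed file-creation events (ts, host, path), not taken from the original post."""
    ev = [(i, "WS01", rf"C:\Users\alice\Docs\report{i}.docx.locky") for i in range(8)]
    ev += [(i, "WS02", rf"C:\Users\bob\Docs\{i:010d}.cerber") for i in range(6)]
    ev += [(i, "WS03", rf"C:\Users\carol\Docs\q{i}.xlsx.silent") for i in range(5)]
    ev += [(9, "WS03", r"C:\Users\carol\Docs\Hacked.txt"), (9, "WS03", r"C:\Users\carol\Docs\YourID.txt")]
    ev += [(3, "WS04", r"C:\Users\dave\Docs\notes.locked"),    # a single file: stays below threshold
           (4, "WS04", r"C:\Users\dave\Docs\summary.cry")]     # .cry without the CRY prefix: ignored
    return ev

if __name__ == "__main__":
    for (host, family), n in sorted(detect(make_sample_events()).items()):
        print(f"{host}: {n} files matching {family} indicators")
```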