Ransomware in the Wild: It’s an Emergency

Pierluigi Paganini
April 12, 2016 by
Pierluigi Paganini

Every week, new ransomware-based attacks are in the headlines. Malware authors are implementing new threats and new features to make these malicious codes even more insidious.

The extortion practice is even more common in the cybercriminal underground; it is a profitable business for criminal gangs worldwide, and the number of attacks is rapidly increasing.

Recently the authorities of the US and Canada issued a joint warning about the recent surge in ransomware infections. According to the Reuters news agency, the FBI has issued a confidential "Flash" message to the businesses and organizations about a recent threat, the Samsam Ransomware, that already targeted several hospitals. The law enforcement Agency shared detailed information about the malware, including the Indicators of Compromise (IoC), that could be used by organizations to monitor their networks for infections.

"The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future," the advisory said.

Among the victims of the Samsam Ransomware, there is the MedStar non-profit group that manages ten hospitals in the Baltimore and Washington area. The bad actors behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files.

The approach of the IT department at MedStar did must be considered as a case study, the organization hasn't paid the Ransom and used its backup to restore the encrypted information.

The IT staff at the MedStar Hospital detected the infection at an early stage and was able to stop the Samsam Ransomware from spreading in the internal network.

This ransomware-based attack demonstrates that a proper security posture could allow victims to detect early the threat and respond in the right way in a short time.

Data backups are necessary for the incident response, in both cases of accidental losses or damages caused by a cyber attack.

Security experts at Trend Micro believe this year will be remembered for the number of ransomware-based attacks on the enterprise. According to data published by the company, the number of infections among UK firms in February 2016 alone far exceeded the figures for the first six months of last year.

In Q1 2016, there was more than triple the infection count for Q1 2015, CyrptoWall and CryptoLocker were the threats that caused the greatest monetary losses for the organizations.

In the UK, the impact of ransomware is particularly serious also for the SMBs, and the situation will worsen.

"There were more UK SMB ransomware infections in February this year than in the first three-quarters of 2015 combined. In fact, the UK's share of global ransomware has jumped from 1% at the end of 2014 to almost 5% as of February 2016, with the biggest spike coming this year," states Trend Micro.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Cryptowall 4.0 and TeslaCrypt 4.0, the classics

When dealing with ransomware, the most popular threats belonging to this specific category of malware are CryptoWall and TestlaCrypt. Both ransomware are still causing problems in the wild; their code is evolving thanks to the contribute of several criminal crews in the cybercriminal underground.

In November 2015, security experts at Bitdefender discovered Cryptowall 4.0, which has been developed by Russians coders. The experts came to this conclusion through evidence collected during their investigations, for example, the servers used for spreading the threat through spam messages were located in Russia, and the Javascript used as a vector was downloading the CriptoWall 4.0 payload from a Russian server.

The malware researchers also confirmed that encryption algorithm used to encrypt the victim's files is the unbreakable AES 256, and the key is encrypted using RSA 2048.

Most Cryptowall 4.0 infections were observed in France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines.

Figure 1 - Cryptowall 4.0

Another element that suggests the Russian origin of the threat is that it doesn't infect computers using the Russian language.

"Cryptowall 4.0 spam servers are located in Russia, according to the Javascript-written malware downloads the CriptoWall component from a Russian server." states the post published by Bitdefender.

The Cryptowall 4.0 implements some new features such as the encryption of the names and extensions of affected files. Additionally, CryptoWall 4.0 has changed the name of its ransom notes to HELP_YOUR_FILES.TXTand HELP_YOUR_FILES.HTML.

The ransom note itself contains payment instructions and also mocks the infected user.

The new variant was spread through spam messaged and also exploit kits, especially the Angler EK and the Nuclear EK.

The discovery was made by Brad Duncan, a security researcher at Rackspace, who explained that it is the first time that the new CryptoWall 4.0 ransomware is spread by using the an exploit kit. Duncan confirmed that samples of the CryptoWall 4.0 ransomware have been spotted in the wild since 2 November.

"Earlier this month, the BizCN gate actor switched IP addresses for its gate domains to  Also, as early as Friday 2015-11-20, this actor started sending CryptoWall 4.0 as one of its malware payloads from the Nuclear exploit kit (EK).  Until now, I've only associated CryptoWall 4.0 with malicious spam (malspam).  This is the first time I've noticed CryptoWall 4.0 sent by an EK." wrote Duncan. "Until now, I haven't noticed CryptoWall 4.0 from any EKs. And now I've only seen it from the BizCN gate actor."

In January, the experts at Bitdefender confirmed that operators behind the Nuclear EK added the CryptoWall 4.0 to their crimeware kit.

In October 2015, experts at Cisco Talos Group has performed in-depth research on the threat actors behind the Angler Exploit Kit and even had behind-the-scenes access.

Talos gained an inside view of one of the health monitoring servers utilized by an Angler Exploit Kit instance active throughout the month of July 2015. This single server was seen monitoring 147 proxy servers, allegedly generating approximately $3 million in revenue over the span of that single month of July.

Additionally, Talos has determined that this single Angler instance is (or was) responsible for half of all Angler activity that they observed and is likely generating more than $30 million annually. Furthermore, this revenue was generated by the distribution of Ransomware.

Figure 2 - Ransomware infections (Talos Team)

In November, security experts noticed another Exploit Kit, the Nuclear exploit kit,  has been used to serve the ransomware CryptoWall 4.0.

The inclusion of the CryptoWall 4.0 to the Angler EK demonstrates the capability of cybercriminals to follow the evolution of threats and the efficiency of their operations.

Teslacrypt is another infamous ransomware that is arrived at the fourth version. According to the experts at Heimdal Security, Teslacrypt 4.0 implements new functionalities and is more stable of previous variants; its authors fixed various bugs, including one related to encryption of large data files.

In the previous variants, files larger than 4 GB would get permanently damaged when the ransomware tried to encrypt them.

Teslacrypt 4 used RSA 4096 for data encryption to make impossible to recover the encrypted files.

"Consequently, the encrypted data will be impossible to recover, which can determine information loss if the victim doesn't have a backup for the affected data." states a report published by Heimdal Security.

Cyber criminals spread the threat through drive-by attacks leveraging on the Angler exploit kit, a few weeks after its first detection in the wild, the researchers blocked more than 600 domains hosting the Angler EK in just one day. It has been estimated that the daily average of domain spreading Angler EK blocked by the security firms will reach soon 1200 domains per day, on average.

Figure 3 - TeslaCrypt 4.0 (Heimdal Security)

Teslacrypt 4 is also able to harvest user's data, including the "MachineGuid", "DigitalProductID" and "SystemBiosDate".

Experts at Heimdal Security have published the following Indicators of Compromise for the Teslacrypt 4.0:

%UserProfile%DesktopRECOVER[%5 random signs%].html

%UserProfile%DesktopRECOVER[%5 random signs %].png

%UserProfile%DesktopRECOVER[%5 random signs %].txt

%UserProfile%Documents[random file name].exe


TeslaCrypt 4 also creates the following value in the registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun_[random name] C:WindowsSYSTEM32CMD.EXE /C START %user account%Documents[random name].exe

The current list of Teslacrypt 4 Control & Command servers is:







Also in this case, the new variant of TeslaCrypt demonstrates that the threat is rapidly evolving, that first sample was detected in March 2015, meanwhile the version 2.o appeared in the wild in July 2015 and the TeslaCrypt 3.0 in January 2016.

What's new in Q1 - 2016?

The first malware detected in the wild in 2015 is Ransom32, a new crypto-ransomware variant that was first spotted on December 29th, 2015 by the experts at the Bleeping Computer forums. It is the first strain of ransomware developed in the JavaScript scripting language.

Additionally, Ransom32 joins a group of Ransomware-as-a-Service (RaaS) offerings that have become more and more common throughout 2015.

Ransom32 utilizes AES encryption with a 128-bit key using a CTR block mode to encrypt all supported files that it enumerates.

The malware generates a new key for every supported file that is enumerated; these keys are then encrypted using the RSA algorithm with a public key that was obtained from its Command-and-Control (C2) Server during the initial communications between the C2 server and the infected host.

Affected files contain both an encrypted version of the file's data along with the now-encrypted AES key that was used to compromise the original file data.

Ransomware is not a prerogative of Desktop machines, at the end of January security experts at Symantec discovered a new strain of Android ransomware called Lockdroid (Android.Lockdroid. The mobile ransomware it can lock the device, change the PINs, encrypt user data, and perform other operation including fully wiping data forcing a factory reset.

Lockdroid is also able to prevent victims from uninstalling it, even through the command line interface.

Lockdroid uses the clickjacking technique to become device administrator; the method works only in versions before 5.0 Lollipop that doesn't prevent dialog messages from displaying over the system permission dialog.

It poses as an application for viewing adult content that displays a fake "Package Installation" window that tricks users into giving administrator privileges to launch malicious operations.

The Lockdroid ransomware displays a TYPE_SYSTEM_ERROR window on the highest layer on the screen to hide the call to the device administrator requesting API after the user clicks the "Continue" button it displays a fake "Unpacking the components" dialog. The malware waits a few seconds without doing anything, then it displays a final "Installation is Complete" dialog, in this case, it uses a TYPE_SYSTEM_OVERLAY window to hide the window that asks for the activation of administrative privileges.

Figure 4 - Lockdroid uses the clickjacking technique (Symantec)

When the device is infected, users will be prompted to pay a ransom, threatened by the loss of the encrypted data and the submission of the user's browsing history to all their contacts.

Experts at Symantec observed that the ransomware uses the clickjacking technique to perform other activities, including root permission management on rooted devices.

In February, another threat appeared in the wild, its name is Locky Ransomware and was discovered by experts at BleepingComputer.

Locky uses the AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped, it also deletes all of the copies of documents in the Shadow Volume, making impossible to restore documents.

The Locky ransomware spreads via malicious emails with Word document attachments that pretend to be an invoice, but that includes malicious macros used to download the malware from a remote server and execute it.

The Locky ransomware encrypts files renaming them to [unique_id][identifier].locky, where the unique ID and other information are embedded at the end of the encrypted file.

On February 2016, the experts at BleepingComputer reported a new strain of malware belonging to the family of CTB-Locker Ransomware (aka Critroni) that specifically targets websites and defaces them to convince victims to pay the ransom. The new variant of the CBT-Locker most infected WordPress sites.

Crooks behind the threat request a payment of 0.4 BTC to restore encrypted data if victims don't pay within a timeslot the ransom amount increase to 0.8 BTC.

"This is a big month for CTB Locker as they have reinvented themselves by releasing a new variant that I have dubbed "CTB-Locker for Websites" that only targets and encrypts websites. Furthermore, this month CTB-Locker for Windows has also seen an increased distribution, but is still not nearly as active as other ransomware infections such as TeslaCryptCryptoWall, and Locky. " states a post published on BleepingComputer.

The authors of the new CTB Locker allow administrators operating the infected websites to unlock for free two files chosen by the random generator as a proof of decryption key works.

The threat encrypts almost all types of file extensions using the AES-256 algorithm and generates a unique ID for each infected website.

Once the ransomware gains the control of the website, it submits two different AES-256 decryption keys to the affected index.php.

Figure 5 - CTB Locker - BleepingComputer

A first key would be used to decrypt any two random files for free under the name of "test."

The second decryption key would be the one to use to decrypt the remaining files once the victim has paid the ransomware.

Another feature implemented by the author of the CTB-Locker for websites is a feature that allows victims to exchange messages with the crooks behind the ransomware.

Figure 6 - CTB-Locker internal chat

Are you a Mac user? Do you believe to be immune to ransomware? You are wrong, over time, some threats have targeted Apple users.

The last Mac ransomware in order of time was discovered in March by the experts at Palo Alto Networks Unit 42. The researchers discovered a malicious campaign that was targeting Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client. The software was infected with a new family of Ransomware that was specifically designed to target OS X installations.

"On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware KeRanger." states the report published by Palo Alto Networks.

The researchers named this new Ransomware family KeRanger; they also released a technical analysis of the malware.

According to the report, users who have directly downloaded Transmission installer from the official website in a specific time interval may be been infected by KeRanger MAC OS X ransomware.

"Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger."

The Transmission Project promptly removed the malicious installers on Saturday (March 5), and it is urging its users to update to the latest version (2.92).

The experts discovered that the malware was embedded within the Transmission DMG file itself, the author of the KeRanger malware also signed the installer with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.Ş., a holding company in Istanbul, to bypass security measured implemented by the Apple's Gatekeeper.

The experts noticed that authors have used hidden services to masquerade the command and control infrastructure, once infected a machine the KeRanger MAC OS ransomware will wait three days before contacting a Command & Control server. Below the list of services in the Tor network used in the by the ransomware.

  • lclebb6kvohlkcml.onion[.]link
  • lclebb6kvohlkcml.onion[.]nu
  • bmacyzmea723xyaz.onion[.]link
  • bmacyzmea723xyaz.onion[.]nu
  • nejdtkok7oz5kjoc.onion[.]link
  • nejdtkok7oz5kjoc.onion[.]nu

Once the ransomware has contacted the server, it starts encrypting documents having more than 300 different extensions, but it is not able to do it without making the initial contact to C&C servers.

When the files are encrypted, the KeRanger MAC OS ransomware demands $400.00 USD to the victims

The researchers suspect that the KeRanger MAC OS ransomware is still under development, in fact, they noticed the malware doesn't encrypt Time Machine backup files, but the analysis of the code revealed that the is code to perform this action is already present in the malware, but it is still not active.

In March, experts at Trend Micro spotted a new singular threat dubbed Petya (RANSOM_PETYA.A) that overwrites MBR to lock users out of the infected machines.

The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR and leaves a ransom note at system startup.

Petya overwrites the MBR of the hard drive causing Windows to crash when the victim tries to reboot the PC; it will impossible to load the OS, even in Safe Mode.

Users turning on the computer are displayed a flashing red and white screen with a skull-and-crossbones instead.

Figure 7- Petya Ransomware screen

"As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing The Blue Screen of Death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads." states the post published by Trend Micro.

"Imagine turning on your computer and instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead."

Another interesting aspect of the Petya is the delivery mechanism used by crooks that relies on legitimate cloud storage services like Dropbox.

Victims would receive an email that appears to be from an applicant seeking a position in a company; it includes a link to a Dropbox folder that contains its alleged CV.

The experts explained that for one of the samples they analyzed, the Dropbox folder was containing contains two files, a self-extracting executable file that purports to be the CV, and a photo of the applicant.

The self-extracting executable is used to serve a Trojan onto the victim's machine, the malware first disables any antivirus programs installed, then downloads and executes the Petya Ransomware.

In the following image are reported the instructions provided by the Petya ransomware to the victims to pay the ransom and restore the encrypted files.

The instruction includes a link to the Tor Project and how to download the Tor Browser to visit a page where to purchase the decryption key to restore the data.

Figure 8 - Petya ransomware

The crooks behind the Petya ransomware request the payment of 0.99 Bitcoins (nearly US$430),   but the price would be doubled if the payment is not completed within a deadline.

In March, the experts at Carbon Black spotted in the wild a new threat dubbed PowerWare ransomware that exploits the native Windows framework PowerShell.

PowerWare is a fileless ransomware that is spread using spam messages, including a Word document attachment purporting to be an invoice. The attackers use an old trick to convince victims in enabling the macros; they request to enable macros to view the document correctly.

The macros run the cmd.exe which launches the PowerShell, the native Windows framework that uses a command-line shell to perform several tasks.

The use of PowerShell allows the ransomware to avoid writing files to the disk and make hard the threat detection. It also allows the ransomware to encrypt files on the victim's PC.

The PowerShell ransomware requests victims to pay a $500 ransom to restore the encrypted files. Also, in this case, the ransom doubles if the victims don't respect the deadline.

March closed with the discovery of the KimcilWare ransomware made by security experts from the MalwareHunterTeam. The threat has been specifically designed to target Web servers, and more specifically Magento e-commerce platforms.

"A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution.  It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using  a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them.  Unfortunately, at this time there is no way to decrypt the data for free." states a blog post published on BleepingComputer.

The KimcilWare ransomware encrypts the files on the Magento platform; it is easy to recognize because it appends the ".kimcilware" extension at the end of each file rendering the store useless.

Figure 9 - Files encrypted by the KimcilWare ransomware (BleepingComputer)

The malware also uses its index file to publish a black page that informs the victims that the server had been encrypted.

Figure 10 - Ransomware Index Page

Of course, the e-commerce platform becomes useless once the malware has encrypted all the files. Experts believe that the KimcilWare ransomware is in its early stages, but that it might rapidly evolve.

Ransomware Description



Written in JavaScript scripting language.

Offered as Ransomware-as-a-Service (RaaS)


It uses the clickjacking technique

clickjacking method works only in versions before 5.0 Lollipop



Locky uses AES encryption algorithm to encrypt both local files and files on network shares.

It spreads via malicious emails with Word document attachments embedding malicious macros used to download the threat.

CTB-Locker for Websites

It targets websites defacing them.

It uses the AES-256 algorithm.

Victims can exchange messages with the crooks using internal chat.



Mac Ransomware

It was targeting Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client.

It is interesting to note that the ransomware is not able to start the encrypting process without making the initial contact to C&C servers.

Installer signed with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.Ş

Petya Ransomware

Petya overwrites the MBR of the hard drive causing Windows to crash.

Another delivery mechanism relies on legitimate cloud storage services like Dropbox.


It exploits the native Windows framework PowerShell.

It is a fileless malware.

KimcilWare KimcilWare Ransomware targets Magento Platforms

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.


The number of cyber attacks relying on ransomware will continue to increase, malware authors and criminal gangs will use new threat and new techniques to maximize their efforts.

Recently security experts at Proofpoint discovered a hacking campaign managed by a cyber gang named TA530 group that has been targeting executives in an attempt to infect their machine with various malware, including ransomware.

Spear-phishing attacks are usually launched for espionage purposes. However, the adoption of these techniques in the criminal field contributed increasing their effectiveness and demonstrated that cyber criminals are evolving their methods in an unpredictable way.



Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.