AhnLab Security Center


Ransomware Trends in the 1st Quarter of 2016


Starting with CryptoLocker, discovered in August 2013, and continuing to Locky, which has been massively distributed through spam mail since the beginning of 2016, ransomware has gained worldwide notoriety. 


AhnLab released a report on “Ransomware Trends in the 1st Quarter of 2016,” analyzing 13 kinds of ransomware that have been discovered in the first quarter of this year. 


This report explains notable features of ransomware discovered in the first quarter of 2016. 

▶ Download the report to read more about ransomware trends 



Highlights 1: Most Rampant Ransomware

1. Ransom32 written in JavaScript 

The so-called Ransom32 is the first ransomware to be written in JavaScript. 


2. CryptoJoker distributed via phishing email

CryptoJoker uses the AES-256 encryption algorithm and is distributed via phishing email. 


3. LeChiffre that launches remote attacks

Unlike other malware or ransomware, LeChiffre searches for vulnerable systems and connects to them remotely to launch its attack. 


4. TeslaCrypt 3.0 that changes file extensions

TeslaCrypt 3.0 uses a different encryption algorithm and a different file extension from earlier ransomware. 


5. 7EV3N that disables keyboard keys

7EV3N was distributed via spam mail disguised as information about a Valentine’s Day promotional offer. 


6. HydraCrypt distributed using the Angler Exploit Kit

HydraCrypt is distributed using the Angler Exploit Kit. 


7. NanoLocker spread via spam mail disguised as a PDF file

NanoLocker infects systems by inducing victims to open a fake PDF file attached to spam mail.


8. DMA Locker that has a whitelist

DMA Locker uses a whitelist: certain folders and file extensions designated by the attacker are left unencrypted.


9. UmbreCrypt that adds an identifier behind the encrypted file extensions

UmbreCrypt is distributed as an email attachment and appends “umbrecrypt_ID_[infected PC_id]” to each encrypted file. 


10. PadCrypt that comes with a live chat feature

PadCrypt is installed and infects the system when the victim executes the double-extension file (.pdf.scr) inside the zip file attached to spam mail. 


11. Locky distributed via massive spam campaign

Locky executes when a victim opens the document or JavaScript file attached to spam mail. 


12. KeRanger (Mac) that goes after Apple’s OS X

KeRanger runs on Apple’s OS X. It appends “.encrypted” to each encrypted file. 


13. Petya that overwrites the master boot record (MBR)

Petya overwrites the master boot record (MBR), leaving the PC in an unbootable state.


Highlights 2: Changes in Ransomware in 2016

1. Ransomware distribution method

CryptoLocker is distributed as an email attachment disguised as a document file, or as a chat message on an instant messenger. Attackers also tamper with files offered for download on various web services, or exploit vulnerabilities in operating systems, applications and web servers, to launch ransomware attacks. They also use malvertising, injecting malicious advertisements into legitimate online advertising networks or into torrent services used to share and download files.


2. File format disguises

Early-stage ransomware was spread through screensaver files (.scr) or disguised as document files with extensions such as .doc or .pdf. In the first quarter, ransomware expanded well beyond these file types and now uses new ones, such as macros and JavaScript, to infect victims. The recent Locky ransomware disguised itself as a normal Word file attachment, appearing to be an overseas invoice or payment notice from the United States, Japan, or China. After it was found to contain a malicious macro that, once activated, downloads the payload from outside, variants of the downloading method were also discovered that used a JavaScript (.js) file attachment instead.
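As an added defender-side example (not code from the AhnLab report), the attachment-name triage below implements the disguise patterns described above: a document-looking double extension such as .pdf.scr inside a zip, script attachments such as .js, and macro-capable Word documents. The rule tables, the sample attachment names and the risk levels are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Rule tables built from the disguises described in the report (constructed for
# this example; they are not AhnLab's detection logic).
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE = {"scr", "exe", "js", "jse", "vbs", "wsf", "bat", "cmd", "com"}
MACRO_CAPABLE = {"doc", "dot", "docm", "dotm", "xls", "xlsm"}
ARCHIVE = {"zip", "rar", "7z"}
RISK_ORDER = {"allow": 0, "review": 1, "block": 2}

@dataclass
class Verdict:
    name: str
    risk: str    # "allow", "review" or "block"
    reason: str

def triage_attachment(name: str) -> Verdict:
    """Classify one attachment by the extension tricks the report describes."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(name, "review", "no usable extension")
    last = parts[-1]
    if last in EXECUTABLE:
        # PadCrypt-style .pdf.scr: a document-looking name hiding an executable.
        if len(parts) >= 3 and parts[-2] in DOC_LIKE:
            return Verdict(name, "block", f"double extension .{parts[-2]}.{last} hides an executable")
        return Verdict(name, "block", f".{last} script/executable attachment")
    if last in MACRO_CAPABLE:
        return Verdict(name, "review", f".{last} may carry a downloader macro; inspect macros first")
    if last in ARCHIVE:
        return Verdict(name, "review", f".{last} archive; triage its members with triage_archive()")
    return Verdict(name, "allow", "no known disguise pattern")

def triage_archive(archive_name: str, members: list[str]) -> Verdict:
    """An archive is as risky as its worst member (e.g. .pdf.scr inside a zip)."""
    worst = Verdict(archive_name, "allow", "empty archive")
    for m in members:
        v = triage_attachment(m)
        if RISK_ORDER[v.risk] > RISK_ORDER[worst.risk]:
            worst = Verdict(archive_name, v.risk, f"member {m!r}: {v.reason}")
    return worst

# Constructed sample mail attachments modelled on the campaigns described above.
SAMPLE = {"invoice_0417.doc": [], "payment_confirmation.js": [],
          "statement.zip": ["statement.pdf.scr"], "photo.jpg": []}

def triage_mail(attachments: dict[str, list[str]]) -> list[Verdict]:
    return [triage_archive(n, m) if m else triage_attachment(n) for n, m in attachments.items()]

if __name__ == "__main__":
    for v in triage_mail(SAMPLE):
        print(f"{v.risk:6} {v.name:26} {v.reason}")
```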


3. Technical changes in ransomware

Existing ransomware has also changed in new ways. The most significant is the emergence of RaaS (Ransomware as a Service), in which “service providers” build ransomware on behalf of customers who plan to distribute it to others. These providers tell their criminal customers how to spread the ransomware and report the current status of infections. In addition, ransomware has emerged that even includes a “LiveChat” function to advise victims on how to make the payment. Ransomware websites have also been discovered that feature high-quality web design and purport to be an official service, so that victims feel as if they have received a notice from a “ransomware restore service”.



Highlights 3: Ransomware Forecast

Ransomware, which first emerged in 2013, has until recently typically demanded anywhere from $200 to $400 USD as a ransom. Recently, however, ransomware that attacked a hospital in the US demanded 9,000 bitcoins (worth roughly $3.6 million USD). The hospital ultimately paid 40 bitcoins ($17,000 USD) to decrypt its data.


There are two points to note here. First, attackers may attack again victims who have already paid. Second, attackers will not stop at the previous ransom amount of $400 USD. In addition, ransomware distributed for financial gain from a specific organization may become a new type of Advanced Persistent Threat (APT).


Attackers continue to distribute ransomware variants armed with various features to bypass security solutions, so responding to these attacks with traditional security solutions alone is not easy. Because ransomware encrypts files with encryption algorithms, restoring the encrypted files without the key is in practice almost impossible. To prevent ransomware attacks, users need to exercise caution: immediately delete suspicious emails or emails from unknown senders, and always back up important data.


With its line of V3 antivirus products and AhnLab MDS (Malware Defense System), an APT (Advanced Persistent Threat) protection solution, AhnLab has garnered much notice for detecting and responding to the variety of ransomware discovered to date. To reduce the damage caused by ransomware, users should install the latest updates for the V3 engine currently in use. Customers who use AhnLab MDS can also block ransomware by activating the Execution Holding function. 

▶ To learn more about AhnLab MDS, please visit ahnlab.com.