Operations disrupted by crypto-locking ransomware

Ransomware attacks continue, with yet another city saying its operations have been disrupted by crypto-locking malware. As that demonstrates, ransomware remains a formidable threat, with attackers continuing to score notable victims, including Chicago-based Tribune Publishing, which was hit last month by a suspected Ryuk ransomware infection.

Ryuk is one of numerous types of ransomware – including SamSam – that have been seen before, demonstrating that many existing strains of crypto-locking malware continue to be able to shut down organizations and municipalities. Also, the notorious GandCrab ransomware-as-a-service offering, which was a dominant strain of ransomware seen throughout 2018, has recently been getting installed in the noisy second phase of information-stealing attacks.

“The first step in addressing the issue was for the City’s M.I.S. (Management Information Services) Department to isolate the ransomware which necessitated turning off the internet connection for all city departments and not allowing employees to log into the system. Due to this, transactions at City Hall are being done manually with paper,” the city said. “The second step the city took was to go to the FBI to report the ransomware, after which the city was referred to the Secret Service.”

City spokeswoman Victoria Vargas told BleepingComputer that as a result of the attack, about 30 to 45 systems had been deactivated, which led to employees digging out typewriters from closets to keep records. Unusually, Vargas said attackers didn’t include a cryptocurrency wallet or email address with their ransom demand, but rather a phone number.

Extortionists Claim Ransoms Fund Treatments

Ransomware response firm Coveware says that recent ransom notes from attackers wielding CryptoMix crypto-locking ransomware claim that payments will go to what turns out to be a fictitious charity for children with cancer. But to make their cover story look real, the attackers have lifted real details from crowdfunding sites devoted to helping to fund medical treatments for children who have cancer.

Any CryptoMix victim who emails the attackers, using the contact information contained in the ransom note left on their PC, will receive a message back via a site called OneTimeSecret, sharing the bitcoin wallet to which the victim should send their ransom payment, as well as providing more information about the supposed charity, Coveware says.

In 2017, Poland’s Computer Emergency Response Team, CERT.PL, warned that CryptoMix – aka CryptFile2, Zeta, CryptoShield – ransomware, at the time being served by the Rig-V exploit kit, was being used by attackers who also claimed to be working on behalf of a charity that sponsors “presents and medical help for children,” Jarosław Jedynak, an IT security engineer for CERT.PL, said in a blog post.

Unusually, rather than using an automated payment portal, attackers told victims to email them to arrange payment and decryption. Together with the ransom demand – for a massive six bitcoins – Jedynak said this was evidence of what looked like a poorly planned and technologically unsophisticated effort, “especially considering that CryptoMix is really primitive under the hood.”

We were infected and they asked for 10 bitcoins; after some negotiations the price was lowered to 6 bitcoins. They provided 1 decrypted file as proof of concept. We paid 6 bitcoins and they asked for another 0.6 as the C&C server would not provide the key due to late payment. After promptly paying another 0.6 bitcoins (about $4,800 in total) there has been no communication from them! It’s been 2 weeks and nothing.

“Once CryptoMix infects a machine, it tries to communicate with its Command and Control (C&C) server to establish a key to encrypt files (the AES-256 algorithm is used). However, if the server is not available or if there is a connection issue (e.g. blocked communication by a firewall), the ransomware will encrypt files with one of its fixed keys, or ‘offline key,’” said malware analyst Jakub Kroustek, who leads Avast’s threat intelligence team, in a blog post.

Cisco’s decryption tool can crack the ransomware, but it carries a significant caveat. “Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored,” Benge says. “If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.”
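The two preceding paragraphs describe the same recovery question from opposite sides: if the initial command-and-control callout succeeded, the encryption key came from the server and recovery depends on having captured that traffic; if the callout was blocked, the malware fell back to a fixed offline key that a vendor decryptor may cover. The triage helper below is an added example, not code from the article, Avast or Talos; it reads constructed firewall log lines for an affected host and classifies which case an incident responder is most likely facing. The log format, hostnames, timestamps and the `c2.example.invalid` indicator are all placeholders.

```python
"""Triage helper: did the infected host reach its C&C before encrypting?"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format: ISO timestamp, source host, destination, firewall action.
LOG_RE = re.compile(r"(\S+) host=(\S+) dst=(\S+) action=(ALLOW|BLOCK)")


@dataclass
class Verdict:
    host: str
    key_source: str   # "online" | "offline" | "unknown"
    advice: str


def parse(lines):
    """Yield (timestamp, host, dst, action) for every well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, host, dst, action = m.groups()
            yield datetime.fromisoformat(ts), host, dst, action


def triage(fw_lines, host, encrypt_start, c2_hosts, window=timedelta(hours=1)):
    """Classify the key source from outbound C&C attempts before encryption began."""
    events = [e for e in parse(fw_lines)
              if e[1] == host and e[2] in c2_hosts
              and encrypt_start - window <= e[0] <= encrypt_start]
    if not events:
        return Verdict(host, "unknown", "no callout logged: look for a pcap, then restore from backup")
    if any(action == "ALLOW" for _, _, _, action in events):
        return Verdict(host, "online", "key came from C&C: recovery needs the captured callout traffic")
    return Verdict(host, "offline", "callout blocked: fixed offline key used; try a vendor decryptor")


# Constructed sample data: three hosts, encryption first observed at 10:00.
SAMPLE_LOG = """\
2019-02-01T09:58:10 host=ws-17 dst=c2.example.invalid action=BLOCK
2019-02-01T09:58:12 host=ws-17 dst=c2.example.invalid action=BLOCK
2019-02-01T09:59:00 host=ws-22 dst=c2.example.invalid action=ALLOW
2019-02-01T08:00:00 host=ws-31 dst=update.example.invalid action=ALLOW
""".splitlines()
C2_HOSTS = {"c2.example.invalid"}   # placeholder; real indicators come from the incident
ENCRYPT_START = datetime(2019, 2, 1, 10, 0, 0)

if __name__ == "__main__":
    for h in ("ws-17", "ws-22", "ws-31"):
        print(triage(SAMPLE_LOG, h, ENCRYPT_START, C2_HOSTS))
```

A blocked callout only suggests the offline-key path; confirm with the sample's actual behaviour before relying on a decryptor, and keep the pcap either way.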

As always, security experts note that the best defense against ransomware is to have security tools in place to block it, as well as up-to-date backups stored on disconnected servers, in the event that systems do become infected, so they can be wiped and restored. “Talos encourages users never to pay an attacker-demanded ransom, as this rarely results in the recovery of encrypted files,” she says. “Rather, victims of this ransomware should restore from backups if their files cannot be decrypted.”

Vidar Loads GandCrab

An in-depth Vidar analysis published last month by security researcher Fumik0_ reported that the malware, which appears to be based on previously seen malware called Arkei, includes the ability to grab screenshots, search for specific documents, steal two-factor authentication credentials and numerous types of cryptocurrency wallets, as well as load additional malware.