Ransomware such as Cryptolocker has been very active recently. Following Cryptolocker's success, a large number of copycats have appeared trying to capitalize on it. Ransomware is a form of malware that encrypts files on the system it infects. Unless a clean backup exists, the only way to recover the encrypted files is to pay the ransom and hope to receive the decryption key. To give some perspective, our labs group has seen over 50,000 different ransomware varieties in the few weeks before this article was published, and the trend appears set to continue for some time.



Important

It is extremely important to keep iSheriff Endpoint Security antivirus/malware signatures up to date.


Technical Details:


When the Trojan is executed, it creates the following file:
%AppData%\[GUID].exe

The Trojan locks the desktop, encrypts files, then displays a ransom demand. The ransom demand contains the following or a similar message:

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files. To obtain the private key for this computer, which will automatically decrypt files, you need to pay.

This Trojan accepts the following payment types:


· MoneyPak

· Paysafecard

· Ukash

· cashU

· Bitcoin


The Trojan encrypts files with the following extensions:


· *.odt

· *.ods

· *.odp

· *.odm

· *.odc

· *.odb

· *.doc

· *.docx

· *.docm

· *.wps

· *.xls

· *.xlsx

· *.xlsm

· *.xlsb

· *.xlk

· *.ppt

· *.pptx

· *.pptm

· *.mdb

· *.accdb

· *.pst

· *.dwg

· *.dxf

· *.dxg

· *.wpd

· *.rtf

· *.wb2

· *.mdf

· *.dbf

· *.psd

· *.pdd

· *.eps

· *.indd

· *.cdr

· *.dng

· *.3fr

· *.arw

· *.srf

· *.sr2

· *.bay

· *.crw

· *.cr2

· *.dcr

· *.kdc

· *.erf

· *.mef

· *.mrw

· *.nef

· *.nrw

· *.orf

· *.raf

· *.raw

· *.rwl

· *.rw2

· *.r3d

· *.ptx

· *.pef

· *.srw

· *.x3f

· *.der

· *.cer

· *.crt

· *.pem

· *.pfx

· *.p12

· *.p7b

· *.p7c

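Every format on the list above has a well-known on-disk layout, and most of them begin with a fixed signature; once the Trojan has encrypted a file, that signature is gone even though the extension is unchanged. The following added example (not iSheriff's tooling) walks a directory, picks out files carrying a targeted extension, and reports any whose leading bytes no longer match the header the format requires. The MAGIC table is an assumption for this example: it covers only formats with a fixed leading signature and should be extended for your own estate; the sample files written by demo() are constructed and contain no real documents.

```python
"""Flag files with a targeted extension whose header no longer matches the format.

An encrypted document fails this check; a legitimate one passes. Added example,
not iSheriff's code. MAGIC is partial (formats with a fixed leading signature).
"""
import os
import tempfile

# The 67 extensions listed in the advisory above.
TARGETED = set("""
odt ods odp odm odc odb doc docx docm wps xls xlsx xlsm xlsb xlk ppt pptx pptm
mdb accdb pst dwg dxf dxg wpd rtf wb2 mdf dbf psd pdd eps indd cdr dng 3fr arw
srf sr2 bay crw cr2 dcr kdc erf mef mrw nef nrw orf raf raw rwl rw2 r3d ptx pef
srw x3f der cer crt pem pfx p12 p7b p7c
""".split())

ZIP = (b"PK\x03\x04",)                          # OOXML / OpenDocument are ZIP containers
OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)    # legacy binary Office (OLE2 compound file)
TIFF = (b"II*\x00", b"MM\x00*")                 # TIFF-based camera raw formats
DER = (b"\x30",)                                # ASN.1 DER SEQUENCE
MAGIC = {
    **dict.fromkeys(["docx", "docm", "xlsx", "xlsm", "xlsb", "pptx", "pptm",
                     "odt", "ods", "odp", "odm", "odc", "odb"], ZIP),
    **dict.fromkeys(["doc", "xls", "ppt"], OLE),
    **dict.fromkeys(["dng", "cr2", "nef", "arw", "pef"], TIFF),
    **dict.fromkeys(["der", "pfx", "p12"], DER),
    **dict.fromkeys(["cer", "crt", "p7b", "p7c"], DER + (b"-----BEGIN",)),  # DER or PEM
    "pem": (b"-----BEGIN",),
    "rtf": (b"{\\rtf",),
    "psd": (b"8BPS",),
    "pst": (b"!BDN",),
    "dwg": (b"AC10",),
    "eps": (b"%!PS", b"\xc5\xd0\xd3\xc6"),
    "mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    "accdb": (b"\x00\x01\x00\x00Standard ACE DB",),
}


def check_file(path):
    """Return None for non-targeted files, else 'ok', 'mismatch', 'empty' or 'unchecked'."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext not in TARGETED:
        return None
    if ext not in MAGIC:
        return "unchecked"          # targeted type, but no fixed signature in the table
    with open(path, "rb") as f:
        head = f.read(32)
    if not head:
        return "empty"
    return "ok" if head.startswith(MAGIC[ext]) else "mismatch"


def scan_tree(root):
    """Walk root and return sorted (relative path, status) pairs for targeted files."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            status = check_file(full)
            if status is not None:
                results.append((os.path.relpath(full, root), status))
    return sorted(results)


# Constructed sample contents for the demo; these are not real documents.
SAMPLES = {
    "good.docx": b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml",
    "ransomed.docx": b"\x9a\x41\xe7\x02\x5c\x8d\xff\x10 ciphertext, no ZIP header",
    "good.xls": OLE[0] + b"\x00" * 24,
    "ransomed.pem": b"\x17\x03\x03\x00\x2a garbage where -----BEGIN should be",
    "photo.cr2": b"II*\x00\x10\x00\x00\x00CR\x02\x00",
    "empty.doc": b"",
    "data.dbf": b"\x03\x5d\x07\x1a",     # targeted, but no fixed magic in the table
    "notes.txt": b"not on the list",
}


def demo():
    """Write the samples to a temporary tree, scan it and return the results."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:10} {rel}")
```

Run it against a file share or a restored backup to confirm the copy is intact before relying on it: a burst of "mismatch" results across many directories is a strong sign the data has been encrypted, while "unchecked" entries are types the table cannot vouch for and still need a manual look.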

The Trojan may attempt to contact the following domains and IP address (the list is not exhaustive):


· 184.164.136.134

· apvfgtlwxopblx.biz

· aunuqtdksfwusw.ru

· bdlsmdixygytss.co.uk

· belylsfdytbhfd.net

· bssqyerxiihsnl.ru

· bwogwcstkeuojl.org

· bwqrwhcqksfrlo.org

· cfmeslxhqfwnsx.info

· chxsedndssjwtm.org

· cutcfjxkymteeg.org

· cyrddmidbwrdlp.co.uk

· dcoovwoelqjuud.info

· djjvkirqarfkhn.ru

· dnhwixpigdjkfb.org

· dotieepaewfbc.org

· eepaccuqcuvglq.com

· ekjqemcpaoopau.info

· ekngeelpbkowts.net

· emvpdmswwgkjdc.info

· eqnpockbktahek.com

· esosujctnhffc.co.uk

· fmkckuryrnmjqc.com

· fperrnuwvvvxl.info

· frghumsxnaicua.ru

· fsfthncvhbnnoe.info

· fshoavhdgpqosx.net

· fylnkrwcnjypgd.biz

· gaefqvxltbkbex.co.uk

· gajnlhugrdikem.ru

· gplddtxdcisamm.ru

· gtjebwivesqyiq.org

· gttudayenwvplw.co.uk

· gtycishqfgvcc.com

· guiagewmxooisv.biz

· gwtorvmiacbrph.com

· hcrsyplfqmuxec.com

· hihlhwhhushsne.co.uk

· hrpelnjyluwefa.co.uk

· icrlqfrcepcerx.biz

· idpsasvkqfxray.net

· iqjniomrcxlkx.net

· ivknfsplyphtfi.info

· iyhbamujfqucid.info

· jhcdifrdujawqk.info

· jlnqviiltuwaad.ru

· jnymfsfukmcda.biz

· jwnbkdvmmsbhoo.com

· kpabeowqbkcvsp.net

· krtwvxrotwchq.ru

· kxggvslsprbjty.co.uk

· lahrcxrfgvnuth.info

· mdeducqmtfcvda.com

· nffobhwykjohtu.net

· okciupwfkvctic.info

· onccjlkxwbseba.net

· otgbtxjxmunbnr.biz

· pmdtbxmocuanyq.com

· ppdnpqqknffpbb.biz

· psagqfjgnlbcbs.net

· puysairxjrmqci.co.uk

· qbsngtwmimxrfp.info

· qdcyqdtdtevenw.co.uk

· qsayiuprbotqdc.ru

· qtxgritlneevix.biz

· qubrwnypfkyvbx.biz

· qwmgiyhuklldlw.com

· qyexsnvlnsregl.org

· rawpyrwrnfndch.com

· rcvenxgmqtdein.org

· refhyefjvgqqvx.biz

· rjqlcjjnlcwaxu.net

· rubkoaversgctp.org

· rvyrxqjufdcpyf.ru

· sckdhotiljpgnh.biz

· sewptgvvisbxil.co.uk

· sgiefrebntnfac.ru

· siavpsgqucahnj.com

· skoldyhrpvgufk.biz

· smdfunkwchspvi.org

· thuuyimsfqnbky.info

· tkuonbqdqbelxv.net

· tsmjyotsslfdfo.org

· ufbujjqonebhni.com

· ulgbehqoorrijf.co.uk

· upssuxytigmjmr.net

· vjvedrgxpfvbep.net

· vnysfydpqtapgy.biz

· vpslmkvwuofxqv.ru

· vqqsvbjyiypdyt.biz

· vtbdmweodpilrp.co.uk

· wcybigjcjqkkkh.com

· wowsgobtunjkcw.ru

· wrtcyhsysuujgw.ru

· wyoqrqvaloolil.org

· xsrcawqdwoeesl.org

· xwuqcenuxdiscm.co.uk

· ybpavmdeaedmcr.info

· ynutaofkhkdplp.net

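The two host-level indicators given above, the %AppData%\[GUID].exe drop and the contact domains and IP address, can be checked automatically against endpoint and DNS telemetry. The following is an added example, not iSheriff's code: it triages constructed events in a hypothetical "timestamp|host|event|value" line format (not any product's native log), matching file-create paths against the GUID-named executable pattern and DNS queries against the published list. BLOCKLIST holds only three of the domains above for brevity; load the full list in practice. The looks_dga() heuristic is an assumption tuned to the shape of the listed domains (long, letters-only labels with runs of consonants) and will produce false positives on real traffic, so treat its hits as a review queue rather than a verdict.

```python
"""IOC triage for the Cryptolocker indicators listed above (added example).

Event lines below are constructed and use a hypothetical
"timestamp|host|event|value" format, not a specific product's log schema.
"""
import re

# Subset of the domains and the IP address listed above; extend with the full list.
BLOCKLIST = {
    "apvfgtlwxopblx.biz",
    "hcrsyplfqmuxec.com",
    "ynutaofkhkdplp.net",
}
BLOCK_IPS = {"184.164.136.134"}

GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
# %AppData% resolves to ...\AppData\Roaming (Vista and later) or
# ...\Application Data (XP); the dropper sits directly in that folder.
DROPPER_RE = re.compile(
    r"(?i)\\(?:AppData\\Roaming|Application Data)\\" + GUID + r"\.exe$"
)

VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Label just below the public suffix; handles the .co.uk entries above."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2:] == ["co", "uk"]:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def max_consonant_run(label):
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_dga(fqdn):
    """Heuristic (assumption): long letters-only label with a 4+ consonant run.

    Tuned to the domains in this advisory; expect false positives on real traffic.
    """
    label = registrable_label(fqdn)
    return len(label) >= 12 and label.isalpha() and max_consonant_run(label) >= 4


def is_dropper_path(path):
    return DROPPER_RE.search(path) is not None


def triage(lines):
    """Return (host, reason, value) for every event that matches an indicator."""
    hits = []
    for line in lines:
        _ts, host, event, value = line.split("|", 3)
        if event == "file_create" and is_dropper_path(value):
            hits.append((host, "guid-exe-in-appdata", value))
        elif event == "dns_query":
            fqdn = value.lower().rstrip(".")
            if fqdn in BLOCKLIST:
                hits.append((host, "known-c2-domain", fqdn))
            elif looks_dga(fqdn):
                hits.append((host, "dga-like-domain", fqdn))
        elif event == "net_connect" and value.split(":")[0] in BLOCK_IPS:
            hits.append((host, "known-c2-ip", value))
    return hits


# Constructed sample telemetry: WS01 shows the infection chain, WS02 is benign.
SAMPLE_EVENTS = [
    "2013-10-15T09:01:12|WS01|file_create|C:\\Users\\alice\\AppData\\Roaming\\{6F9619FF-8B86-D011-B42D-00C04FC964FF}.exe",
    "2013-10-15T09:01:13|WS01|dns_query|apvfgtlwxopblx.biz",
    "2013-10-15T09:01:14|WS01|dns_query|rawpyrwrnfndch.com",
    "2013-10-15T09:01:15|WS01|net_connect|184.164.136.134:80",
    "2013-10-15T09:02:00|WS02|file_create|C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp",
    "2013-10-15T09:02:01|WS02|dns_query|stackoverflow.com",
]

if __name__ == "__main__":
    for host, reason, value in triage(SAMPLE_EVENTS):
        print(f"{host} {reason:22} {value}")
```

Note that rawpyrwrnfndch.com is on the page's list but not in the three-entry BLOCKLIST, so the demo reports it only as "dga-like-domain"; with the full list loaded it becomes an exact "known-c2-domain" match. A host that shows the GUID executable followed within seconds by a blocklisted lookup should be isolated from the network immediately, before the key exchange completes.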
In addition, it is important to take the necessary steps to minimize the risk. Here are some recommendations:


1. Do NOT open attachments from unknown senders. While we have seen ransomware attacks originating from watering-hole attacks or other social-engineering campaigns, the vast majority arrive by email as spear-phishing attacks.

2. Back up often, and keep at least one copy offline or otherwise not writable from the endpoint: the Trojan encrypts every targeted file it can reach, and a backup it can also reach is no backup.

3. Do not click on links that seem suspicious.

4. Do not allow software whose origin you do not know to be installed on your computer.

5. Keep endpoint security software and signatures up to date.

6. Use iSheriff Web, Endpoint and Email Security to cover the likely infection vectors. iSheriff Email Security catches these attacks before they reach the recipient's inbox, and adding web security to your security portfolio ensures that these threats are caught and cleaned in the cloud, before they reach the user's network.


Please contact iSheriff Technical Support Team for further assistance.