
Symantec: Ransomcrypt, a threat to prosperity

While Ransomlock Trojans have spread over the last few years, we now see cyber criminals increasingly turning to Ransomcrypt Trojans. The difference between the two is that Ransomlock locks the computer's screen, while Ransomcrypt encrypts individual files. Both threats extort their victims by demanding a ransom.

Symantec recently identified Trojan.Ransomcrypt.F (also known as Cryptolocker). Trojan.Ransomcrypt.F encrypts files such as images and documents and then demands a ransom in Bitcoin or MoneyPak to decrypt them. Trojan.Ransomcrypt uses strong encryption algorithms that make it almost impossible to decrypt the files without the encryption key.


Figure 1. Trojan.Ransomcrypt.F payment screen

Most of the Trojan.Ransomlock.F infections observed by Symantec were found in North America.


Figure 2. Trojan.Ransomlock.F infection map

The threat arrives via an email carrying a malicious attachment, Trojan.Zbot, which then installs Trojan.Ransomlock.F. Trojan.Ransomcrypt uses a domain generation algorithm (DGA) to locate and connect to its command-and-control (C&C) server.


Figure 3. Ransomcrypt DNS requests

Malware developers use DGAs to give their malware the ability to operate with very few static servers. Malware such as Trojan.Ransomcrypt.F instead generates dynamic domain names based on certain criteria. This makes it even harder to block its connection to the command servers.
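As an added example (not from the article or from Symantec), the kind of heuristic a defender could run over DNS query logs such as those in Figure 3 to surface DGA-style lookups: long registered labels with few vowels and high character entropy are flagged for review. The log lines, log format and thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (timestamp, client, type, name);
# the first three names imitate DGA output, the rest are ordinary lookups.
SAMPLE_DNS_LOG = """\
2013-10-21T10:02:11 10.0.0.12 A qkxwvjdrtpbnm.com
2013-10-21T10:02:12 10.0.0.12 A zrtvplkqmnsdfh.net
2013-10-21T10:02:13 10.0.0.12 A hwbgtqzxkvdp.org
2013-10-21T10:02:14 10.0.0.12 A www.symantec.com
2013-10-21T10:02:15 10.0.0.12 A mail.google.com
2013-10-21T10:02:16 10.0.0.12 A downloads.thunderbird.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_label(fqdn: str) -> str:
    """Naively take the label left of a two-label suffix, e.g. 'symantec' from www.symantec.com."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(fqdn: str, min_len: int = 10,
                    max_vowel_ratio: float = 0.25, min_entropy: float = 3.0) -> bool:
    """Heuristic (assumed thresholds): long, vowel-poor, high-entropy labels look machine-made."""
    label = registered_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy

def flag_dga_queries(log_text: str):
    """Return (client, qname) pairs from the log whose names look algorithmically generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _qtype, qname = m.groups()
        if looks_generated(qname):
            flagged.append((client, qname))
    return flagged

if __name__ == "__main__":
    for client, name in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"suspect DGA lookup from {client}: {name}")
```

A single client issuing many such names in a short window, as in Figure 3, is a stronger signal than any one name; the per-name check is only the first filter.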


Figure 4. Trojan.Zbot

When comparing Trojan.Zbot and Trojan.Ransomcrypt.F, we see similarities in the code that lead us to conclude there may be a connection between the two Trojans. The Zbot source code is freely available on the Internet.


Written by giorgos
