While Ransomlock Trojans have spread over the last few years, we now see cyber criminals increasingly turning to Ransomcrypt Trojans. The difference between the two is that Ransomlock Trojans lock the computer's desktop, while Ransomcrypt Trojans encrypt individual files. Both threats extort their victims and demand a ransom.
Symantec recently identified Trojan.Ransomcrypt.F (also known as Cryptolocker). Trojan.Ransomcrypt.F encrypts files such as images and Microsoft Office documents and then demands a ransom in Bitcoin or MoneyPak to decrypt them. Trojan.Ransomcrypt uses strong encryption algorithms and keys, which make it almost impossible to decrypt the files without the encryption key.
Figure 1. Trojan.Ransomcrypt.F payment screen
Most Trojan.Ransomlock.F infections observed by Symantec were found in North America.
Figure 2. Trojan.Ransomlock.F infection map
The malware arrives in an email carrying a malicious attachment, detected as Trojan.Zbot, which then installs Trojan.Ransomlock.F. Trojan.Ransomcrypt uses a domain generation algorithm (DGA) to locate and connect to its command-and-control (C&C) server.
Figure 3. Ransomcrypt DNS requests
Malware authors use DGAs to give their malware the ability to operate with very few static servers. Malware such as Trojan.Ransomcrypt.F, however, uses dynamic domain names generated according to certain criteria. This makes it even harder to block its connection to the command-and-control servers.
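To show how a defender can spot this DGA behaviour in DNS resolver logs, here is an added example (not code from the original post or from Symantec) that scores queried names by label length and character entropy and counts NXDOMAIN answers per client, since an infected host probes many generated candidates of which few are registered. The log lines, thresholds and the "long, high-entropy label" rule are constructed assumptions for illustration, not details of Cryptolocker's actual algorithm.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the original post): time, client, query name, rcode.
SAMPLE_DNS_LOG = """\
2013-10-18T09:00:01 10.0.0.5 www.symantec.com NOERROR
2013-10-18T09:00:02 10.0.0.5 kqxwvtbyhlmrpo.net NXDOMAIN
2013-10-18T09:00:02 10.0.0.5 zbfphajwdkrynx.com NXDOMAIN
2013-10-18T09:00:03 10.0.0.5 mtuqzkhpyagxce.org NXDOMAIN
2013-10-18T09:00:03 10.0.0.5 rjlvwcpnsqdxkb.info NXDOMAIN
2013-10-18T09:00:04 10.0.0.5 ohgyftkvbnzqxm.biz NXDOMAIN
2013-10-18T09:00:09 10.0.0.7 mail.example.org NOERROR
2013-10-18T09:00:10 10.0.0.7 typo.exampel.com NXDOMAIN
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def registrable_label(qname):
    """Label directly left of the TLD (simplified: multi-part suffixes such as co.uk are ignored)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=12, min_entropy=3.5):
    """Heuristic (assumed thresholds): long, high-entropy labels are typical of DGA output."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def suspicious_nxdomain_counts(log_text):
    """Per client, count NXDOMAIN answers for generated-looking names: a DGA-infected host
    probes many candidate domains of which only a few are registered, so NXDOMAINs pile up."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(qname)):
            hits[client] += 1
    return dict(hits)

def flag_clients(log_text, threshold=3):
    """Clients whose suspicious NXDOMAIN count reaches the threshold warrant investigation."""
    return sorted(c for c, n in suspicious_nxdomain_counts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(suspicious_nxdomain_counts(SAMPLE_DNS_LOG))  # {'10.0.0.5': 5}
    print(flag_clients(SAMPLE_DNS_LOG))                # ['10.0.0.5']
```

The single NXDOMAIN for the typo'd name on 10.0.0.7 is not counted, which is the point of combining the entropy test with a per-client threshold rather than alerting on every failed lookup.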
Figure 4. Trojan.Zbot
When comparing Trojan.Zbot and Trojan.Ransomcrypt.F, we see similarities in their code, which leads us to conclude that there may be a connection between the two Trojans. Zbot's source code is freely available on the Internet.