In Barely Three Months, Eight New Ransomware Surface

Earlier this year, a report by the FBI’s Internet Crime Complaint Center (IC3) revealed that ransomware losses in 2019 were over $8.9 million, i.e., $5.3 million more than the losses in 2018. Moreover, both the frequency of attacks and the size of ransom demands have increased drastically this year.

In the past few weeks, more than half a dozen new ransomware families have captured the attention of security researchers. The following listicle looks at how they operate and whom they target.

1) Avaddon

  • Launched at the beginning of June, Avaddon is distributed through emails with subjects like "Your new photo?" or "Do you like my photo?", a winking smiley face in the email body, and an attached JavaScript downloader.
  • It was reported as one of the largest email campaigns, distributing over one million messages in one week and mainly targeting organizations in the U.S.
  • The ransom note demanded $800 or more in BTC for decryption.
  • It should be noted that the Avaddon operators are actively recruiting hackers and malware distributors under an affiliate program, which claims to pay affiliates 65% of any ransom payments they bring in using Avaddon.

2) AgeLocker

  • AgeLocker reportedly uses the 'Age' encryption tool created by Google to encrypt a victim's files, instead of the more common algorithms such as AES+RSA.
  • The attackers send the ransom note via email, asking for 7 BTC (approximately $64,500) to decrypt the files.
  • According to researchers, it is not yet clear how the threat actors are gaining access to the victims' computers.

3) Conti

  • Because Conti shares code with Ryuk and drops the same ransom note that Ryuk used to, experts say the malware could be its successor.
  • Conti's new features allow it to work faster, running up to 32 simultaneous encryption operations, and to conduct attacks on corporate networks.
  • In a unique technique, the malware abuses the Windows Restart Manager and, if a file is open and unsaved, prompts the user to save their data, thereby maximizing the damage.

4) ThiefQuest

  • ThiefQuest is a new piece of ransomware distributed as a hidden threat inside pirated macOS software uploaded to torrent portals and online forums.
  • ThiefQuest goes beyond just encrypting files: it installs a keylogger and a reverse shell, and attempts to wipe cryptocurrency wallet-related files.
  • Victims of the malware are asked for a $50 ransom in BTC within three days (72 hours). However, the note gives victims no contact information for reaching the attacker.
  • Just over a week ago, researchers from SentinelOne released a free decryptor to help victims of the ThiefQuest ransomware.

5) WastedLocker

  • Detected around May, the new ransomware variant is the product of the Evil Corp group, according to researchers.
  • It was spotted exclusively targeting Fortune 500 U.S. companies and other large organizations, demanding multimillion-dollar ransoms.
  • Although it has no data-theft functionality, the ransomware typically hits file servers, database services, virtual machines, and cloud environments.

6) Try2Cry

  • This ransomware leverages infected USB flash drives and Windows shortcuts (LNK files) to spread from compromised systems to others.
  • Experts said that this behavior is similar to the technique used by the Spora ransomware and the Andromeda (Gamarue or Wauchos) botnet malware.
  • The malware, which is decryptable, was found to be related to the “Stupid” ransomware family (from GitHub) and uses Rijndael, the predecessor of AES, for encryption.

7) FileCry

  • Possibly named after WannaCry, the malware is somewhat amateurish: its current encryption scheme is very simple and the encryption process is easy to terminate.
  • In the ransom note, the actors demand 0.035 BTC to decrypt the files.
  • However, FileCry’s decryption key is available for free.

8) Aris Locker

  • The ransomware uses AES-256 encryption to lock all files and warns victims not to tell anyone, or else their data will be deleted permanently.
  • Aris Locker can infect systems via malicious email attachments and links, hidden code on websites, external hardware such as USB drives, and other vectors.
  • The actors demand a $75 ransom in BTC, to be paid within a week, or else the amount rises to $500.

Conclusion

Undoubtedly, new threat actors are attempting to cash in on the global health crisis to wheedle unsuspecting users into opening malicious attachments. Less sophisticated ransomware can be handled with existing security solutions, but rigorous measures must be taken to prevent any data or monetary loss to organizations. Additionally, experts recommend not paying the ransom, since paying can double the cost of recovering from a ransomware attack.