Secplicity - Security Simplified

Powered by WatchGuard Technologies

Short-Lived Crypto-Ransomware

March 18, 2016 By Jonas Spieckermann

Last week, researchers found a new crypto-ransomware variant that gave its encrypted files a .locked extension, which seems similar to the Locky ransomware. For a short time, this caused some to assume that this was a new Locky variant, and for reasons I’ll get to later, it gave them hope that we might be able to decrypt Locky files. Since I recently shared my own experiences with Locky, and how well WatchGuard appliances stop it, I was interested in this new variant and wanted to dispel any false impressions.

Unfortunately, those hopeful people’s first impressions proved wrong. This new sample is not connected to Locky. Nevertheless, it’s a great illustration that not every piece of ransomware succeeds. This sample didn’t survive long enough to get a widely known name, although it infected around 700 victims in one day.

Like other crypto-ransomware, this sample encrypts files using AES and, as I mentioned before, adds the .locked extension, which is likely why people confused it with Locky. However, remember that Locky uses the .locky extension, not .locked.
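The extension mix-up above matters for triage: a responder who sees ".locked" files should not assume Locky. The following Python script is an added example, not code from the article or from WatchGuard; it walks a directory, maps the two extensions named in the article to their families, and only flags a file when its content also has the high byte entropy expected of AES ciphertext, so a harmless ".locked" lock file is not misreported. The entropy threshold of 7.0 bits per byte and the sample directory layout are my assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension-to-family map taken from the article: this short-lived sample
# appended ".locked", while Locky appends ".locky".
EXTENSION_FAMILY = {".locked": "EDA2-derived sample", ".locky": "Locky"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext sits close to 8.0, plain text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root, entropy_threshold: float = 7.0) -> dict:
    """Return {family: [relative paths]} for files whose extension matches a
    known ransomware extension AND whose first 64 KiB look encrypted.
    The extension alone is not enough evidence, so low-entropy files are skipped."""
    hits: dict = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        family = EXTENSION_FAMILY.get(path.suffix.lower())
        if family is None:
            continue
        if shannon_entropy(path.read_bytes()[:65536]) >= entropy_threshold:
            hits.setdefault(family, []).append(path.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Constructed sample tree (assumed layout, not real victim data)."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "docs").mkdir()
        # Random bytes stand in for AES ciphertext produced by the ransomware.
        (base / "docs" / "report.docx.locked").write_bytes(os.urandom(4096))
        (base / "docs" / "invoice.pdf.locky").write_bytes(os.urandom(4096))
        (base / "docs" / "notes.txt").write_text("quarterly notes " * 100)
        # A benign file that merely ends in .locked must not be flagged.
        (base / "settings.locked").write_text("not ciphertext, just a name\n")
        return triage_directory(root)


if __name__ == "__main__":
    for family, files in demo().items():
        print(f"{family}: {files}")
```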

[Image: Ransomware Letter] An example of this sample’s ransom note.

So why were people hopeful that we might decrypt Locky files? A few hours after the first infections, a person named Utku Sen published the decryption keys for the affected victims. How was this possible?

It turns out Sen is a researcher who developed a proof-of-concept (PoC) file-encryption project called EDA2. This new ransomware’s authors used code from the EDA2 project to encrypt their victims’ files. Fortunately for the victims, Sen built a backdoor into EDA2 to prevent malicious actors from abusing his encryption project for nefarious purposes. He simply used his backdoor to provide the decryption keys to all the victims. A few hours later, the Command & Control (C&C) servers for this crypto-ransomware disappeared, probably because the attackers accepted their defeat.

Ransomware isn’t always devastating. In this case, quick help was made available to recover the victims’ files. However, not all cases are this easy. Other variants like Locky, Cryptowall, and newer TeslaCrypt variants use well-crafted encryption mechanisms, which are nearly impossible to crack on today’s computers in a reasonable amount of time. This is why you should keep your shields up and use a combination of security services that offer layered protection against today’s ever-evolving threats.

Additionally, I highly recommend you create regular backups of your data and keep them in a safe, unconnected place. That way you can still restore your important data in the worst case. One note: you may also want to back up any files that have already been encrypted by ransomware. There’s no guarantee, but we have seen decryption tools for other crypto-malware variants published months after the first infections (e.g. TeslaCrypt 2). — Jonas Spieckermann

Filed Under: Editorial Articles
