Monthly Ransomware Activity – October 2021



Written by: Maor Huli

For October, we will introduce the following ransomware:

  1. Encriptar
  2. Apostle
  3. STOP
  4. JCrypt
  5. J3ster
  6. Foxxy
  7. Whitehorse
  8. Dharma

EXECUTIVE SUMMARY

Ransomware gangs and evolution

As we know, ransomware is a type of malware that threatens to publish the victim’s data, or to block access to it permanently, unless a ransom is paid.

Many of the ransomware variants we are familiar with today were less sophisticated in the past. As each one is updated by its operators, the name of the specific variant may change, but it is usually built on previously existing ransomware.

Here are a few examples of ransomware evolution by variants:

| Ransomware name | Known names     | Successor of       | Ransomware group | Group region |
|-----------------|-----------------|--------------------|------------------|--------------|
| REvil           | Sodinokibi      | GandCrab           | REvil            | Russia       |
| Grief           | DoppelPaymer    | BitPaymer          | Evil Corp        | Russia       |
| Macaw           | Hades & Phoenix | WastedLocker       | Evil Corp        | Russia       |
| Egregor         | Sekhmet         | Maze\ChaCha        | Maze             | Unknown      |
| BlackMatter     | DarkSide        | DarkSide           | DarkSide         | Russia       |
| Groove          | Payload         | Babuk\Vasa Locker  | Babyk            | Russia       |
| XingLocker      | AstroLocker     | MountLocker        | Astro Locker     | China        |
| Karma           | Nefilim         | Nemty              | Saffron-Wolf     | Unknown      |
| Conti           | Ryuk            | Ryuk               | Wizard Spider    | Russia       |

We gathered a few articles about ransomware around the globe:

https://www.zdnet.com/article/fbi-cuba-ransomware-hit-49-critical-infrastructure-organizations/

Lately, more and more ransomware variants use additional malware to help them spread within the attacked organization. Much of this additional malware consists of banking Trojans that assist the exfiltration process; some of it is used to launch further attack campaigns. Overall, however, all of these attacks serve one main purpose – money.

https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation

Bleeping Computer is the most up-to-date website summarizing the newest ransomware variants. Cynet’s Orion Threat Research Team is an integral part of Cynet’s research efforts. The Orion team works around the clock to add rules that strengthen Cynet 360’s detection capabilities. Part of the Orion team’s work involves following Bleeping Computer for recent posts about new variant threats. Our goal is to detect every threat that emerges.


In this article, we summarize the ransomware variants reported in October, based on Bleeping Computer. We present each recent variant and show how the Cynet 360 platform detects it through several mechanisms.

CYNET 360 VS RANSOMWARE

Encriptar Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

Encriptar Overview

Encriptar ransomware appends the .solaso extension to each encrypted file:

Once a computer’s files have been encrypted and renamed, it drops a note as: _READ_ME_TO_RECOVER_YOUR_FILES.txt.

Upon execution, it immediately encrypts the endpoint’s files and drops the ransom note. The note contains the threat actors’ Bitcoin address and email, the ransom demand, and instructions on how to pay it.

STOP Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

STOP Overview

STOP ransomware appends a .tisc extension to each encrypted file.

Once a computer’s files have been encrypted and renamed, it drops a note as a text (.txt) file named _readme.txt. The text file contains instructions on how to pay to get the encrypted files back.

JCrypt Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

JCrypt Overview

JCrypt ransomware, much like other recent variants based on the same ransomware family, appends the .poison extension to each encrypted file.

Once a computer’s files have been completely encrypted and renamed, it pops up a message with the ransom note, which contains the attacker’s Bitcoin address and email address.

J3ster Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

J3ster Overview

After execution, J3ster ransomware appends the .J3ster extension to each encrypted file.

The ransom note demands $1000 in Bitcoin and contains the attacker’s Bitcoin address and email. The ransomware also changes the desktop background image.

Foxxy Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

Foxxy Overview

After execution, Foxxy ransomware appends the .foxxy extension to each encrypted file.

Once a computer’s files have been completely encrypted and renamed, it pops up a message with the ransom note, which contains the attacker’s Bitcoin address and email address.

Whitehorse Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

Whitehorse Overview

After execution, Whitehorse ransomware appends the .WhiteHorse extension to each encrypted file.

Once a computer’s files have been encrypted and renamed, it drops the ransom note as a text file named #Decrypt#.txt in each of the victim’s encrypted folders. The note contains information on how to decrypt the files and the attacker’s contact details.

In addition, when the user tries to terminate the ransomware process, Whitehorse makes the PC unusable: certain folders cannot be opened, files cannot be accessed, and eventually explorer.exe stops responding.

Dharma Ransomware

Cynet 360 Detections:

[screenshots of Cynet 360 detection alerts]

Dharma Overview

After execution, Dharma ransomware renames each encrypted file with an extension of the form “.id-[A-Z0-9]{8}[attacker email address]”:

To contact the attackers, the user needs to send an email to the address in the new file extension for more details.
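The file-name indicators given for each family above (appended extensions and ransom-note names) are the kind of thing a defender can check for directly, for example across a file listing pulled from a suspect host or a backup share. The script below is an added example, not Cynet 360’s detection logic or any code from this report; the extensions and note names are taken from the text above, while the Dharma matching rule (the 8-character id followed somewhere by an "@" in the attacker’s email address) and the sample file listing are assumptions constructed for the demo.

```python
"""Added example (not Cynet's code): match file names against the ransomware
indicators this report lists. Extensions and ransom-note names come from the
report text; the Dharma e-mail separator and the sample listing are assumptions
constructed for the demo."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# family -> (appended extensions, ransom-note file names), as stated in the report
INDICATORS = {
    "Encriptar":  ({".solaso"},     {"_READ_ME_TO_RECOVER_YOUR_FILES.txt"}),
    "STOP":       ({".tisc"},       {"_readme.txt"}),
    "JCrypt":     ({".poison"},     set()),
    "J3ster":     ({".J3ster"},     set()),
    "Foxxy":      ({".foxxy"},      set()),
    "Whitehorse": ({".WhiteHorse"}, {"#Decrypt#.txt"}),
}
# Windows file names are case-insensitive, so compare everything lower-cased.
_EXTS = {fam: {e.lower() for e in exts} for fam, (exts, _) in INDICATORS.items()}
_NOTES = {fam: {n.lower() for n in notes} for fam, (_, notes) in INDICATORS.items()}

# Dharma: ".id-" + 8 upper-case alphanumerics, then the attacker's e-mail address
# somewhere after it (the report gives ".id-[A-Z0-9]{8}" followed by the e-mail).
# Requiring an "@" later in the name is our assumption about how the e-mail appears.
DHARMA_RE = re.compile(r"\.id-[A-Z0-9]{8}(?![A-Z0-9]).*@")


def classify(path: str) -> Optional[str]:
    """Return the family whose indicator the file name matches, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if DHARMA_RE.search(name):
        return "Dharma"
    lowered = name.lower()
    for fam in INDICATORS:
        if lowered in _NOTES[fam]:            # ransom note dropped into a folder
            return fam
        # original name plus appended extension; a bare extension alone is not a hit
        if any(lowered.endswith(e) and len(lowered) > len(e) for e in _EXTS[fam]):
            return fam
    return None


def scan(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group matching paths by family so an analyst can review each hit."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        fam = classify(p)
        if fam is not None:
            hits.setdefault(fam, []).append(p)
    return hits


def summarize(paths: Iterable[str]) -> Counter:
    """Number of matching files per family (a quick triage view)."""
    return Counter({fam: len(ps) for fam, ps in scan(paths).items()})


# Constructed sample listing for the demo; not from any real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.solaso",
    r"C:\Users\alice\Documents\_READ_ME_TO_RECOVER_YOUR_FILES.txt",
    r"C:\Users\bob\Pictures\holiday.jpg.tisc",
    r"C:\Users\bob\Pictures\_readme.txt",
    r"D:\share\contract.pdf.poison",
    r"D:\share\notes.txt.J3ster",
    r"D:\share\report.docx.foxxy",
    r"E:\backup\db.bak.WhiteHorse",
    r"E:\backup\#Decrypt#.txt",
    r"C:\Users\carol\Desktop\plan.docx.id-1A2B3C4D.[attacker@example.com].arrow",
    r"C:\Users\carol\Desktop\readme.txt",   # benign: not the STOP note name
    r"C:\Windows\System32\kernel32.dll",    # benign
]

if __name__ == "__main__":
    for fam, ps in scan(SAMPLE_PATHS).items():
        print(f"{fam}: {len(ps)} file(s)")
        for p in ps:
            print("   ", p)
```

Ransom-note names are the stronger signal: a single _readme.txt or #Decrypt#.txt in a user folder is worth an alert on its own, whereas a lone file with an odd extension can be a false positive, so in practice the extension rule is better applied as a count threshold per folder rather than per file.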

CYNET VARIOUS MECHANISMS
