Ransomware's busy week with new varieties and updates being debuted

With the massive Yahoo! data breach grabbing the cyber-security headlines of late, it might be easy to forget criminals are still busy pushing ransomware with two new varieties being recently introduced and a one older type being revamped.

Not much is known about Princess Locker other than it has been seen in the wild.
Not much is known about Princess Locker other than it has been seen in the wild.

Kaspersky Labs and Bleeping Computer officially unveiled Trojan-Ransom.Win32.Xpan and Princess Locker, respectively. Meanwhile, the firm Netskope reported on a new model of Virlock ransomware on the loose that is using the cloud as a possible method of propagation.

Trojan-Ransom.Win32.Xpan, an improved variant of an older malware, is being credited to a Brazilian group called TeamXRat. This is interesting as Brazilian cyber-gangs are normally known for their highly proficient banking Trojans, but Kaspersky noted they are quickly adding ransomware to their arsenal. TeamXRat ‘s malware is being used to infect local companies and hospitals.

TeamXRat uses a Remote Desktop Protocol brute force attack to force its way into the target server, at which point it injects the malware. Once downloaded the ransomware uses XOR-based encryption to lock up files.

TeamXRat is also using a nontraditional ransom-demand method. The ransom note, written in Brazilian Portuguese, does not ask for a specific monetary payment, but instead instructs the victim to get in contact via email. Once the two sides are in touch, a negotiation process begins and TeamXRat then demands a 1 Bitcoin payment. Also, possibly to assuage its conscience, TeamXRat insists on calling the payment a donation saying the group deserves the money because their handiwork helped increase the victim's security.

Princess Locker is a different animal all together. Bleeping Computer credits Michael Gillespie and independent researcher SenseCy with the discovery of this newcomer that once ensconced in a system demands the royal sum of 3 Bitcoins, or about US$1,800 (£1,400) to decrypt the files. Bleeping Computer Founder Lawrence Abrams told SCMagazine.com in an email that not much is known about Princess Locker.

“From what has been gathered, when a person is infected, the ransomware will encrypt the victim's files and then append a random extension to encrypted files and a unique ID is created for the victim. This ID, extension, and encryption is then most likely sent up to the ransomware's Command & Control server,” he said.

No sample of the ransomware is yet available for analysis, Abrams added.

Unlike what TeamXrat is delivering, Princess Locker is pretty straightforward with a payment site that is very similar to what is used by Cerber. Its ransom is initially set at 3 Bitcoins with the threat to double that if payment is not made.

Other cyber-criminals have been busy giving the older Virlock malware a few new tricks.

Netskope's latest analysis of the two-year old Virlock found the ransomware can now be spread through cloud storage services due to the odd nature of encryption used.

“Virlock stands out as a unique family of ransomware that not only encrypts files, but converts them into a polymorphic file infector. An infected Virlock file contains polymorphic code, malware code and embedded clean code,” NetSkope researcher Ashwin Vamshi wrote.

This means that infected files stored in the cloud can spread the ransomware through cloud sync or when shared.

“A single user infected with Virlock ransomware can infect the rest of the enterprise by way of existing shared/collaborated files,” Vamshi wrote.

Sign up to our newsletters