Ransomware Recap: Erebus Makes a Splash

The re-emergence of an Erebus ransomware variant last week made it the latest high-profile ransomware attack after WannaCry. Detected by Trend Micro as RANSOM_ELFEREBUS.A, Erebus hit South Korean web hosting company NAYANA, affecting 3,400 business websites the company hosts.

NAYANA posted a notice on its website on June 12 stating that the attackers had demanded a ransom of 550 Bitcoins (BTC), about US$1.62 million, in exchange for the decryption keys. In an update on June 14, NAYANA said it had negotiated the payment down to 397.6 BTC (around US$1.01 million as of June 19, 2017), to be paid in installments.

Erebus infected NAYANA's Linux servers. It uses a fake Bluetooth service as part of its persistence mechanisms so that the ransomware is executed again after the system or server is rebooted, and it uses cron, the job scheduler in Unix-like operating systems that runs commands or shell scripts on a timetable, to check hourly whether the ransomware is still running.

Figure 1. Erebus ransom note
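The two persistence techniques described above (a service that masquerades as Bluetooth, and an hourly cron job that relaunches the payload if it is not running) are exactly the kind of thing a responder should sweep a Linux server for. The script below is an added example written for this recap; it is not Trend Micro's tooling or any Erebus code, and every path, unit name and crontab line in it is constructed for illustration. It assumes the fake service is a systemd unit (the recap does not say which init system NAYANA's servers used; a SysV init script would need a separate check) and it flags hourly schedules that reference world-writable or hidden directories, or that contain a "restart if not running" pattern. On a live host, feed it `crontab -l -u <user>` output, the files under /etc/cron.d and the units under /etc/systemd/system.

```python
"""Hunt for cron- and service-based persistence on a Linux host.

Added example, not code from the page or from Trend Micro. All sample
inputs below are constructed; the binary names and paths are hypothetical.
"""
import re

# Assumed allow-list of binaries a genuine Bluetooth service would launch.
KNOWN_BLUETOOTH_BINARIES = {
    "/usr/lib/bluetooth/bluetoothd",
    "/usr/libexec/bluetooth/bluetoothd",
    "/usr/sbin/bluetoothd",
}
# World-writable locations that a scheduled job should never run from.
UNTRUSTED_LOCATIONS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# "check whether it is running, relaunch it if not" shell idiom.
KEEPALIVE_RE = re.compile(r"\b(pgrep|pidof|ps)\b.*\|\|")

# Constructed sample: a user crontab as printed by `crontab -l`.
SAMPLE_USER_CRONTAB = """\
SHELL=/bin/sh
0 2 * * * /usr/bin/certbot renew --quiet
17 * * * * pgrep -x .cache-worker >/dev/null || /var/tmp/.cache/.cache-worker &
@hourly /tmp/.x/update.sh
"""
# Constructed sample: /etc/crontab, which carries a user column.
SAMPLE_SYSTEM_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""
# Constructed sample: a unit that calls itself Bluetooth but starts something else.
SAMPLE_FAKE_UNIT = """\
[Unit]
Description=Bluetooth Service
After=network.target
[Service]
Type=simple
ExecStart=/var/tmp/.cache/.cache-worker --daemon
Restart=always
[Install]
WantedBy=multi-user.target
"""
# Constructed sample: what a legitimate bluez unit looks like, for contrast.
SAMPLE_LEGIT_UNIT = """\
[Unit]
Description=Bluetooth service
[Service]
Type=dbus
BusName=org.bluez
ExecStart=/usr/lib/bluetooth/bluetoothd
"""


def parse_crontab(text, has_user_field=False):
    """Return [(schedule, command)] from crontab text, skipping comments and
    VAR=value lines. Set has_user_field for /etc/crontab and /etc/cron.d/*."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:  # environment assignment such as SHELL=/bin/sh
            continue
        if first.startswith("@"):  # @hourly, @reboot, ... shortcut schedules
            parts = line.split(None, 2 if has_user_field else 1)
            if len(parts) == (3 if has_user_field else 2):
                entries.append((first, parts[-1]))
            continue
        parts = line.split(None, 6 if has_user_field else 5)
        if len(parts) == (7 if has_user_field else 6):
            entries.append((" ".join(parts[:5]), parts[-1]))
    return entries


def is_hourly(schedule):
    """True for @hourly or a fixed minute with the hour field left as '*'."""
    if schedule == "@hourly":
        return True
    fields = schedule.split()
    return len(fields) == 5 and fields[0].isdigit() and fields[1] in ("*", "*/1")


def cron_findings(entries):
    """Flag hourly jobs that touch temp/hidden paths or keep a process alive."""
    findings = []
    for schedule, command in entries:
        if not is_hourly(schedule):
            continue
        reasons = []
        for path in (t for t in command.split() if t.startswith("/")):
            if path.startswith(UNTRUSTED_LOCATIONS):
                reasons.append("references world-writable temp directory: " + path)
            if "/." in path:
                reasons.append("references hidden path: " + path)
        if KEEPALIVE_RE.search(command):
            reasons.append("restart-if-not-running pattern (keeps a process alive)")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


def parse_unit(text):
    """Minimal INI-style parser for a systemd unit: {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def service_findings(unit_name, unit_text):
    """Reasons a unit looks like a masquerading persistence service ([] if clean)."""
    unit = parse_unit(unit_text)
    description = " ".join(unit.get("Unit", {}).get("Description", []))
    claims_bluetooth = "bluetooth" in (unit_name + " " + description).lower()
    service = unit.get("Service", {})
    reasons = []
    for exec_line in service.get("ExecStart", []):
        program = exec_line.split()[0].lstrip("-@+!:")  # drop systemd exec prefixes
        if claims_bluetooth and program not in KNOWN_BLUETOOTH_BINARIES:
            reasons.append("claims to be Bluetooth but starts " + program)
        if program.startswith(UNTRUSTED_LOCATIONS) or "/." in program:
            reasons.append("ExecStart from temp or hidden path: " + program)
    if reasons and "always" in service.get("Restart", []):
        reasons.append("Restart=always re-spawns it if killed")
    return reasons


if __name__ == "__main__":
    for sched, cmd, why in cron_findings(parse_crontab(SAMPLE_USER_CRONTAB)):
        print("CRON", sched, cmd, why)
    print("SYSTEM CRON", cron_findings(parse_crontab(SAMPLE_SYSTEM_CRONTAB, True)))
    print("FAKE UNIT", service_findings("bluetooth-helper.service", SAMPLE_FAKE_UNIT))
    print("LEGIT UNIT", service_findings("bluetooth.service", SAMPLE_LEGIT_UNIT))
```

The system crontab sample produces no findings even though its run-parts line is hourly, because the check keys on where the command runs from and on the relaunch idiom rather than on the schedule alone; that is what keeps Debian's stock /etc/crontab from drowning out the two constructed user entries.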

CryptoSpider and WinUpdatesDisabler

Hidden Tear variants remained very much alive this past week, with CryptoSpider (detected by Trend Micro as Ransom_HiddenTearCSPIDER.A) and WinUpdatesDisabler (Ransom_HiddenTearWUPDIS.A).

CryptoSpider is a ransomware variant that appears to still be under development. Lacking the more sophisticated elements of its predecessors, this Hidden Tear variant's lock screen does not demand any ransom from its victims; it only informs them that they have been hacked by a certain ./Mr-Ghost-C47.

Figure 2. CryptoSpider ransom note

Meanwhile, WinUpdatesDisabler was discovered in the wild asking victims to pay an unspecified amount in exchange for a decryption key. Arriving as a Win32 executable (.exe), it carries a ransom note written in Bosnian. It encrypts a variety of file types, including Microsoft Office documents and various audio and video formats.

Here are other notable ransomware stories that have surfaced:

CA$HOUT Ransomware

Still under development, the CA$HOUT Ransomware (detected by Trend Micro as Ransom_CASHOUT.A) is a new variant that was discovered in a malfunctioning state. Its ransom note demands US$100 in exchange for a decryption key.

Figure 3. CA$HOUT Ransomware ransom note

MacRansom

Detected by Trend Micro as Ransom_PROTONOSX, MacRansom is believed to be the first macOS Ransomware-as-a-Service (RaaS). It uses symmetric encryption with a hardcoded key and asks victims to pay 0.25 BTC (about US$700) for a decryptor. If payment is not made within seven days, MacRansom threatens to delete the decryption key, leaving the affected files permanently encrypted.

MacRansom targets files larger than eight bytes in the active account of an infected endpoint. Because it is sold as a service, however, future variants may target files differently, depending on the specifications buyers provide to the seller.

Virus Ransomware

Virus Ransomware (detected by Trend Micro as Ransom_UCRAZY.A) is malware that does not actually encrypt files. Instead, it flashes nuisance message boxes and displays a note featuring a My Little Pony character that demands US$300 in Bitcoin from users, even though it holds no files hostage.

Figure 4. Virus Ransomware lock screen