Copycat Ransomware Making Rounds

Friday, July 22, 2016 @ 10:07 AM gHale


Ransomware is a very competitive market and copycats are sprouting up on a regular basis.

Take CrypMIC, a newcomer to the ransomware market that is making inroads against one of its competitors, CryptXXX.


Both versions of the malicious software are going out via the Neutrino exploit kit, said researchers at Trend Micro.

The new ransomware copies CryptXXX not only in its entry point but also in its ransom note and payment site UI.

Other similarities between the two threats include the use of the same format for the sub-version ID/bot ID (a "U" followed by six digits, UXXXXXX) and the same export function names (MS1, MS2).

Both ransomware families employ a custom protocol via TCP Port 443 to communicate with their command and control (C&C) servers, Trend Micro said.

There are differences, though. The source code and capabilities of the two differ.

CrypMIC does not append an extension name to the files it encrypts, making it trickier to determine which files have been held for ransom. The two also differ in their choice of compilers and obfuscation methods. CrypMIC has a VM check routine and sends that information to its C&C.
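Because CrypMIC leaves file extensions unchanged, a responder cannot list victims by looking for a renamed suffix. The following is an added example (not code from the article or from Trend Micro) of the triage check a defender can use instead: flag files whose content is near-random (high Shannon entropy) and, for formats with a known header, whose expected magic bytes are missing. The file names, the small magic-byte table and the sample contents are all constructed here for illustration.

```python
import math
import os
from collections import Counter

# Magic bytes for a few common formats (assumption: a real triage table covers far more).
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the content is near-random AND, for a format with a known header,
    that header is absent. Checking both avoids flagging legitimately compressed
    formats such as .docx, which are high-entropy but still carry their header."""
    ext = os.path.splitext(name)[1].lower()
    magic = EXPECTED_MAGIC.get(ext)
    if magic is not None and data.startswith(magic):
        return False
    # Only the first 4 KiB is sampled so large files stay cheap to scan.
    return shannon_entropy(data[:4096]) >= threshold


def triage(files: dict) -> list:
    """Return the names of files that look encrypted, in sorted order."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


# Constructed sample "files": a plain text file, an encrypted-looking one with
# the same extension, a genuine .docx (header present) and an encrypted .docx.
SAMPLE_FILES = {
    "report.txt": b"Quarterly numbers look fine.\n" * 50,
    "report_enc.txt": bytes(range(256)) * 8,
    "deck.docx": b"PK\x03\x04" + bytes(range(256)) * 8,
    "deck_enc.docx": bytes(range(255, -1, -1)) * 8,
}

if __name__ == "__main__":
    for name in triage(SAMPLE_FILES):
        print("possibly encrypted:", name)
```

Entropy alone is a weak signal on archives, images and office documents, which is why the header check is combined with it; on a real share, a spike in the count of such files per directory over a short window is the more useful indicator than any single file.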

The new piece of ransomware uses AES-256 encryption, targets 901 file types on the infected machines, and has no autostart or persistence mechanisms. The malware can run its encryption routine even in a virtualized environment and sends that information to the C&C. Moreover, it leverages vssadmin to delete shadow copies.
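Shadow copy deletion through vssadmin is one of the few loud things this family does on a host, and it is a reliable detection point precisely because the malware has no persistence of its own. The following is an added example (not code from the article or from Trend Micro) of detection logic run over a few constructed process-creation log lines; the pipe-separated log format, host names and timestamps are assumptions made for the example rather than any product's real format.

```python
# Constructed process-creation events: timestamp|host|parent image|image|command line
SAMPLE_LOG = """\
2016-07-22T10:07:01|WS-0142|explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2016-07-22T10:07:05|WS-0142|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2016-07-22T10:08:11|WS-0142|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2016-07-22T10:09:30|SRV-FS01|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|VSSADMIN.EXE Delete Shadows /For=C: /Quiet
"""


def parse_event(line: str) -> dict:
    """Split one pipe-separated event into its fields."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def is_shadow_deletion(event: dict) -> bool:
    """Match vssadmin invoked with both 'delete' and 'shadows' in any case or order.
    Listing shadows is benign admin activity and is deliberately not matched."""
    if not event["image"].lower().endswith("vssadmin.exe"):
        return False
    tokens = set(event["cmdline"].lower().split())
    return {"delete", "shadows"} <= tokens


def detect_shadow_deletion(log_text: str) -> list:
    """Return (timestamp, host, parent, command line) for every matching event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_shadow_deletion(ev):
            alerts.append((ev["ts"], ev["host"], ev["parent"], ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for ts, host, parent, cmd in detect_shadow_deletion(SAMPLE_LOG):
        print(f"{ts} {host}: shadow copies deleted via {parent!r}: {cmd}")
```

The parent process is carried into the alert on purpose: shadow deletion launched from a user-facing process such as explorer.exe, rather than from a backup agent's service account, is the context that turns a noisy rule into one worth paging on.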

Like CryptXXX, CrypMIC is dangerous to enterprises because it can also encrypt files on removable and network drives, although it can target only network shares already mapped to a drive letter, the researchers said. Both ransomware families demand the same ransom amount, 1.2 to 2.4 Bitcoins.