India 21 November 2016
It’s neither a new movie nor an upcoming sitcom; it’s all about the new variants of Ransomware spreading in the wild. However, at the time of writing this blog-post, there doesn’t seem to be any relationship between the authors of these two Ransomware families. Moreover, in the past few days we have seen a rise in the number of Ransomware variants, which makes us believe:
o Skiddies have entered into the Ransomware market.
o Open-source Ransomware e.g. Hidden-tear is being used to learn the tricks / tips of the trade.
o Ransomware creation tool-kits or Ransomware as a Service might have been made available in underground networks and, hopefully, a friendly security / malware researcher will find them.
o Affiliate Networks for spreading Ransomware are on the rise.
Dharma Ransomware
Like all the other Ransomware, this one too encrypts files with a select set of extensions and renames them in the format mentioned below.
Extension: .dharma
Pattern : filename.ext.[email id].dharma
The sample which was detected by eScan’s PBAE technology tried to encrypt files using [mr_lock@mail.com].dharma extension.
Karma Ransomware
Similar to Dharma Ransomware, Karma appends its own extension to each encrypted file, but it doesn’t add an email-id; it simply uses .karma. Karma also disguises itself as a Windows optimization program called Windows Tune-Up utility. It is part of a Pay-Per-Install software monetization scheme, and unsuspecting victims looking to grab free software might end up getting infected by Karma.
Extension: .karma
Pattern : filename.ext.karma
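The two renaming patterns above are the simplest host-side indicator a responder has when triaging an affected share or backup listing. The script below is an added example, not eScan’s code nor anything from the Ransomware authors: it turns the patterns quoted in this post into regular expressions of my own, recovers the original file name and extension, pulls out the contact address that Dharma embeds in the name, and summarises a directory listing. The listing itself is constructed for the example; the only address used is the one quoted above for the sample eScan detected.

```python
import re
from collections import Counter
from typing import Optional

# Naming patterns quoted in the post:
#   Dharma : filename.ext.[email id].dharma
#   Karma  : filename.ext.karma
# The regular expressions are my own rendering of those two patterns.
DHARMA_RE = re.compile(
    r"^(?P<original>.+\.(?P<ext>[^.\[\]]+))\.\[(?P<email>[^\]]+)\]\.dharma$",
    re.IGNORECASE,
)
KARMA_RE = re.compile(
    r"^(?P<original>.+\.(?P<ext>[^.]+))\.karma$",
    re.IGNORECASE,
)


def classify(filename: str) -> Optional[dict]:
    """Return the family, the original name/extension and, for Dharma, the
    contact address embedded in the name; None if neither pattern matches."""
    m = DHARMA_RE.match(filename)
    if m:
        return {"family": "Dharma", "original": m.group("original"),
                "ext": m.group("ext"), "email": m.group("email")}
    m = KARMA_RE.match(filename)
    if m:
        return {"family": "Karma", "original": m.group("original"),
                "ext": m.group("ext"), "email": None}
    return None


def triage_listing(filenames) -> dict:
    """Summarise a directory listing: how many files each family renamed,
    which original extensions were hit, and which contact addresses appear.
    The address list is what you would hand to whoever tracks campaigns."""
    counts = Counter()
    exts = Counter()
    emails = set()
    originals = []
    for name in filenames:
        hit = classify(name)
        if hit is None:
            continue
        counts[hit["family"]] += 1
        exts[hit["ext"].lower()] += 1
        originals.append(hit["original"])
        if hit["email"]:
            emails.add(hit["email"])
    return {"counts": dict(counts), "extensions": dict(exts),
            "emails": sorted(emails), "originals": originals}


# Constructed sample listing (not taken from a real infection); the address is
# the one quoted in the post for the Dharma sample that eScan detected.
SAMPLE_LISTING = [
    "report.docx.[mr_lock@mail.com].dharma",
    "budget.xlsx.[mr_lock@mail.com].dharma",
    "photo.jpg.karma",
    "notes.txt",
    "setup.exe",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

Run it against a recursive listing of the affected volume (one name per line) to get a quick count of what each family touched and the address the Dharma operator wants contacted. A name match is only a triage indicator: it confirms that files were already renamed, so it belongs in incident scoping and in a file-server canary alert, not in place of the behavioural blocking that stops the encryption in the first place.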
Earlier, we were used to fake anti-viruses luring users with fake reports and then convincing them to download and install their “Better than the Best Antivirus Solution”. Karma Ransomware creators/distributors are following the same track, since this is no longer an exclusive market, one which was earlier ruled by elite programmers.
Angler EK (Exploit Kit) used to distribute Locky; in the coming days we may observe a substantial rise in various Exploit Kits making a comeback with Ransomware as their major payload, alongside other capabilities viz. stealing information, passwords etc. However, merging these Ransomware-infected systems into a botnet is not practical for various reasons, viz. after the system gets infected, all the user can do is either format the system or pay the ransom, and the first thing users do after getting infected is to isolate the infected system.
The usage of botnets to carry out Ransomware infection attacks, brute-forcing their way into systems and exploiting vulnerabilities to gain execution privileges, doesn’t seem an improbable notion. We simply have to wait and watch.
PBAE Technology has protected eScan users from Dharma Ransomware, Karma Ransomware and all the other known Ransomware. Those users who haven’t yet updated eScan to the latest version should do so immediately.