Ransomware Variants in the Wild, Stay Alert and Prevent Infection

In the past six months, HKCERT has received a rising number of ransomware infection cases. Most of the cases involved Cerber, while GlobeImposter, CrySiS and GandCrab also contributed to the number of infection cases. Most of the computers infected with ransomware belonged to enterprises. It can be seen that the recent ransomware attacks mainly take aim at enterprises' servers and workstations.

| Ransomware | Latest Version | Ransom Message | File Extensions | Primary Infection Vector | Decryptable Versions* |
| --- | --- | --- | --- | --- | --- |
| Cerber | V8 | A message asks victims to buy 'Cerber Decryptor' for decryption via Tor browser. | In V1-V3, the extension is ".cerber". From V4, it is random characters, with the number of characters equal to the version number. | Malicious email attachments, malicious webpage advertisements, legitimate programs containing malware, exploitation of an Apache Struts2 vulnerability. | Cerber V1 |
| GlobeImposter | 3.0 | A file named "HOW_TO_BACK_FILES.txt" in the encrypted folder shows the victim's ID number and the hacker's contact information. The message asks victims to send the ID number to the hacker's email address, then pay the ransom according to the hacker's instructions. | In 1.0, the common extension is ".CHAK". In 2.0, common extensions are ".TRUE" and ".doc". In 3.0, common extensions are ".Tiger4444" and ".Ox4444". | Malicious email attachments, penetration scanning, brute force of Windows Remote Desktop Services (RDP). | GlobeImposter 1.0 |
| CrySiS | The version with file extension ".arrow" | A file named "FILES ENCRYPTED.txt" in the encrypted folder shows the hacker's contact information. The message asks victims to communicate with the hacker to pay the ransom. | Common extensions are ".java", ".arena", ".bip" and ".arrow". | Brute force of Windows Remote Desktop Services (RDP). | No certain version. |
| GandCrab | V5 | A message asks victims to pay the ransom for decryption via Tor browser. | In V1, the extension is ".GDCB". In V2 and V3, ".GRAB". In V4, ".KRAB". In V5, a random extension. | Malicious email attachments or links, legitimate programs containing malware, brute force of Windows Remote Desktop Services (RDP), brute force of Tomcat Manager. | GandCrab V1, V4 and V5 |

We analyzed the infection vectors, malware characteristics and current decryptable versions of these four ransomware families.

*You can download decryption tools from the website below. HKCERT does not guarantee that the tools can recover the files successfully.*

Among the infection cases we received, the number of infections of individual users' computers did not increase significantly; however, the number of infections of enterprise computers and servers showed a significant upward trend. After analysing and investigating the main infection vectors of the four kinds of ransomware, we believe that hackers have added attack methods against enterprise computers and servers in new variants of ransomware. Individual users' computers are infected with ransomware mainly because they open malicious attachments or links in spam emails, malicious advertisements on websites, or legitimate programs containing malware.

For enterprise computers and servers, there are two common types of infection among the ransomware variants. One uses an enterprise PC as the entry point: spam emails or other lures trick victims into executing malicious content. After this stepping-stone computer is infected, the ransomware looks for computers that have Windows Remote Desktop Services (RDP) turned on and tries to brute force them. Because RDP services are usually turned on in enterprise environments, a server that uses a weak RDP password becomes the target. The other uses the server as the entry point: the ransomware attacks the server's web application by exploiting vulnerabilities or by brute force, and then spreads to other computers in the same network to expand the scope of infection.
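One way to spot the stepping-stone behaviour described above in Windows logon events, as an added example that is not part of the HKCERT article: it counts failed remote logons (event 4625, logon type 3 or 10) per source address and reports a successful logon (4624) from a source that has already been flagged. The CSV column layout, the threshold and window values, and the sample lines are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed columns:
# time,event_id,logon_type,source_ip,target_host,account
SAMPLE_LOG = """\
2024-01-15T09:00:01,4625,3,10.0.5.23,FILESRV01,administrator
2024-01-15T09:00:03,4625,3,10.0.5.23,FILESRV01,admin
2024-01-15T09:00:05,4625,3,10.0.5.23,FILESRV01,backup
2024-01-15T09:00:09,4625,10,10.0.5.23,DBSRV02,administrator
2024-01-15T09:00:12,4625,10,10.0.5.23,DBSRV02,administrator
2024-01-15T09:00:15,4625,10,10.0.5.23,DBSRV02,administrator
2024-01-15T09:00:20,4624,10,10.0.5.23,DBSRV02,administrator
2024-01-15T09:05:00,4625,10,10.0.5.40,FILESRV01,alice
2024-01-15T09:05:20,4624,10,10.0.5.40,FILESRV01,alice
2024-01-15T09:06:00,4625,2,-,FILESRV01,bob
"""

FAILED, SUCCESS = "4625", "4624"   # Windows Security event IDs
REMOTE_TYPES = {"3", "10"}         # 10 = RemoteInteractive (RDP), 3 = Network (RDP with NLA)


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each suspicious source IP to its failure burst, the hosts it hit and
    any later successful logon on those hosts. Input must be sorted by time."""
    failures = defaultdict(list)            # source_ip -> [(time, host)]
    findings = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6 or row[2] not in REMOTE_TYPES:
            continue                        # skip malformed rows and local logons
        ts, event_id, _, src, host, account = row
        when = datetime.fromisoformat(ts)
        if event_id == FAILED:
            failures[src].append((when, host))
            recent = [f for f in failures[src] if when - f[0] <= window]
            if len(recent) >= threshold:
                hit = findings.setdefault(
                    src, {"failures": 0, "targets": set(), "breached": []})
                hit["failures"] = max(hit["failures"], len(recent))
                hit["targets"].update(h for _, h in recent)
        elif event_id == SUCCESS and host in findings.get(src, {}).get("targets", ()):
            # Flagged source now logs on to a host it was guessing against.
            findings[src]["breached"].append((host, account))
    return findings


if __name__ == "__main__":
    for src, hit in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, hit["failures"], sorted(hit["targets"]), hit["breached"])
```

A single mistyped password followed by a success (10.0.5.40 in the sample) stays below the threshold and is not reported; an entry with a non-empty `breached` list is the one to isolate and investigate first.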

It can be seen that hackers mainly attack the servers of large enterprises and public organizations, which hold a lot of valuable information, in order to guarantee they get the ransom. Therefore, enterprises and public organizations need to strengthen their network and system security and improve their employees' security awareness. HKCERT has compiled a series of articles, "中小企網絡安全七大攻略" (Chinese), for reference. The series is currently being published. You can browse the following pages:

If your computer is infected with ransomware, you can refer to the “Ransomware Decryption Guideline” compiled by HKCERT for decryption:

To learn how to prevent ransomware infection, you can browse the following page:

More information about ransomware can be found here: