Security Response

Ransomware: The Couch-Potato Vs The Backpacker

Created: 30 Nov 2012 16:38:00 GMT • Updated: 23 Jan 2014 18:11:16 GMT • Translations available: 日本語
Lionel Payet

Comparing variants of the same malware family can sometimes uncover interesting results. Trojan.Ransomlock, a highly profitable and prevalent family, is one such case. This threat was originally spotted in Russia in 2009 but has since been highly active in the wider world, particularly in the past few months.

An in-depth analysis of this month's antivirus detection statistics for the Trojan.Ransomlock family reveals two top variants: Trojan.Ransomlock.T and Trojan.Ransomlock.G.

Figure 1. Trojan.Ransomlock AV detections for the past 30 and 7 day periods

As can be seen in Figure 1, over the past 30 days Ransomlock.T has been the most active variant, with Ransomlock.G following closely behind. Looking at the statistics for the past seven days, however, Ransomlock.G has overtaken Ransomlock.T to take the number one spot. Why is this?

Let’s take a look at the following heat maps illustrating the locations where the variants have been detected in the past seven days.

Figure 2. Detections for Trojan.Ransomlock.T in the past seven days

Figure 3. Detections for Trojan.Ransomlock.G in the past seven days

We can clearly see from Figures 2 and 3 that while Ransomlock.T has decided to remain predominantly in North America, like the proverbial couch-potato, Ransomlock.G has become an international backpacker making its way across the globe. Although Ransomlock.T originated in Germany, we can now safely say that it has migrated to North America; we confirmed this by looking at detection statistics for the past few months.

In the case of Ransomlock.G, the animation below illustrates just how international it has become.

Figure 4. Detections for Ransomlock.G from February to November 2012

So, why the difference? A malware family's activity depends mostly on the infection vectors and social engineering methods it uses. Both variants are mainly delivered by exploit kits and use well-crafted scams, but Ransomlock.G (also known as Reveton) seems to be doing better than the other variants. It uses the latest exploit kits and quickly adopts new social engineering methods, such as the use of audio. The malware authors invest a great deal of time and resources in planning the best way to spread their creation, as discussed by Gavin O’Gorman in his research paper, Ransomware: A Growing Menace.

The fraudsters responsible for Trojan.Ransomlock.G use adult advertising networks to place ads on pornographic websites that lead back to their exploit pack websites. Considerable investment is made in their infrastructure, with the attackers regularly moving the exploit pack websites to new addresses. The volume of advertising is also substantial, with at least 500,000 people clicking on their malicious ads over a period of 18 days.

Kafeine also confirms the geographical spread of the Reveton ransomware and discusses its latest technical enhancement, the use of audio.

We have the following protections in place for the latest versions of Trojan.Ransomlock.T and Trojan.Ransomlock.G:

Antivirus:
Trojan.Ransomlock.T

Trojan.Ransomlock.G
Trojan.Ransomlock.G!g1
Trojan.Ransomlock!g13
Trojan.Ransomlock!g14
Trojan.Ransomlock!g17
Trojan.Ransomlock!g22
Trojan.Ransomlock!g26

Intrusion Prevention System: 
System Infected: Trojan.Ransomlock.T
System Infected: Trojan.Ransomlock.T 2
System Infected: Trojan.Ransomlock.G 2

Web Attack: Trojan.Ransomlock.G Download

If you are affected by any ransomware scam, do not pay the ransom. Instead, follow our removal steps and watch our video for additional help.