This post was last edited by Eset小粉絲 on 2016-7-30 10:24
They say imitation is the sincerest form of flattery. Take the case of CrypMIC—detected by Trend Micro as RANSOM_CRYPMIC—a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX.
CrypMIC and CryptXXX share many similarities: both are spread by the Neutrino Exploit Kit, both use the same format for the sub-version ID/bot ID (U followed by six digits, i.e. UXXXXXX), and both use the same export function names (MS1, MS2). Both threats also employ a custom protocol over TCP port 443 to communicate with their command-and-control (C&C) servers.
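The two indicators above (a custom, non-TLS protocol on TCP port 443 and the UXXXXXX bot-ID format) are things a defender can check for. The following is an added example, not code from the original post or from Trend Micro: it flags TCP/443 flows whose first payload bytes do not form a valid TLS record header, and validates candidate strings against the bot-ID format. The flow records and payloads are constructed for the example; the non-TLS payload is a placeholder and does not reproduce the real CrypMIC/CryptXXX wire format, which the post does not describe.

```python
import re

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
MAX_TLS_RECORD = 16384 + 2048  # plaintext limit plus allowed expansion

# Bot-ID format described in the post: "U" followed by exactly six digits.
BOT_ID_RE = re.compile(r"^U\d{6}$")


def is_tls_record(payload: bytes) -> bool:
    """Return True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (
        ctype in TLS_CONTENT_TYPES
        and major == 0x03          # SSL 3.0 / TLS 1.x all use major version 3
        and minor <= 0x04
        and 0 < length <= MAX_TLS_RECORD
    )


def looks_like_bot_id(value: str) -> bool:
    """Check a string (e.g. extracted from a sample or a C&C request) against the bot-ID format."""
    return BOT_ID_RE.fullmatch(value) is not None


def flag_non_tls_443(flows):
    """Return destination addresses of TCP/443 flows that do not start with a TLS record.

    Legitimate HTTPS always begins with a TLS handshake record; anything else on
    port 443 is worth pulling for inspection.
    """
    return [
        f["dst"]
        for f in flows
        if f["dport"] == 443 and not is_tls_record(f["payload"])
    ]


# Constructed sample flows (RFC 5737 documentation addresses, not real IoCs).
FLOWS = [
    {   # normal HTTPS: TLS 1.0 record header carrying a ClientHello
        "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443,
        "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    },
    {   # constructed non-TLS payload on 443 (placeholder, not the real malware protocol)
        "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
        "payload": b"\x01\x00\x00\x2c" + b"\x00" * 20,
    },
    {   # plain HTTP on port 80, outside the scope of this check
        "src": "10.0.0.5", "dst": "198.51.100.30", "dport": 80,
        "payload": b"GET / HTTP/1.1\r\n",
    },
]

if __name__ == "__main__":
    for dst in flag_non_tls_443(FLOWS):
        print("non-TLS traffic on tcp/443 to", dst)
    for candidate in ("U123456", "U12345", "u123456"):
        print(candidate, "matches bot-ID format:", looks_like_bot_id(candidate))
```

The check is a triage heuristic, not a signature: legitimate non-TLS services do occasionally sit on 443, so flagged flows should be correlated with endpoint telemetry (e.g. the process that opened the socket) before acting on them.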
Upon closer look, CrypMIC and CryptXXX differ in source code and capabilities. For instance, CrypMIC does not append an extension name to the files it encrypts, making it trickier to determine which files have been held for ransom. They also differ in their choice of compilers and obfuscation methods. CrypMIC has a VM check routine and sends the result to its C&C.
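Because CrypMIC leaves file names and extensions untouched, responders cannot simply list files by a ransomware extension. The following is an added example, not code from the original post or from Trend Micro, showing a triage approach that does not depend on extensions: compare each file's leading bytes with the magic number expected for its extension, and measure byte entropy, since an encrypted file no longer matches its format and looks close to random. The magic-number table and the sample files are constructed for the example and only cover a handful of formats.

```python
import math
import os
import random
from collections import Counter

# Expected leading bytes per extension (constructed, deliberately small table).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
}
# Entropy above this is treated as "random-looking" when no magic number is known.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random, plain text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(name: str, data: bytes) -> dict:
    """Classify one file from its name and (leading) content.

    magic_ok is True/False when the extension has a known magic number, None otherwise.
    A file is suspect when its magic number is wrong, or, for unknown formats,
    when its content is near-random.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    magic_ok = None if expected is None else data.startswith(expected)
    entropy = shannon_entropy(data)
    suspect = (magic_ok is False) or (magic_ok is None and entropy > ENTROPY_THRESHOLD)
    return {"name": name, "entropy": round(entropy, 3), "magic_ok": magic_ok, "suspect": suspect}


def scan_tree(root: str, sample_size: int = 65536):
    """Walk a directory and triage the first sample_size bytes of every file."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    results.append(triage_file(path, fh.read(sample_size)))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return results


# Constructed sample contents: one intact PDF-like file, one "PDF" that is
# actually random bytes (standing in for an encrypted file), and text equivalents.
_rng = random.Random(20160730)
RANDOM_BYTES = bytes(_rng.getrandbits(8) for _ in range(4096))
GOOD_PDF = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50
PLAIN_TEXT = b"Quarterly report, draft 3. Figures to be confirmed.\n" * 40

SAMPLES = {
    "report.pdf": GOOD_PDF,
    "invoice.pdf": RANDOM_BYTES,   # wrong magic number: encrypted in place
    "notes.txt": PLAIN_TEXT,
    "todo.txt": RANDOM_BYTES,      # unknown format, but near-random content
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_file(name, data))
```

On a real share, run `scan_tree` against the affected tree and review the suspect entries; compressed formats (zip, docx, jpg) are legitimately high-entropy, which is why the magic-number comparison, not entropy alone, drives the verdict for known extensions.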
The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to the Neutrino exploit kit, which has recently been reported to be delivering other ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber.
We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before Neutrino switched back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. In the same week, Neutrino also distributed Cerber via malvertising, as well as other malware from other cybercriminal groups. By July 14th, Neutrino had started to distribute an apparently newer version of CryptXXX (5.001).
CryptXXX 5.001 is not a major version update; it carries only minor changes, such as the structure of the information appended to encrypted files. Its encryption routine, number of targeted extensions and packet format, among other things, are the same as in 4.001.
Both CrypMIC and CryptXXX pose dangers to organizations and users, as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported not to function properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks.
Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended.
Trend Micro Solutions
Enterprises can use Trend Micro solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security to block ransomware at the exposure layer—web and email. Trend Micro’s Deep Discovery Inspector detects malicious traffic, communications, and other suspicious activities associated with attempts to inject ransomware into the network.
Trend Micro’s Deep Security™ can shield applications such as browsers from exploits—which both CrypMIC and CryptXXX rely on—that facilitate the injection of ransomware into systems. At the endpoint level, Trend Micro’s Smart Protection Suites detect and stop suspicious behavior and exploits associated with ransomware through behavior monitoring, application control, vulnerability shielding and web security.
Trend Micro also provides security solutions for SMBs via Worry-Free™ Services Advanced’s cloud security, behavior monitoring and real-time web reputation for devices and emails. For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with threats like CrypMIC and CryptXXX.
The differences between CryptXXX and CrypMIC
30/7/16 - @驭龙 @windows7爱好者
How come no popularity points were given?