Another ransomware spreading through BEDEP following an infection via Angler Exploit kit was discovered and detected by Trend Micro as Ransom_WALTRIX.

WALTRIX got its name from wallet (WAL) and wordplay on XXX (TRIX). The said ransomware can steal bitcoin wallet and CryptXXX is the folder name of the project from the source code bought by cyber-criminal groups.

According to researchers, the ransomware demands a rather lofty ransom of $500 per system—a far cry from common ransom payments seen in the past. WALTRIX is also found to possess Bitcoin-stealing abilities, aside from harvesting credentials and other personal information from its target.

WALTRIX Infection Chain

Click image to enlarge.

VSAPI Pattern (Malicious File Detection)

LAYERDETECTIONPATTERN VERSIONRelease Date
INFECTIONWORM_QAKBOT.SMOTOPR 12.3031/28/2016
INFECTIONRansom_HPWALTRIX.SMOPR 12.5535/27/2016
INFECTIONRansom_HPWALTRIX.SM2OPR 12.4954/28/2016
INFECTIONRansom_WALTRIX.SM0OPR 12.5676/3/2016
INFECTIONRansom_WALTRIX.SM1OPR 12.4894/25/2016
INFECTIONRansom_WALTRIX.SMAOPR 12.5736/6/2016
INFECTIONRansom_WALTRIX.SMLVOPR 12.5535/27/2016
INFECTIONRansom_WALTRIX.SMLV2OPR 12.5535/27/2016
INFECTIONRansom_WALTRIX.SMWOPR 12.5595/30/2016
INFECTIONRansom_WALTRIX.SMW1OPR 12.5636/1/2016
DYNAMICLNK_WALTRIX.SMOPR 12.6036/20/2016
INFECTIONRansom_WALTRIX.SM01OPR 12.5756/7/2016
INFECTIONRansom_WALTRIX.SM02OPR 12.5756/7/2016
INFECTIONRansom_WALTRIX.SM03OPR 12.5836/10/2016
INFECTIONRansom_WALTRIX.SMAOPR 12.5736/6/2016
INFECTIONRansom_WALTRIX.SMROPR 12.6096/23/2016
INFECTIONRansom_WALTRIX.SMQOPR 12.6036/20/2016

WRS Pattern (Malicious URL and Classification)

LAYERURLScoreBlocking Date
Exposure217{blocked}.23.13.153:443C&C Server5/14/2016
Exposurehxxp://dwexgugunn.ufbusiness{blocked}.top/peculiar/gather-23256070Disease Vector5/14/2016
Exposurehxxp://fvmueiyiw.exubetween{blocked}.top/1992/11/04/creature/westward/tall/shade-clench-anxious-shoulder-work-guilty.htmlDisease Vector5/18/2016
Exposurehxxp://hrkmnkl.pointcob{blocked}.top/2003/11/07/drawer/fetch-hell-unusual.htmlVirus Accomplice5/20/2016
Exposurehxxp://jcehzvzzed.eseventhc{blocked}.top/2010/05/19/below/sacred/word/tube-split-teeth-story-wade-stream-talent-southern-slide.htmlDisease Vector5/12/2016
Exposurehxxp://mmhbvqznfx.changejax{blocked}.top/metal/enJ1bXNja3oEmerging Malware,Virus Accomplice5/20/2016
Exposurehxxp://qgtzpfedz.iseventhq{blocked}.top/1982/06/13/ball/whence/encounter/threaten-cover-lady-valentine-duck-darken-together-chain.htmlDisease Vector5/12/2016
Exposurehxxp://tigjzfsk.oninthn{blocked}.top/1991/05/19/merchant/earth-friend-handkerchief-worry-peeve-spoon-buzz-grunt-contact-monster.htmlDisease Vector5/12/2016
Exposurehxxp://toctb.womanal{blocked}.top/american/cW9sd2EDisease Vector5/16/2016
Exposurehxxp://txmdmwmqy.womanig{blocked}.top/idiot/1182166/carpet-blow-kingdom-five-hide-mineDisease Vector5/16/2016
Exposurehxxp://yafhhcef.nightgep{blocked}.top/opinion/Z3R5cXoVirus Accomplice5/20/2016
Exposurehxxp://yziugm.jamieaabundant{blocked}.top/slop/YmNiZHlzcnZrcwDisease Vector5/11/2016
Exposurehxxp://zfkkgaik.vuylynx{blocked}.top/attack/dnlhYXl5bgDisease Vector5/17/2016
Exposurehxxp://scelerataque-arriano.themartinlawgroup{blocked}.com/?y=&v=trad-lr&w=-Et-SPu_ke&h=Zag5W&g=U6zmsa5FF&k=&p=bNI1vIqp&b=SuMkY_7GIRansomware5/20/2016
Exposurehxxp://plotow-familycontract.unishadeverticalsystem{blocked}.co.uk/Malware Accomplice, Ransomware5/18/2016
Exposurehxxp://prookasieskansanlaulun.jamesaweddingphotography{blocked}.co.uk/Disease Vector5/13/2016
Exposurehxxps://{blocked}144.76.82.19/C&C Server5/20/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERDetectionPattern VersionRelease Date
DYNAMICRAN4165TTMTD OPR 155106/07/16 (Batch 1)
DYNAMICRAN4169TTMTD OPR 155106/07/16 (Batch 1)
DYNAMICRAN4173TTMTD OPR 155306/14/16 (Batch 1)
DYNAMICRAN4179TTMTD OPR 155906/28/16 (Batch 1)
DYNAMICRAN4172TTMTD OPR 155306/14/16 (Batch 1)
 
Make sure to always use the latest pattern available to detect the old and new variants of
Ransom_WALTRIX.
.