Another ransomware family that spreads through BEDEP, following an initial infection via the Angler Exploit Kit, has been discovered and is detected by Trend Micro as Ransom_WALTRIX.
WALTRIX takes its name from wallet (WAL) and a wordplay on XXX (TRIX): the ransomware can steal Bitcoin wallets, and CryptXXX is the project folder name in the source code purchased by cybercriminal groups.
According to researchers, the ransomware demands a rather lofty ransom of $500 per system, a far cry from the ransom amounts commonly seen in the past. Besides harvesting credentials and other personal information from its targets, WALTRIX has also been found to possess Bitcoin-stealing capabilities.
VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN VERSION | Release Date |
---|---|---|---|
INFECTION | WORM_QAKBOT.SMOT | OPR 12.303 | 1/28/2016 |
INFECTION | Ransom_HPWALTRIX.SM | OPR 12.553 | 5/27/2016 |
INFECTION | Ransom_HPWALTRIX.SM2 | OPR 12.495 | 4/28/2016 |
INFECTION | Ransom_WALTRIX.SM0 | OPR 12.567 | 6/3/2016 |
INFECTION | Ransom_WALTRIX.SM1 | OPR 12.489 | 4/25/2016 |
INFECTION | Ransom_WALTRIX.SMA | OPR 12.573 | 6/6/2016 |
INFECTION | Ransom_WALTRIX.SMLV | OPR 12.553 | 5/27/2016 |
INFECTION | Ransom_WALTRIX.SMLV2 | OPR 12.553 | 5/27/2016 |
INFECTION | Ransom_WALTRIX.SMW | OPR 12.559 | 5/30/2016 |
INFECTION | Ransom_WALTRIX.SMW1 | OPR 12.563 | 6/1/2016 |
DYNAMIC | LNK_WALTRIX.SM | OPR 12.603 | 6/20/2016 |
INFECTION | Ransom_WALTRIX.SM01 | OPR 12.575 | 6/7/2016 |
INFECTION | Ransom_WALTRIX.SM02 | OPR 12.575 | 6/7/2016 |
INFECTION | Ransom_WALTRIX.SM03 | OPR 12.583 | 6/10/2016 |
INFECTION | Ransom_WALTRIX.SMR | OPR 12.609 | 6/23/2016 |
INFECTION | Ransom_WALTRIX.SMQ | OPR 12.603 | 6/20/2016 |
WRS Pattern (Malicious URL and Classification)
LAYER | URL | Score | Blocking Date |
---|---|---|---|
Exposure | 217{blocked}.23.13.153:443 | C&C Server | 5/14/2016 |
Exposure | hxxp://dwexgugunn.ufbusiness{blocked}.top/peculiar/gather-23256070 | Disease Vector | 5/14/2016 |
Exposure | hxxp://fvmueiyiw.exubetween{blocked}.top/1992/11/04/creature/westward/tall/shade-clench-anxious-shoulder-work-guilty.html | Disease Vector | 5/18/2016 |
Exposure | hxxp://hrkmnkl.pointcob{blocked}.top/2003/11/07/drawer/fetch-hell-unusual.html | Virus Accomplice | 5/20/2016 |
Exposure | hxxp://jcehzvzzed.eseventhc{blocked}.top/2010/05/19/below/sacred/word/tube-split-teeth-story-wade-stream-talent-southern-slide.html | Disease Vector | 5/12/2016 |
Exposure | hxxp://mmhbvqznfx.changejax{blocked}.top/metal/enJ1bXNja3o | Emerging Malware,Virus Accomplice | 5/20/2016 |
Exposure | hxxp://qgtzpfedz.iseventhq{blocked}.top/1982/06/13/ball/whence/encounter/threaten-cover-lady-valentine-duck-darken-together-chain.html | Disease Vector | 5/12/2016 |
Exposure | hxxp://tigjzfsk.oninthn{blocked}.top/1991/05/19/merchant/earth-friend-handkerchief-worry-peeve-spoon-buzz-grunt-contact-monster.html | Disease Vector | 5/12/2016 |
Exposure | hxxp://toctb.womanal{blocked}.top/american/cW9sd2E | Disease Vector | 5/16/2016 |
Exposure | hxxp://txmdmwmqy.womanig{blocked}.top/idiot/1182166/carpet-blow-kingdom-five-hide-mine | Disease Vector | 5/16/2016 |
Exposure | hxxp://yafhhcef.nightgep{blocked}.top/opinion/Z3R5cXo | Virus Accomplice | 5/20/2016 |
Exposure | hxxp://yziugm.jamieaabundant{blocked}.top/slop/YmNiZHlzcnZrcw | Disease Vector | 5/11/2016 |
Exposure | hxxp://zfkkgaik.vuylynx{blocked}.top/attack/dnlhYXl5bg | Disease Vector | 5/17/2016 |
Exposure | hxxp://scelerataque-arriano.themartinlawgroup{blocked}.com/?y=&v=trad-lr&w=-Et-SPu_ke&h=Zag5W&g=U6zmsa5FF&k=&p=bNI1vIqp&b=SuMkY_7GI | Ransomware | 5/20/2016 |
Exposure | hxxp://plotow-familycontract.unishadeverticalsystem{blocked}.co.uk/ | Malware Accomplice, Ransomware | 5/18/2016 |
Exposure | hxxp://prookasieskansanlaulun.jamesaweddingphotography{blocked}.co.uk/ | Disease Vector | 5/13/2016 |
Exposure | hxxps://{blocked}144.76.82.19/ | C&C Server | 5/20/2016 |
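As an added example (not part of the original advisory and not Trend Micro's code), the following Python parses rows of the WRS table above, undoes the defanging the page uses (hxxp for http, {blocked} spliced into the host), and checks the resulting hosts against a few constructed Squid-style proxy log lines, so a defender can sweep existing egress logs for past contact with the listed infrastructure. The indicators are copied from the table; the log lines, client addresses and log format are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rows copied from the WRS table on this page, in the defanged form it uses
# ("hxxp" for "http", "{blocked}" spliced into the host).
WRS_ROWS = """\
Exposure | 217{blocked}.23.13.153:443 | C&C Server | 5/14/2016 |
Exposure | hxxp://dwexgugunn.ufbusiness{blocked}.top/peculiar/gather-23256070 | Disease Vector | 5/14/2016 |
Exposure | hxxp://mmhbvqznfx.changejax{blocked}.top/metal/enJ1bXNja3o | Emerging Malware,Virus Accomplice | 5/20/2016 |
Exposure | hxxp://plotow-familycontract.unishadeverticalsystem{blocked}.co.uk/ | Malware Accomplice, Ransomware | 5/18/2016 |
Exposure | hxxps://{blocked}144.76.82.19/ | C&C Server | 5/20/2016 |
"""

# Constructed proxy log lines (Squid-style access.log, made up for this example):
# timestamp, elapsed ms, client IP, result code, bytes, method, URL or host:port.
SAMPLE_PROXY_LOG = """\
1463221800.101 312 10.0.0.5 TCP_MISS/200 51200 GET http://www.example.com/index.html
1463221801.220 845 10.0.0.5 TCP_MISS/200 22016 GET http://dwexgugunn.ufbusiness.top/peculiar/gather-23256070
1463221802.007 10 10.0.0.9 TCP_TUNNEL/200 0 CONNECT 217.23.13.153:443
1463221803.415 120 10.0.0.7 TCP_MISS/200 4096 GET http://intranet.example.local/status
1463221804.900 55 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 144.76.82.19:443
"""


@dataclass(frozen=True)
class Indicator:
    host: str            # refanged, lowercase host (domain or IP)
    score: str           # WRS classification as published
    blocking_date: str


def refang(value: str) -> str:
    """Undo the page's defanging so the indicator can be parsed as a real URL."""
    value = value.replace("{blocked}", "")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def host_of(value: str) -> str:
    """Bare host of a full URL, a 'host:port' pair or a bare IP/domain."""
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a netloc
    return (urlsplit(value).hostname or "").lower()


def parse_wrs_rows(text: str) -> list[Indicator]:
    """Turn 'LAYER | URL | Score | Blocking Date |' rows into Indicator objects."""
    indicators = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip blank lines and the table header/separator if they are present.
        if len(cells) < 4 or cells[0].startswith("---") or cells[0] == "LAYER":
            continue
        _layer, url, score, date = cells[:4]
        indicators.append(Indicator(host_of(refang(url)), score, date))
    return indicators


def parse_proxy_line(line: str) -> tuple[str, str] | None:
    """Return (client_ip, destination_host) for one constructed log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    # CONNECT entries log 'host:port' with no scheme; other methods log a full URL.
    return fields[2], host_of(fields[6])


def find_hits(log_text: str, indicators: list[Indicator]) -> list[tuple[str, str, str]]:
    """Exact host matches between the proxy log and the indicator set."""
    by_host = {ind.host: ind for ind in indicators}
    hits = []
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        client_ip, host = parsed
        if host in by_host:
            hits.append((client_ip, host, by_host[host].score))
    return hits


if __name__ == "__main__":
    iocs = parse_wrs_rows(WRS_ROWS)
    for client, host, score in find_hits(SAMPLE_PROXY_LOG, iocs):
        print(f"{client} contacted {host} ({score})")
```

Matching is on the exact host only, which is what the WRS rows pin down; the paths on the .top domains change per victim, so they are deliberately not part of the comparison. Any hit identifies an internal client that reached a Disease Vector or C&C host and should be triaged as a possible infection rather than blocked and forgotten.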
AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | Detection | Pattern Version | Release Date |
---|---|---|---|
DYNAMIC | RAN4165T | TMTD OPR 1551 | 06/07/16 (Batch 1) |
DYNAMIC | RAN4169T | TMTD OPR 1551 | 06/07/16 (Batch 1) |
DYNAMIC | RAN4173T | TMTD OPR 1553 | 06/14/16 (Batch 1) |
DYNAMIC | RAN4179T | TMTD OPR 1559 | 06/28/16 (Batch 1) |
DYNAMIC | RAN4172T | TMTD OPR 1553 | 06/14/16 (Batch 1) |
Solution Map - What should customers do?
Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
---|---|---|---|---|---|---|---|
OfficeScan | 11 SP1 above | Update Pattern via web console | Turn On Ransomware Protection Feature/Update Pattern via Web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console |
OfficeScan | 10.6 and above | Update Pattern via Web console | ||||||
Worry Free Business Suite | 9 SP1 above | Turn On Ransomware Protection Feature/Update Pattern via Web console | |||||
Worry Free Business Suite | 8 and above | Update Pattern via web console | Update Pattern via web console | |||||
Worry Free Business Suite | Hosted | |||||||
Deep Security | 8.0 and above | Not Applicable | Update Pattern via web console | Not Applicable | Update Pattern via web console | ||
ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via Web console | Not Applicable | |||
ScanMail | SMD 5 and later | |||||||
InterScan Messaging | IMSVA 8.0 and above | ||||||
InterScan Web | IWSVA 6.0 and later | ||||||
Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | ||||
Deep Discovery | DDAN | |||||||
Deep Discovery | DDEI | |||||||
Recommendations
- Ransomware: Trend Micro Solutions, Best Practice Configuration and Prevention
- Recommendations on how to best protect your network using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support