Information about the emerging threat on WALTRIX

Emerging threat on RANSOM_WALTRIX

- Updated:
- 30 Dec 2019
- Product/Version:
- Deep Security
- Interscan Web Security Virtual Appliance
- OfficeScan
- ScanMail for Exchange
- Worry-Free Business Security Advanced
- Worry-Free Business Security Standard
- Platform:
- N/A N/A

Another ransomware spreading through BEDEP following an infection via Angler Exploit kit was discovered and detected by Trend Micro as Ransom_WALTRIX.

WALTRIX got its name from wallet (WAL) and wordplay on XXX (TRIX). The said ransomware can steal bitcoin wallet and CryptXXX is the folder name of the project from the source code bought by cyber-criminal groups.

According to researchers, the ransomware demands a rather lofty ransom of $500 per system—a far cry from common ransom payments seen in the past. WALTRIX is also found to possess Bitcoin-stealing abilities, aside from harvesting credentials and other personal information from its target.

Click image to enlarge.

VSAPI Pattern (Malicious File Detection)

LAYER	DETECTION	PATTERN VERSION	Release Date
INFECTION	WORM_QAKBOT.SMOT	OPR 12.303	1/28/2016
INFECTION	Ransom_HPWALTRIX.SM	OPR 12.553	5/27/2016
INFECTION	Ransom_HPWALTRIX.SM2	OPR 12.495	4/28/2016
INFECTION	Ransom_WALTRIX.SM0	OPR 12.567	6/3/2016
INFECTION	Ransom_WALTRIX.SM1	OPR 12.489	4/25/2016
INFECTION	Ransom_WALTRIX.SMA	OPR 12.573	6/6/2016
INFECTION	Ransom_WALTRIX.SMLV	OPR 12.553	5/27/2016
INFECTION	Ransom_WALTRIX.SMLV2	OPR 12.553	5/27/2016
INFECTION	Ransom_WALTRIX.SMW	OPR 12.559	5/30/2016
INFECTION	Ransom_WALTRIX.SMW1	OPR 12.563	6/1/2016
DYNAMIC	LNK_WALTRIX.SM	OPR 12.603	6/20/2016
INFECTION	Ransom_WALTRIX.SM01	OPR 12.575	6/7/2016
INFECTION	Ransom_WALTRIX.SM02	OPR 12.575	6/7/2016
INFECTION	Ransom_WALTRIX.SM03	OPR 12.583	6/10/2016
INFECTION	Ransom_WALTRIX.SMA	OPR 12.573	6/6/2016
INFECTION	Ransom_WALTRIX.SMR	OPR 12.609	6/23/2016
INFECTION	Ransom_WALTRIX.SMQ	OPR 12.603	6/20/2016

WRS Pattern (Malicious URL and Classification)

LAYER	URL	Score	Blocking Date
Exposure	217{blocked}.23.13.153:443	C&C Server	5/14/2016
Exposure	hxxp://dwexgugunn.ufbusiness{blocked}.top/peculiar/gather-23256070	Disease Vector	5/14/2016
Exposure	hxxp://fvmueiyiw.exubetween{blocked}.top/1992/11/04/creature/westward/tall/shade-clench-anxious-shoulder-work-guilty.html	Disease Vector	5/18/2016
Exposure	hxxp://hrkmnkl.pointcob{blocked}.top/2003/11/07/drawer/fetch-hell-unusual.html	Virus Accomplice	5/20/2016
Exposure	hxxp://jcehzvzzed.eseventhc{blocked}.top/2010/05/19/below/sacred/word/tube-split-teeth-story-wade-stream-talent-southern-slide.html	Disease Vector	5/12/2016
Exposure	hxxp://mmhbvqznfx.changejax{blocked}.top/metal/enJ1bXNja3o	Emerging Malware,Virus Accomplice	5/20/2016
Exposure	hxxp://qgtzpfedz.iseventhq{blocked}.top/1982/06/13/ball/whence/encounter/threaten-cover-lady-valentine-duck-darken-together-chain.html	Disease Vector	5/12/2016
Exposure	hxxp://tigjzfsk.oninthn{blocked}.top/1991/05/19/merchant/earth-friend-handkerchief-worry-peeve-spoon-buzz-grunt-contact-monster.html	Disease Vector	5/12/2016
Exposure	hxxp://toctb.womanal{blocked}.top/american/cW9sd2E	Disease Vector	5/16/2016
Exposure	hxxp://txmdmwmqy.womanig{blocked}.top/idiot/1182166/carpet-blow-kingdom-five-hide-mine	Disease Vector	5/16/2016
Exposure	hxxp://yafhhcef.nightgep{blocked}.top/opinion/Z3R5cXo	Virus Accomplice	5/20/2016
Exposure	hxxp://yziugm.jamieaabundant{blocked}.top/slop/YmNiZHlzcnZrcw	Disease Vector	5/11/2016
Exposure	hxxp://zfkkgaik.vuylynx{blocked}.top/attack/dnlhYXl5bg	Disease Vector	5/17/2016
Exposure	hxxp://scelerataque-arriano.themartinlawgroup{blocked}.com/?y=&v=trad-lr&w=-Et-SPu_ke&h=Zag5W&g=U6zmsa5FF&k=&p=bNI1vIqp&b=SuMkY_7GI	Ransomware	5/20/2016
Exposure	hxxp://plotow-familycontract.unishadeverticalsystem{blocked}.co.uk/	Malware Accomplice, Ransomware	5/18/2016
Exposure	hxxp://prookasieskansanlaulun.jamesaweddingphotography{blocked}.co.uk/	Disease Vector	5/13/2016
Exposure	hxxps://{blocked}144.76.82.19/	C&C Server	5/20/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER	Detection	Pattern Version	Release Date
DYNAMIC	RAN4165T	TMTD OPR 1551	06/07/16 (Batch 1)
DYNAMIC	RAN4169T	TMTD OPR 1551	06/07/16 (Batch 1)
DYNAMIC	RAN4173T	TMTD OPR 1553	06/14/16 (Batch 1)
DYNAMIC	RAN4179T	TMTD OPR 1559	06/28/16 (Batch 1)
DYNAMIC	RAN4172T	TMTD OPR 1553	06/14/16 (Batch 1)

Make sure to always use the latest pattern available to detect the old and new variants of

Ransom_WALTRIX.

Solution Map - What should customers do?

Major Products	Versions	Virus Pattern	Behavior Monitoring	Web Reputation	DCT Pattern	Antispam Pattern	Network Pattern
OfficeScan	11 SP1 above	Update Pattern via web console	Turn On Ransomware Protection Feature/Update Pattern via Web console	Enable Web Reputation Service*	Update Pattern via web console	Not Applicable	Update Pattern via web console
OfficeScan	10.6 and above		Update Pattern via Web console
Worry Free Business Suite	9 SP1 above		Turn On Ransomware Protection Feature/Update Pattern via Web console
	8 and above		Update Pattern via web console			Update Pattern via web console
	Hosted		Update Pattern via web console			Update Pattern via web console
Deep Security	8.0 and above		Not Applicable		Update Pattern via web console	Not Applicable	Update Pattern via web console
ScanMail	SMEX 10 and later				Not Applicable	Update Pattern via Web console	Not Applicable
ScanMail	SMD 5 and later
InterScan Messaging	IMSVA 8.0 and above
InterScan Web	IWSVA 6.0 and later
Deep Discovery	DDI 3.0 and later					Not Applicable	Update Pattern via web console
	DDAN
	DDEI

* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Need More Help?

Emerging threat on RANSOM_WALTRIX

VSAPI Pattern (Malicious File Detection)

WRS Pattern (Malicious URL and Classification)

AEGIS Pattern (Behavior Monitoring Pattern)

Solution Map - What should customers do?

Recommendations

Threat Report

Blog