Emerging threat on RANSOM_WALTRIX

    • Updated: 5 Jul 2016
    • Product/Version:
        • Deep Discovery Analyzer 5.5
        • Deep Discovery Email Inspector 2.5
        • Deep Security 8.0
        • Deep Security 9.0
        • Deep Security 9.5
        • Deep Security 9.6
        • Hosted Email Security 2.0
        • InterScan Messaging Security Virtual Appliance 8.2
        • InterScan Messaging Security Virtual Appliance 8.5
        • InterScan Messaging Security Virtual Appliance 9.0
        • InterScan Messaging Security Virtual Appliance 9.1
        • InterScan Web Security Virtual Appliance 5.6
        • InterScan Web Security Virtual Appliance 6.0
        • OfficeScan 10.6
        • OfficeScan 11.0
        • ScanMail for Exchange 8.0 2000/2003/2007
        • ScanMail for Lotus Domino 5.0 AIX
        • ScanMail for Lotus Domino 5.0 Windows
        • ScanMail for Lotus Domino 5.0 zLinux
        • Worry-Free Business Security Standard/Advanced 8.0
        • Worry-Free Business Security Standard/Advanced 9.0
    • Platform: N/A
Summary

Another ransomware, spread through BEDEP following an infection via the Angler Exploit Kit, has been discovered and is detected by Trend Micro as Ransom_WALTRIX.

WALTRIX gets its name from "wallet" (WAL) and a wordplay on XXX (TRIX): the ransomware can steal Bitcoin wallets, and CryptXXX is the project folder name in the source code bought by cyber-criminal groups.

According to researchers, the ransomware demands a rather lofty ransom of $500 per system—a far cry from common ransom payments seen in the past. WALTRIX is also found to possess Bitcoin-stealing abilities, aside from harvesting credentials and other personal information from its target.

WALTRIX Infection Chain


VSAPI Pattern (Malicious File Detection)

LAYER     | DETECTION              | PATTERN VERSION | Release Date
INFECTION | WORM_QAKBOT.SMOT       | OPR 12.303      | 1/28/2016
INFECTION | Ransom_HPWALTRIX.SM    | OPR 12.553      | 5/27/2016
INFECTION | Ransom_HPWALTRIX.SM2   | OPR 12.495      | 4/28/2016
INFECTION | Ransom_WALTRIX.SM0     | OPR 12.567      | 6/3/2016
INFECTION | Ransom_WALTRIX.SM1     | OPR 12.489      | 4/25/2016
INFECTION | Ransom_WALTRIX.SMA     | OPR 12.573      | 6/6/2016
INFECTION | Ransom_WALTRIX.SMLV    | OPR 12.553      | 5/27/2016
INFECTION | Ransom_WALTRIX.SMLV2   | OPR 12.553      | 5/27/2016
INFECTION | Ransom_WALTRIX.SMW     | OPR 12.559      | 5/30/2016
INFECTION | Ransom_WALTRIX.SMW1    | OPR 12.563      | 6/1/2016
DYNAMIC   | LNK_WALTRIX.SM         | OPR 12.603      | 6/20/2016
INFECTION | Ransom_WALTRIX.SM01    | OPR 12.575      | 6/7/2016
INFECTION | Ransom_WALTRIX.SM02    | OPR 12.575      | 6/7/2016
INFECTION | Ransom_WALTRIX.SM03    | OPR 12.583      | 6/10/2016
INFECTION | Ransom_WALTRIX.SMA     | OPR 12.573      | 6/6/2016
INFECTION | Ransom_WALTRIX.SMR     | OPR 12.609      | 6/23/2016
INFECTION | Ransom_WALTRIX.SMQ     | OPR 12.603      | 6/20/2016

WRS Pattern (Malicious URL and Classification)


AEGIS Pattern (Behavior Monitoring Pattern)

LAYER   | Detection | Pattern Version | Release Date
DYNAMIC | RAN4165T  | TMTD OPR 1551   | 06/07/16 (Batch 1)
DYNAMIC | RAN4169T  | TMTD OPR 1551   | 06/07/16 (Batch 1)
DYNAMIC | RAN4173T  | TMTD OPR 1553   | 06/14/16 (Batch 1)
DYNAMIC | RAN4179T  | TMTD OPR 1559   | 06/28/16 (Batch 1)
DYNAMIC | RAN4172T  | TMTD OPR 1553   | 06/14/16 (Batch 1)
 
Always use the latest available pattern to detect old and new variants of Ransom_WALTRIX.
Details

Solution Map - What should customers do?

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern
OfficeScan | 11 SP1 above | Update Pattern via web console | Turn On Ransomware Protection Feature/Update Pattern via Web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console
10.6 and above | Update Pattern via Web console
Worry Free Business Suite | 9 SP1 above | Turn On Ransomware Protection Feature/Update Pattern via Web console
8 and above | Update Pattern via web console | Update Pattern via web console
Hosted
Deep Security | 8.0 and above
Not Applicable
Update Pattern via web console | Not Applicable | Update Pattern via web console
ScanMail | SMEX 10 and later
Not Applicable
Update Pattern via Web console
Not Applicable
SMD 5 and later
InterScan Messaging | IMSVA 8.0 and above
InterScan Web | IWSVA 6.0 and later
Deep Discovery | DDI 3.0 and later
Not Applicable
Update Pattern via web console
DDAN
DDEI
 
* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Threat Report

Blog

Category: Update; SPEC
Solution Id: 1114526