ThreatSTOP Releases New Ransomware Targets

By ISBuzz Team, Writer, Information Security Buzz | Nov 06, 2016 08:06 pm PST

The ThreatSTOP Security Team has introduced the following ransomware targets. Update your policies to include them for immediate additional protection against the growing number of ransomware attacks.

Ransomware has emerged as the “hot topic threat” of the security industry, and rightfully so. Ransomware, malware that holds your system and/or data for ransom, has affected millions of victims, with an estimated cost of $1 billion in damages to date.

The profitability of ransomware has made it very attractive to attackers, and they are getting creative by developing a multitude of new ransomware variants that constantly keep us on our toes. ThreatSTOP is constantly working to identify new ransomware variants to update our protection. We have developed a list of new targets based on different ransomware family types to be incorporated into your policies.

An ever-growing list of targets is curated from data supplied by the abuse.ch Ransomware Tracker. Domain indicators are delivered as DNS Response Policy Zone (RPZ) targets, which make a resolver refuse to resolve the listed names, and IP indicators as IP address targets; the “Original” targets cover one family each, while the “Synthetic” targets combine every family into a single list. The new ransomware data includes the following families:

TeslaCrypt

TeslaCrypt started out targeting saved-game files of computer games, and was later updated into a very capable mainstream ransomware. The TeslaCrypt authors released their master decryption key in May 2016, so if a connection to one of its indicators appears in your reports, the encrypted files can be recovered with publicly available decryption tools. Note that the decryptors restore files but do not clean the host: the infection itself still has to be removed from the afflicted machine.

TeslaCrypt indicators are included in:

  • Original RPZ target – “TeslaCrypt Domains”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”

CryptoWall

CryptoWall, which debuted in 2013, became the most prevalent ransomware variant after the fall of CryptoLocker in 2014, and remained the foremost ransomware variant in the world until mid-2016.

CryptoWall indicators are included in:

  • Original RPZ target – “CryptoWall Ransomware Domains”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”

TorrentLocker

TorrentLocker, first observed in February 2014, is a ransomware variant distributed via targeted emails carrying malicious attachments or links.

TorrentLocker indicators are included in:

  • Original RPZ target – “TorrentLocker Domains”
  • Original IP target – “TorrentLocker IPs”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”
  • Synthetic IP targets – “Ransomware IPs From abuse.ch” and “Ransomware IP Addresses”

Locky

Locky has become one of the most prevalent ransomware variants in 2016, and is mainly spread in vast spam email campaigns.

Locky indicators are included in:

  • Original RPZ target – “Locky Domains”
  • Original IP target – “Locky IPs”
  • Synthetic RPZ targets – “Ransomware Domains From abuse.ch” and “Ransomware Domains”
  • Synthetic IP targets – “Ransomware IPs From abuse.ch” and “Ransomware IP Addresses”
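As an added illustration of what the targets above amount to in practice (example code written for this page, not ThreatSTOP’s or abuse.ch’s own tooling), the script below takes a Ransomware Tracker style CSV feed, builds one domain list and one IP list per family (the “Original” targets), unions them into the combined “Synthetic” targets, renders them as RPZ policy records, and checks a queried name against the indicators the way you would when a hit shows up in your resolver reports. The column layout (Firstseen, Threat, Malware, Host, URL, Status, Registrar, IP address(es), ASN(s), Country(s)) and the “|” separator for multiple IPs follow the historical Ransomware Tracker export and are assumptions here; the feed rows are constructed from RFC 2606/5737 documentation names and addresses and are not real indicators.

```python
"""Per-family and combined ransomware targets from a Ransomware Tracker style
CSV feed, rendered as RPZ records. Added example; column layout and '|' IP
separator are assumed from the historical abuse.ch export."""
import csv
import ipaddress
from collections import defaultdict

FAMILIES = {"TeslaCrypt", "CryptoWall", "TorrentLocker", "Locky"}
FIELDS = ["firstseen", "threat", "malware", "host", "url", "status",
          "registrar", "ips", "asns", "countries"]

# Constructed sample feed: documentation names/addresses only, not real IOCs.
SAMPLE_FEED = """\
# Ransomware Tracker style CSV (constructed sample)
"2016-11-01 10:02:11","C2","Locky","locky-c2.example","http://locky-c2.example/upload","online","n/a","192.0.2.10|192.0.2.11","64496","US"
"2016-11-02 08:15:00","Payment Site","Locky","pay.locky.example","http://pay.locky.example/","online","n/a","198.51.100.5","64497","DE"
"2016-10-28 13:40:00","C2","TorrentLocker","tl-panel.example.net","http://tl-panel.example.net/gate.php","offline","n/a","203.0.113.7","64498","TR"
"2016-09-30 22:00:00","Distribution Site","TeslaCrypt","dl.teslacrypt.example","http://dl.teslacrypt.example/x.exe","offline","n/a","","",""
"2016-10-05 00:00:00","C2","CryptoWall","cw.example.org","http://cw.example.org/","online","n/a","192.0.2.10","64496","US"
"""


def parse_feed(text):
    """Yield one dict per data row, skipping '#' comments and blank lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    yield from csv.DictReader(lines, fieldnames=FIELDS)


def build_targets(text, families=FAMILIES):
    """Return (per_family, synthetic).

    per_family maps a family name to {"domains": set, "ips": set}, i.e. the
    "Original" targets such as "Locky Domains" / "Locky IPs"; synthetic is the
    union over all families, i.e. the combined "Ransomware Domains" /
    "Ransomware IP Addresses" targets."""
    per_family = defaultdict(lambda: {"domains": set(), "ips": set()})
    for row in parse_feed(text):
        fam = row["malware"]
        if fam not in families:
            continue
        host = row["host"].strip().lower().rstrip(".")
        if host:
            try:                      # an IP literal in Host must not leak
                ipaddress.ip_address(host)   # into the domain list
            except ValueError:
                per_family[fam]["domains"].add(host)
        for ip in filter(None, (p.strip() for p in row["ips"].split("|"))):
            try:
                per_family[fam]["ips"].add(str(ipaddress.ip_address(ip)))
            except ValueError:
                pass                  # malformed entry: skip, don't poison the zone
    synthetic = {
        "domains": set().union(*(t["domains"] for t in per_family.values())),
        "ips": set().union(*(t["ips"] for t in per_family.values())),
    }
    return dict(per_family), synthetic


def rpz_records(domains, ips):
    """Render RPZ records: NXDOMAIN (CNAME .) for each domain and its
    subdomains, and an rpz-ip trigger for answers containing a listed IPv4
    address (prefix length, then reversed octets). IPv6 is left to the
    IP-list target rather than encoded here."""
    out = []
    for d in sorted(domains):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    v4 = sorted((ipaddress.ip_address(i) for i in ips if ":" not in i))
    for addr in v4:
        rev = ".".join(reversed(str(addr).split(".")))
        out.append(f"32.{rev}.rpz-ip CNAME .")
    return out


def match_query(qname, per_family):
    """Return the family whose domain target covers qname (exact match or a
    listed parent domain), else None: the 'connection to one of its
    indicators' check to run over resolver query logs."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for fam, t in per_family.items():
            if candidate in t["domains"]:
                return fam
    return None


if __name__ == "__main__":
    per, syn = build_targets(SAMPLE_FEED)
    for fam, t in sorted(per.items()):
        print(f"; {fam} Domains / {fam} IPs")
        print("\n".join(rpz_records(t["domains"], t["ips"])))
    print("; Synthetic: Ransomware Domains / Ransomware IP Addresses")
    print("\n".join(rpz_records(syn["domains"], syn["ips"])))
    print(match_query("www.pay.locky.example.", per))
```

Note that the combined IP target is deduplicated across families (the constructed feed deliberately lists 192.0.2.10 under both Locky and CryptoWall), and that the wildcard record blocks subdomains of a listed name, so a query for www.pay.locky.example is attributed to Locky even though only pay.locky.example is in the feed.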
