Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit

Solarquest

A new CryptoMix, or CryptFile2, variant called Revenge has been discovered by Broad Analysis that is being distributed via the RIG exploit kit. This variant contains many similarities to its predecessor CryptoShield, which is another CryptoMix variant, but includes some minor changes that are described below.

As a note, in this article I will be referring to this infection as the Revenge Ransomware as that will most likely be how the victims refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a new version of the CryptoMix ransomware family.

How Victims Become Infected with the Revenge Ransomware
Both BroadAnalysis.com and Brad Duncan, of Malware-Traffic-Analysis.net, have seen Revenge being distributed through web sites that have been hacked so that the RIG Exploit Kit javascript is added to pages on the site. When someone visits one of these hacked sites, they will encounter the exploit kit, which will then try to exploit vulnerabilities in their computer in order to install the Revenge Ransomware without their knowledge or permission.

An example of a RIG javascript can be seen in the image below.

[Image: 2017-03-14-indexEI[1].jpg]

Der.Reisende

Thank you for the share! Ransomware is a never-stopping pain...

I have good and bad news...
The good one is high detection on VT
Antivirus scan for f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6 at 2017-03-16 17:14:49 UTC - VirusTotal
The bad one...
Bit/Emsi still don't detect it, at least on VT...
Would love to see a short (dynamic) test on it, I think I will open a thread in the Vault (https://malwaretips.com/threads/revenge-ransomware-2.69682/).
AVG IDP stops both samples I found on Hybrid instantly on run.

Solarquest

You read my thoughts, that would be great! ;)
Maybe @winxpert can test Emsi... I'm still way away from my PC... :D
