The Epidemic Analysis of Ransomware in December 2019

Feb 13, 2020, by kate
Learn more about 360 Total Security

The spread of ransomware continues to pose serious security threats to businesses and individuals. 360 Security Center performs comprehensive monitoring of and defense against ransomware. Four more active ransomware families, SpartCrypt, BRCrypt, Montserrtat and Zeppelin, were added to monitoring this month.

In December 2019 the 360 Decryption Tool added support for decrypting files encrypted by the MZRevenge and TRSomware families.

Analysis of infection data

Share of ransomware families this month: the GlobeImposter family accounted for 17.06%, ranking first; the Phobos family followed with 16.11%; the Crysis family ranked third with 15.64%. Compared with November, the Stop family's share changed most significantly, falling from 15.18% in November to 5.21% this month.

By infected operating system, Windows 7, Windows 10 and Windows Server 2008 remain the top three this month. The share of Windows 7 rose sharply, from 28.94% in November to 41.14% this month.

The split between desktop and server systems among infected machines in December shows that desktop systems are still the main target. Compared with November, the share of desktop systems rose from 58% to 79%; the change comes mainly from the increase in Windows 7 infections.

Maze ransomware family

Maze ransomware, also known as the "maze ransomware virus" or "chacha ransomware virus", was first observed spreading in China in June 2019. This month its operators began threatening to publish the confidential data of victims who refuse to pay, using the threat of disclosure to force payment. Victims whose data has already been published include Southwire (120GB), DV-GROUP (7GB), Fratelli Beretta (3GB), a Canadian insurance company (1.5GB) and the City of Pensacola (2GB), among others.

360 Security Center observed that when the virus first entered China in June it was mainly distributed through web pages. According to current feedback from domestic infection cases, it is now also delivered by brute-forcing Remote Desktop credentials and then deploying the malware by hand. The virus asks the average victim for about $2,400 worth of bitcoin; for targeted attacks the ransom runs to hundreds of thousands or even millions of dollars.

MZRevenge ransomware family

360 Security Center detected a new ransomware family, MZRevenge, which encrypts files with a symmetric algorithm modified by the author. Every file is encrypted with the same global key. That global key is then encrypted with an AES-256 key that is hard-coded in the virus, and the result is placed in the ransom note. No asymmetric algorithm is used anywhere in the process, so anyone with a sample of the virus can extract the hard-coded key, decrypt the blob in the ransom note to obtain the global file encryption key, and recover the data.
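The following is an added example written for this article; it is not MZRevenge's code or 360's decryption tool, and it models only the key-handling design described above. The stream cipher stands in for the AES-256 / author-modified cipher so that the example runs on the Python standard library, the hard-coded wrapping key is a constructed value, and the per-file nonce derived from the file name is an assumption of the example. The point it demonstrates is that, with no asymmetric step, the ransom note plus the binary are enough to recover the global key.

```python
import base64
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR `data` with HMAC-SHA256(key, nonce || counter).
    It replaces AES-256 only so the example runs on the standard library;
    the key handling below is the point, not the primitive."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# The wrapping key is a constant inside the binary, so anyone holding a sample
# can read it out.  Constructed value for this example.
HARDCODED_WRAP_KEY = hashlib.sha256(b"example-builtin-wrap-key").digest()


def file_nonce(name: str) -> bytes:
    """Per-file nonce derived from the file name (an assumption of this example,
    needed so the stand-in stream cipher does not reuse keystream across files)."""
    return hashlib.sha256(name.encode()).digest()[:16]


def infect(files: dict) -> tuple:
    """One global key for every file; that key is wrapped with the hard-coded
    key and dropped into the ransom note."""
    global_key = os.urandom(32)
    encrypted = {name + ".MZ": keystream_xor(global_key, file_nonce(name), data)
                 for name, data in files.items()}
    wrap_nonce = os.urandom(16)
    wrapped = keystream_xor(HARDCODED_WRAP_KEY, wrap_nonce, global_key)
    note = ("All your files are encrypted.\n"
            "ID: " + base64.b64encode(wrap_nonce + wrapped).decode() + "\n")
    return encrypted, note


def recover_global_key(note: str) -> bytes:
    """What a decryption tool can do here: pull the wrapped key out of the note
    and unwrap it with the constant taken from the binary.  No private key is
    involved, because none was ever used."""
    id_line = next(line for line in note.splitlines() if line.startswith("ID: "))
    blob = base64.b64decode(id_line[len("ID: "):])
    wrap_nonce, wrapped = blob[:16], blob[16:]
    return keystream_xor(HARDCODED_WRAP_KEY, wrap_nonce, wrapped)


def decrypt_all(encrypted: dict, global_key: bytes) -> dict:
    """Undo infect() given the recovered global key."""
    out = {}
    for name, data in encrypted.items():
        original = name[:-len(".MZ")]
        out[original] = keystream_xor(global_key, file_nonce(original), data)
    return out


def demo() -> bool:
    """End to end: infect, recover the key from the note alone, decrypt."""
    files = {"report.docx": b"Q4 figures: revenue 1,234,567",
             "app.mdf": b"\x01\x0f\x00\x00page header"}
    encrypted, note = infect(files)
    return decrypt_all(encrypted, recover_global_key(note)) == files
```

The contrast with families that cannot be decrypted is the wrapping step: if `global_key` were encrypted with a public key embedded in the binary, the blob in the note could only be opened with the attacker's private key, and extracting constants from the sample would not help.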

Victims of MZRevenge ransomware can use the 360 Decryption Tool to decrypt their encrypted files.

Cl0p ransomware family

Cl0p (also known as Clop) ransomware is a variant of the CryptoMix family and first appeared in February 2019. The latest variant has now been distributed in China. Compared with the previous version it has several optimizations: it encrypts files from 2019 first, uses the RC4 algorithm to increase encryption speed, and uses a custom algorithm to generate random numbers. Its process-kill list has grown to 663 entries. More importantly, the operators target specific enterprises and infiltrate them before deployment; the sample implanted at each attacked company is custom built. The ransom note left on the victim's machine contains no victim ID, because the attackers already know which company each build was sent to. The asking price exceeds one million US dollars, which has an enormous impact on the affected enterprises.

Buran ransomware family

Buran ransomware was initially distributed mainly through spam, and new variants have now been detected. The attack method used by this variant is to brute-force the Remote Desktop login password and then deploy the malware by hand. The compromised machine is also used as a springboard to attack other machines on the intranet, so whole batches of intranet machines end up encrypted. The ransomware not only clears RDP connection records and system logs but also disables event logging, hiding the source of the attack.

The ransomware currently has two active variants: Variant 1 changes the file suffix to [xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]; Variant 2 changes it to xxx-xxx-xxx. Both leave a ransom note that tells the user to contact the attacker's mailbox to ask about decryption.

The attacker mailboxes collected this month are: buratin@torbox3uiot6wchz.onion rdpconnect@protonmail


System security protection data analysis

Comparing November and December 2019 by attacked system, the share of Remote Desktop weak-password attacks hitting Windows 7 rose from 63.18% in November to 76.22% this month, an increase of 13.04 percentage points, which is also why the share of desktop systems under attack rose significantly this month.

The trend of weak-password attacks in December 2019 shows MSSQL weak-password attacks declining overall during the month. This matches the overall downward trend in the number of machines that 360 Security Center observed being infected through the MSSQL attack channel.

Ransomware Keywords

This data comes from the search statistics of (excluding the WannaCry, AllCry, TeslaCrypt, Satan, Kraken, Jsworm, X3m and GandCrab families, whose query volumes are heavily skewed by other factors)

  • pig865qqz: belongs to the GlobeImposter family; the suffix added to encrypted files, pig865qqz, becomes the search keyword. This family mainly spreads by brute-forcing Remote Desktop passwords and then deploying the malware manually.
  • wecanhelp: belongs to the Nemesis ransomware family, which has recently spread through Remote Desktop brute force. The ransomware writes a temp000000.txt file to the system containing the key needed to decrypt the files. The attackers usually delete it, but infected users can try to retrieve the contents of temp000000.txt at the following link:
  • rooster865qqz: same as pig865qqz.
  • belongs to the Crysis ransomware family; the suffix appended to encrypted files becomes the search keyword. This family mainly spreads by brute-forcing Remote Desktop passwords and then deploying the malware manually.
  • Readinstructions: belongs to the MedusaLocker family; the suffix added to encrypted files, Readtheinstructions, becomes the search keyword. This family mainly spreads by brute-forcing Remote Desktop passwords and then deploying the malware manually.
  • Harma: same as the Crysis entry above, except that the file suffix is changed to harma.
  • Hendrix: same as Readinstructions.
  • Wiki: same as harma.
  • Sodinokibi: Sodinokibi is the family name. Because this ransomware gives encrypted files a random suffix, most users search for Sodinokibi together with the suffix they see. The ransomware spreads through many channels, two of which are still in active use: spam email delivery and Remote Desktop brute force.
  • belongs to the GlobeImposter family. This is the email address the attackers leave in the ransom note for victims to contact them.

360 Decryption Tool

From this month's 360 Decryption Tool statistics, GandCrab still accounts for the largest number of decryptions, followed by KimChinInSev. By number of users running the tool, infections from the Stop family remain the most common, followed by the Crysis family.


Attacks on servers remain a major direction for current ransomware. Enterprises need to strengthen their information security management, especially around weak passwords, vulnerabilities, file sharing and Remote Desktop management, to cope with the threat. Some suggestions for administrators:

  1. Do not use the same account and password across multiple machines.
  2. Login passwords should be of sufficient length and complexity, and should be changed regularly.
  3. Shared folders holding important data should have access control configured and be backed up regularly.
  4. Regularly scan the system and software for security vulnerabilities and apply patches promptly.
  5. Check the server regularly for abnormalities, including:
     a) whether any new accounts have appeared;
     b) whether the Guest account has been enabled;
     c) whether there are anomalies in the Windows system logs;
     d) whether the antivirus software has reported unusual interceptions.
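The checks in item 5, and the post-compromise behaviour described for the Buran variant (RDP brute force, log clearing, disabled event logging), can be expressed as rules over Security-log events. The block below is an added example written for this article, not a 360 tool; the events are constructed for the example rather than real telemetry, the field names follow the Windows Security log (EventID, LogonType, IpAddress, TargetUserName), and the thresholds are assumptions to be tuned per environment. In practice the events would come from Get-WinEvent or a log forwarder; the rules are the part that matters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).  Event IDs are the standard
# Windows Security log IDs: 4625 failed logon, 4624 successful logon (LogonType
# 10 = RemoteInteractive, i.e. RDP), 4720 account created, 4722 account enabled,
# 4719 audit policy changed, 1102 audit log cleared.
SAMPLE_EVENTS = [
    {"time": "2019-12-20T02:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:00:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:00:09", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:00:13", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:00:17", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:00:21", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:00:40", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"time": "2019-12-20T02:03:10", "EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "svc_backup"},
    {"time": "2019-12-20T02:03:30", "EventID": 4722, "SubjectUserName": "Administrator", "TargetUserName": "Guest"},
    {"time": "2019-12-20T02:15:00", "EventID": 4719, "SubjectUserName": "Administrator"},
    {"time": "2019-12-20T02:16:00", "EventID": 1102, "SubjectUserName": "Administrator"},
    # One mistyped password from the intranet: below threshold, no alert.
    {"time": "2019-12-20T09:10:00", "EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "alice"},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def rdp_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Source IPs with at least `threshold` failed RDP logons inside `window`.
    `succeeded_after` is True when a successful RDP logon from the same IP
    follows the burst, i.e. the brute force most likely worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != 10:
            continue
        when = parse_time(e["time"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(when)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(when)
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                followed = any(s >= times[i] for s in successes.get(ip, []))
                alerts.append({"ip": ip, "failures": len(times), "succeeded_after": followed})
                break
    return alerts


def account_changes(events) -> dict:
    """Item 5a and 5b: accounts created (4720) and Guest enabled (4722)."""
    new_accounts = [e["TargetUserName"] for e in events if e["EventID"] == 4720]
    guest_enabled = any(e["EventID"] == 4722 and e["TargetUserName"].lower() == "guest" for e in events)
    return {"new_accounts": new_accounts, "guest_enabled": guest_enabled}


def log_tampering(events) -> list:
    """Item 5c: 1102 (audit log cleared) and 4719 (audit policy changed).  When these
    fire, the log itself was touched, so an otherwise quiet log is not reassuring."""
    return [e["EventID"] for e in events if e["EventID"] in (1102, 4719)]


def run_checks(events=SAMPLE_EVENTS) -> dict:
    return {
        "rdp_bruteforce": rdp_bruteforce(events),
        "accounts": account_changes(events),
        "log_tampering": log_tampering(events),
    }
```

Because the Buran variant clears and disables logging on the host, these rules are only useful if the events were forwarded to a collector the attacker cannot reach; on the host itself a 1102 may be the last event you ever see.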

As for the ransomware that has re-emerged this month and launched an attack on personal computers, users are advised to:

  1. Install security software and make sure it works properly.
  2. Download and install software from regular channels.
  3. If unfamiliar software has been intercepted by the antivirus software, do not add it to the trust list in order to keep running it.

In addition, neither corporate nor individual victims are advised to pay the ransom. Paying funds and encourages further ransomware activity, and the decryption process itself may introduce new security risks.

Many common ransomware families encrypt only the header portion of each file. For some file types (database files, for example) part of the loss can be recovered with data-repair methods. If you do have to pay, try to negotiate the price down, and during the negotiation avoid revealing your real identity or how urgently you need the data, so that the attacker has no reason to raise the price.
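An added example for the header-only case described above, written for this article rather than taken from the original post or any 360 tool: it measures Shannon entropy block by block from the start of a file, and the length of the leading run of high-entropy blocks estimates how much was encrypted; everything after that boundary is intact data that a format-aware repair tool can work with. The "database file" is constructed for the example, and the block size and entropy threshold are assumptions.

```python
import math
import os
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte, between 0.0 and 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def encrypted_prefix_length(data: bytes, block: int = 1024, threshold: float = 7.0) -> int:
    """Bytes from offset 0 up to the first block whose entropy is below `threshold`.
    Returns len(data) when every block looks encrypted (nothing to salvage) and 0
    when the file was not touched at all."""
    for offset in range(0, len(data), block):
        if shannon_entropy(data[offset:offset + block]) < threshold:
            return offset
    return len(data)


def salvage_tail(data: bytes, block: int = 1024, threshold: float = 7.0) -> tuple:
    """(boundary, intact_tail): the part of the file after the encrypted head."""
    cut = encrypted_prefix_length(data, block, threshold)
    return cut, data[cut:]


def make_sample_db(records: int = 200, header_len: int = 4096) -> tuple:
    """Constructed sample: a structured, low-entropy 'database' of fixed-width
    rows, and a copy whose first `header_len` bytes were overwritten with
    random bytes, which is what a header-only encryptor leaves behind."""
    rows = b"".join(b"id=%05d|name=customer_%05d|balance=%08d\n" % (i, i, i * 37)
                    for i in range(records))
    damaged = os.urandom(header_len) + rows[header_len:]
    return rows, damaged
```

The boundary is only as fine as the block size, so after the coarse scan, re-run with a smaller block around the cut before handing the tail to a repair tool; for page-structured formats the cut will usually fall on a page boundary, which is the natural unit for reconstruction.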

