Angler EK pushes unnamed ransomware

“Malware distribution campaigns based using the popular Angler exploit kit continue delivering different types of ransomware.

Last week, it was AlphaCrypt, which imitates TeslaCrypt, but operates like Cryptowall 3.0.

A few days later, the malicious payload changed: an unnamed piece of ransomware that seems to be an evolution of CryptoLocker, but shows CTB-Locker-style instructions, Brad Duncan, a security researcher at Rackspace, noted.

The message claims that all the victim’s personal files, including those on the network disks, USBs, etc., have been encrypted with a unique RSA-2048 public key, and that to decrypt them the victim will have to pay to receive the private key.

It’s interesting to note that the criminals behind this variant ask for a small amount of money (small when compared with the amount requested by previous ones, that is):

Another interesting thing is that each of the variants delivered shows a different bitcoin address for each host it infected.

The initial AV detection rate was very poor, but now most of the AV engines used by VirusTotal detect this unnamed ransomware.”