Comparing variants of the same malware family can sometimes uncover interesting results. Trojan.Ransomlock, the highly profitable and prevalent malware, is one of those cases. This threat was originally spotted in Russia in 2009 but since then has been highly active in the wider world, particularly in the past few months.
Figure 1. Trojan.Ransomlock AV detections for the past 30 and 7 day periods
As can be seen in Figure 1, in the past 30 days Ransomlock.T has been the most active variant with Ransomlock.G following closely behind. Looking at the stats for the past seven days, we can see that Ransomlock.G has overtaken Ransomlock.T to take the number one spot. Why is this?
Let’s take a look at the following heat maps illustrating the locations where the variants have been detected in the past seven days.
Figure 2. Detections for Trojan.Ransomlock.T in the past seven days
Figure 3. Detections for Trojan.Ransomlock.G in the past seven days
We can clearly see from Figures 2 and 3 that while Ransomlock.T has decided to remain predominantly in North-America, like the proverbial couch-potato, Ransomlock.G has become an international backpacker making its way across the globe. While Ransomlock.T originated in Germany we can now safely say that it has migrated to North-America. We confirmed this by looking at detection stats for the past few months.
In the case of Ransomlock.G, the animation below illustrates just how international it has become.
Figure 4. Detections for Ransomlock.G from February to November 2012
So, why the difference? A malware's activity mostly depends on the infection vectors and social engineering methods it utilizes. Both variants are mainly delivered by exploit kits and use well-crafted scams but Ransomlock.G (also known as Reveton) seems to be doing better than other variants. It uses the latest exploit kits and quickly adopts new social engineering methods, such as the use of audio. The malware authors invest a great deal of time and resources planning the best way to spread their creation, as discussed by Gavin O’Gorman in his research paper – Ransomware: A Growing Menace.
The fraudsters responsible for Trojan.Ransomlock.G use adult advertising networks to distribute ads on pornographic websites that lead back to their exploit pack websites. Considerable investment is made into their infrastructure, with the attackers moving exploit pack websites to new addresses regularly. The amount of advertising is also substantial with at least 500,000 people clicking on their malicious ads over a period of 18 days
We have the following protections in place for the latest versions of Trojan.Ransomlock.T and Trojan.Ransomlock.G: