With low overhead and risk of prosecution, ransomware attacks have outpaced banking Trojans in sheer number of incidents, if not profit. Ransomware’s rapidly growing popularity has spawned dozens of variants, subtypes, and families as threat actors seek to outmaneuver researchers and competitors. In this dynamic threat landscape, alongside monitoring the established ransomware families for any change in tactics, techniques, or procedures, we monitor social media and underground markets for emerging threats. Through this process, our team was alerted to and began an investigation of what is likely a new threat actor’s first attempt at ransomware design and distribution.
Recently we observed a new type of ransomware, called Alma Ransomware, being delivered via exploit kit. Often hidden on web servers, exploit kits (EK) are toolkits used by threat actors that exploit vulnerabilities in visiting users’ web browsers to deliver malicious payloads. Alma Ransomware (MD5 Hash: 92f8a916975363a371354b10070ab3e9) was observed being delivered via the RIG Exploit Kit. The malicious payload tripped only one indicator on VirusTotal at 2016-08-22 14:51:15 UTC:
Figure 1: VirusTotal indicator from day 1 of circulation.