
TA16-091A: Ransomware and Recent Variants

Original release date: March 31, 2016

Systems Affected

Networked Systems

Overview

In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.

The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware: its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate ransomware infections.


Description

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website, and malware is then downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.


The authors of ransomware instill fear and panic in their victims, pressuring them to click on a link or pay a ransom; following such a link can also infect the user’s system with additional malware. Ransomware displays intimidating messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”


In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.

Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.


Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
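The Locky delivery vectors described earlier (Office documents carrying macros, and .zip or .rar attachments hiding script files) and the attachment-handling advice above can be turned into a mail-gateway check. The following is an added example, not code from the alert or from US-CERT; it assumes a gateway that can hand each message to a Python function, and builds constructed sample messages inline so it runs offline.

```python
"""Gateway-style attachment inspection for the vectors the alert attributes
to Locky: macro-enabled Office documents and archives containing script files."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script/executable extensions that should never arrive loose or inside an archive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr"}
# Parts whose presence inside an OOXML container means the document carries a VBA project.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{filename}: script/executable attachment")
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # .rar/.7z cannot be opened with the standard library; flag rather than pass silently.
        if ext in {".rar", ".7z"}:
            findings.append(f"{filename}: compressed attachment that cannot be inspected")
        return findings
    # Plain .zip archives and macro-enabled Office files (.docm, .xlsm) are both zip containers.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    macro_parts = sorted(MACRO_PARTS.intersection(names))
    if macro_parts:
        findings.append(f"{filename}: Office document contains VBA macros ({', '.join(macro_parts)})")
    for inner in names:
        if _ext(inner) in SCRIPT_EXTENSIONS:
            findings.append(f"{filename}: archive contains script file {inner}")
    return findings


def inspect_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and inspect every attachment it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True)))
    return findings


def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    """Build a small zip container in memory (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message(filename: str, data: bytes) -> bytes:
    """Constructed test message with one attachment; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: a zip hiding a .js file, a macro-enabled document, a clean document.
    samples = {
        "invoice.zip": _zip_bytes({"invoice.js": b"// constructed placeholder, not malware"}),
        "invoice.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
        "invoice.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    }
    for name, data in samples.items():
        print(name, inspect_message(build_sample_message(name, data)) or ["clean"])
```

Findings from inspect_message are the hook for quarantining the message or stripping the attachment before delivery.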

Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.


Revision History

  • March 31, 2016: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

Chemical and Hormonal Effects on STAT5b-Dependent Sexual Dimorphism of the Liver Transcriptome.

The growth hormone (GH)-activated transcription factor signal transducer and activator of transcription 5b (STAT5b) is a key regulator of sexually dimorphic gene expression in the liver. Suppression of hepatic STAT5b signaling is associated with lipid metabolic dysfunction leading to steatosis and liver cancer. In the companion paper, a STAT5b signature gene set was identified and used in a rank-based test to predict both increases and decreases in liver STAT5b activation status/function with high (> 97%) accuracy. Here, this computational approach was used to identify hormones and chemicals that activate (masculinize) or suppress (feminize) STAT5b function in a large, annotated mouse liver and primary hepatocyte gene expression compendium. Exposure to dihydrotestosterone and thyroid hormone caused liver masculinization, whereas glucocorticoids, fibroblast growth factor 15, and angiotensin II caused liver feminization. In mouse models of diabetes and obesity, liver feminization was consistently observed and was at least partially reversed by leptin or resveratrol exposure. Chemical-induced feminization of male mouse liver gene expression profiles was a relatively frequent phenomenon: of 156 gene expression biosets from chemically-treated male mice, 29% showed feminization of liver STAT5b function, while <1% showed masculinization. Most (93%) of the biosets that exhibited feminization of male liver were also associated with activation of one or more xenobiotic-responsive receptors, most commonly constitutive activated receptor (CAR) or peroxisome proliferator-activated receptor alpha (PPARα). Feminization was consistently associated with increased expression of peroxisome proliferator-activated receptor gamma (Pparγ) but not other lipogenic transcription factors linked to steatosis. GH-activated STAT5b signaling in mouse liver is thus commonly altered by diverse chemicals, and provides a linkage between chemical exposure and adverse effects on the liver.

The Occurrence and Comparative Toxicity of Haloacetaldehyde Disinfection Byproducts in Drinking Water

The introduction of drinking water disinfection greatly reduced the incidence of waterborne diseases. However, the reaction between disinfectants and natural organic matter in the source water can lead to an unintended consequence, which is the formation of drinking water disinfection byproducts (DBPs). The haloacetaldehydes (HALs) are the third largest group by weight of identified DBPs formed in drinking water. The objective of this study was to analyze the occurrence and comparative toxicity of the emerging HAL DBPs. Ten HALs were analyzed for their in vitro cytotoxicity and genotoxicity in Chinese hamster ovary (CHO) cells. This study identified a new HAL DBP, iodoacetaldehyde (IAL), and showed that HALs are cytotoxic and genotoxic to mammalian cells. This study provided the first systematic, quantitative comparison of HAL toxicity. The rank order of cytotoxicity for the HALs is tribromacetaldehyde (TBAL) ≈ chloroacetaldehyde (CAL) > dibromoacetaldehyde (DBAL) ≈ bromochloroacetaldehyde (BCAL) ≈ dibromochloroacetaldehyde (DBCAL) > IAL > bromoacetaldehyde (BAL) ≈ bromodichloroacetaldehyde (BDCAL) > dichloroacetaldehyde (DCAL) > trichloroacetaldehyde (TCAL). The HALs were highly cytotoxic compared to other DBP chemical classes. The rank order of genotoxicity for the HALs is DBAL > CAL ≈ DBCAL > TBAL ≈ BAL > BDCAL > BCAL ≈ DCAL > IAL. TCAL was not genotoxic. Because of their toxicity and abundance, further research is needed to investigate their mode of action to protect the public health and the environment.

Nearshore marine benthic invertebrates moving north along the U.S. Atlantic coast

Numerous species have shifted their ranges north in response to global warming. We examined 21 years (1990-2010) of marine benthic invertebrate data from the National Coastal Assessment’s monitoring of nearshore waters along the US Atlantic coast. Data came from three biogeographic provinces, ranging from mid-Florida to the Canadian border: Carolinian (CP), Virginian (VP), and Acadian (AP). For each species of the 30 most common macroinvertebrates, we calculated the minimum and maximum latitudes for the earliest and latest year and used a t-test to compare the mean latitude of each species in both years. In the VP, of the seven species that had a significant (P = 0.05) change in mean latitude, six moved north and one moved south. Of the 30 most common species in the CP and VP combined, 27 had a more northern maximum latitude and 24 a more northern minimum latitude in 2010 than in the early 1990s (sign test showed both significant at P = 0.05). The boundary shifts north were small but pervasive, ranging from 0.01-6.19 degrees latitude. Water temperature, a strong driver of species ranges, likely explains the northward shift in ranges (bottom water temperatures were significantly higher by 0.9-2.0 °C in the latest year versus the earliest year in the CP and VP).

Identification and prioritization of relationships between environmental stressor and adverse human health impacts

Background: There are over 80,000 chemicals in commerce with little data available describing their impacts on human health. Biomonitoring surveys, such as the NHANES, offer one route to identifying possible relationships between environmental chemicals and health impacts, but sparse data and the complexity of traditional models makes it difficult to leverage effectively. Objective: We describe a workflow to efficiently and comprehensively evaluate and prioritize chemical-health impact relationships from the NHANES biomonitoring survey studies. Methods: Using a frequent itemset mining (FIM) approach, chemical to health biomarker and disease relationships were identified. Results: The FIM method identified 4,170 relationships between 220 chemicals and 66 health outcomes/biomarkers. Two case studies used to evaluate the FIM rankings demonstrate that the FIM approach is able to identify published relationships. Since the relationships are derived from the vast majority of the chemicals monitored by NHANES, the resulting list of associations is appropriate for evaluating results from targeted data mining or identifying novel candidate relationships for more detailed investigation. Conclusions: The FIM approach enables ranking and prioritization on chemicals or health effects of interest, allowing the identification of most likely co-occurring relationships. Due to the computational efficiency of this method, all chemicals and health effects can be considered in a single analysis. The resulting list provides comprehensive information about the relative likelihood of any chemical/health association including those previously published in the literature.

Triple Value System Dynamics Modeling to Help Stakeholders Engage with Food-Energy-Water Problems

Triple Value (3V) Community scoping projects and Triple Value Simulation (3VS) models help decision makers and stakeholders apply systems-analysis methodology to complex problems related to food production, water quality, and energy use. 3VS models are decision support tools that use system dynamics to evaluate alternative policy approaches to problems related to the food-energy-water nexus. Through 3V scoping and modeling processes, stakeholders define models that illustrate linkages among social, environmental, and economic components of socio-environmental systems, revealing direct and indirect impacts of potential policies. 3VS modeling was piloted in the Narragansett Bay watershed, where nitrogen pollution degrades water quality. The model used watershed-specific data and stakeholder input to explore environmental and socioeconomic impacts of nutrient management strategies. This model demonstrated how the 3VS approach can engage stakeholders to think strategically about how policy alternatives can impact the food-energy-water nexus at a system level. The 3V framework is also being applied to assess land-use change on the Delmarva Peninsula, where stakeholders are managing agriculture, urban, and conservation land uses to achieve social, economic, and environmental objectives. The model will consider how land-use policies and conservation influence public revenues and major resource-dependent sectors such as poultry production, commercial seafood, and tourism.


Decision makers often need assistance in understanding the dynamic interactions and linkages among economic, environmental and social systems in coastal watersheds. They also need scientific input to better evaluate the potential costs and benefits of intervention options. The US Environmental Protection Agency is applying sustainability science to integrate environmental, economic, and social issues at a watershed systems scale. This “systems approach” is based on dynamic, interactive modeling tools that enable investigation of alternative strategies aimed at creating a resilient system of water resources that serves the needs and welfare of a growing population while seeking to minimize the ecological footprint. Triple Value (3V) Scoping and Modeling projects bring a systems approach to complex environmental problems to help regulators, policy makers, local decision makers, scientists, and stakeholders achieve sustainability goals. A key aspect of this systems approach is the sharing of knowledge between decision makers and stakeholders in a collaborative modeling effort that illustrates linkages among social, environmental, and economic components of human and natural systems. This participatory effort brings into focus the direct and indirect benefits and costs of potential actions. For example, potential strategies to reduce excess nutrients in coastal waters include utilization of green infrastructure, alternative water supply systems, aquaculture, constructed wetlands, improved stormwater management, alternative toilets, and use of permeable reactive barriers. Water quality degradation has impacts on local quality of life, tourist economies, and employment, while potential nutrient management options can vary widely in cost, burden, timing, and location of implementation. The shared learning and incorporation of human dimensions in the models allows deeper discussion of tradeoffs between economic, social, and environmental goals.
Training in systems thinking and the process of participatory modeling has expanded decision capacity in five Regional 3V Cases: Narragansett Watershed Nutrient Management (MA/RI), Cape Cod Nutrient management (MA), Snohomish River Nutrients and Cultural Resources (WA), Delmarva Land Use and Climate Resiliency (MD/DE/VA), and Suffolk County Nutrient Management and Resilience (NY). For these cases, the goal is to create scenarios that encourage strategic dialogue about alternative water resource management policies. Stakeholder perspectives have been included in stages of 1) drafting the problem statement and policy questions, 2) developing the conceptual model, 3) collecting and examining data and models, 4) feedback and revisions, and 5) exploring scenarios. The Triple Value Framework and participatory modeling method have been developed and tested to ensure they are transferable to other locations and to other issues.


Recent data indicate that noningestion exposure to trihalomethanes (THMs), including BDCM is highly correlated with urinary THM levels. Characterizing urinary levels of drinking water disinfection byproducts (DBPs) will likely be important for understanding DBP-associated bladder cancer. Non-oral exposures contribute significantly to the amount of BDCM available for distribution to target tissues (e.g., bladder urothelium). We refined our multi-route human BDCM PBPK model to include urine production in the kidney, urine retention in bladder lumen and delivery to bladder tissue in both blood and urine. The revised model was able to adequately predict urinary BDCM concentrations from water use studies in the published literature. Predicted internal dose metrics relevant for bladder exposure are area under the curve (AUC) and maximum concentration (Cmax) for BDCM in arterial blood flow to bladder tissue, in bladder tissue and in urine. These metrics were compared for oral and shower related (inhalation + dermal) exposures to water containing 10 ppb BDCM. For all metrics, noningestion exposure (e.g., showering) resulted in 25- to 35-fold higher values compared to ingestion indicating the importance of dermal and inhalation routes of exposure as potential contributors to bladder tissue exposure. For a 10 minute shower, AUC and Cmax were 40-fold and 100-fold higher, respectively for BDCM in urine compared to bladder tissue. When a liter of water is ingested over a 10 minute period, AUC and Cmax were 45-fold and 130-fold higher, respectively, for BDCM in urine compared to bladder tissue. These data suggest the potential for BDCM delivery to bladder in the urine as an important contributor to urothelial exposure and suggests the value of measuring urinary BDCM as a toxicologically relevant measure of dose to target tissue.

Agent-Based Computational Modeling of Cell Culture: Understanding Dosimetry In Vitro as Part of In Vitro to In Vivo Extrapolation

Quantitative characterization of cellular dose in vitro is needed for alignment of doses in vitro and in vivo. We used the agent-based software, CompuCell3D (CC3D), to provide a stochastic description of cell growth in culture. The model was configured so that isolated cells assumed a “fried egg shape” but became increasingly cuboidal with increasing confluency. The surface area presented by each cell to the overlying medium varies from cell to cell and is a determinant of diffusional flux of toxicant from the medium into the cell. Thus, dose varies among cells for a given concentration of toxicant in the medium. Computer code describing diffusion of H2O2 from medium into each cell and clearance of H2O2 was calibrated against H2O2 time-course data (25, 50, or 75 µM H2O2 for 60 min) obtained with the Amplex Red assay for the medium and the H2O2-sensitive fluorescent reporter, HyPer, for cytosol. Cellular H2O2 concentrations peaked at about 5 min and were near baseline by 10 min. The model predicted a skewed distribution of surface areas, with between-cell variation usually 2-fold or less. Predicted variability in cellular dose was in rough agreement with the variation in the HyPer data. These results are preliminary, as the model was not calibrated to the morphology of a specific cell type. Future work will involve morphology model calibration against human bronchial epithelial (BEAS-2B) cells. Our results show, however, the potential of agent-based modeling to provide a rich description of individual cell dosimetry, with average dose and variability statistics readily derivable. Parallel development of PBPK and virtual tissue models of in vivo biology would support a quantitative, biologically-based approach to the alignment of cellular doses in vitro and in vivo. This abstract does not necessarily reflect any specific policy of the US EPA.

Strain-Specific Changes in Locomotor Behavior in Larval Zebrafish Elicited by Cholinergic Challenge

Some studies have compared the baseline behavior of different strains of larval zebrafish (Danio rerio), but there is sparse information on strain-specific responses to chemical challenges. The following study examines both the basal activity and response to a pharmacological challenge in five zebrafish strains: Streisinger AB (AB), Wild India Karyotype (WIK), Tupfel long fin (TL), Sanger AB Tübingen (SAT) and our in-house wild type, out-bred strain (Z); all strains, excepting our own, were obtained from Zebrafish International Resource Center (Eugene, OR). On day 0, zebrafish embryos of each strain were plated in one of two 96-well plates (n=16/strain/plate). At 6 days post fertilization (dpf) we examined both basal locomotor activity and activity after an acute chlorpyrifos (CPF; 11.5µM) challenge in a light:dark test paradigm. CPF is a pesticide that is activated by the liver to a potent cholinesterase inhibitor. The testing paradigm consisted of dosing with chlorpyrifos, then waiting for 30 minutes followed by a 6 minute basal period in the dark, 10 minutes of light and 10 minutes of dark. During the dark periods, the controls (DMSO vehicle treated) showed marked differences in activity, with the TL strain the most active and the WIK the least active; in the light period, the controls all showed comparable activity. All strains showed hyperactivity in response to the CPF challenge, indicating that all were capable of hepatic activation of the CPF and responsive to the behavioral disruption, but there were differences in the level of activity among the strains–most notable during the basal dark period and the light period. These results indicate strain type can influence baseline activity and also activity in response to a drug challenge, and that these interactions are dependent on the light level during the testing, making strain choice an important consideration in research planning. (This abstract may not necessarily reflect official Agency policy)

Computational Modeling to Evaluate Alternative Hypotheses for the Linkage of Aromatase Inhibition to Vitellogenin Levels in Fathead Minnows

Aromatase converts testosterone to estradiol (E2). In fish, E2 concentrations control hepatic synthesis of the glycolipoprotein vitellogenin (VTG), an egg yolk precursor protein essential to oocyte development and larval survival. Fathead minnows were exposed to the aromatase inhibitor, fadrozole, for 8 days and held in control water for an additional 20 days. We observed dose-dependent reductions in plasma E2 and VTG during exposure to fadrozole. While VTG concentrations dropped as the E2 level declined at the onset of exposure, the recovery of VTG during depuration was delayed relative to that of E2. An existing computational model of the hypothalamic-pituitary-gonadal axis was modified to evaluate three alternative hypotheses regarding the regulation of VTG. The first hypothesis, describing the rate of VTG synthesis as proportional to hepatic E2, failed to describe the VTG data. In the second hypothesis, using a type I coherent feed-forward motif, hepatic synthesis of VTG involves both direct E2 signaling and an intermediate transcription factor induced by E2. The third hypothesis involves a negative feedback loop operating in the ovary where the synthesis of the ovarian VTG transporter used for uptake of VTG from the blood is negatively regulated by VTG in the ovary. For both the feed-forward and feedback loops, ultrasensitivity, allowing signal amplification and threshold, was implemented using Hill equations. Both the feed-forward and feedback motifs were able to recapitulate the observed VTG dynamics, suggesting that one or both may operate in fathead minnows. While computational modeling cannot reveal the actual biological identity of the regulatory circuits, it can identify hypotheses worthy of laboratory investigation. This abstract does not necessarily reflect the policy of the US EPA.