April 17, 2017
After last week, its a pleasure to have a slow week in ransomware. Nothing really big released this week other than Emsisoft releasing an updated Cry9 decryptor and the new CryptoMix variant called Mole. Otherwise, this week has been full of a lot of in development ransomware or smaller variants that most likely will never see any real distribution.
Contributors and those who provided new ransomware information and stories this week include:
@BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher , @campuscodi, @jiriatvirlab, @JAMESWT_MHT, @Seifreed, @emsisoft, @malware_traffic, @ForcepointLabs.
April 8th 2017
New In-dev Ransomware uses the Kilit Extension
A new ransomware is in development that appends the .Kilit extension to encrypted files. This ransom will download its configuration from Blogspot.
April 9th 2017
Serpent Ransom is Still Active
Michael Gillespie found a new Serpent Ransomware variant submitted to ID-Ransomware. This variant uses the extension .serp and a ransom note named README_TO_RESTORE_FILES.txt.
April 10th 2017
Updated Cry9 Decryptor Released
Emsisoft's Fabian Wosar released a new version of his Cry9 Decryptor. This version is faster, supports more variants, and saves the key for later use.
April 11th 2017
Portugese HiddenTear Variant with a GUI Discovered
A new Portugese HiddenTear variant was discovered that includes a GUI. This variant appends the .locked extension to encrypted files.
BTCWare using a new Contact Email
New Eduware Discovered That Wants you to Watch a Video
ESET researcher Jiri Kropac discovered a new educational ransomware that encrypts your files, points you to a YouTube video to watch to learn about Ransomware, and then decrypts your files.
April 12th 2017
Mole Ransomware Distributed Through Fake online Word Docs
A new ransomware called Mole was found by security researcher Brad Duncan and analyzed by BleepingComputer. This ransomware is a new CryptoMix variant that appends the .MOLE extension to encrypted files and drops a ransom note named
New Ransomware In Development by Anthony
MalwareHunterTeam discovered a new HiddenTear ransomware is being developed by "Anthony". Adds .rekt to the encrypted file.
New French Jigsaw Ransomware Variant
MalwareHunterTeam found a new Jigsaw Ransomware variant with a French ransom note. This ransomware appends .crypte to the encrypted file.
El-Diablo Ransomware Being Developed
MalwareHunterTeam found a new in-development ransomware called El-Diablo being developed by someone named SteveJenner.
New Globe v3 Variant Mimics Dharma
New Jigsaw variants Discovered
Michael Gillespie discovered new variants of the Jigsaw ransomware that use different backgrounds and append the .lcked extension to encrypted files.
Ransomware Builder Found That Provides Open Source Crapware
MalwareHunterTeam discovered a new ransomware builder that generates source code for open source crapware.
April 13th, 2017
CradleCore: Ransomware Source Code for Sale
The authors of the CradleCore, a.k.a. "Cradle Ransomware", have put up the ransomware's source code up for sale on the Dark Web. The ransomware was first spotted by Michael Gillespie on March 31, 2017. Forcepoint recently published a report on its modus operandi.
April 14th, 2017
Cerber Dominates Ransomware Landscape After Locky's Demise
The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.
Thai developer working on new Hidden-Tear-based ransomware
MalwareHunter has come across a developer based in Thailand that's been messing around with a new ransomware, based on the Hidden Tear open-source kit. Currently, the unnamed ransomware drops ransom notes titled READ_IT_FOR_GET_YOUR_FILE.txt and uses random extensions for encrypted files.