March 13, 2017
Another week and a lot more crappy ransomware released. Of particular interest is that Cerber no longer encrypts filenames, Emsisoft released a CryptON decryptor, and lots of really good technical writeups about ransomware.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @BleepinComputer, @PolarToffee, @fwosar, @malwareforme, @jorntvdw, @FourOctets, DanielGallagher, @campuscodi, @struppigel, @JAMESWT_MHT, @Seifreed, @jiriatvirlab, @mesa_matt, @SwiftOnSecurity, Kevin Douglas, @ESET, @Malwarebytes, @kaspersky, @RSAsecurity, @PaloAltoNtwks, @TalosSecurity, @CheckPointSW, and @JavelinNetworks.
March 5th 2017
Jigsaw 4.6 Ransomware Discovered
I discovered a new variant of the Jigsaw Ransomware which labels itself as version 4.6. This version includes a new lock screen, speech, and message box alerts. It does not currently encrypt anything.
March 6th 2017
Ransomware Hits Pennsylvania Senate Democrats
A ransomware infection shut down the computer network of the Pennsylvania Senate Democratic Caucus on Friday morning, officials said in a statement issued to the local press.
New Fadesoft Variant Discovered
Emsisoft researcher xXToffeeXx found a new variant of the FadeSoft Ransomware that utilizes a new ransom note.
CryptoJacky Ransomware Encrypts Files Using Aescrypt.exe
ESET security researcher Jiri Kropac discovered a new Spanish ransomware called CryptoJacky. Rather than implementing its own crypto, it is bundled with Aescrypt.exe, the command-line binary of the legitimate open-source AES Crypt utility, which is invoked to perform the actual encryption. Because that binary is a benign tool on its own, detection should key on the bundle and launcher rather than on Aescrypt.exe by itself.
March 7th 2017
Shamoon Disk-Wiping Malware Upgraded with Ransomware Module
Kaspersky has discovered that the Shamoon disk-wiping malware has received a major upgrade during the past few months, and now features a ransomware module, along with support for both 32-bit and 64-bit architectures.
New Enjey Ransomware Discovered
MalwareHunterTeam discovered a new ransomware called Enjey, which is based on RemindMe.
Unlock92 Changes the Name of its Ransom Note
MalwareHunterTeam found a new sample of Unlock92 that uses a new ransom note name. The new name is READ_ME_!.txt.
Nhtnwcuf Ransomware Discovered
Michael Gillespie found a new ransomware called Nhtnwcuf that does not actually encrypt your files but simply corrupts them. The damaged files are destroyed and cannot be recovered, so paying the ransom would not get them back. It uses ransom notes named !_RECOVERY_HELP_!.txt or HELP_ME_PLEASE.txt.
March 8th 2017
Someone Named Paul Working on a HiddenTear Ransomware
MalwareHunterTeam found an in-dev ransomware based on HiddenTear being created by someone named "Paul" from France. Hi Paul!
Emsisoft Releases a Decryptor for the CryptON Ransomware
Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable.
Crypt0l0cker (TorrentLocker): Old Dog, New Tricks
The Cisco Talos Group published an in-depth article about Crypt0L0cker, or TorrentLocker, and its resurgence. We also covered this last week, though not as deeply.
New CryptoLocker 1.0.0 Targeting Turkish Users
MalwareHunterTeam discovered a new ransomware targeting Turkish victims called CryptoLocker 1.0.0.
March 9th 2017
New RanRan Ransomware Uses Encryption Tiers, Political Message
Researchers from Palo Alto Networks have come across a new ransomware family that combines many unique features, such as political statements, public subdomain creation, and encryption tiers.
New Cerber Ransomware Variant Released That Keeps Original Filename
Emsisoft researcher Sarah, otherwise known as xXToffeeXx, and SwiftOnSecurity found a new sample of Cerber that leaves the original filename intact and only appends a random extension. Earlier Cerber variants replaced the filename as well, so file-rename based indicators for those variants will not match this one.
New Vortex Ransomware Discovered
Karsten Hahn discovered a new Polish ransomware called Vortex. This ransomware appends the .aes extension to the names of encrypted files.
New VapeLauncher Ransomware Discovered
You know vaping has become too popular when a ransomware is named after it. Karsten Hahn has discovered a new CryptoWire variant called VapeLauncher.
Spora Ransomware: Understanding the HTA Infection Vector
Kevin Douglas, a senior engineering manager at RSA Security, wrote a really detailed writeup on the Spora Ransomware and its use of the HTA infection vector. It is a good read for those who are interested in Spora or in how ransomware utilizes different attack vectors.
PadCrypt Reached Version 3.4.0
MalwareHunterTeam found a sample of PadCrypt stating that it is now version 3.4.0.
SAMAS RansomWorm: The Next-Gen Ransomware That Stole $450,000
An interesting article by Javelin Networks explaining how the Samas/SamSam ransomware spreads throughout a network.
March 10th 2017
Explained: Spora ransomware
Malwarebytes posted a technical analysis of the Spora Ransomware. Good read for those interested in Spora.
Distributors of Sage also Spread the August Stealer
A Twitter conversation between Proofpoint researcher Matthew Mesa and MalwareHunterTeam about how the distributors of Sage are also known for distributing the file and information stealer called August Stealer.
Android Adware and Ransomware Found Preinstalled on High-End Smartphones
Two companies have discovered that someone had covertly installed malware on 38 devices used by their employees. Check Point Software states that it has identified two malware families on the infected phones: the Loki adware/infostealer and the Slocker mobile ransomware.