May 8, 2017

Wow! What a brutal week. This week we have 36 ransomware stories, with 10 of them on May 1st alone. Most of the new ransomware releases continue to be real crap, but together they add up to a wave of garbage that can do some serious harm. We also saw previously small-scale distributions, such as GlobeImposter, gearing up with larger malspam campaigns.

The good news is that we also have an updated decryptor released by Emsisoft for the CryptON ransomware and a decryptor for BTCWare released by Michael Gillespie.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @struppigel, @demonslay335, @DanielGallagher, @malwrhunterteam, @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @malware_traffic, @FraMauronz, @JaromirHorejsi, @emsisoft, @sec_panda, @drProct0r, @TrendMicro, @McAfee, and @RecordedFuture.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

April 29th 2017

New HiddenTear variant called Mini Ransomware

BleepingComputer discovered a new in-development HiddenTear variant called Mini Ransomware. This ransomware appends the .maya extension to encrypted files and drops a ransom note named READ ME.txt.

April 30th 2017

New Ransomware called RSAUtil

Emsisoft malware researcher xXToffeeXx discovered a new ransomware called RSAUtil. The ransomware appends an extension built from an email address to encrypted files and creates a ransom note named How_return_files.txt. It uses two payment email addresses; both are obscured by the source page's spam protection.

New DeadSec-Crypto v2.1 Ransomware Found

BleepingComputer found a new in-development ransomware targeting Brazilian victims called DeadSec-Crypto v2.1 Ransomware. It currently does not do much other than display a form and delete some test files.

May 1st 2017

New version of the CryptoMix Ransomware Using the Wallet Extension

R0bert R0senb0rg discovered a new CryptoMix, or CryptFile2, variant that is now using the .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying, as it makes it more difficult for victims to identify which ransomware they are infected with when they perform web searches: the .WALLET extension has already been used by Dharma/Crysis and Sanctions, and now CryptoMix uses it too. The variant currently uses three payment email addresses, which are obscured by the source page's spam protection.
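
Added example, not from the post or any of the researchers it cites: a small Python parser for the CryptoMix .WALLET naming scheme above, so a responder can separate CryptoMix files from other families that also end in .WALLET by checking the full filename layout rather than the last extension alone. It assumes that the square brackets in the post are placeholders rather than literal characters, that the payment email contains no brackets or whitespace, and that the victim ID is 16 alphanumeric characters; the sample filenames are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class WalletName(NamedTuple):
    original_name: str
    payment_email: str
    victim_id: str


# Naming scheme from the post: <original>.[payment_email].ID[VICTIM_16_CHAR_ID].WALLET
# Assumptions (not stated in the post): the square brackets are placeholders,
# the email has no brackets or whitespace, and the victim ID is 16 alphanumerics.
_CRYPTOMIX_WALLET = re.compile(
    r"""^(?P<original>.+)
        \.(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)
        \.ID(?P<victim>[A-Za-z0-9]{16})
        \.WALLET$""",
    re.VERBOSE | re.IGNORECASE,
)


def parse_cryptomix_wallet(filename: str) -> Optional[WalletName]:
    """Return the pieces of a CryptoMix .WALLET filename, or None when the
    name does not follow that layout (for example a .wallet file produced
    by a different family)."""
    m = _CRYPTOMIX_WALLET.match(filename)
    if m is None:
        return None
    return WalletName(m.group("original"), m.group("email"), m.group("victim"))


def triage(filenames: List[str]) -> Tuple[List[WalletName], List[str]]:
    """Split a listing into CryptoMix matches and the remaining .wallet
    files, so the extension alone is never used to name the family."""
    cryptomix, other_wallet = [], []
    for name in filenames:
        parsed = parse_cryptomix_wallet(name)
        if parsed is not None:
            cryptomix.append(parsed)
        elif name.lower().endswith(".wallet"):
            other_wallet.append(name)
    return cryptomix, other_wallet


# Constructed sample names; not taken from a real infection.
SAMPLE_FILES = [
    "budget.xlsx.payment@example.com.IDA1B2C3D4E5F60718.WALLET",
    "photo.jpg.id-ABCD1234.[other@example.com].wallet",  # a different .wallet layout
    "notes.txt",
]

if __name__ == "__main__":
    hits, others = triage(SAMPLE_FILES)
    for h in hits:
        print(f"CryptoMix: {h.original_name} -> email={h.payment_email} id={h.victim_id}")
    for name in others:
        print(f".wallet file not matching the CryptoMix layout: {name}")
```

The original filename is matched greedily, so an email local part or original name that itself contains dots still splits at the last position where an address, a 16-character ID and the .WALLET suffix all line up.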


MIKOYAN Ransomware Discovered

MalwareHunterTeam discovered a new in-development ransomware called MIKOYAN. It appends the .MIKOYAN extension to encrypted files and uses a contact email address beginning with mikoyan (the rest of the address is obscured by the source page's spam protection).

Extractor Ransomware Discovered

xXToffeeXx discovered a ransomware called Extractor that appends the .xxx extension to encrypted files and creates a ransom note named ReadMe_XXX.txt. The payment email address is obscured by the source page's spam protection.

Ruby Ransomware Discovered

MalwareHunterTeam spotted a developer named Hayzam Sherif working on a ransomware called Ruby. The ransomware appends the .ruby extension to encrypted files and creates a ransom note on the desktop called rubyLeza.html.

Troldesh Channeling some James Bond With Its New Extension

Avast malware researcher Jakub Kroustek found a sample of Troldesh that uses the .crypted000007 extension for encrypted files.

New Maykolin Discovered

Malware researcher SecPanda discovered a new ransomware called Maykolin. This ransomware appends an extension consisting of an email address in square brackets to encrypted files and drops a ransom note that is also named after that address. The payment email address is obscured by the source page's spam protection.

New Amnesia Ransomware Discovered

xXToffeeXx discovered a new ransomware that appends the .amnesia extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT. The payment email address is obscured by the source page's spam protection.

Sample of FileFrozr Ransomware Discovered

Jakub Kroustek discovered a sample of the new FileFrozr RaaS that uses the built-in Windows cipher.exe tool to wipe free disk space, making it harder to recover the deleted originals of encrypted files with undelete or file-carving tools. It drops a ransom note named READ_ME.txt.
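
Added example, not part of the post or of FileFrozr itself: a detection run over constructed process-creation records that flags invocations of cipher.exe /w:<directory>, the documented switch that overwrites free space on the volume holding <directory>. The record layout and the "parent process outside C:\Windows" heuristic are assumptions for illustration; administrators do run cipher /w legitimately, so the parent process, not the switch alone, is what separates a dropper in %TEMP% from an admin at a console.

```python
import re
from typing import Dict, List

# Constructed process-creation records in a simplified
# "time|parent_image|image|command_line" layout. They are made up to
# exercise the rule and are not real telemetry.
SAMPLE_EVENTS = """\
2017-05-01T10:02:11|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /E /S:C:\\Users\\bob\\private
2017-05-01T10:05:40|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /w:C:\\
2017-05-01T10:05:41|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c CIPHER /W:D:\\
2017-05-01T10:06:02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe READ_ME.txt
"""

# cipher.exe /w:<directory> overwrites the free space on the volume that
# holds <directory>. Match the switch regardless of case and whether
# cipher is run directly or through cmd.exe. Other cipher switches
# (/E, /D, /S) are normal EFS use and are not flagged.
WIPE_SWITCH = re.compile(r"\bcipher(?:\.exe)?\s+.*?/w:", re.IGNORECASE)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-separated sample layout into dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, parent, image, cmdline = line.split("|", 3)
        events.append({"time": time, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def find_free_space_wipes(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events whose command line invokes cipher /w:, each
    annotated with a heuristic flag (an assumption for this example): a
    parent image outside the C:\\Windows tree, such as an executable in a
    user's temp directory, is treated as unusual."""
    hits = []
    for ev in events:
        if WIPE_SWITCH.search(ev["cmdline"]):
            annotated = dict(ev)
            annotated["unusual_parent"] = not ev["parent"].lower().startswith("c:\\windows\\")
            hits.append(annotated)
    return hits


if __name__ == "__main__":
    for hit in find_free_space_wipes(parse_events(SAMPLE_EVENTS)):
        flag = "UNUSUAL PARENT" if hit["unusual_parent"] else "system parent"
        print(f'{hit["time"]} {flag}: {hit["parent"]} -> {hit["cmdline"]}')
```

In real telemetry the same rule maps onto Sysmon event 1 or Security event 4688 fields (ParentImage, Image, CommandLine); the point is to key on the /w: switch plus parent context rather than on the cipher.exe image name, which legitimate EFS operations also produce.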

Remove Cry128 ransomware with Emsisoft’s free decrypter

Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for the most recent strain from the CryptON ransomware family, ‘Cry128’. Victims can now decrypt files for free!

CRYPTOBOSS Amnesia Variant

A member of the BleepingComputer forums posted about what appears to be another variant of the Amnesia ransomware discovered earlier this week. This one scrambles an encrypted file's name and then appends the .CRYPTBOSS extension.

May 2nd 2017

New GlobeImposter Variant Tells You to Stay Calm!

MalwareHunterTeam discovered a new variant of GlobeImposter that uses the extension .keepcalm.

New F*!kTheSystem Ransomware Variant

Karsten Hahn discovered a new ransomware that appends the .anon extension to encrypted files. StupidDecryptor can decrypt files affected by this ransomware.

Russian vCrypt Ransomware Discovered

MalwareHunterTeam discovered the vCrypt ransomware that is targeting Russian victims. The ransomware appends the .vCrypt1 extension to encrypted files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.

PEC 2017 Ransomware Discovered

xXToffeeXx discovered the Italian PEC 2017 ransomware. PEC 2017 appends the .pec extension to encrypted files and creates a ransom note named AIUTO_COME_DECIFRARE_FILE.html.

Haters Ransomware Discovered

Malwarebytes malware researcher Marcelo Rivero discovered the Haters Ransomware. This ransomware appends the .haters extension to encrypted files. StupidDecryptor can decrypt files affected by this ransomware.

Xncrypt Ransomware Discovered

Avast malware analyst Jaromir Horejsi discovered a new ransomware that appends the .xncrypt extension to encrypted files. You can unlock the screenlocker and decrypt the files by entering the code 20faf12b60854f462c8725b18614deac. StupidDecryptor can also decrypt files affected by this ransomware.

Spyware + Ransomware Combo Discovered

G Data malware researcher Karsten Hahn discovered that someone is developing malware that incorporates both spyware and a ransomware into it.

May 3rd 2017

Cerber Ransomware Version 6 Gets Anti-VM and Anti-Sandboxing Features

Researchers at Trend Micro and McAfee have spotted version 6 of the Cerber ransomware, and this new edition continues to add new features, heightening the overall complexity this ransomware family has been showing.

New Variant of BTCWare Discovered

Karsten Hahn discovered a new BTCWare variant that utilizes the .cryptowin extension.

Screenlocker in Development

Karsten Hahn discovered a new in-dev screenlocker. The unlock code is KUrdS12@!#.

New ShellShock Variant Called X0LZS3C

MalwareHunterTeam discovered a new ShellShock variant called X0LZS3C. This variant appends the .x0lzs3c extension to encrypted files.

BTCWare Decryptor Released

Michael Gillespie and Francesco Muroni joined forces to release a decryptor for BTCWare that supports the free decryption of files with the .cryptowin, .cryptobyte, and .btcware extensions.

Clouded Ransomware Discovered

BleepingComputer discovered a new ransomware called Clouded Ransomware. This ransomware appends the .cloud extension to encrypted files.

"BLANK SLATE" MALSPAM STARTS PUSHING GLOBEIMPOSTER RANSOMWARE VARIANT

Palo Alto Networks researcher Brad Duncan discovered a malspam campaign that is pushing the GlobeImposter ransomware. The distributed variant appends the .crypt extension to encrypted files and drops a ransom note called How_to_back_files.html.

May 4th 2017

New Ransomware called Rans0mLocker

BleepingComputer discovered a new ransomware called Rans0mLocked. This ransomware appends the .owned extension to encrypted files and communicates with its command and control server through a downloaded Tor client.

Anti-DDOS ScreenLocker/Ransomware Discovered

MalwareHunterTeam discovered another screenlocker/ransomware based on open source junk. StupidDecryptor can decrypt files affected by this ransomware.

May 5th 2017

New Fatboy Ransomware-as-a-Service Advertised on Russian Hacking Forum

According to threat intelligence firm Recorded Future a new Ransomware-as-a-Service (RaaS) portal is being advertised on an underground hacking forum, primarily used by Russian-speaking criminals.

New Jigsaw Variant Masquerading as a Credit Card Generator

MalwareHunterTeam found a new variant of Jigsaw masquerading as a credit card generator. It appends the .fun extension to encrypted files and uses its own background image.

NewHT Ransomware Discovered

A new ransomware called NewHT was discovered by Karsten Hahn. NewHT could mean New HiddenTear; we will have to see. Regardless, the ransomware appends the .htrs extension to encrypted files, drops a ransom note named readme.txt, and has some rudimentary virtual machine detection.

New ZipLocker Variant Discovered

Karsten Hahn discovered a new variant of the ZipLocker ransomware. This ransomware zips the targeted files into a password-protected zip file named [original_file_name]+ locked.zip. It also drops a ransom note named UnlockMe.txt. The current password for the zip file is Destroy.

News courtesy: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-5th-2017-wallet-globeimposter-and-cerber/