April 17, 2017

After last week, it's a pleasure to have a slow week in ransomware. Nothing really big was released this week other than Emsisoft releasing an updated Cry9 decryptor and the new CryptoMix variant called Mole. Otherwise, this week has been full of in-development ransomware or smaller variants that most likely will never see any real distribution.

Contributors and those who provided new ransomware information and stories this week include:
@BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @jiriatvirlab, @JAMESWT_MHT, @Seifreed, @emsisoft, @malware_traffic, @ForcepointLabs.

April 8th, 2017

New In-dev Ransomware uses the Kilit Extension
A new ransomware is in development that appends the .Kilit extension to encrypted files. This ransomware downloads its configuration from Blogspot.

April 9th, 2017

Serpent Ransomware is Still Active

Michael Gillespie found a new Serpent Ransomware variant submitted to ID-Ransomware. This variant uses the extension .serp and a ransom note named README_TO_RESTORE_FILES.txt.

April 10th, 2017

Updated Cry9 Decryptor Released

Emsisoft's Fabian Wosar released a new version of his Cry9 Decryptor. This version is faster, supports more variants, and saves the key for later use.

April 11th, 2017

Portuguese HiddenTear Variant with a GUI Discovered
A new Portuguese HiddenTear variant was discovered that includes a GUI. This variant appends the .locked extension to encrypted files.

BTCWare using a new Contact Email
MalwareHunterTeam found a new sample of BTCWare that uses the contact email address [email address obscured by the source site].

New Eduware Discovered That Wants you to Watch a Video
ESET researcher Jiri Kropac discovered a new educational ransomware that encrypts your files, points you to a YouTube video to watch to learn about ransomware, and then decrypts your files.

April 12th, 2017

Mole Ransomware Distributed Through Fake Online Word Docs

A new ransomware called Mole was found by security researcher Brad Duncan and analyzed by BleepingComputer. This ransomware is a new CryptoMix variant that appends the .MOLE extension to encrypted files and drops a ransom note named

New Ransomware In Development by Anthony

MalwareHunterTeam discovered a new HiddenTear ransomware being developed by "Anthony". It appends .rekt to encrypted files.

New French Jigsaw Ransomware Variant

MalwareHunterTeam found a new Jigsaw Ransomware variant with a French ransom note. This ransomware appends .crypte to encrypted files.

El-Diablo Ransomware Being Developed

MalwareHunterTeam found a new in-development ransomware called El-Diablo being developed by someone named SteveJenner.

New Globe v3 Variant Mimics Dharma

Malware researcher xXToffeeXx found a new Globe v3 variant that mimics Dharma and uses the extension .[email address obscured by the source site].wallet.

New Jigsaw variants Discovered

Michael Gillespie discovered new variants of the Jigsaw ransomware that use different backgrounds and append the .lcked extension to encrypted files.

Ransomware Builder Found That Provides Open Source Crapware

MalwareHunterTeam discovered a new ransomware builder that generates source code for open source crapware.

April 13th, 2017

CradleCore: Ransomware Source Code for Sale

The authors of CradleCore, a.k.a. "Cradle Ransomware", have put the ransomware's source code up for sale on the Dark Web. The ransomware was first spotted by Michael Gillespie on March 31, 2017. Forcepoint recently published a report on its modus operandi.

April 14th, 2017

Cerber Dominates Ransomware Landscape After Locky's Demise

The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.
Thai developer working on new Hidden-Tear-based ransomware

MalwareHunter has come across a developer based in Thailand that's been messing around with a new ransomware, based on the Hidden Tear open-source kit. Currently, the unnamed ransomware drops ransom notes titled READ_IT_FOR_GET_YOUR_FILE.txt and uses random extensions for encrypted files.

News Courtesy :