February 27, 2017
Many small ransomware infections were released this week that will most likely never make it into major circulation. The stories of interest this week are the Avast decryptor for offline CryptoMix infections, Trump Locker, and a new macOS ransomware called Patcher.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @DanielGallagher, @campuscodi, @BleepinComputer, @struppigel, @malwareforme, @jorntvdw, @FourOctets, @JAMESWT_MHT, @Seifreed, @nyxbone, @_odisseus, @JakubKroustek, @MsmCode, @ESET, @avast_antivirus, and @symantec.
February 20th 2017
New XYZWare Ransomware Discovered
MalwareHunterTeam discovered a new in-development HiddenTear-based ransomware called XYZWare. This ransomware drops a ransom note named Readme.tx.
CryptConsole Using a new Contact Email
Updated Decryptor for the MRCR Ransomware Released
Fabian Wosar of Emsisoft has released an updated MRCR Ransomware decryptor in order to support the latest variants.
February 21st 2017
8 Trends in Android Ransomware, According to ESET
The report, published by ESET yesterday and titled Trends in Android Ransomware, provides a look at how ransomware threats evolved during the past year in the Android ecosystem.
Sage 2.2 Ransomware Released
MalwareHunterTeam has noticed that Sage 2.2 Ransomware has been released.
New Samas Variant Discovered
Michael Gillespie found a new Samas/SamSam variant that appends the .weencedufiles extension to encrypted files and drops a ransom note named READ-READ-READ.html.
Avast Releases a Decryptor for Offline Versions of the CryptoMix Ransomware
Today, Avast released a decryptor for CryptoMix victims whose files were encrypted while the ransomware was in offline mode. Offline mode is when the ransomware runs and encrypts a victim's computer while there is no Internet connection or the computer cannot reach the ransomware's Command & Control server.
February 22nd 2017
New Trump Locker Ransomware Is a Fraud, Just VenusLocker in Disguise
I found a new ransomware called Trump Locker that appears to be based on Venus Locker. Trump Locker drops a ransom note called What happen to my files.txt and encrypts files with either the .TheTrumpLockerf or .TheTrumpLockerfp extension.
New Crypt888 Ransomware Released
Jakub Kroustek discovered that a new variant of the Crypt888 Ransomware was released with no ransom note, only the background image shown below. This ransomware prepends the Lock. string to encrypted file names, and the files can be decrypted using Avast's decryptor.
New Python Ransomware Discovered
Jakub Kroustek discovered a new ransomware written in Python that has been named PyL33T. This ransomware appends the .d4nk extension to encrypted files.
New macOS Patcher Ransomware Locks Data for Good, No Way to Recover Your Files
A newly discovered ransomware family calling itself Patcher is targeting macOS users, but according to security researchers from ESET, who discovered the ransomware last week, Patcher bungles the encryption process and leaves affected users with no way of recovering their files.
February 23rd 2017
New Unlock26 Ransomware Wants You To Solve Math Problem
MalwareHunterTeam has discovered a new ransomware that does not contain a name or provide any contact info. It requires the victim to solve a math problem before making a payment.
Android Ransomware Asks Victims to Speak Unlock Code
Symantec found that a new variant of the Lockdroid Android ransomware has chosen a unique way of unlocking devices: it asks users to speak a code that is provided after paying the ransom.
New Pickles Ransomware Discovered
Jakub Kroustek discovered another Python ransomware called Pickles. The name comes from the string "pickles" being used as the static password when encrypting files. This ransomware creates ransom notes named READ_ME_TO_DECRYPT.txt and renames files to %random%.EnCrYpTeD.
New Go Ransomware called Vanguard
JAMESWT discovered a new ransomware written in Go called Vanguard. Because the Command & Control server is down, or there are other issues, we do not have much information on it yet.
February 24th 2017
Latest CryptoMix Variant Uses CRYPTOSHIEL Extension
msm, a security researcher at CERT Polska, discovered that CryptoMix is now using the .CRYPTOSHIEL extension for encrypted files. It is unclear whether this is a bug in their code, as the previous version used the .CRYPTOSHIELD extension when encrypting files.