February 06, 2017
Ransomware, ransomware, ransomware. It never seems to end. This week we see lots of little ransomware infections being developer or distributed. The good news is that we also have seen quite a few decryptors released to help those who were infected.
The big news the continued distribution of Spora by some of the bigger players and introduction of a new exploit kit driven ransomware called CryptoShield 1.0.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @campuscodi, @BleepinComputer, @struppigel, @JAMESWT_MHT, @Seifreed, @nyxbone,@jiriatvirlab, @GovCERT_CH, @emsisoft, @JakubKroustek, @Malwarebytes, @kafeine, @DecrypterFixer, @hypoweb, @_ddoxer, @malware_traffic, @NCA_UK, and @GrujaRS.
January 27th 2017
New Jigsaw Variant Discovered
January 28th 2017
Final Version of the Hitler Ransomware Released
Jiri Kropac discovered that some idiot released the final version of the Hitler Ransomware. It is amazing what schmucks there are in the world.
New RansomPlus Ransomware Discovered
January 29th 2017
Ransomware Infects Electronic Door Locking System at Austrian Hotel
A ransomware infection has wreaked havoc at Romantik Seehotel Jägerwirt, a four-star hotel in the Austrian Alps, on the lip of the Turracher Höhe mountain lake.
The incident took place earlier this month and hit the computer managing the hotel's electronic key lock system, reservation system, and the cash desk system, according to local media.
New XCrypt Ransomware Discovered
Avast security researcher Jakub Kroustek discovered the XCrypt Ransomware with ransom notes written in Cyrillic and developer contact via ICQ. The ransom note is named Xhelp.jpg and encrypted files are not renamed.
January 30th 2017
Emsisoft Website Hit by DDoS Attack as Company Releases Ransomware Decrypter
In the past week, two security firms, Dr.Web and Emsisoft, suffered DDoS attacks at the hands of cyber-criminals who attempted to bring down their websites as payback for meddling with their illegal activities. On January 28, Emsisoft suffered DDOS attack to the section of the company's portal that hosts ransomware decrypters.
Saga 2.0 comes with IP Generation Algorithm (IPGA)
The Swiss Government Computer Emergency Response Team (GovCERT.ch) put together a great analysis of the Sage 2.0 Ransomware. If you are interested in the inner workings of this ransomware, it is a must read.
Zyka Ransomware Discovered
Independent security researcher CyberSecurity discovered the Zyka ransomware, which appends the .locked extension to encrypted files. Victims can download Michael Gillespie's StupidDecryptor to decrypt encrypted files.
January 31st 2017
Rogue Netflix App Spreads Ne tix Ransomware That Targets Windows 7 and 10 Users
Karsten Hahn discovered a new ransomware family named Netix (RANSOM_NETIX.A) is targeting users who use special applications to access hacked Netflix accounts, locking their files and demanding a ransom payment of $100.
Fake Chrome Font Pack Update Alerts Infecting Visitors with Spora Ransomware
Yesterday, Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, wrote a blog article discussing how the EITest Chrome Font Update campaign is now distributing the Spora Ransomware.
CryptoMix variant named CryptoShield 1.0 Ransomware Distributed by Exploit Kits
A new CryptoMix, or CrypMix, variant called CryptoShield 1.0 Ransomware has been discovered by ProofPoint security researcher Kafeine being distributed via EITest and the RIG exploit kit.
New Jigsaw Ransomware Variant Discovered
Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .gefickt extension to encrypted files. Michael's Jigsaw Decryptor has been updated for this variant.
Evil-JS Ransomware Switches to a new Extension
xXToffeeXx noticed that Evil-JS ransomware switched to the .evillock extension since the January 25th and slightly modified the ransom note.
Locky Bart ransomware and backend server analysis
Malwarebytes posted a article that describes the backend of the Bart Ransomware server and how Malwarebytes was able to access the decryption keys stored on it.
February 1st 2017
New Samas Ransomware Variant Discovered
Michael Gillespie discovered a new variant of the Samas/SamSam Ransomware that uses the .letmetrydecfiles extension for encrypted files and creates a ransom note called LET-ME-TRY-DEC-FILES.html.
February 2nd 2017
Avast releases Three more Decryption Tools for Ransomware Victims
Avast released decryptors for the HiddenTear, Jigsaw, and Stampado/Philadelphia ransomware infections.
February 3rd 2017
Ransomware Incident Shuts Down County's Government Infrastructure
A ransomware infection that took root on late Tuesday night, January 31, affected several services provided by the local Licking County (Ohio) government infrastructure.
Two Arrested in London for Infecting Washington's CCTV Network with Ransomware
UK's National Crime Agency said today that officers arrested two suspects for hacking the Washington CCTV network and installing ransomware.
Ranion Ransomware-as-a-Service Available on the Dark Web for 'Educational Purposes'
A new Ransomware-as-a-Service (RaaS) portal that recently launched on the Dark Web is peddling access to a fully-working ransomware distribution network for extremely low prices. Called Ranion, this new RaaS service was discovered by Radware security researcher Daniel Smith, who found it indexed on a Dark Web URL indexing service.
"Educational" YourRansom Ransomware Discovered
Sample of the LambdaLocker Ransomware Discovered
xXToffeeXx discovered a sample of the LambdaLocker Ransomware that Michael Gillespie was looking for. The LambdaLocker Ransomware will append the .lambda_locked extension to encrypted files and create a ransom note named READ_IT.hTmL. Also includes a Chinese section in the ransom note.