January 19, 2017

The ransomware scourge does not want to let up. This week we have seen lots of small ransomware infections released as well as a very professional looking payment site from the Spora Ransomware.

The big news is the continuing relentless attack on unsecured MongoDB databases, the new attacks on ElasticSearch databases, and a big time ransomware payout by a school.

The good news is that we also had a bunch of decryptors released this week to help those victims who were affected by the Marlboro and Merry X-Mas Ransomware infections.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @fwosar, @campuscodi, @demonslay335, @BleepinComputer, @struppigel, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @0xDUDE, @nmerrigan, @jiriatvirlab, @malware_traffic, @synhershko, @alienvault, @actionfrauduk, @emsisoft, @MacKeeper, @elastic, @binaryedgeio, @MongoDB.

January 7th 2017

Educational Ocelot Ransomware Released

MalwareHunterTeam discovered the Ocelot Ransomware, which does not encrypt anything, but rather tries to teach you a lesson and provides links to protect yourself.

MongoDB Apocalypse Is Here as Ransom Attacks Hit 10,000 Servers

According to recent statistics compiled by Niall Merrigan and Victor Gerves, two security researchers that have kept a close eye on the attacks, hackers have now hit around 10,500 MongoDB servers. That's about 25% of all MongoDB databases accessible via the Internet.

Crooks Cold-Calling UK Schools and Tricking Staff Into Installing Ransomware

The "ActionFraud" UK National Fraud & Cyber Crime Reporting Center has issued an alert this week to UK educational institutes, warning against cyber-criminals cold-calling British schools and tricking staffers into installing ransomware on the school's computers.

In-Dev CryptoRansomware Does Not Realize It's Impolite to Curse.

MalwareHunterTeam discovered the in-dev CryptoRansomware that needs to wash its mouth out with soap.

In-Dev VBRansom coded in Visual Basic .NET

I discovered the in-development VBRansom 7 Ransomware that is programmed in Visual Basic .NET. It adds .VBRANSOM to files but does not actually encrypt them.


January 9th 2017

MongoDB Apocalypse: Professional Ransomware Group Gets Involved, Infections Reach 28K Servers

The number of hijacked MongoDB servers held for ransom has skyrocketed in the past two days from 10,500 to over 28,200, thanks in large part to the involvement of a professional ransomware group known as Kraken.

MongoDB Attacks Table

In-dev Ramsomeer Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Ramsomeer that is based on the DUMB ransomware. Yeah, these ransomware infections are actually named by the author this way. Go figure.
"Merry Christmas" Ransomware Now Steals User Private Data via DiamondFox Malware

A new variant of the Merry Christmas ransomware was discovered by Brad Duncan that changes the ransom note theme to use the evil Robot Santa Claus from Futurama. Soon after MalwareHunterTeam discovered that recent variants of the "Merry Christmas" ransomware, also known as Merry X-Mas, are also dropping the DiamondFox malware on infected computers, which is used by the ransomware's operators to collect data from infected hosts, such as passwords, sensitive files, and others.

New Evil Ransomware discovered that is coded in Javascript

Jiri Kropac discovered the Evil Ransomware, which is coded in JavaScript. Encrypted files will have the .file0locked extension appended to them. Victims are also told to email the attackers for payment instructions.


January 10th 2017

Minor Changes to the Cerber Ransomware

Emsisoft malware analyst xXToffeeXx discovered that Cerber switched their ransom note names to _HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg and .hta notes.

Los Angeles Valley College Pays a Whopping $30,000 in Ransomware Incident

The Los Angeles Community College District (LACCD) agreed to pay a ransom demand of $28,000 to crooks who managed to infect the computer network of the Los Angeles Valley College (LAVC) with ransomware.

Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet

A new ransomware family was discovered by MalwareHunterTeam called Spora, the Russian word for "spore." This new ransomware's most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, which is the most sophisticated we've seen from ransomware authors as of yet.

spora msg and upload

January 11th 2017

Kraken Group Puts MongoDB Hijacking Script Up for Sale

As the number of unsecured MongoDB servers goes down, the largest group involved with this ransom attempt is selling their hijacking script. The Kraken group is trying to monetize the last thing at its disposal, before the market collapses, by selling its script for $200 USD.
Kraken ad

January 12th 2017

Decryptor released for the Merry Christmas or Merry X-Mas Ransomware

Fabian Wosar has done it again and released a decryptor for the files encrypted by the Merry Christmas or Merry X-Mas Ransomware. These files will have the extensions .PEGS1, .MRCR1, .RARE1, or .RMCM1 appended to them. The decryptor can be downloaded here.

Marlboro Ransomware Defeated in One Day

A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its source code for weaknesses, and released a decrypter in less than 24 hours.

Discovered by MalwareHunterTeam and _operations6_, first signs of this threat appeared yesterday evening when a spam campaign started distributing Word files that would download and install the ransomware on users' computers.

MR Decrypter

Emsisoft releases a decryptor for Marlboro Ransomware

Super decryptor maker Fabian Wosar of Emsisoft does it again with the release of a decryptor for the Marlboro Ransomware. This decryptor will decrypt files that have the .oops extension appended to the filename. The decryptor can be downloaded here.

January 13th 2017

MongoDB Hijackers Move on to ElasticSearch Servers

As predicted by Security Editor Catalin Cimpanu, after days of wreaking havoc among MongoDB servers, a group of crooks has moved on to hijacking ElasticSearch servers and asking for similar ransoms.

The first wave of attacks hit ElasticSearch server owners yesterday, with some of the victims complaining on the ElasticSearch forums.

New version of ODCODCDecoder Released

BloodDolly has released a new version of his ODCODC Ransomware decryptor. The decryptor can be downloaded from here.

New in-development Kaandsona Ransomware Discovered

I discovered the new in-dev ransomware called Käändsõna, Kaandsona, or RansomTroll. It crashes before it encrypts. It adds .kencf to encrypted files. It was most likely created to troll researchers.
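As an added example (not code from the original post or from any of the researchers named in it), here is a small Python scanner that turns this week's indicators into a defender's check: the Cerber note-name pattern from the January 10th entry plus the encrypted-file extensions the roundup lists for Merry X-Mas, Marlboro, Evil, Kaandsona and VBRansom. The sample file listing and the alert threshold are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Extensions named in this week's roundup, mapped to the family that appends them.
ENCRYPTED_EXTENSIONS = {
    ".pegs1": "Merry X-Mas", ".mrcr1": "Merry X-Mas",
    ".rare1": "Merry X-Mas", ".rmcm1": "Merry X-Mas",
    ".oops": "Marlboro", ".file0locked": "Evil",
    ".kencf": "Kaandsona", ".vbransom": "VBRansom",
}
# Cerber's new note names: _HELP_DECRYPT_<4-8 alphanumerics>_.jpg or .hta.
# The roundup writes the length as {4-8}; read here as 4 to 8 characters.
CERBER_NOTE = re.compile(r"^_HELP_DECRYPT_[A-Z0-9]{4,8}_\.(jpg|hta)$")


def classify(path):
    """Return ("ransom_note"|"encrypted_file", family) or None for one path."""
    p = PurePosixPath(path)
    if CERBER_NOTE.match(p.name):
        return ("ransom_note", "Cerber")
    family = ENCRYPTED_EXTENSIONS.get(p.suffix.lower())
    return ("encrypted_file", family) if family else None


def scan(paths, min_hits=3):
    """Summarise hits per family: {"notes": n, "encrypted": n, "alert": bool}.
    A ransom note alone alerts; encrypted-extension hits need min_hits so one
    oddly named file does not trigger on its own."""
    notes, encrypted = Counter(), Counter()
    for hit in filter(None, map(classify, paths)):
        kind, family = hit
        (notes if kind == "ransom_note" else encrypted)[family] += 1
    return {
        fam: {"notes": notes[fam], "encrypted": encrypted[fam],
              "alert": notes[fam] > 0 or encrypted[fam] >= min_hits}
        for fam in set(notes) | set(encrypted)
    }


# Constructed sample listing; these paths are not from the original page.
SAMPLE_LISTING = [
    "/home/user/Documents/budget.xlsx.PEGS1",
    "/home/user/Documents/notes.txt.MRCR1",
    "/home/user/Pictures/cat.jpg.RARE1",
    "/home/user/Desktop/_HELP_DECRYPT_K7Q2X_.hta",
    "/home/user/Desktop/_HELP_DECRYPT_K7Q2X_.jpg",
    "/home/user/Desktop/_HELP_DECRYPT_K7Q2XABCDE_.hta",  # 10 chars, must not match
    "/srv/share/report.docx.oops",
    "/srv/share/readme.txt",
]
```

Running `scan(SAMPLE_LISTING)` flags Merry X-Mas (three encrypted files) and Cerber (two notes) while a single .oops file stays below the threshold.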
