January 30, 2017

This week we continue to see lots of little ransomware being developed and new variants of existing ones. The big news is Spora and Sage 2.0 now being distributed by actors that normally distribute Locky and Cerber. This has caused a greater distribution of both of these ransomware infections.

Furthermore, when Spora was first released it was initially only targeting Russian victims. This may have been a test run as we are now seeing world wide distribution of Spora.

Last, but not least, it appears that ransomware developers are running out of names to call their ransomware. To illustrate this, we have a ransomware this week called Potato. I wonder if next week we will have one named Broccoli?

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @campuscodi, @BleepinComputer, @struppigel, @JAMESWT_MHT, @Seifreed, @nyxbone,@jiriatvirlab, @malware_traffic, @emsisoft, @CheckPointSW, @JakubKroustek, @DecrypterFixer, Malwarebytes, @gmail

January 21st 2017

In-Developer called CloudSword Discovered

I discovered a new ransomware called CloudSword that will create a ransom note named Warning??.html.

C2qm1V XcAI3UWH1

January 22nd 2017

Apocalypse/Al-Namrood Ransomware Variant Switches Contact Email

xXToffeeXx discovered a new variant of the Apocalypse/Al-Namrood Ransomware that is using the email address This email address is being protected from spambots. You need JavaScript enabled to view it.,">This email address is being protected from spambots. You need JavaScript enabled to view it.

January 23th 2017

Sage 2.0 Ransomware Gearing up for Possible Greater Distribution

ISC Handler and security researcher Brad Duncan posted a new ISC diary entry. In his diary entry, Brad discussed how a new ransomware called Sage 2.0 is now being distributed via SPAM emails. What is even more disconcerting is that the current Sage 2.0 distributor also appears to be one of the actors that we commonly see distributing Cerber, Locky, and now Spora. This means that there is a good potential that there may be an increased distribution of the Sage 2.0 ransomware in the future.

sage header

New Samas Variant Discovered

Michael Gillespie discovered a new SamSam/Samas ransomware variant that uses the extension .weareyourfriends for encrypted files and creates a ransom note named TRY-READ-ME-TO-DEC.html.

New Jigsaw Variant Discovered

Michael Gillespie discovered a new Jigsaw Ransomware variant that uses the .paytounlock extension for encrypted files. Michael's decryptor has already been updated for this version.

CryptoMix switches to the RDMK Extension

xXToffeeXx noticed that CryptoMix has switched to using the .rdmk extension for encrypted files. The pattern of an encrypted file will be *filename*.email[*email*]_id[*id*].rdmk,

January 24 t h 2017

And So It Begins: Spo r a Ransomware Starts Spreading Worldwide

According to data gathered via the ID-Ransomware service, what all of us had predicted is now happening; Spora Ransomware has started to spread to new territories outside former Soviet states. To illustrate this, Daniel Gallagher has imported the data from ID-Ransomware to generate a heat map of infection locations as seen below.

spora splunk                                                    Spora Heat Map over the past 7 DaysCourtesy of Daniel Gallagher

Ransomware called RussianRoulette Discovered

GData malware analyst Karsten Hahn discovered a new ransomware called RussianRoulette. This ransomware is actually a variant of the Philadelphia ransomware.


New vxLock Ransomware Family Discovered

Jiri Kropac found a new ransomware family called vxLock that appends the .vxLock extension to encrypted files.

January 25 t h 2017

Charger Android Ransomware Reaches Google Play Store

Check Point Software has discovered a new Android ransomware family named Charger. The app's name is EnergyRescue, an app that posed as a battery-saving application, but which secretly stole a user's SMS messages and contact list, uploaded the data to the crooks' servers, and later locked the user's device. Google has since removed the app from the Google Play Store.

Gmail will Block JS Attachments for Security Reasons Starting February 13

While this is not strictly about ransomware, Gmail will start blocking JS files from being accessed or attached in emails. As many ransomware distributors use JS SPAM attachments as an attack vector, this may help increase security in that area.


New Samas Ransomware Variant Discovered

Michael Gillespie discovered a new Samas/SamSam variant that uses the .otherinformation extension for encrypted files and creates ransom notes named 000-IF-YOU-WANT-DEC-FILES.html.

Potato Ransomware Discovered

Michael Gillespie was notified of a new ransomware called Potato. Yup..potato. This ransomware adds the extension .potato to encrypted files and leaves ransom notes named README.png or README.html.


January 26th 2017

Police Department Loses Years Worth of Evidence in Ransomware Incident

Police in Cockrell Hill, Texas admitted yesterday in a press release that they lost years worth of evidence after the department's server was infected with ransomware. Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents.

CryptConsole Ransomware Discovered that Only Renames Files

xXToffeeXx has discovered a new ransomware called CryptConsole that impersonates the Globe Ransomware. When executed, CryptConsole will not actually encrypt files, but just encrypt the filenames to This email address is being protected from spambots. You need JavaScript enabled to view it._[encrypted_filename] or This email address is being protected from spambots. You need JavaScript enabled to view it._[encrypted_filename]. For example, test.jpg may be renamed as This email address is being protected from spambots. You need JavaScript enabled to view it._95032A2E1D28B13A40D3C53BECED4945FAAA1F0327D458AD07A545DD8844A1B7. It also drops a ransom note named How decrypt files.hta.

encrypted files

VirLocker Ransomware Returns Just as Virulent as Ever

The VirLocker ransomware made a comeback this past week with a new and very virulent version, but the Malwarebytes security team says there's a way for victims to recover files by entering a special code in the payment field. Furthermore, Malwarebytes malware analyst Nathan Scott has come up with a way to get a victim's files back for free.


MRCR1 or Merry X-Mas Ransomware Campaign Started

xXToffeeXx noticed that a new campaign appears to have started for the MRCR1 or Merry X-Mas Ransomware based on stats from ID-Ransomware.

CryptoConsole Decryptor Released

Michael Gillespie released a decryptor for the CryptoConsole Ransomware/Renamed. Information on how to use it can be found here.


January 27th 2017

Emsisoft Released an Updated Decryptor for the Merry X-Mas Ransomware

Emsisoft has released an updated decryptor for the Merry X-Mas Ransomware. This update handles the variant that drops the MERRY_I_LOVE_YOU_BRUCE.HTA ransom notes. The decryptor can be found here.

News Courtesy :