March 21, 2017
This week we had some rather large or interesting ransomware infections released. We have a new CryptoMix variant called Revenge being distributed via the RIG exploit kit, and we have someone modifying Petya in order to field their own ransomware without having to write one from scratch. We also have a Star Trek themed ransomware called Kirk Ransomware.
Some good news is that Fabian Wosar of Emsisoft released a decryptor for the Damage Ransomware and an updated decryptor for CryptON.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @malwareforme, @jorntvdw, @FourOctets, DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @hasherezade, @siri_urz, @jiriatvirlab, @Malwarebytes, @Jan0fficial, @kaspersky, @msftmmpc, @BroadAnalysis, and @BleepinComputer.
March 11th 2017
ID-Ransomware Can Now Identify Files Encrypted by Spora
ID-Ransomware can now identify files encrypted by the Spora Ransomware thanks to analysis of the file marker posted by @hasherezade.
New SamSam Variant Discovered
Michael Gillespie discovered a Samas/SamSam variant that appends the .iaufkakfhsaraf extension to encrypted files and drops a ransom note named IF_WANT_FILES_BACK_PLS_READ.html.
Emsisoft Releases a Decryptor for the Damage Ransomware
Fabian Wosar of Emsisoft live streamed his analysis of the Damage Ransomware and was able to build a decryptor while people were watching. This Damage decryptor is available here.
RozaLocker Ransomware Discovered
Jiri Kropac discovered a new Russian ransomware called RozaLocker that requests 10,000 Rubles to decrypt a victim's files. RozaLocker appends the .ENC extension to encrypted files.
March 12th 2017
New French Ransomware Discovered
Malwarebytes researcher S!Ri discovered a new ransomware targeting French victims.
March 13th 2017
Embittered Enjey Ransomware Developer Launches DDoS Attack on ID Ransomware
The ID Ransomware service was hit by two DDoS attacks launched by the author of the Enjey ransomware, embittered after ID Ransomware's creator, Michael Gillespie, had found a way to decrypt his ransomware.
Ŧl๏tєгค гคภร๏๓ฬคгє Discovered
MalwareHunterTeam discovered a new ransomware called Ŧl๏tєгค гคภร๏๓ฬคгє. It appears to be a renamed version of Vortex.
PadCrypt is now Version 3.4.1
MalwareHunterTeam found a sample of the PadCrypt ransomware that is now at version 3.4.1. Although this ransomware is hardly distributed, its developers continue to actively develop it.
Ransomware Hunt for Project34 Ransomware Initiated
March 14th 2017
PetrWrap Ransomware Is a Petya Offspring Used in Targeted Attacks
Kaspersky Lab discovered a heavily modified, but "unauthorized" version of the Petya ransomware being used in targeted attacks on a small number of organizations.
Named PetrWrap, this Petya offspring is part of the arsenal of a new threat actor that's hacking corporate networks and then using the Windows PsExec utility to install PetrWrap on vulnerable servers and endpoints.
Malwarebytes Researchers Hack into Soon-to-be-Launched RaaS Portal
Malwarebytes disrupted a ransomware author's plans to launch a RaaS portal after they managed to infiltrate the crook's command and control server, hosted on a common shared hosting provider.
Spora Ransomware Utilizing a New Domain
MalwareHunterTeam noticed that Spora has added a new domain yesterday called torifyme[.]com.
New Jigsaw Variant Released
Michael Gillespie discovered a new variant of the Jigsaw Ransomware that appends the .nemo-hacks.at.sigaint.org extension to encrypted files.
Hermes Ransomware Version 2.0 Released
Michael Gillespie noted that someone uploaded a file from the Hermes v2 ransomware to ID-Ransomware.
Decryptor for the Hermes Ransomware Released
Michael Gillespie published a decryptor for the Hermes Ransomware with help from Fabian Wosar of Emsisoft.
Russian Educational Screenlocker Found
MalwareHunterTeam found a Russian educational screenlocker sample which tries to teach the victim a lesson.
New Karmen RaaS Discovered
A new in-development Ransomware as a Service, or RaaS, called Karmen has been discovered by MalwareHunterTeam.
March 15th 2017
Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit
Broad Analysis discovered a new CryptoMix, or CryptFile2, variant called Revenge that is being distributed via the RIG exploit kit. This variant appends the .REVENGE extension to encrypted files and drops a ransom note named # !!!HELP_FILE!!! #.txt.
A Turkish Fake CTB-Locker Discovered
Avast malware researcher Jakub Kroustek discovered a Turkish ransomware that impersonates CTB-Locker. This ransomware appends the .encrypted extension to encrypted files and drops a ransom note named Beni Oku.txt.
HiddenTear Variant Wants People to Post on Facebook
GData malware analyst Karsten Hahn found a HiddenTear variant, created by someone named Anony, that requires victims to post to Facebook to get a decryption key.
March 16th 2017
Trend: Ransomware Hidden in NSIS Installers Harder to Detect
Microsoft's Malware Protection Center has recently observed a change in the way malware authors deploy malicious code via NSIS installers. The changes are at the lowest levels of the installers, in how files are arranged and named inside them. These changes are completely invisible to end users but are enough to break common security threat detection systems.
Recent activity with new model of NSIS installers (via MMPC)
Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor!
Jakub Kroustek discovered a new ransomware called Kirk Ransomware. Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?
This ransomware appends the .Kirked extension to encrypted files and drops a note called RANSOM_NOTE.txt.
Lick Ransomware, a variant of Kirk Ransomware, Discovered
Jakub Kroustek discovered another variant of the Kirk Ransomware called Lick Ransomware. This variant works pretty much the same way as Kirk, but also uploads a copy of the encrypted key and other information to PasteBin. This ransomware appends the ..Licked extension to encrypted files and drops a note called RANSOM_NOTE.txt.
CryptoDevil Screenlocker Discovered
A very ugly screen locker called "Ramsomware.CryptoDevil" was discovered by MalwareHunterTeam. The unlock code is kjkszpj. The file properties state it was created by someone going by the alias of "mutr0l".
RoshaLocker 2.0 Stores Files in Password Encrypted RAR Files
Malwarebytes malware researcher S!Ri found RoshaLocker 2.0, which stores your files in a password protected RAR file and then demands a ransom to get the archive password.
CryptON Decryptor Updated
Fabian Wosar of Emsisoft released an updated decryptor for CryptON to handle the latest variant. The decryptor can be downloaded here.
March 17th 2017
New ZinoCrypt Ransomware - 2017 Edition
MalwareHunterTeam discovered a new ransomware called ZinoCrypt Ransomware - 2017 Edition. ZinoCrypt drops a ransom note named ZINO_NOTE.TXT and appends the extension .ZINO to encrypted files.
@demonslay335
New Crptxxx Ransomware
A new ransomware was discovered by MalwareHunterTeam that appends the .crptxxx extension to encrypted files and drops a ransom note named HOW_TO_FIX_!.txt.
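The items above each report the same two host-side indicators: an extension appended to encrypted files and the name of the dropped ransom note. The following triage script collects those indicators into one table and runs it over a file listing. It is an added example, not code from BleepingComputer or from any of the researchers credited; the indicator table is transcribed from this week's items, the file listing is constructed, and the "low confidence" handling of short generic extensions such as .ENC and .encrypted is this example's own design choice.

```python
"""Flag files carrying the extensions or ransom-note names reported this week.

Added example (not BleepingComputer's or any vendor's code). The indicator
table is transcribed from the article; the sample listing is constructed.
"""
from collections import Counter

# family -> extension appended to encrypted files (from this week's items)
EXTENSIONS = {
    "SamSam": ".iaufkakfhsaraf",
    "RozaLocker": ".ENC",
    "Jigsaw": ".nemo-hacks.at.sigaint.org",
    "Revenge (CryptoMix)": ".REVENGE",
    "Fake CTB-Locker (Turkish)": ".encrypted",
    "Kirk": ".Kirked",
    "ZinoCrypt": ".ZINO",
    "Crptxxx": ".crptxxx",
}

# family -> ransom note file name dropped next to encrypted files
RANSOM_NOTES = {
    "SamSam": "IF_WANT_FILES_BACK_PLS_READ.html",
    "Revenge (CryptoMix)": "# !!!HELP_FILE!!! #.txt",
    "Fake CTB-Locker (Turkish)": "Beni Oku.txt",
    "Kirk / Lick": "RANSOM_NOTE.txt",
    "ZinoCrypt": "ZINO_NOTE.TXT",
    "Crptxxx": "HOW_TO_FIX_!.txt",
}

# Short extensions that plenty of legitimate software also uses. A hit on one
# of these alone is weak evidence, so it is reported with low confidence
# (design choice of this example, not something the article states).
GENERIC_EXTENSIONS = {".ENC", ".encrypted"}


def classify(path):
    """Return (family, kind, confidence) for one path, or None if no indicator matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Ransom notes are the strongest signal, so check them first.
    for family, note in RANSOM_NOTES.items():
        if name.lower() == note.lower():
            return (family, "ransom_note", "high")
    # Suffix match rather than splitext(): Jigsaw's extension contains dots.
    for family, ext in EXTENSIONS.items():
        if name.lower().endswith(ext.lower()):
            confidence = "low" if ext in GENERIC_EXTENSIONS else "high"
            return (family, "extension", confidence)
    return None


def scan(paths):
    """Classify every path; return a list of (path, family, kind, confidence)."""
    hits = []
    for path in paths:
        result = classify(path)
        if result is not None:
            hits.append((path,) + result)
    return hits


def summarize(hits):
    """Count high-confidence hits per family; a note plus many renamed files is the typical picture."""
    return Counter(hit[1] for hit in hits if hit[3] == "high")


# Constructed file listing standing in for a directory walk of an affected host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.REVENGE",
    r"C:\Users\alice\Documents\# !!!HELP_FILE!!! #.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.REVENGE",
    r"C:\Users\bob\report.docx.nemo-hacks.at.sigaint.org",
    r"C:\Users\bob\archive.enc",  # generic extension: reported with low confidence
    r"C:\Users\bob\notes.txt",
    r"D:\share\RANSOM_NOTE.txt",
    r"D:\share\plan.pdf.Kirked",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LISTING):
        print(*hit, sep="\t")
    print(summarize(scan(SAMPLE_LISTING)))
```

On a real host, feed `scan()` the output of `os.walk()` over user and share directories; the note names are matched exactly while extensions are matched as suffixes, because Jigsaw's .nemo-hacks.at.sigaint.org would be mangled by `os.path.splitext()`. A single generic-extension hit should be treated as a lead to check, not as confirmation.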
New Jigsaw Variant Discovered with New Background
Jakub Kroustek discovered a new variant of the Jigsaw ransomware that utilizes a new background.
DH_File_Locker Ransomware Builder Discovered
Jªn Poulsen discovered a builder for the DH_File_Locker Ransomware.
Trident File Locker Ransomware Builder Discovered
Jªn Poulsen discovered a builder for the Trident File Locker.
New MacAndChess HiddenTear Variant
Karsten Hahn discovered a new HiddenTear variant called MacAndChess Ransomware.
March 18th 2017
BranCrypt Ransomware Released