March 27, 2017

Lots and lots of little crappy ransomware released this week with nothing new or innovative. We do have some interesting Spora stats, lots of new Jigsaw variants, a story on the decline of Locky, and of course an updated decryptor by Fabian Wosar who continues to kick ransomware in the buttocks. Other than that, nothing really of significance.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @BleepinComputer, @erpscan, @barklyprotects.

March 18th 2017

New MOTD Ransomware Discovered
A BleepingComputer member posted a new topic in the support forums about the new MOTD ransomware. This ransomware will encrypt files and append the .enc extension and drop ransom notes named motd.txt.

March 19th 2017

In-Dev CryptoDevil Ransomware Adds Basic File Encryption
Emsisoft security researcher xXToffeeXx discovered a new variant of the in-development CryptoDevil ransomware that has started encrypting files. This variant will encrypt files in subfolders of the folder it runs from. When encrypting a file it will add the .devil extension to the encrypted file's name.


A Jigsaw Ransomware Variant was Discovered Translated to Vietnamese

Michael Gillespie found a Jigsaw Ransomware that was translated to Vietnamese.


March 20th 2017

Numbers Show Locky Ransomware Is Slowly Fading Away
This article discusses how the number of Locky ransomware infections has been going down over the last 6 months and has reached an all-time low this month in March.

Indiana Ransomware Bill Would Send Crooks to Prison for up to 6 Years
A new Indiana bill plans to make ransomware attacks a crime on its own, punishable with a sentence from one to six years in prison and a maximum fine of up to $10,000. House Bill 1444 was proposed last year by State Rep. Christopher Judy (R-Fort Wayne), passed the Indiana House of Representatives in late February, and will be heard tomorrow in the Senate Corrections and Criminal Law Committee, one of the few final steps before reaching the governor's desk.

PadCrypt is now Version 3.4.4
MalwareHunterTeam found a sample of the PadCrypt ransomware that is now at version 3.4.4. This is the ransomware that doesn't really infect many people, but keeps on chugging.

New Samas Variant Discovered
Michael Gillespie spotted a new Samas/SamSam ransomware uploaded to ID Ransomware that appends the extension .cifgksaffsfyghd and drops ransom notes named READ_READ_DEC_FILES.html.

March 21st 2017

New LLTP Ransomware Appears to be a Rewritten Venus Locker
A new ransomware called LLTP Ransomware or LLTP Locker, which targets Spanish-speaking victims, was discovered today by MalwareHunterTeam. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.

SAP Infrastructure Could Be Used to Deploy Ransomware on Enterprise Networks
ERPScan discovered a remote code execution flaw in the SAP Windows client that opens the door for ransomware attacks targeting enterprises that rely on various SAP products to manage and keep track of their business operations. SAP, a German company that makes enterprise software used by over 335,000 customers in 190 countries, patched the issue last week.

March 22nd 2017

We've Seen the Future of Ransomware and It's... User Friendly?
Barkly created an article about how Spora Ransomware has one of the most user-friendly payment systems.

Zorro Ransomware Released
BleepingComputer has discovered the Zorro Ransomware that appends the .zorro extension to encrypted files and drops a ransom note named Take_Seriously (Your saving grace).txt.

HiddenTear Variant Called AngleWare Discovered
BleepingComputer discovered a new HiddenTear/MafiaWare variant called AngleWare that appends .AngleWare to encrypted files.


Modified Jigsaw Ransomware that puts the Payment Instruction in the Extension
Jakub Kroustek found a modified Jigsaw Ransomware, being dubbed Monument, that adds payment instructions as the extension for encrypted files. MalwareHunterTeam also noted that this ransomware is bundled with the Imminent Monitor RAT.

This extension is .To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours.


New Meteoritan Ransomware Targets Polish Victims
MalwareHunterTeam discovered a new ransomware called Meteoritan that targets Polish victims. This ransomware will drop ransom notes named where_are_your_files.txt & readme_your_files_have_been_encrypted.txt.

Updated Version of the Globe3 Decryptor Released
Fabian Wosar of Emsisoft released a new version of the Globe3 decrypter to support the latest variants. The decryptor can be downloaded here.

March 23rd 2017

Monument Jigsaw Ransomware Variant Bundling NSFW Screen Locker
MalwareHunterTeam discovered that the Monument Jigsaw variant is now using the DarkLocker 5 porn screenlocker.


Statistics on the Amount of Files Encrypted by Spora on 646 Victims Released
MalwareHunterTeam analyzed the files encrypted by Spora on 646 victims and released his analysis.

New HiddenTear Variant called LK Encryptor
MalwareHunterTeam discovered a new HiddenTear variant called LK Encryption.

March 24th 2017

New BTCWare Ransomware Released
MalwareHunterTeam is on fire with the discovery of the BTCWare ransomware. This appears to be a new CrptXXX variant. According to MHT, one person has already made a ransom payment.

SADStory Ransomware Released
And we end with a crappy ransomware discovered by MalwareHunterTeam called SADStory. This ransomware may be a variant of CryPy and uses an email address that used to be associated with KimcilWare.