May 8, 2017
Wow! What a brutal week. This week we have 36 ransomware stories, with 10 of them being on May 1st alone. Most of the new ransomware releases continue to be real crap, but together they add up to a wave of garbage that can do some serious harm. We also saw previously small distributions gearing up with larger MALSPAM campaigns, such as GlobeImposter.
The good news is that we also have an updated decryptor released by Emsisoft for the CryptON ransomware and a decryptor for BTCWare released by Michael Gillespie.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @struppigel, @demonslay335, @DanielGallagher, @malwrhunterteam, @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @malware_traffic, @FraMauronz, @JaromirHorejsi, @emsisoft, @sec_panda, @drProct0r, @TrendMicro, @McAfee, and @RecordedFuture.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
April 29th 2017
New HiddenTear variant called Mini Ransomware
BleepingComputer discovered a new in-development HiddenTear called Mini Ransomware. This ransomware appends the .maya extension to encrypted files and drops a ransom note named READ ME.txt.
April 30th 2017
New Ransomware called RSAUtil
Emsisoft malware researcher xXToffeeXx discovered a new ransomware called RSAUtil. The ransomware appends an extension made from an email address (the address is not preserved on this page) to encrypted files and creates a ransom note named How_return_files.txt. It uses two payment email addresses, which are likewise not preserved on this page.
New DeadSec-Crypto v2.1 Ransomware Found
BleepingComputer found a new in-development ransomware targeting Brazilian victims called DeadSec-Crypto v2.1 Ransomware. It currently does not do much other than display a form and delete some test files.
May 1st 2017
New version of the CryptoMix Ransomware Using the Wallet Extension
R0bert R0senb0rg discovered a new CryptoMix, or CryptFile2, variant that is now using the .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying as it makes it more difficult for victims to easily identify what ransomware they are infected with when they perform web searches. This is because the .WALLET extension has been used by Dharma/Crysis, Sanctions, and now we have CryptoMix. It currently uses three payment email addresses, which are not preserved on this page.
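Because a bare extension like .WALLET no longer identifies a single family, triage has to combine the full filename pattern with the ransom note dropped beside it. The script below is an added example (not code from BleepingComputer or from any of the researchers credited here) that does exactly that for the artifacts reported in this roundup: the signature table, the sample listing, the placeholder email and the victim ID are all constructed for the example, and the family labels in the table are only as specific as the roundup itself.

```python
import re

# Constructed for this example: a triage table built from the artifacts reported
# in this roundup. Each row is (regex over the encrypted filename, family label,
# ransom note filename the family drops, or None where the roundup gives none).
# Rows are ordered most specific first, so the CryptoMix pattern is tried before
# the bare .WALLET rule that it shares with Dharma/Crysis and Sanctions.
SIGNATURES = [
    (r"\.\[[^\]]+@[^\]]+\]\.ID[0-9A-F]{16}\.WALLET$", "CryptoMix (Wallet variant)", None),
    (r"\.WALLET$", "Dharma/Crysis, Sanctions or CryptoMix (ambiguous .WALLET)", None),
    (r"\.maya$", "Mini Ransomware (HiddenTear)", "READ ME.txt"),
    (r"\.xxx$", "Extractor", "ReadMe_XXX.txt"),
    (r"\.ruby$", "Ruby", "rubyLeza.html"),
    (r"\.crypted000007$", "Troldesh", None),
    (r"\.amnesia$", "Amnesia", "HOW TO RECOVER ENCRYPTED FILES.TXT"),
    (r"\.CRYPTBOSS$", "Amnesia (CRYPTOBOSS variant)", None),
    (r"\.keepcalm$", "GlobeImposter", None),
    (r"\.crypt$", "GlobeImposter (Blank Slate campaign)", "How_to_back_files.html"),
    (r"\.vCrypt1$", "vCrypt", "КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt"),
    (r"\.pec$", "PEC 2017", "AIUTO_COME_DECIFRARE_FILE.html"),
    (r"\.(cryptowin|cryptobyte|btcware)$", "BTCWare (free decryptor available)", None),
    (r"\.x0lzs3c$", "ShellShock (X0LZS3C variant)", None),
    (r"\.cloud$", "Clouded", None),
    (r"\.owned$", "Rans0mLocker", None),
    (r"\.htrs$", "NewHT", "readme.txt"),
    (r"\.(anon|haters|xncrypt)$", "Screenlocker junk (StupidDecryptor)", None),
]


def identify(encrypted_name, note_names=()):
    """Classify one encrypted filename.

    Returns (family, basis): basis says whether the match rests on the
    extension alone or was corroborated by a ransom note filename seen
    alongside the file (note_names). (None, "no match") if nothing matches."""
    notes = {n.lower() for n in note_names}
    for pattern, family, note in SIGNATURES:
        if not re.search(pattern, encrypted_name, re.IGNORECASE):
            continue
        if note is None:
            return family, "extension only"
        if note.lower() in notes:
            return family, "extension and ransom note"
        return family, "extension only; expected note %s not found" % note
    return None, "no match"


def triage(listing):
    """Summarise a directory listing (full paths or bare names) by family.

    Ransom note names present in the listing corroborate the extension-based
    matches, and the number of affected files per family is counted."""
    names = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in listing]
    summary = {}
    for name in names:
        family, basis = identify(name, names)
        if family is None:
            continue
        entry = summary.setdefault(family, {"files": 0, "basis": basis})
        entry["files"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample listing; the email and victim ID are placeholders.
    sample = [
        r"C:\Users\victim\Documents\q1.xlsx.[payment@example.invalid].ID0123456789ABCDEF.WALLET",
        r"C:\Users\victim\Documents\q2.xlsx.amnesia",
        r"C:\Users\victim\Documents\HOW TO RECOVER ENCRYPTED FILES.TXT",
    ]
    for family, info in triage(sample).items():
        print(family, info)
```

The ordering of the table is the whole point: a generic .WALLET hit is reported as ambiguous, while the CryptoMix layout of email, 16-character ID and .WALLET is matched first and attributed outright. Rows with a known note filename are reported as weaker when that note is absent, which is a useful hint that a sample may be a new variant rather than the one the table expects.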
MIKOYAN Ransomware Discovered
MalwareHunterTeam discovered a new in-development ransomware called MIKOYAN. It appends the .MIKOYAN extension to encrypted files. Uses an email address beginning with mikoyan (the rest of the address is not preserved on this page).
Extractor Ransomware Discovered
xXToffeeXx discovered a ransomware called Extractor that appends the .xxx extension to encrypted files and creates a ransom note named ReadMe_XXX.txt. Uses a payment email address that is not preserved on this page.
Ruby Ransomware Discovered
MalwareHunterTeam spotted a dev named Hayzam Sherif working on a Ruby ransomware. The ransomware will append the .ruby extension to encrypted files and create a ransom note on the desktop called rubyLeza.html.
Troldesh Channeling some James Bond With Its New Extension
Avast malware researcher Jakub Kroustek found a sample of Troldesh that uses the .crypted000007 extension for encrypted files.
New Maykolin Discovered
Malware researcher SecPanda discovered a new ransomware called Maykolin. This ransomware will append an extension of the form .[email address] (the address is not preserved on this page) to encrypted files and drop a ransom note that is also named after that email address. Its payment email address is likewise not preserved here.
New Amnesia Ransomware Discovered
xXToffeeXx discovered a new ransomware that appends the .amnesia extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT. Uses a payment email address that is not preserved on this page.
Sample of FileFrozr Ransomware Discovered
Jakub Kroustek discovered a sample of the new FileFrozr RaaS that uses the Windows Cipher.exe tool to wipe free space in order to make it harder to recover files. Drops a ransom note named READ_ME.txt.
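Wiping free space with the built-in cipher.exe (its /w: switch overwrites unallocated disk space) is a living-off-the-land step that is cheap to alert on, because admins rarely run it and almost never from a freshly launched document viewer. The script below is an added example, not code from the page or from any tool it mentions: it runs a small detection over constructed process-creation events in a simple key=value format that stands in for Sysmon-style telemetry. The field names, the parent-process whitelist and the sample lines are all assumptions made for the example.

```python
import re

# Constructed sample of process-creation events in a simple key=value form
# (stand-in for Sysmon Event ID 1 or similar telemetry); none are real logs.
SAMPLE_EVENTS = [
    r'ts=2017-05-01T10:12:03Z pid=412 parent=explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"',
    r'ts=2017-05-01T10:14:55Z pid=988 parent=invoice_viewer.exe image=C:\Windows\System32\cipher.exe cmd="cipher.exe /w:C:\Users\victim"',
    r'ts=2017-05-01T10:15:01Z pid=990 parent=cmd.exe image=C:\Windows\System32\cipher.exe cmd="cipher.exe /e C:\Users\admin\secret"',
    r'ts=2017-05-01T10:16:40Z pid=1002 parent=cmd.exe image=C:\Windows\System32\cipher.exe cmd="CIPHER  /W:D:\Data"',
]

# key=value pairs; values may be quoted so that command lines can contain spaces
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def is_free_space_wipe(event):
    """True when the process is cipher.exe invoked with /w:, the switch that
    overwrites free disk space and so defeats file-recovery tools."""
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("cmd", "")
    return image == "cipher.exe" and re.search(r"(^|\s)/w:", cmd, re.IGNORECASE) is not None


def flag_wipes(lines, interactive_parents=("cmd.exe", "powershell.exe")):
    """Return the events worth escalating: every cipher /w: invocation, with
    severity raised when the parent is not a shell an admin would type into
    (the assumed whitelist is a placeholder for a site-specific one)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_free_space_wipe(ev):
            continue
        ev["severity"] = "medium" if ev.get("parent", "").lower() in interactive_parents else "high"
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_wipes(SAMPLE_EVENTS):
        print(hit["severity"], hit["ts"], "pid", hit["pid"], "parent", hit["parent"], hit["cmd"])
```

Only the /w: form is flagged; cipher.exe with /e (EFS encryption of a folder) is normal administrative use and stays quiet, which keeps the rule's false-positive rate low enough to page on. The parent-process check is what separates a scripted cleanup from a wipe launched by whatever the user just opened.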
Remove Cry128 ransomware with Emsisoft’s free decrypter
Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for the most recent strain from the CryptON ransomware family, ‘Cry128’. Victims can now decrypt files for free!
CRYPTOBOSS Amnesia Variant
A member of the BleepingComputer forums posted about what appears to be another variant of the Amnesia ransomware discovered earlier this week. This one scrambles an encrypted file's name and then appends the .CRYPTBOSS extension.
May 2nd 2017
New GlobeImposter Variant Tells You to Stay Calm!
MalwareHunterTeam discovered a new variant of GlobeImposter that uses the extension .keepcalm.
New F*!kTheSystem Ransomware Variant
Karsten Hahn discovered a new ransomware that appends the .anon extension to encrypted files. You can use StupidDecryptor to decrypt files affected by this ransomware.
Russian vCrypt Ransomware Discovered
MalwareHunterTeam discovered the vCrypt ransomware that is targeting Russian victims. The ransomware appends the .vCrypt1 extension to encrypted files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.
PEC 2017 Ransomware Discovered
xXToffeeXx discovered the Italian PEC 2017 ransomware. PEC 2017 appends the .pec extension to encrypted files and creates a ransom note named AIUTO_COME_DECIFRARE_FILE.html.
Haters Ransomware Discovered
Malwarebytes malware researcher Marcelo Rivero discovered the Haters Ransomware. This ransomware will append the .haters extension to encrypted files. You can use StupidDecryptor to decrypt files affected by this ransomware.
Xncrypt Ransomware Discovered
Avast malware analyst Jaromir Horejsi discovered a new ransomware that appends the .xncrypt extension to encrypted files. You can unlock the screenlocker and decrypt the files by entering 20faf12b60854f462c8725b18614deac. You can use StupidDecryptor to decrypt files affected by this ransomware.
Spyware + Ransomware Combo Discovered
G Data malware researcher Karsten Hahn discovered that someone is developing malware that combines both spyware and ransomware in one package.
May 3rd 2017
Cerber Ransomware Version 6 Gets Anti-VM and Anti-Sandboxing Features
Researchers at Trend Micro and McAfee have spotted version 6 of the Cerber ransomware, and this new edition continues to add new features, heightening the overall complexity this ransomware family has been showing.
New Variant of BTCWare Discovered
Karsten Hahn discovered a new BTCWare variant that utilizes the .cryptowin extension.
Screenlocker in Development
Karsten Hahn discovered a new in-dev screenlocker. The unlock code is KUrdS12@!#.
New ShellShock Variant Called X0LZS3C
MalwareHunterTeam discovered a new ShellShock variant called X0LZS3C. This variant appends the .x0lzs3c extension to encrypted files.
BTCWare Decryptor Released
Michael Gillespie and Francesco Muroni joined forces to release a decryptor for BTCWare that supports the free decryption of files with the .cryptowin, .cryptobyte, and .btcware extensions.
Clouded Ransomware Discovered
BleepingComputer discovered a new ransomware called Clouded Ransomware. This ransomware appends the .cloud extension to encrypted files.
"BLANK SLATE" MALSPAM STARTS PUSHING GLOBEIMPOSTER RANSOMWARE VARIANT
Palo Alto Networks researcher Brad Duncan discovered a MALSPAM campaign that is pushing the GlobeImposter ransomware. The distributed variant appends the .crypt extension to encrypted files and drops a ransom note called How_to_back_files.html.
May 4th 2017
New Ransomware called Rans0mLocker
BleepingComputer discovered a new ransomware called Rans0mLocker. This ransomware appends the .owned extension to encrypted files. It communicates with its Command & Control server through a downloaded TOR client.
Anti-DDOS ScreenLocker/Ransomware Discovered
MalwareHunterTeam discovered another screenlocker/ransomware built from open source junk. You can use StupidDecryptor to decrypt files affected by this ransomware.
May 5th 2017
New Fatboy Ransomware-as-a-Service Advertised on Russian Hacking Forum
According to threat intelligence firm Recorded Future a new Ransomware-as-a-Service (RaaS) portal is being advertised on an underground hacking forum, primarily used by Russian-speaking criminals.
New Jigsaw Variant Masquerading as a Credit Card Generator
MalwareHunterTeam found a new variant of Jigsaw masquerading as a credit card generator. It appends the .fun extension and uses the following background.
NewHT Ransomware Discovered
A new ransomware was discovered by Karsten Hahn called NewHT. Could NewHT mean New HiddenTear? We will have to see. Regardless, the ransomware appends the .htrs extension to encrypted files and drops a ransom note named readme.txt. It has some rudimentary virtual machine detection.
New ZipLocker Variant Discovered
Karsten Hahn discovered a new variant of the ZipLocker ransomware. This ransomware will zip up the targeted files into a password-protected zip file named [original_file_name]+ locked.zip. It will also drop a ransom note named UnlockMe.txt. The current password for the zip file is Destroy.
News Courtesy : https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-5th-2017-wallet-globeimposter-and-cerber/