November 14, 2016

Another week of annoying little ransomware programs. There was really nothing significant released this week, which is good news for a change. Hopefully it will stay that way.

Contributors and those who provided new ransomware info this week include: @BleepinComputer, @JakubKroustek, @struppigel, @malwrhunterteam, @campuscodi, @siri_urz, @fwosar, @demonslay335, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @kaspersky, @PhishMe.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

November 5th 2016
New Clock.Win32.Ransomware Scareware Discovered
Avast malware analyst Jakub Kroustek discovered a fake ransomware, better described as scareware, called Clock.Win32.Ransomware. It does not encrypt anything.

November 7th 2016
Cerber 4.1.4 being Distributed. Uses 3 IP ranges for UDP Stats
Cerber 4.1.4 is currently being distributed using Word documents with malicious macros that download and install the ransomware. These Word docs are being sent as zipped email attachments in emails with subjects like RE : Invoice 257224.


NoobCrypt Discovered with an Evaluation-Copy Obfuscator
MalwareHunterTeam discovered a new version of NoobCrypt that was packed with an evaluation copy of a C# obfuscator. The trial limitation means the sample is unable to run after October 5th 2016. Another side effect is that the obfuscator mangled the file, so an unlock key is not necessary.

CerberTear Ransomware based off of Hidden Tear impersonates Cerber
GData malware analyst Karsten Hahn has discovered a new HiddenTear ransomware called CerberTear that impersonates Cerber.


New French Jigsaw Ransomware variant Discovered
Michael Gillespie discovered a new Jigsaw Ransomware variant that has a French ransom note. This variant appends the .encrypted extension to the files it encrypts. This ransomware can be decrypted.

November 8th 2016
FSociety Ransomware Discovered
Malwarebytes security researcher S!Ri discovered a ransomware called FSociety, which is based off the RemindMe ransomware. When infected, this ransomware will encrypt the victim's files, append the .dll extension to encrypted files, and create ransom notes named DECRYPT_YOUR_FILES.HTML.


Fake PaySafe Card Generator Silently Encrypts your Files
Avast malware analyst Jakub Kroustek discovered a program that pretends to be a PaySafe card generator, but is actually a ransomware that encrypts your files in the background. When it encrypts your files it will insert the string .cry_ before the extension. For example test.jpg would become test.cry_jpg. This ransomware is highly destructive as it will also encrypt executables.


AiraCrop Ransomware Discovered
A new ransomware called AiraCrop was discovered by xXToffeeXx that adds the ._AiraCropEncrypted extension to encrypted files and generates ransom notes named How to decrypt your files.txt.


iRansom being sold on the Darkweb
A new ransomware called iRansom is being actively sold on the darkweb. I was approached by this developer a few weeks ago to test out a new ransomware he was making. During emails back and forth he stated that it was just an experiment in coding and that he was not going to actively distribute it. I guess he lied.

When iRansom encrypts files it will append the .Locked extension to encrypted files and then prompt victims to send an email to the developer once a ransom payment has been made.
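As an added example, not part of the original write-up, the file-naming indicators from this week's entries (appended extensions, the .cry_ infix, ransom note names) collected into a small Python triage helper that reports which family a listing of file names points to. The family table and the sample listing are constructed from the descriptions above, and the double-extension check for .dll is my own assumption so that ordinary libraries are not flagged as FSociety victims.

```python
import re
from collections import Counter

# Indicator table assembled from this week's write-ups.
# Suffixes are appended to an encrypted file; notes are ransom note file names.
SUFFIX_RULES = {
    ".encrypted": "Jigsaw (French variant)",
    ".dll": "FSociety",
    "._AiraCropEncrypted": "AiraCrop",
    ".Locked": "iRansom",
}
NOTE_RULES = {
    "DECRYPT_YOUR_FILES.HTML": "FSociety",
    "How to decrypt your files.txt": "AiraCrop",
}
# The fake PaySafe generator inserts ".cry_" before the original extension
# (test.jpg -> test.cry_jpg), so it is an infix rather than a trailing suffix.
PAYSAFE_RE = re.compile(r"\.cry_[A-Za-z0-9]+$")
# Assumption: an appended suffix that collides with a legitimate extension is
# only trusted when the original extension is still present (double extension).
AMBIGUOUS_SUFFIXES = {".dll"}

def classify(name):
    """Return a list of (family, reason) indicators for one file name."""
    hits = []
    if name in NOTE_RULES:
        hits.append((NOTE_RULES[name], "ransom note"))
    for suffix, family in SUFFIX_RULES.items():
        if not name.endswith(suffix):
            continue
        stem = name[: -len(suffix)]
        if suffix in AMBIGUOUS_SUFFIXES and "." not in stem:
            continue  # plain kernel32.dll, not something.docx.dll
        hits.append((family, f"appended extension {suffix}"))
    if PAYSAFE_RE.search(name):
        hits.append(("Fake PaySafe card generator", "'.cry_' inserted before extension"))
    return hits

def triage(names):
    """Count indicator hits per family across a directory listing."""
    counts = Counter()
    for name in names:
        for family, _reason in classify(name):
            counts[family] += 1
    return counts

# Constructed sample listing, not taken from a real incident.
SAMPLE = ["budget.xlsx.dll", "kernel32.dll", "DECRYPT_YOUR_FILES.HTML",
          "holiday.cry_jpg", "notes.txt.Locked", "readme.txt"]

if __name__ == "__main__":
    for family, n in triage(SAMPLE).most_common():
        print(f"{family}: {n} indicator(s)")
```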


November 9th 2016
Heimdall Open-Source PHP Ransomware Targets Web Servers
A Brazilian developer named Lenon Leite has released proof-of-concept code for a ransomware family coded in PHP that will allow an attacker to encrypt the contents of web servers.

Telecrypt Ransomware Uses Telegram as C&C Server
Security researchers from Kaspersky Lab have come across a new ransomware variant that they named Telecrypt, which uses Telegram channels as C&C (command-and-control) servers.


Gingerbread Ransomware (?) Discovered
I was not sure what we are calling this one, so I decided on Gingerbread Ransomware. This ransomware was discovered by JAMESWT and does not appear to be active anymore, but it does have an interesting background.


November 10th 2016
Locky Spam Wave Poses as OPM Bank Fraud Alert
PhishMe wrote an article about how the operators of the Locky ransomware have been spotted using a cleverly designed spam lure to trick their victims into downloading their payload and running it on their computers.

