November 28, 2016

Lots of ransomware stories this week. We have two new decryptors, quite a few new ransomware infections, PadCrypt being hidden inside a fake credit card generator, and a few new variants. The biggest news is two new variants of the Locky ransomware that append the .zzzzz and .aesir extensions for encrypted files.

I would also like to take this time to tell anyone who thinks they are coming up with this grand idea of making an open source ransomware in order to improve ransomware that they STOP NOW! Releasing open source malware does not help anyone except the criminals who are going to use it to harm innocent victims.

And for those who don't want to listen to reason, maybe this will make you hesitate:
Please no more open source ransomware!

Contributors and those who provided new ransomware info this week include: @BleepinComputer, @dvk01uk, @Bry_Campbell, @hasherezade, @fwosar, @demonslay335, @JakubKroustek, @struppigel, @malwrhunterteam, @TalosSecurity, @DecrypterFixer, @campuscodi, @siri_urz, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @jiriatvirlab, @bartblaze, @peterkruse, @Seifreed, @nyxbone.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

November 19th 2016
PadCrypt 3.0 Ransomware hidden in fake Visa Credit Card generator
I discovered the PadCrypt 3.0 Ransomware disguised as a fake Visa credit card generator. When a user ran the program, it displayed the fake card generator while, in the background, extracting and executing PadCrypt on the computer.


November 21st 2016
Facebook Spam Campaign Spreading Nemucod Downloader and Locky Ransomware
An ongoing Facebook spam campaign was discovered by Bart Blaze and Peter Kruse that is spreading the Nemucod malware downloader among users, which in some cases was seen downloading the Locky ransomware at a later stage. The campaign takes the form of spam messages sent via Facebook's instant messaging system.


New Version of the Crypt888 Ransomware Released
Avast security researcher Jakub Kroustek discovered a new variant of the Crypt888 ransomware. You can use the Avast Decryption Tool to decrypt your files for free.

Locky Ransomware now using the Aesir Extension for Encrypted Files
Early this morning, security researcher Derek Knight discovered a new Locky campaign spewing out emails that pretend to be an ISP complaint stating that spam has been detected coming from the recipient's computer. After testing the installation of Locky from this new campaign, MalwareHunterTeam discovered that Locky had also changed the extension for encrypted files to .aesir. This new extension continues the Norse-mythology theme, the previous variant having used the .thor extension.


New ransomware called Vindows Locker Discovered
A new ransomware called Vindows Locker was discovered by Avast security researcher Jakub Kroustek. It appends the .vindows extension to encrypted files.


November 22nd 2016
Decryptor Available for Princess Locker Ransomware
Polish security researcher hasherezade has found a way to help victims of the Princess Locker ransomware by cracking the ransomware's encryption system and releasing a free decryptor.


November 23rd 2016
Telecrypt Ransomware Cracked, Free Decryptor Released by Malwarebytes
Nathan Scott, a malware analyst for Malwarebytes, was able to crack the encryption system used by the Telecrypt ransomware, discovered two weeks ago by researchers from Kaspersky Lab.

Could the Next Locky Spam Wave Switch to MHT Files?
The Cisco Talos Group says that the group behind the Locky ransomware may soon switch to MHT (MHTML) files as email attachments to deliver its malicious payload to victims' machines.


New Thanksgiving Ransomware Discovered
I discovered a new ransomware that appears to be currently in development and that contains a big picture of a turkey. One of its ransom notes contains a contact email address.


New Ransomware called OzozaLocker Discovered
MalwareHunterTeam discovered a new ransomware called OzozaLocker. This ransomware appends the .Locked extension to encrypted files and associates that extension with a VBS file, so that double-clicking an encrypted file runs the script, which displays a message box.

Fabian Wosar of Emsisoft has created a decryptor for this ransomware, which can be downloaded here.
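The file-association trick OzozaLocker uses is easy to check for on an affected machine. The following is an added example, not code from the original post or from any of the researchers named in it: it parses a .reg export of HKEY_CLASSES_ROOT and reports every extension whose open command runs the Windows Script Host (wscript/cscript) or a .vbs/.js file. The sample export embedded in the block is constructed for the example; the ProgID name Locked_File and the script path are placeholders, not values taken from the malware.

```python
"""Flag file-extension handlers that hand double-clicks to a script host.

Added example, not code from the original post: it parses a .reg export of
HKEY_CLASSES_ROOT and reports extensions whose open command runs
wscript/cscript or a .vbs/.js file, the kind of association OzozaLocker sets
for .Locked files. The sample export below is constructed; the ProgID and
script path are placeholders, not values taken from the malware.
"""
import re

# Constructed sample of a `reg export HKCR` file: one benign handler (.txt),
# one legitimate script-host handler (.js) and one hijacked extension modelled
# on the OzozaLocker behaviour described in the post (placeholder path).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.js]
@="JSFile"

[HKEY_CLASSES_ROOT\JSFile\shell\open\command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.Locked]
@="Locked_File"

[HKEY_CLASSES_ROOT\Locked_File\shell\open\command]
@="wscript.exe \"C:\\ProgramData\\ransom_note.vbs\" \"%1\""
'''

HIVE = "HKEY_CLASSES_ROOT"

# Launches of the Windows Script Host, or of a file it would interpret.
SCRIPT_HOST = re.compile(
    r"\b[wc]script(?:\.exe)?\b|\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE
)

# Extensions whose legitimate handler is the script host; flagging them
# would only produce noise.
NATIVE_SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only quoted string values are unescaped; hex(...) blobs are kept raw,
    which is enough for shell\\open\\command defaults.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
        keys[current][name] = data
    return keys


def suspicious_associations(keys, hive=HIVE):
    """Return (extension, progid, command) for extensions whose open command
    goes through the script host. Both the ProgID's command key and a command
    key placed directly under the extension are checked."""
    findings = []
    prefix = hive + "\\."
    for path, values in keys.items():
        ext = path[len(hive) + 1:]
        if not path.startswith(prefix) or "\\" in ext:
            continue  # not an extension key, or a subkey such as .txt\ShellNew
        if ext.lower() in NATIVE_SCRIPT_EXTS:
            continue
        progid = values.get("@", "")
        candidates = [
            f"{hive}\\{progid}\\shell\\open\\command" if progid else None,
            f"{path}\\shell\\open\\command",
        ]
        for cmd_key in filter(None, candidates):
            command = keys.get(cmd_key, {}).get("@", "")
            if SCRIPT_HOST.search(command):
                findings.append((ext, progid, command))
                break
    return findings


def scan(text=SAMPLE_REG):
    """Run the check over a .reg export; defaults to the constructed sample."""
    return suspicious_associations(parse_reg(text))


if __name__ == "__main__":
    for ext, progid, command in scan():
        print(f"{ext} -> {progid or '(no ProgID)'}: {command}")
```

On a live Windows host, `reg export HKCR hkcr.reg` writes the export as UTF-16LE, so read it with `open(path, encoding="utf-16")` before passing the text to `scan`. The check only looks at the default value of shell\open\command; handlers registered per user under HKCU\Software\Classes, or chosen through UserChoice, need the corresponding hive exported as well.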


November 24th 2016
Locky Ransomware putting us to sleep with the ZZZZZ Extension
On November 24th, MalwareHunterTeam spotted the new Locky extension being submitted to ID-Ransomware, and security researcher Derek Knight then discovered a new Locky campaign spewing out emails that pretend to be order receipts. After running the attached ZIP files, it was determined that Locky had switched to the .zzzzz extension. It should also be noted that the .aesir variant is still being distributed as well.


Cerber Ransomware 5.0 Released with a Few Changes
Cerber 5.0 has been spotted by security researcher Bryan Campbell being distributed via the RIG-V exploit kit. Exploit kits install the ransomware on a victim's computer without their knowledge when they browse to a compromised web site or are served a malicious advertisement. I am sure Cerber 5.0 is also being distributed via email campaigns, but at this time I do not have a sample of these emails.


New HiddenTear Ransomware with the Jigsaw Background
Karsten Hahn discovered a new HiddenTear based ransomware that utilizes the Jigsaw Ransomware background.


New Lomix Ransomware discovered that is based off of the open-source CryptoWire
Malwarebytes security researcher S!Ri discovered a new ransomware called Lomix that is based on the idiotic open-source ransomware called CryptoWire.


New ransomware discovered called CockBlocker.
Security researcher Jiri Kropac discovered an in-development ransomware known as RansomwareDisplay or Cockblocker.


November 25th 2016
Cerber Ransomware changes its ransom note to _README_.hta