October 21, 2016
Lots of smaller ransomware infections released with no big updates from the larger players. Of particular note is a new program by the Cisco Talos Group that prevents the Master Boot Record from being modified by ransomware.
Contributors and those who provided new ransomware info this week include: @malwrhunterteam, @TalosSecurity, @hasherezade, @Fortinet, @fwosar, @demonslay335, @PolarToffee, @BleepinComputer, @struppigel, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
October 15th 2016
Decryptor for the XPTLock5.0/DMALocker Variant Released
Malwarebytes analyst hasherezade released a decryptor for the latest DMALocker ransomware. This ransomware now uses the XPTLOCK5.0 marker in encrypted files. It is not currently known if it is a full rebranding of the ransomware.
New version of NoobCrypt Discovered
A new version of NoobCrypt was discovered by Emsisoft malware analyst PolarToffee being sold on underground criminal sites. The funny thing is that NoobCrypt was not the name the developer gave to their program; it was actually given by AVG researcher Jakub Kroustek. It seems the malware devs liked it enough to keep it and thank him in their lock screen.
New Support.Code Anubis Ransomware Discovered
October 17th 2016
New non-encrypting Screen Locker Ransomware Discovered
A new screen locker that does not encrypt your files was discovered by Malwrhunterteam. This screen locker is programmed in .NET and demands a 10 Euro Paysafecard to remove the locker. These types of infections are typically easy to remove, so no one should pay the ransom.
October 18th 2016
New Decryptor for the 7ev3n Ransomware Released
Malwarebytes analyst hasherezade released a new decryptor for the 7ev3n ransomware.
October 19th 2016
In-Development Ransomware Encrypts while Pretending to be a Click Me Game
Yesterday, GData malware analyst Karsten Hahn discovered an in-development ransomware disguised as a "click me" game. When executed, the ransomware launches a screen containing a Click Me button that the user chases around the screen with their mouse cursor while trying to click on it. In the background, though, the ransomware silently encrypts the data on the drive.
October 20th 2016
"JapanLocker": An Excavation to its Indonesian Roots
Fortinet has discovered a new open-source PHP ransom malware that has been targeting web sites using a simple encryption algorithm that is effective enough to really frighten web server owners. What is more interesting, however, is the information we have uncovered regarding the possible roots of the attacks/attackers.
Testing MBRFilter against Ransomware that Modifies the Master Boot Record
Cisco Talos has released a Windows disk filter driver called MBRFilter that listens for programs trying to modify the Master Boot Record and blocks them. This effectively blocks these types of ransomware from being installed and encrypting the MBR.
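As an added example (not part of this roundup and not code from the Talos project): a write-blocking driver like MBRFilter prevents modification, but a defender also wants to detect whether sector 0 has already been altered. The Python below parses a 512-byte MBR (boot code, partition table, 0x55AA signature) and compares it to a saved baseline; the sample sectors are constructed, and reading the live MBR from \\.\PhysicalDrive0 is an assumption that needs administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR: hash of boot code, non-empty partition entries, signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 means the slot is unused
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),  # bytes 0-439, excludes disk signature
        "partitions": parts,
    }

def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings; an empty list means sector 0 matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code padded to 440 bytes, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(440, b"\x00")
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"  # 4-byte disk signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE

def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Assumption: Windows raw device path; requires an elevated prompt. Not called by the sample below."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)

if __name__ == "__main__":
    baseline = build_sample_mbr(b"\xfa\x33\xc0")           # saved when the machine was known-good
    tampered = build_sample_mbr(b"TAMPERED")[:-2] + b"\x00\x00"  # boot code replaced, signature clobbered
    print(compare_to_baseline(baseline, baseline))         # []
    print(compare_to_baseline(tampered, baseline))         # two findings
```

Store the baseline hash and partition list off-host, since an MBR-overwriting ransomware that runs with admin rights can also rewrite a local baseline file.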