October 21, 2016

Lots of smaller ransomware infections released with no big updates from the larger players. Of particular note is a new program by the Cisco Talos Group that prevents the Master Boot Record from being modified by ransomware.

Contributors and those who provided new ransomware info this week include: @malwrhunterteam, @TalosSecurity, @hasherezade, @Fortinet, @fwosar, @demonslay335, @PolarToffee, @BleepinComputer, @struppigel, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

October 15th 2016

Decryptor for the XPTLock5.0/DMALocker Variant Released

Malwarebytes analyst hasherezade released a decryptor for the latest DMALocker ransomware. This ransomware now uses the XPTLOCK5.0 marker in encrypted files. It is not currently known if it is a full rebranding of the ransomware.

New version of NoobCrypt Discovered

A new version of NoobCrypt, being sold on underground criminal sites, was discovered by Emsisoft malware analyst PolarToffee. The funny thing is that NoobCrypt was not the name the developer gave to their program, but was actually given by AVG researcher Jakub Kroustek. It seems the malware devs liked it enough to keep it and thank him in their lock screen.

New Support.Code Anubis Ransomware Discovered

A new EDA2 ransomware was discovered by Michael Gillespie that encrypts data and appends the .coded extension to encrypted files. It will then create a ransom note called Decryption Instructions that tells the victim to email a contact address for payment instructions.


October 17th 2016

New non-encrypting Screen Locker Ransomware Discovered

A new screen locker that does not encrypt your files was discovered by Malwrhunterteam. This screen locker is programmed in .NET and demands a 10 Euro Paysafecard to remove the locker. These types of infections are typically easy to remove, so no one should pay the ransom.

October 18th 2016

New Decryptor for the 7ev3n Ransomware Released

Malwarebytes analyst hasherezade released a new decryptor for the 7ev3n ransomware.

October 19th 2016

In-Development Ransomware Encrypts while Pretending to be a Click Me Game

Yesterday, GData malware analyst Karsten Hahn discovered an in-development ransomware disguised as a click me game. When executed, the ransomware will launch a screen that contains a Click Me button that a user chases around the screen with their mouse cursor while trying to click on it. In the background, though, the ransomware will be silently encrypting the data on the drive.

October 20th 2016

"JapanLocker": An Excavation to its Indonesian Roots

Fortinet has discovered a new open-source PHP ransom malware that has been targeting web sites using a simple encryption algorithm that is effective enough to really frighten web server owners. What is more interesting, however, is the information we have uncovered regarding the possible roots of the attacks/attackers.


Testing MBRFilter against Ransomware that modify the Master Boot Record

Cisco Talos has released a Windows disk filter driver called MBRFilter that listens for programs trying to modify the Master Boot Record and blocks them. This effectively blocks these types of ransomware from being installed and encrypting the MBR.
