News

The Week in Ransomware - October 28 2016 - Locky, Angry Duck, and More!

OCTOBER 31, 2016

Lots and lots of little ransomware and in-dev variants released this week. Of particular note is the quick release of two Locky variants that used .sh*t and then a day later the .thor extension for encrypted files.

Contributors and those who provided new ransomware info this week include: @struppigel, @malwrhunterteam, @JakubKroustek, @fwosar, @demonslay335, @PolarToffee, @avast_antivirus, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @BleepinComputer. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

October 22nd 2016
Lock93 Ransomware Discovered
MalwareHunterTeam has discovered a new ransomware that appends the Lock93 extension to encrypted files.

CvY0cgAXgAA0vTw1

October 23rd 2016
Quack Quack! The Angry Duck Ransomware was Discovered
A new ransomware called Angry Duck was discovered Michael Gillespie by that demands 10BTC to get the decryption key. When it encrypts files it will append the .adk extension to encrypted files.

CvfTgv WcAA6IFY1

October 24th 2016
New variant of the n1n1n1 Ransomware
A new variant of the n1n1n1 ransomware was discovered by Michael Gillespie that uses a new filemarker of 999999. It also has a ransom note called decrypt explanations.html.

CvjOHc9XgAQ4wr81

Locky Ransomware's new .SHIT Extension shows that you can't Polish a Turd
To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous variants, this ransomware is installed using a DLL that is executed by Rundll32.exe. Once executed, it will encrypt targeted file types and append the .shit extension to the name of encrypted files.

encrypted files

New variant of the Bart Ransomware released that uses the .Perl Extension
A new variant of the Bart Ransomware was discovered by Avast security researcher Jakub Kroustek that uses the .perl extension for encrypted files.

CvjFOjAWEAAdOEC1

October 25th 2016
Locky Ransomware switches to THOR Extension after being a Bad Malware
New variants of Locky are being released at a rapid rate lately. Yesterday, we had a new variant that appends the .SH*T extension to encrypted files and today they switched to using the .THOR extension. Maybe Locky had its mouth washed out with soap for cursing? Regardless of the reasons for the switch, I am happy as I won't have posts with curse words all over the forums.

encrypted files 1

Hucky Ransomware: A Hungarian Locky Wannabe
Avast Threat Labs has discovered a new Hungarian ransomware sample that is imitating Locky. This ransomware is named Hucky, which is an abbreviation for Hungarian Locky, as they suspect that this ransomware originated from a Hungarian developer.

011                                                                                             Source: Avast

October 27th 2016
In-Dev Ransomware forces you do to Survey before unlocking Computer
As if surveys aren't already annoying, a new ransomware utilizes the FileIce survey platform to force you to do surveys before unlocking your computer. First discovered by GData security researcher Karsten Hahn, this ransomware is currently in development and is most likely not being actively distributed at this time.

survey screen

Epic Fail: Ransomware Keys go for Sale to Researcher who already has Them
It is not uncommon for malware developers to communicate with security researchers whether it be to taunt them or praise them. It is a lot less common, though, when a ransomware developer reaches out to a security researcher and tries to sell them the encryption keys for their ransomware.

CvvJynDW8AARfs61

New cuzimvirus Screenlocker Easily Defeated
A new screenlocker was discovered by GData security researcher Karsten Hahn that instructed victims to contact This email address is being protected from spambots. You need JavaScript enabled to view it. in order to get a code to unlock the computer. The program is not coded very well and can easily be defeated by entering Unlock in the first field and 16wsmc51Ktxcvl3 in the second field.

CvwZRKBWcAEHXsV1

CryptoWire ransomware Discovered
A new ransomware based on an open source "educational" CryptoWire ransomware was discovered by GData security researcher Karsten Hahn. It is unsure if this sample is being actively distributed or just a test/dev version as it appeared incomplete.

CvwqiJ WIAAtv651

Onyx Ransomware discovered with log based on Spirited Away Character
GData security researcher Karsten Hahn is on a role as he found another ransomware called Onyx. This ransomware uses the face of a spirit called No-Face from the Spirited Away anime movie. The text in the ransom note appears to be Georgian.

Cvwtd0ZWAAEyben1

IFN643 Ransomware Discovered
Karsten Hahn keeps em coming with another ransomware called IFN643. Appears to be a development version.

Cvw KGXWYAE7UuI1

Jack.Pot Ransomware Discovered
Guess who found another ransomware today? You guessed it! Karsten Hahn brings us the Jack.pot ransomware, which demands 3 bitcoins to get the decryption key. This ransomware does not make sense at all as their is no contact information and even though they request bitcoins, as Warren Mercer points out, they provided a Litecoin address. Go figure.

Cvx3SF W8AAsMge1

News Courtesy : http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/