After last week, it's a pleasure to have a slow week in ransomware. Nothing big was released this week other than Emsisoft's updated Cry9 decryptor and the new CryptoMix variant called Mole. Otherwise, this week has been full of in-development ransomware and smaller variants that will most likely never see any real distribution.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @jiriatvirlab, @JAMESWT_MHT, @Seifreed, @emsisoft, @malware_traffic, @ForcepointLabs.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
A new ransomware is in development that appends the .Kilit extension to encrypted files. This ransomware downloads its configuration from Blogspot.
Emsisoft's Fabian Wosar released a new version of his Cry9 Decryptor. This version is faster, supports more variants, and saves the key for later use.
A new Portuguese HiddenTear variant was discovered that includes a GUI. This variant appends the .locked extension to encrypted files.
ESET researcher Jiri Kropac discovered a new educational ransomware that encrypts your files, points you to a YouTube video to watch to learn about ransomware, and then decrypts your files.
A new ransomware called Mole was found by security researcher Brad Duncan and analyzed by BleepingComputer. This ransomware is a new CryptoMix variant that appends the .MOLE extension to encrypted files and drops a ransom note named INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT.
Malware researcher xXToffeeXx found a new Globe v3 variant that mimics Dharma and uses an extension .[firstname.lastname@example.org].wallet.
The authors of CradleCore, a.k.a. "Cradle Ransomware", have put the ransomware's source code up for sale on the Dark Web. The ransomware was first spotted by Michael Gillespie on March 31, 2017. Forcepoint recently published a report on its modus operandi.
The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.
MalwareHunter has come across a developer based in Thailand that's been messing around with a new ransomware, based on the Hidden Tear open-source kit. Currently, the unnamed ransomware drops ransom notes titled READ_IT_FOR_GET_YOUR_FILE.txt and uses random extensions for encrypted files.
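The ransom note names and file extensions reported above are the indicators a responder actually has to work with when triaging a hit. The script below, an added example and not code from BleepingComputer or any of the researchers named, turns this week's indicators into a small filename-based classifier and runs it over a constructed directory listing. The family labels, the Globe v3 regex (generalised from the single `.[email].wallet` sample on the page) and the sample paths are all assumptions made for the example.

```python
import ntpath
import re
from collections import Counter

# Ransom note filenames from this week's roundup (matched case-insensitively).
# Note names are the stronger indicator: the Thailand HiddenTear build uses
# random extensions, so its note is the only filename-level clue it leaves.
RANSOM_NOTES = {
    "instruction_for_helping_file_recovery.txt": "CryptoMix/Mole",
    "read_it_for_get_your_file.txt": "HiddenTear (Thailand developer)",
}

# Extensions appended to encrypted files, from the roundup. ".locked" is shared
# by many HiddenTear builds, so a hit narrows the search, it does not attribute.
EXTENSIONS = {
    ".mole": "CryptoMix/Mole",
    ".kilit": "Kilit (in development)",
    ".locked": "HiddenTear (Portuguese GUI variant)",
}

# Globe v3's Dharma lookalike extension: ".[<email>].wallet". The pattern is an
# assumption generalised from the one example on the page.
GLOBE_V3_RE = re.compile(r"\.\[[^\[\]\s]+@[^\[\]\s]+\]\.wallet$", re.IGNORECASE)


def classify_path(path):
    """Return the suspected family for one path, or None if nothing matches.

    Checks ransom note names first (exact, case-insensitive), then the Globe v3
    extension pattern, then the plain appended extensions. ntpath.basename is
    used so both Windows and POSIX separators are handled.
    """
    name = ntpath.basename(path)
    lowered = name.lower()
    if lowered in RANSOM_NOTES:
        return RANSOM_NOTES[lowered]
    if GLOBE_V3_RE.search(name):
        return "Globe v3 (Dharma lookalike)"
    for ext, family in EXTENSIONS.items():
        if lowered.endswith(ext):
            return family
    return None


def triage(paths):
    """Count matching paths per suspected family across a listing."""
    hits = Counter()
    for path in paths:
        family = classify_path(path)
        if family is not None:
            hits[family] += 1
    return hits


# Constructed sample listing; these paths are made up for the example.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.MOLE",
    r"C:\Users\alice\Documents\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT",
    "/home/bob/budget.xlsx.[firstname.lastname@example.org].wallet",
    "/home/bob/photos/holiday.jpg.locked",
    "/home/bob/photos/READ_IT_FOR_GET_YOUR_FILE.txt",
    "/home/bob/photos/notes.txt",
]

if __name__ == "__main__":
    for family, count in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{count:3d}  {family}")
```

In practice you would feed `triage()` the output of a file-system walk or an EDR file-event export rather than a hard-coded list. Treat the result as a pointer to which decryptor or write-up to check next (for example the updated Cry9 decryptor, or whether a Mole sample is really CryptoMix), not as attribution: extensions like `.locked` are reused across unrelated HiddenTear builds, and a family that randomises extensions will only ever show up through its ransom note.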