• Home
  • News
  • Security
  • The Week in Ransomware - April 14th 2017 - Mole, Cerber, and Crapware

The Week in Ransomware - April 14th 2017 - Mole, Cerber, and Crapware

  • April 14, 2017
  • 10:15 AM
  • 2

After last week, its a pleasure to have a slow week in ransomware. Nothing really big released this week other than Emsisoft releasing an updated Cry9 decryptor and the new CryptoMix variant called Mole. Otherwise, this week has been full of a lot of in development ransomware or smaller variants that most likely will never see any real distribution.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer@malwrhunterteam@PolarToffee@fwosar@struppigel@demonslay335,  @malwareforme@jorntvdw, @FourOctets@DanielGallagher , @campuscodi, @jiriatvirlab@JAMESWT_MHT, @Seifreed, @emsisoft@malware_traffic, @ForcepointLabs.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

April 8th 2017

New In-dev Ransomware uses the Kilit Extension

A new ransomware is in development that appends the .Kilit extension to encrypted files. This ransom will download its configuration from Blogspot.

April 9th 2017

Serpent Ransom is Still Active

​​Michael Gillespie found a new Serpent Ransomware variant submitted to ID-Ransomware. This variant uses the extension .serp and a ransom note named README_TO_RESTORE_FILES.txt.

April 10th 2017

Updated Cry9 Decryptor Released

Emsisoft's Fabian Wosar released a new version of his Cry9 Decryptor. This version is faster, supports more variants, and saves the key for later use.

April 11th 2017

Portugese HiddenTear Variant with a GUI Discovered

A new Portugese  HiddenTear variant was discovered that includes a GUI. This variant appends the .locked extension to encrypted files.

BTCWare using a new Contact Email

MalwareHunterTeam found a new sample of BTCWare that uses the email address lineasupport@protonmail.com.

New Eduware Discovered That Wants you to Watch a Video

ESET researcher Jiri Kropac discovered a new educational ransomware that encrypts your files, points you to a YouTube video to watch to learn about Ransomware, and then decrypts your files.


April 12th 2017

Mole Ransomware Distributed Through Fake online Word Docs

A new ransomware called Mole was found by security researcher Brad Duncan and analyzed by BleepingComputer. This ransomware is a new CryptoMix variant that appends the .MOLE extension to encrypted files and drops a ransom note named INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT.

New Ransomware In Development by Anthony

MalwareHunterTeam discovered a new HiddenTear ransomware is being developed by "Anthony". Adds .rekt to the encrypted file.

New French Jigsaw Ransomware Variant

MalwareHunterTeam found a new Jigsaw Ransomware variant with a French ransom note. This ransomware appends .crypte to the encrypted file.

El-Diablo Ransomware Being Developed

MalwareHunterTeam found a new in-development ransomware called El-Diablo being developed by someone named SteveJenner.

New Globe v3 Variant Mimics Dharma

Malware researcher xXToffeeXx found a new Globe v3 variant that mimics Dharma and uses an extension .[no.torp3da@protonmail.ch].wallet.

New Jigsaw variants Discovered 

​​Michael Gillespie discovered new variants of the Jigsaw ransomware that use different backgrounds and append the .lcked extension to encrypted files.

Ransomware Builder Found That Provides Open Source Crapware

MalwareHunterTeam discovered a new ransomware builder that generates source code for open source crapware.

April 13th, 2017

CradleCore: Ransomware Source Code for Sale

The authors of the CradleCore,  a.k.a. "Cradle Ransomware", have put up the ransomware's source code up for sale on the Dark Web. The ransomware was first spotted by Michael Gillespie on March 31, 2017. Forcepoint recently published a report on its modus operandi.

CradleCore source code on the Dark Web

April 14th 2017

Cerber Dominates Ransomware Landscape After Locky's Demise

The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.

Ransomware stats for Q1 2017

Thai developer working on new Hidden-Tear-based ransomware

MalwareHunter has come across a developer based in Thailand that's been messing around with a new ransomware, based on the Hidden Tear open-source kit. Currently, the unnamed ransomware drops ransom notes titled READ_IT_FOR_GET_YOUR_FILE.txt and uses random extensions for encrypted files.

Related Articles:

The Week in Ransomware - October 26th 2018 - Decryptors, RaaS, and More

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

Lawrence Abrams
Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.


Post a Comment Community Rules
You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Newsletter Sign Up

To receive periodic updates and news from BleepingComputer, please use the form below.

Latest Downloads


Remember Me
Sign in anonymously


Help us understand the problem. What is going on with this comment?

Learn more about what is not allowed to be posted.