It was a good week, as there was not a lot of ransomware news. Some more in-dev crap and nothing really new this week. The biggest news is that Cerber is now being distributed via malspam whose attached DOC files exploit CVE-2017-0199.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @malwrhunterteam, @demonslay335, @PolarToffee, @DanielGallagher, @campuscodi, @struppigel, @JAMESWT_MHT, @Seifreed, @matthew_d_green, @JakubKroustek, @jiriatvirlab, @malware_traffic, @bartblaze, @PaloAltoNtwks, and @kaspersky.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

April 22nd 2017

JeepersCrypt Ransomware Discovered

BleepingComputer discovered a Brazilian ransomware called JeepersCrypt. This ransomware appends the .jeepers extension to encrypted files. It can be decrypted if anyone becomes infected.

April 23rd 2017

ID-Ransomware Adds New Searching Capabilities

Michael Gillespie's ID-Ransomware now has the ability to search for email addresses, bitcoin addresses, and URLs in a ransom note.

AES-NI Sample Discovered

Emsisoft malware analyst xXToffeeXx discovered a sample of the AES-NI ransomware. The ransomware injects into svchost.exe, appends the .aes_ni_0day extension to encrypted files, and drops a ransom note named !!! READ THIS - IMPORTANT !!!.txt.

Ransomware, fala sério! (Ransomware, seriously!)

Security researcher Bart discovered a new CryptoWire variant dubbed Hopeless ransomware, named after the "Sem Solução" ("No Solution") text on the ransomware screen. When encrypting files, the ransomware appends the .encrypted extension. Bart goes on to say that the ransomware can be decrypted simply by using the password 123.

April 24th 2017

XPan, I am your father

Kaspersky discusses how they are able to decrypt Xpan versions with the .one extension appended to encrypted files.

Getrekt Jigsaw Variant Decrypted

A new variant of the Jigsaw Ransomware was discovered by Michael Gillespie that appends the .getrekt extension to encrypted files. It was quickly added to Michael's Jigsaw Decryptor.

PshCrypt Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called PshCrypt. This ransomware appends the .psh extension to encrypted files. Thankfully, it can be decrypted simply by entering HBGP into the serial code field.

FailedAccess Ransomware Decrypted

You have to love it when ransomware infections are decrypted before they are even released. Bonehead ransomware devs. This is the case with a new in-dev ransomware found by Michael Gillespie that appends the .FailedAccess extension to encrypted files. Currently it only encrypts files located in the C:\Users\houcemjouini\Desktop\projet sans fils\test folder. It can easily be decrypted using Michael's StupidDecryptor.

April 25th 2017

CTF Ransomware Discovered

MalwareHunterTeam discovered a new ransomware that appears to be part of a CTF challenge. If nothing else, it has a nice screenlocker background. The encryption key is generated from the MD5 hash of the computer's MAC address, so it is recoverable on the infected machine. It appends the .CTF extension to encrypted files.

New pyteHole Variant

MalwareHunterTeam discovered a new variant of the pyteHole ransomware that appends the .adr extension to encrypted files.

Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics

Palo Alto Networks' Unit 42 researcher Brad Duncan wrote an interesting article on the Mole Ransomware and malware distributors changing tactics:

On April 11th 2017, we saw a new malicious spam campaign using United States Postal Service (USPS)-themed emails with links that redirected to fake Microsoft Word online sites. These fake Word sites asked victims to install malware disguised as a Microsoft Office plugin.

This campaign introduced a new ransomware called Mole, because names for any encrypted files by this ransomware end with .MOLE. Mole appears to be part of the CryptoMix family of ransomware since it shares many characteristics with the Revenge and CryptoShield variants of CryptoMix.

The campaign quickly changed tactics and increased complexity.

April 26th 2017

Sample of the NM4 Ransomware Discovered

MalwareHunterTeam found a sample of NMoreira 4, otherwise known as NM4 Ransomware. This ransomware appends the .NM4 extension to encrypted files and drops a ransom note named Recovers your files.html.

April 27th 2017

Cerber Changes Ransom Note Names

MalwareHunterTeam noticed that Cerber changed their ransom note names to _!!!_README_!!!_%random%_.hta and _!!!_README_!!!_%random%_.txt. The current sample is distributed using CVE-2017-0199 to install Cerber.

In-Dev International Police Association Ransomware

MalwareHunterTeam found a sample of a new in-dev ransomware that will be titled International Police Association. This ransomware will zip up files into password-protected archives and then append the " .locked" extension. Note that the leading space is intentional. The password to the archives is currently ddd123456.

New Jigsaw Variant Released

Michael Gillespie found a new Jigsaw Ransomware variant that appends the .Contact_TarineOZA@Gmail.com extension to encrypted files. This variant can be decrypted with Jigsaw Decryptor.

Brad Duncan wrote an article about how Cerber is now being distributed via malspam whose attachments exploit CVE-2017-0199.

April 28th 2017

Mordor Ransomware Sample Discovered

MalwareHunterTeam found a sample of the Mordor Ransomware. The only interesting thing about it is that it is named Mordor. This is a HiddenTear variant that has been modified to be part of a RaaS. When encrypting a file it appends the .mordor extension and drops a ransom note named READ_ME.html.
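As an added example (not part of the original article, and not code from any of the researchers named above), the following Python scanner flags file names that carry the appended extensions and ransom note names reported in this week's digest. It handles the two awkward cases the entries mention: Cerber's %random% placeholder in its note names, which is turned into a regex wildcard, and the International Police Association " .locked" extension, whose leading space is matched literally. The file listing it scans is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Extensions reported in this week's digest, matched against the end of the
# file name. The leading space in " .locked" is deliberate (see the
# International Police Association entry): a plain ".locked" will not match.
KNOWN_EXTENSIONS = [
    ".jeepers", ".aes_ni_0day", ".encrypted", ".one", ".getrekt", ".psh",
    ".FailedAccess", ".CTF", ".adr", ".MOLE", ".NM4", " .locked",
    ".Contact_TarineOZA@Gmail.com", ".mordor",
]

# Ransom note names from the digest. "%random%" is Cerber's placeholder for
# a variable token and becomes a wildcard in the compiled pattern.
KNOWN_NOTES = [
    "!!! READ THIS - IMPORTANT !!!.txt",
    "Recovers your files.html",
    "_!!!_README_!!!_%random%_.hta",
    "_!!!_README_!!!_%random%_.txt",
    "READ_ME.html",
]


def note_pattern(template: str) -> "re.Pattern[str]":
    """Compile a note-name template into an anchored, case-insensitive regex.

    Every literal fragment is escaped; each %random% becomes '.+'.
    """
    fragments = [re.escape(part) for part in template.split("%random%")]
    return re.compile("^" + ".+".join(fragments) + "$", re.IGNORECASE)


NOTE_PATTERNS = [(template, note_pattern(template)) for template in KNOWN_NOTES]


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return ("note", template) or ("extension", ext) for a flagged path, else None.

    Note names are checked first so that a Cerber .txt/.hta note is reported
    as a note rather than as an unrelated extension hit.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    for template, pattern in NOTE_PATTERNS:
        if pattern.match(name):
            return ("note", template)
    lowered = name.lower()
    for ext in KNOWN_EXTENSIONS:
        if lowered.endswith(ext.lower()):
            return ("extension", ext)
    return None


def scan(listing: List[str]) -> List[Tuple[str, str, str]]:
    """Scan a list of paths and return (path, kind, indicator) for each hit."""
    hits = []
    for path in listing:
        result = classify(path)
        if result is not None:
            kind, indicator = result
            hits.append((path, kind, indicator))
    return hits


# Constructed sample listing for this example; these are not real file names.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.jeepers",
    r"C:\Users\alice\Documents\_!!!_README_!!!_7f3a9c_.hta",
    r"C:\Users\alice\Pictures\holiday.jpg .locked",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\READ_ME.html",
    r"C:\Users\alice\Desktop\photo.png.Contact_TarineOZA@Gmail.com",
]

if __name__ == "__main__":
    for path, kind, indicator in scan(SAMPLE_LISTING):
        print(f"{kind:9s} {indicator!r:40s} {path}")
```

Matching on an exact extension such as ".one" or ".encrypted" will produce hits on benign files that happen to end that way, so in practice a hit is a trigger for a closer look (the ransom note beside it, recent mass renames in the same folder) rather than a verdict on its own.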

That's it for this week! Hope everyone has a nice weekend!
