Not a lot out this week other than some new variants of CryptoMix, Crysis, and someone paying homage to security researcher Karsten Hahn.  Of particular interest is an Android application that allows anyone to generate a fully-working Android ransomware just by filling in a form and pushing a few buttons.

Contributors and those who provided new ransomware information and stories this week include: @FourOctets, @LawrenceAbrams, @PolarToffee, @malwrhunterteam, @malwareforme, @demonslay335, @campuscodi, @DanielGallagher, @BleepinComputer, @jorntvdw, @Seifreed, @fwosar, @struppigel, @ChristiaanBeek, @issp_info, @MalwareResearch, & @proofpoint.

August 21st 2017

Cyron Ransomware Discovered

GData malware researcher Karsten Hahn discovered the Cyron Ransomware. This ransomware appends the .CYRON extension to encrypted files.

Kappa Ransomware Discovered

Karsten Hahn discovered a new Oxar variant called Kappa. This ransomware appends the .OXR extension to encrypted files.

Trojan Dz Ransomware Discovered

Karsten Hahn discovered another ransomware called Trojan Dz that is a CyberSplitter variant. This ransomware will append the .Isis extension to encrypted files.

Another Oxar Variant Released

Karsten Hahn discovered another Oxar variant that utilizes animated text and appends the .OXR extension to encrypted files.

Fanboy sends a message to Karsten using HiddenTear Variant

Even ransomware devs know that Karsten is a ransomware hunting machine and wanted to say "Hello". MalwareHunterTeam & researcher Elise discovered this program, based off of HiddenTear, that shows his picture. It does not encrypt anything and was probably made by a fan :)

30% of Ransomware Detected by McAfee is HiddenTear

McAfee's Christiaan Beek tweeted that 30% of the ransomware McAfee detected in June was based off of HiddenTear. Hey, it was only "educational".

August 22nd 2017

Xolzsec Ransomware Released

Karsten Hahn discovered a ransomware written by self-proclaimed script kiddies that should really be considered trollware. It is based off of EDA2 and appends the .xolzsec extension to encrypted files.

New French HiddenTear Variant Discovered

MalwareHunterTeam discovered a French HiddenTear variant that has very detailed payment instructions. It appends the .locked extension and drops ransom notes named TUTORIEL.bmp and READ_IT_FOR UNLOCK.txt.

August 23rd 2017

Ukraine Fears Second Ransomware Outbreak as Another Accounting Firm Got Hacked

Ukrainian authorities and businesses are on alert after local security firm ISSP reported that another accounting software maker got hacked and its servers were being used to spread malware.

FlatChestWare Ransomware Discovered

Karsten Hahn discovered a new HiddenTear variant called FlatChestWare that appends the .flat extension to encrypted files. This ransomware is decryptable.

Another French HiddenTear Variant Discovered

Karsten Hahn discovered another French HiddenTear variant called VideoBelle that appends the .locked extension to encrypted files. This ransomware is decryptable.

Manual Encryption Tool for the Cryakl Ransomware Discovered

Karsten Hahn found the manual encryption tool for the Cryakl Ransomware.

August 24th 2017

In-Dev Cypher Ransomware Discovered

MalwareHunterTeam discovered a new in-development Python ransomware called Cypher. This ransomware appends the .enc extension to encrypted files.

In-Dev Wooly Ransomware Discovered

MalwareHunterTeam discovered a new in-development .NET ransomware that downloads and installs TOR. While currently in-development, it will append the .wooly extension to encrypted files.

August 25th 2017

New EMPTY CryptoMix Ransomware Variant Released

Yesterday, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .EMPTY extension to encrypted file names. Considering that the previous variant used the ERROR extension and this one uses EMPTY, it is clear that the developers are running out of ideas for extensions.

Chinese DIY App Allows Anyone to Create Android Ransomware

Symantec Android malware researcher Dinesh Venkatesan discovered that Chinese malware developers have created a specialized Android application that allows anyone to generate a fully-working Android ransomware just by filling in a form and pushing a few buttons.

PA-SIEM Ransomware Discovered

MalwareHunterTeam found a new in-development ransomware called PA-SIEM. This ransomware appends the .PA-SIEM extension to encrypted files.

New Arena Crysis Ransomware Variant Released

Yesterday, ID-Ransomware's Michael Gillespie discovered a new variant of the Crysis/Dharma ransomware that is appending the .arena extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware.

Defray - New Ransomware Targeting Education and Healthcare Verticals

Proofpoint discovered a new ransomware called Defray that is targeting healthcare, education, manufacturing, and technology verticals.

Proofpoint threat researchers recently analyzed Defray Ransomware, a previously undocumented ransomware strain. So far in August, we have observed only two small and selectively targeted attacks distributing this ransomware. One was primarily aimed at Healthcare and Education verticals; another targeted Manufacturing and Technology verticals. We selected the name “Defray” based on the command and control (C&C) server hostname from the first observed attack.

That's it for this week! Hope everyone has a nice weekend!
