This week's article is going out a bit early due to time constraints. Anything released later will be added to next week's article.

This week we have 1 new ransomware variant, 3 new ransomware infections, and 1 new distribution campaign. The big news is that the Cerber Ransomware released a new version with some significant updates.

Contributors and those who provided new ransomware info this week include: @malwrhunterteam, @Malwarebytes, @fwosar, @fuzzerDOTcn, @DanielGallagher, @nyxbone, @demonslay335, @PolarToffee, @JAMESWT_MHT, @BleepinComputer, @JakubKroustek, @Seifreed, and @TrendMicro. If you are interested in ransomware, I suggest you follow all of them on Twitter.

July 31st 2016

Razy Ransomware discovered that offers no hope of Decryption

The Razy Ransomware was discovered by Jakub Kroustek and encrypts your data with AES encryption. Once a file is encrypted it will append the .razy extension to the encrypted filename. This ransomware targets all files, regardless of extension, in the victim's Desktop, Documents, Videos, Pictures, and Music folders.

Unfortunately, this ransomware does not save the decryption key anywhere, so there is no way for a victim to decrypt the files once they are encrypted. A Twitter account states that its owner created this ransomware for educational purposes and has no idea how it has been distributed.

August 1st 2016

Zepto Ransomware Locky Variant being distributed via WSF Attachments

Over the past week or so, a new distribution campaign for the Locky variant dubbed the Zepto Ransomware has been underway. Previously, the Zepto Ransomware installer was distributed as zipped JS files. Now the installers are being sent as zipped WSF files in emails that pretend to be banking reports, invoices, or shipping information.

Email containing a Zepto Installer
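One way a mail gateway could act on the campaign described above, flagging zip attachments that carry the JS or WSF installer files, as an added example that is not from the original article. The extension list comes from the article; the nested-zip handling, the depth limit and the sample attachment are assumptions constructed here.

```python
import io
import zipfile

# Attachment types the article names as Zepto installer carriers:
# first zipped JS files, now zipped WSF files.
SCRIPT_EXTENSIONS = (".js", ".wsf")
MAX_NESTING = 3  # assumption: how many zip-in-zip levels to open


def find_script_members(zip_bytes, depth=0):
    """Return paths of script-type members inside a zip attachment.

    Nested zips are opened in memory so a WSF placed inside a zip that is
    itself inside the attachment is still reported, as outer/inner/member.
    A corrupt or non-zip payload yields an empty list rather than an error.
    """
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                found.append(info.filename)
            elif lower.endswith(".zip") and depth < MAX_NESTING:
                for inner in find_script_members(archive.read(info), depth + 1):
                    found.append(info.filename + "/" + inner)
    return found


def should_quarantine(zip_bytes):
    """Gateway decision: hold any zip attachment that carries a JS or WSF file."""
    return bool(find_script_members(zip_bytes))


def build_sample_attachment():
    """Construct a harmless sample (not a real lure) shaped like the campaign:
    an 'invoice' WSF nested one zip level deep, beside an innocent text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice_0801.wsf", "<job><!-- placeholder, no script --></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("shipping_report.zip", inner.getvalue())
        zf.writestr("readme.txt", "plain text, not flagged")
    return outer.getvalue()
```

Running `find_script_members(build_sample_attachment())` reports the nested WSF as `shipping_report.zip/invoice_0801.wsf`, which is what a quarantine rule would key on.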

August 3rd 2016

New educational ShinoLocker Ransomware Project Released

The road to Hell is paved with good intentions when security researchers release "educational" ransomware. We saw this when Utku Sen released the hidden-tear and EDA2 ransomware source code on GitHub, which led to a sudden onslaught of script kiddies using it to make ransomware. Now we may see it again with a new educational ransomware called ShinoLocker, developed by security researcher Shota Shinogi as a means for people to test their security performance and utilities.

50% of U.S. Orgs Targeted by Ransomware in Past Year, Reveals Survey

50 percent of organizations based in the United States have been targeted by ransomware attacks over the past 12 months. That's just one of the major findings of Understanding the Depth of the Ransomware Problem in the United States, a report commissioned by security firm Malwarebytes and conducted by Osterman Research.

August 4th 2016

Cerber Ransomware version 2 Released, Uses .Cerber2 Extension

A new variant of the Cerber Ransomware was discovered by panicall, a security researcher for Trend Micro, that has some significant changes in how it was programmed. According to panicall, Cerber Ransomware version 2 contains numerous internal changes as well as changes that will be apparent to the victim.

New Venus Locker Ransomware Discovered

A new ransomware called Venus Locker, which is an EDA2 variant, was discovered by Michael Gillespie. According to Michael, this ransomware will encrypt files with AES-256 and append ".Venusf" to filenames. The AES key is generated with a cryptographically strong random generator and encrypted with an embedded RSA-2048 public key before being sent to the criminal's server.

More analysis of the Venus Locker Ransomware can also be found in this article by Mosh.


That's it for this week! Hope everyone has a ransomware-free weekend.
