It has been a busy ransomware week with lots of small and some bigger variants released. This week we had a new CryptoMix, a new BTCWare, and a few new malspam campaigns for GlobeImposter and Sigma. Even better, we had a few new and updated decryptors released so that people can recover their files for free.

Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @hexwaxwing, @BleepinComputer, @fwosar, @struppigel, @LawrenceAbrams, @DanielGallagher, @demonslay335, @malwareforme, @campuscodi, @FourOctets, @malwrhunterteam, @jorntvdw, @PolarToffee, @emsisoft, @leotpsc@zscaler, @GrujaRS, @dvk01uk, @Farenain

November 25th 2017

ExoBuilder Ransomware Builder Discovered

Leo discovered a ransomware builder called ExoBuilder. According to Karsten Hahn it appends the .exo extension to encrypted files and has a ransom note of UnlockYourFiles.txt.

November 27th 2017

StorageCrypt Ransomware Targeting NAS Devices

A new ransomware being dubbed StorageCrypt is targeting WD MyCloud NAS devices as reporting in a topic at When encrypted, files will have the extension .locked and a ransom note will be dropped named _READ_ME_FOR_DECRYPT.txt.

New Samas/SamSam Variant

Michael Gillespie discovered a new Samas/SamSam variant submitted to ID-R that appends the .areyoulovemyrans extension to encrypted files.

New Variant of the Magniber Ransomware found

Michael Gillespie found another variant of the Magniber Ransomware that appends the .vpgvlkb extension and drops a ransom note named read me for decrypt.txt.

Unknown French Ransomware discovered

Michael Gillespie initiated a ransomware hunt for a ransomware that appends the .locked extension to encrypted files and drops a ransom note named READ_ME_FOR_ALL_YOUR_FILES.txt.

November 28th 2017

HC6 Ransomware Decryptor Released

Michael Gillespie released a decryptor for the hc6 ransomware. 

New Crypton variant masquerades as a Keygen

MalwareHunterTeam discovered a new variant of Crypton that is masquerading as a keygen for EaseUS Data Recovery.  This ransomware appends the .encrptd extension to encrypted files. A decryptor for this ransomware was created by Fare9.

Crypt12 Decryptor Updated

Michael Gillespie discovered a new variant of the Crypt12 ransomware and updated his decryptor to handle it.

Ransomware hunt for MaxiCrypt

Michael Gillespie initiated a ransomware hunt for the MaxiCrypt ransomware. This ransomwar appends the extension .[].maxicrypt and drops a ransom note named How to restore your data.TXT.

November 29th 2017

WannaPeace Ransomware Discovered

MalwareHunterTeam discovered a new in-development Brazilian ransomware called WannaPeace that replaces the extension with _enc+extension. So test.jpg would be renamed as test_encjpg. Currently only encrypts the c:\testes folder.

New variant of the Crypt888 Ransomware Released

GrujaRS discovered a new variant of the Crypt888 Ransomware that uses the email address

November 30th 2017

Hunt Initiated for Ransomware that Appends .GOTYA

Michael Gillespie is looking for a sample of the hc7 Ransomware that may be appending the .GOTYA extension to encrypted files.

Ongoing ACCDFISA campaign targeting Brazil

Based on data from ID-Ransomware, MalwareHunterTeam has noticed that there is an ongoing ACCDFISA campaign targeting Brazilian victims. 

A Real Dangerous Not-Ransomware

MalwareHunterTeam discovered a new ransomware that had a filename of REAL DANGEROUS RANSOMWARE.exe. Thankfully, it does not encrypt and simply is a basic screenlocker.

Necurs botnet malspamming globeimposter ransomware via fake invoices

Derek of MyOnlineSecurity discovered that Necurs started a malspam campaign that was distributing the GlobeImposter Ransomware.

December 1st 2017

Test Cryptomix Ransomware Variant Released

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware was discovered today that appends the .TEST extension to encrypted files and changes the contact emails used by the ransomware.  

Halloware Ransomware on Sale on the Dark Web for Only $40

Catalin Cimpanu discovered that a malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.

New Shadow BTCware Ransomware Variant Released

A new variant of the BTCWare ransomware was discovered by Michael Gillespie, that appends the .[email]-id-id.shadow extension to encrypted files. The BTCWare family of ransomware infections targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.

New Globe2 Variant Discovered

Michael Gillespie discovered a new variant of the Globe 2 ransomware that utilizes the .abc extension for encrypted files. This should not be confused with the TeslaCrypt variant, which is decryptable. The good news, is that variant is decryptable as well with Emsisoft's decryptor

ClicoCrypter Ransomware Test Program

Karsten Hahn found a sample of the ClicoCrypter, which according to this site is a ransomware that was developed to test products from CheckPoint Software.

New Magniber Ransomware Variant

Michael Gillespie discovered a new variant of the Magniber Ransomware on ID Ransomware. This variant appends the .dlenggrl extension to encrypted files.

A look at two ransomware strains using open source code

Zscaler wrote an article about the analysis of two .NET based ransomware strains using open source code repository


That's it for this week! Hope everyone has a nice weekend!


Related Articles:

Free Decrypter Available for the Latest GandCrab Ransomware Versions

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Chinese Police Arrest Dev Behind UNNAMED1989 WeChat Ransomware

Company Pretends to Decrypt Ransomware But Just Pays Ransom