Lots of small ransomware infections / screenlockers this week, but no major infections were discovered. Thankfully, security researchers were able to create a bunch of decryptors and make them available for victims to recover their files. Of particular note was the San Francisco MTA getting hit hard by the HDDCryptor ransomware, which caused them to provide rail service for free for a day or so.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @demonslay335, @JakubKroustek, @struppigel, @malwrhunterteam, @campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @jiriatvirlab, @Seifreed, @nyxbone, @avast_antivirus, @malwarebread, @TheWack0lian, @hasherezade, @Malwarebytes, and @rommeljoven17.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

November 26th 2016

Your computer is locked screenlocker discovered

Security researcher Jiri Kropac discovered a new screenlocker that states that the computer is locked because viruses have been detected. Victims can use the password 01548764GHEZG784 to unlock the screen. A removal guide can be found here: Your computer is locked Screenlocker Removal Guide.

Brazilian Ransomware called Crypter Discovered

Security researcher Jiri Kropac discovered a new ransomware called Crypter that targets Brazilian victims. This ransomware does not actually encrypt the files, but simply renames them.

Your Windows Hasbeen Banned screenlocker discovered

I discovered a new screenlocker from the same family as the one discovered by Jiri Kropac called Your Windows Hasbeen Banned. The code to unlock the screen is 123456. A removal guide can be found here: Your Windows Hasbeen Banned Screenlocker Removal Guide.

November 28th 2016

The Kangaroo Ransomware not only Encrypts your Data but tries to Lock you out of Windows

The Kangaroo ransomware is the latest ransomware from the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda. What makes this version stand out a bit more is the use of a legal notice as a ransom note that is displayed to all victims before they log in to their computer. This means a victim has to view the ransom note before they are able to log in to Windows.

VindowsLocker Ransomware Mimics Tech Support Scam, Not the Other Way Around

Malwarebytes and independent security researcher @TheWack0lian have released free decryptors for a new ransomware variant that appeared last week, which mimics a tech support scam and employs the Pastebin API to save decryption keys. Turns out that this ransomware was actually created by 

Ransomware Hits San Francisco Public Transit System, Asks for $73,000

Ransomware known as HDDCryptor (or Mamba) has infected 2,112 computers belonging to the San Francisco Municipal Railway system (nicknamed Muni). The infection took place over the weekend and Muni officials had to allow locals to ride the railway system for free after they couldn't issue tickets.

New PowerShell based Ransomware Discovered

Security researcher Jiri Kropac discovered a new PowerShell based ransomware.

New HTCryptor Ransomware Discovered

I discovered a new in-development ransomware based on Hidden-Tear called HTCryptor. This ransomware includes a feature to disable the victim's Windows Firewall.

November 29th 2016

San Francisco SFMTA Denies That Hacker Stole 30GB of Data from Its Servers

The San Francisco Municipal Transportation Agency (SFMTA, also nicknamed Muni) has published a statement denying rumors that the hacker who infected their systems with ransomware might have stolen data from its servers.

Fabian Wosar releases decryptor for the NMoreira/XPan Ransomware

Emsisoft security researcher Fabian Wosar released a decryptor for the NMoreira/XPan ransomware that uses AiraCrop and Maktub extensions. The decryptor can be downloaded here.

Carleton University dealing with a Ransomware Outbreak asking for 39 Bitcoins

Large ransomware outbreaks seem to be a theme this week with first the San Francisco MTA getting hit by HDDCryptor and now Carleton University in Canada being affected by an unknown ransomware. Starting this morning at 8:51am EST, Carleton's Computing and Communications Services department started tweeting updates about networking and computer issues that were impacting the services at the college.

November 30th 2016

Fake Electrum Coin Adder also gives you the Jigsaw Ransomware

MalwareHunterTeam discovered a fake Electrum Coin Adder that silently installs the Jigsaw Ransomware in the background.

The Zeta Ransomware switches to the .rmd extension

Avast security researcher Jakub Kroustek discovered a new variant of the Zeta ransomware that now uses the .rmd extension for encrypted files.

New version of TorrentLocker Released

Security researcher xXToffeeXx discovered a new version of TorrentLocker/Crypt0l0cker that uses a random six-character lowercase alphabetic extension for encrypted files and a ransom note named HOW_TO_RESTORE_FILES.txt/html.

New version of PrincessLocker Discovered

Security researcher xXToffeeXx discovered a new version of PrincessLocker that uses ransom notes named !_HOW_TO_RESTORE_*id*.txt and a .*id* extension, where id is 4-6 characters drawn from a-z (lowercase) and 0-9.

December 1st 2016

The Matrix Ransomware uses GnuPG to encrypt a victim's data

Rommel Joven discovered a new ransomware called Matrix that utilizes GnuPG to encrypt a victim's data.

Avast Releases Four Free Ransomware Decryptors

Avast released decryptors for the Alcatraz Locker, CrySiS, Globe, and NoobCrypt ransomware infections.

December 2nd 2016

Alpha Locker Ransomware being sold on Underground Criminal Forums

Malware Bread discovered a new ransomware called Alpha Locker being sold for $65 on underground criminal and hacking forums.

NMoreira/XPan developer sends Security Researcher a message

After Emsisoft security researcher Fabian Wosar created a decryptor for their ransomware, the developer of NMoreira/XPan sent him a message in a newer variant.

New In-development Phoenix Ransomware

A new Hidden-Tear ransomware is in development called Phoenix Ransomware. It currently only targets the Important folder on the logged-in user's desktop. When it encrypts files it appends the .R.i.P extension and creates a ransom note called Important!.txt.
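Several of the items above (TorrentLocker, PrincessLocker, the Zeta .rmd variant and Phoenix) are described only by how they rename files and what they call their ransom note, which is exactly what an incident responder has to work from when looking at a file share. The script below is an added example, not code from the post or from any of the researchers named in it: it turns those naming patterns into regex rules and triages a directory listing with them. The rule structure, the confidence thresholds, the sample filenames and the triage() helper are all my own assumptions; only the note names and extension shapes come from the post.

```python
import re
from typing import Dict, List, Optional, Pattern

# Indicator rules built only from the naming patterns the post describes.
# Appended extensions are matched only after an existing extension
# ("report.docx.abcdef"), which keeps ordinary files whose real extension
# happens to be 4-6 lowercase characters (.html, .docx) from matching.
RULES: Dict[str, Dict[str, Optional[Pattern[str]]]] = {
    "TorrentLocker/Crypt0l0cker": {
        "note": re.compile(r"^HOW_TO_RESTORE_FILES\.(?:txt|html)$"),
        "ext": re.compile(r"\.[A-Za-z0-9]{1,5}\.[a-z]{6}$"),
    },
    "PrincessLocker": {
        # group 1 is the per-victim id; the same id is used as the extension
        "note": re.compile(r"^!_HOW_TO_RESTORE_([a-z0-9]{4,6})\.txt$"),
        "ext": re.compile(r"\.[A-Za-z0-9]{1,5}\.[a-z0-9]{4,6}$"),
    },
    "Zeta": {
        "note": None,  # the post names no ransom note for the .rmd variant
        "ext": re.compile(r"\.rmd$"),  # collides with R Markdown sources
    },
    "Phoenix": {
        "note": re.compile(r"^Important!\.txt$"),
        "ext": re.compile(r"\.R\.i\.P$"),
    },
}


def triage(filenames: List[str]) -> Dict[str, dict]:
    """Return, per family, the ransom notes and renamed files seen in one
    directory listing, with a confidence that reflects how well the
    indicators corroborate each other (hypothetical scoring)."""
    findings: Dict[str, dict] = {}
    for family, rule in RULES.items():
        note_re, ext_re = rule["note"], rule["ext"]
        notes = [f for f in filenames if note_re and note_re.match(f)]
        renamed = [f for f in filenames if ext_re.search(f)]
        victim_id = None
        if notes and note_re.groups:
            # PrincessLocker: the id in the note must match the extension,
            # otherwise note and renamed files belong to different runs.
            victim_id = note_re.match(notes[0]).group(1)
            renamed = [f for f in renamed if f.endswith("." + victim_id)]
        if not notes and not renamed:
            continue
        if notes and (victim_id is None or renamed):
            confidence = "high"    # ransom note present (and id-consistent)
        elif len(renamed) >= 3:
            confidence = "medium"  # several renamed files, no note yet
        else:
            confidence = "low"     # a lone extension match; may be benign
        findings[family] = {
            "confidence": confidence,
            "notes": notes,
            "renamed": renamed,
            "id": victim_id,
        }
    return findings


# Constructed sample listing (not real telemetry) mixing PrincessLocker
# indicators with an unrelated R Markdown file that trips the Zeta rule.
SAMPLE_LISTING = [
    "budget.xlsx.qkd8z",
    "photo.jpg.qkd8z",
    "notes.txt.qkd8z",
    "!_HOW_TO_RESTORE_qkd8z.txt",
    "analysis.rmd",
    "thesis.docx",
]

if __name__ == "__main__":
    for family, hit in triage(SAMPLE_LISTING).items():
        print(f"{family}: {hit['confidence']} "
              f"(notes={hit['notes']}, renamed={len(hit['renamed'])})")
```

Two things the sample is meant to show: a six-character lowercase extension satisfies both the TorrentLocker and the PrincessLocker rule, so the ransom note (and, for PrincessLocker, the id it carries) is what separates the two; and the Zeta .rmd extension alone is a weak indicator because legitimate R Markdown files use it, which is why an extension-only hit is scored low until other evidence appears.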