2016 is almost over and it has been a crazy year in ransomware. Thankfully, the last week of the year has been slow with even the criminals taking time off for the holidays. There wasn't any big news released this week, but of particular note are the released decryptors, an LG TV being infected with ransomware, and MalwareTech's article on why open source ransomware doesn't help anyone.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @demonslay335, @struppigel, @malwrhunterteam, @campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @MalwareTechBlog, @CyberX_Labs, and @JakubKroustek.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

Hope everyone has a safe and happy New Year!

December 24th 2016

Decryption released for .Crypt and HOW_OPEN_FILES.hta Globe Imposter

Fabian Wosar of Emsisoft has released a decryptor for the Globe Imposter that uses the .Crypt extension for encrypted files and a ransom note named HOW_OPEN_FILES.hta. The decryptor can be downloaded here.

New DeriaLock Ransomware Active on Christmas, Includes An 'Unlock All' Command

On Christmas Eve, G Data malware analyst Karsten Hahn came across a new ransomware family named DeriaLock, which locks your screen and requests a payment of $30.

New variant of Cerber released with Minor Changes

MalwareHunterTeam has discovered a new variant of the Cerber ransomware that has some minor changes. This version now uses the 1.22.15.0/27, 2.23.16.0, and 91.239.24.0/23 IP ranges for UDP statistics. It also changed the ransom note filename to _{RAND}_README.hta and _{RAND}_README.jpg.

December 25th 2016

New BadEncriptor Ransomware Discovered

Michael Gillespie discovered a new ransomware called BadEncript that appends the .bript extension to encrypted files and creates a ransom note named More.html.

Jigsaw Ransomware updated to use the Hush Extension

Avast researcher Jakub Kroustek discovered a new variant of the Jigsaw Ransomware that appends the .hush extension to encrypted files.

Decryptor for the NMoreira Ransomware Released

Fabian Wosar of Emsisoft updated his decryptor for the NMoreira ransomware so that it can decrypt the .maktub variant. The decryptor can be downloaded here.

December 27th 2016

ODCODC Ransomware Is Back

xXToffeeXx found a new sample of the ODCODC ransomware from the 17th. This ransomware has not been seen in a while, so it comes as a surprise to see a new variant floating around. This version uses a ransom note titled HOW_TO_RESTORE_FILES.txt and renames files to C-email-[email_address]-[original_filename].odcodc.

December 28th 2016

Android Ransomware Infects LG Smart TV

Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such as smart TVs.

The latest incident involving ransomware on a smart TV involves software engineer Darren Cauthon, who revealed that the LG smart TV of one of his family members was infected with ransomware right on Christmas day.

New Ransomware that appends -opentoyou@india.com to encrypted Files

MalwareHunterTeam found a new ransomware that appends the -opentoyou@india.com extension to encrypted files. It also drops a ransom note called !!!.txt.

December 29th 2016

KillDisk Disk-Wiping Malware Adds Ransomware Component

According to CyberX, the KillDisk malware family previously used to sabotage computers by deleting and rewriting files has added a ransomware component, now encrypting files and demanding a huge ransom.

It's Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software

Security researcher MalwareHunterTeam has been finding ransomware being installed via fake installers for the ESET anti-virus program or a crack for AVG.

Dharma Ransomware switches to HTA Ransom Notes

xXToffeeXx found a new variant of the Dharma Ransomware that switched to using the Info.hta ransom note.

December 30th 2016

New Samas variant using the .Whereisyourfiles Extension

Michael Gillespie discovered a new Samas/SamSam variant whose ransom note was uploaded to ID-Ransomware. This variant adds the .Whereisyourfiles extension to encrypted files and drops the WHERE-YOUR-FILES.html ransom note.

Why Open Source Ransomware is Such a Problem

MalwareTech created a great blog post about the idiocy behind open source ransomware. His article illustrates how open source ransomware provides absolutely no benefit to the advancement of computer security and only provides a platform that criminals can easily adopt to attack people.
