A bunch of small ransomware variants were released, but we did have a new release of the Locky Osiris variant and Popcorn Time, which takes scumbaggery to a new level. To me the most interesting story is Popcorn Time as they offer victims the ability to get a free decryption key if they can get two other people infected and have them pay the ransom.  

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer@fwosar, @demonslay335, @JakubKroustek, @struppigel, @malwrhunterteam, @campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @jiriatvirlab, @Seifreed, @nyxbone, @drProct0r@GarWarner, and @hasherezade.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

December 3rd 2016

PadCrypt 3.1.2 Released

MalwareHunterTeam discovered that PadCrypt has been upgraded to version 3.1.2. No significant changes were made.

December 4th 2016

Ransomware Author "Pornopoker" Arrested in Russia

Russian authorities have arrested a man suspected of writing and distributing ransomware. The suspect, whose name hasn't been released yet, goes by the nickname of Pornopoker.

Emsisoft released a decryptor for the latest Nemucod variant

Fabian Wosar of Emsisoft has released a decryptor for the latest Nemucod campaign that is underway. The decryptor can be downloaded from here.

New version of the Apocalypse Ransomware Released

Emsisoft security researcher xXToffeeXx discovered a new version of the Apocalypse Ransomware that uses ransom note named [md5].txt and files will be encrypted as [filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]

New Globe ransomware released that uses the .lovewindows extension

Security researcher Michael Gillespie discovered a new variant of the Globe Ransomware that apppends the .lovewindows extension to encrypted files. It also uses the email address bahij2@india.com as a point of contact.

December 5th 2016

Kelihos Botnet Delivering Shade (Troldesh) Ransomware with No_More_Ransom Extension

Over the last two weeks, the Kelihos spam botnet has been busy spreading the latest version of the Shade ransomware (also known as Troldesh), which now appends the ".no_more_ransom" extension at the end of each encrypted file.

Their gesture is a sign of irony, as the NoMoreRansom project has released a free decrypter over the summer that can help victims unlock files encrypted by this threat.

New screenlocker with File Encryption Discovered

GData malware analyst Karsten Hahn has discovered a new screen locker that also encrypts files.  Appears to be buggy as it does not appear to encrypt anything, but does contain an decryption routine. It is supposed to encrypt files and append the .encrypted extension to encrypted files.

Locky Ransomware switches to Egyptian Mythology with the Osiris Extension

Once again, the developers of the Locky Ransomware have decided to change the extension of encrypted files.  This time, the ransomware developers moved away from Norse gods and into Egyptian mythology by using the .osiris extension for encrypted files.

December 6th 2016

Petya Ransomware Returns with GoldenEye Version, Continuing James Bond Theme

The author of the Petya-Mischa ransomware combo has returned with a new version that uses the name GoldenEye Ransomware, continuing the malware's James Bond theme. Malwarebytes' researcher hasherezade has also posted some analysis.

December 8th 2016

New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key

Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files.  With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.

New HACKED Jigsaw Ransomware Variant Discovered

Security researcher Michael Gillespie discovered a new Jigsaw Ransomware variant called HACKED. You can use Michael's Jigsaw Decryptor to get decrypt your files for free.

New SamSam Ransomware variant Discovered

Security researcher Michael Gillespie discovered a new variant of the SamSam Ransomware. This variant uses the .VforVendetta extension for encrypted files and a ransom note called 000-PLEASE-READ-WE-HELP.html.

Modified EDA2/Hidden-Tear Ransomware For Sale

Security researcher Jiri Kropac discovered a modified version of the EDA2/HiddenTear Ransomware for sale on underground criminal sites.

December 9th 2016

"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families

A new open-source ransomware project called CryptoWire was uploaded on GitHub as a "proof of concept," has now spawned three new ransomware families that are infecting users in real-life.

New CryptoWire-based UltraLocker Discovered

GData malware analyst Karsten Hahn discovered a new variant of the open-source AutoIT ransomware CryptoWire ransomware was discovered called UltraLocker.

CyberSplitter Ransomware 2.0 Released

GData malware analyst Karsten Hahn discovered version 2.0 of the CyberSplitter ransomware. This ransomware is based off of the Hidden-Tear open source ransomware.

New Locked-In Ransomware Discovered

GData malware analyst Karsten Hahn is on fire with the discovery of the new Locked-In ransomware. This ransomware will encrypt your files and create ransom notes called RESTORE_CORUPTED_FILES.HTML. Personally I think the devs screwed up when they made this ransomware as it prob should have been called Locked-Out.


Related Articles:

The Week in Ransomware - September 28th 2018 - RDP and gandCrab

The Week in Ransomware - September 21st 2018 - Beer, Airports, & Dharma

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

Windows 10 Ransomware Protection Bypassed Using DLL Injection

New Reports Show Increased CyberThreats, User Risks Remain High