A bunch of small ransomware variants were released, but we did have a new release of the Locky Osiris variant and Popcorn Time, which takes scumbaggery to a new level. To me the most interesting story is Popcorn Time as they offer victims the ability to get a free decryption key if they can get two other people infected and have them pay the ransom.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @demonslay335, @JakubKroustek, @struppigel, @malwrhunterteam, @campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @jiriatvirlab, @Seifreed, @nyxbone, @drProct0r, @GarWarner, and @hasherezade.
If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
MalwareHunterTeam discovered that PadCrypt has been upgraded to version 3.1.2. No significant changes were made.
Russian authorities have arrested a man suspected of writing and distributing ransomware. The suspect, whose name hasn't been released yet, goes by the nickname of Pornopoker.
Emsisoft security researcher xXToffeeXx discovered a new version of the Apocalypse Ransomware that uses ransom note named [md5].txt and files will be encrypted as [filename].ID-*8characters+countrycode[email@example.com].[random7characters]
Security researcher Michael Gillespie discovered a new variant of the Globe Ransomware that apppends the .lovewindows extension to encrypted files. It also uses the email address firstname.lastname@example.org as a point of contact.
Over the last two weeks, the Kelihos spam botnet has been busy spreading the latest version of the Shade ransomware (also known as Troldesh), which now appends the ".no_more_ransom" extension at the end of each encrypted file.
Their gesture is a sign of irony, as the NoMoreRansom project has released a free decrypter over the summer that can help victims unlock files encrypted by this threat.
GData malware analyst Karsten Hahn has discovered a new screen locker that also encrypts files. Appears to be buggy as it does not appear to encrypt anything, but does contain an decryption routine. It is supposed to encrypt files and append the .encrypted extension to encrypted files.
Once again, the developers of the Locky Ransomware have decided to change the extension of encrypted files. This time, the ransomware developers moved away from Norse gods and into Egyptian mythology by using the .osiris extension for encrypted files.
The author of the Petya-Mischa ransomware combo has returned with a new version that uses the name GoldenEye Ransomware, continuing the malware's James Bond theme. Malwarebytes' researcher hasherezade has also posted some analysis.
Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.
Security researcher Michael Gillespie discovered a new variant of the SamSam Ransomware. This variant uses the .VforVendetta extension for encrypted files and a ransom note called 000-PLEASE-READ-WE-HELP.html.
Security researcher Jiri Kropac discovered a modified version of the EDA2/HiddenTear Ransomware for sale on underground criminal sites.
A new open-source ransomware project called CryptoWire was uploaded on GitHub as a "proof of concept," has now spawned three new ransomware families that are infecting users in real-life.
GData malware analyst Karsten Hahn is on fire with the discovery of the new Locked-In ransomware. This ransomware will encrypt your files and create ransom notes called RESTORE_CORUPTED_FILES.HTML. Personally I think the devs screwed up when they made this ransomware as it prob should have been called Locked-Out.