It is another week, and there is more ransomware to alert everyone about.

The biggest news this week is the release of Serpent Ransomware, which is a new version of the Wildfire Ransomware that was previously taken down by the National High Tech Crime Unit of the Dutch police. Other news is the continued rise of Spora Ransomware as a major player in the ransomware threat landscape.

ID-Ransomware has also hit a milestone, with support for over 300 different ransomware families now.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @DanielGallagher, @campuscodi, @BleepinComputer, @struppigel, @malwareforme, @FourOctets, @JAMESWT_MHT, @CryptoInsane, @Seifreed, @nyxbone, @jiriatvirlab, @JakubKroustek, @_ddoxer, @symantec, @proofpoint, @siri_urz, @TrendMicro

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

February 4th 2017

PadCrypt Ransomware Affiliate System Discovered

David Montenegro discovered the affiliate system behind the PadCrypt Ransomware. Though this ransomware is not in wide distribution, it has been around for quite some time.

YourRansom Is the Latest in a Long Line of Prank and Educational Ransomware

According to Roland Dela Paz, YourRansom was coded on top of an open-source ransomware project of the same name, written in Go and released on GitHub last month by a Chinese developer. This once again shows why open-sourcing ransomware kits is and will remain a big problem.

February 6th 2017

Spora Ransomware Sets Itself Apart with Top-Notch PR, Customer Support

The Spora ransomware is slowly making a name for itself as one of the most well-run ransomware operations on the market, with a very well-designed ransom payment portal, some solid customer support, and also efforts to improve the ransomware's reputation among victims.

Android Ransomware Borrows One More Trick from Desktop Counterparts

According to Symantec, the infamous Lockdroid ransomware has gained a new feature, a banality among desktop malware, but a never-before-seen trick for Android ransomware. This new feature is the usage of a dropper component that scouts infected devices and then delivers the appropriate ransomware payload, based on the results.

February 7th 2017

CryptoShield version 1.1 Released

MalwareHunterTeam found a sample of CryptoShield 1.1. This version uses new emails, which are,, and

Erebus Ransomware Utilizes a UAC Bypass and Requests a $90 Ransom Payment

A sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. While it is not currently known how Erebus is being distributed, analysis of the ransomware shows some interesting features. The first, and most noticeable, feature is the low ransom amount of ~$90 USD being requested by the ransomware. Another interesting feature is its use of a UAC bypass that allows the ransomware to run at elevated privileges without displaying a UAC prompt.

JobCrypter Ransomware has Started Circulating Again

MalwareHunterTeam has discovered that the JobCrypter Ransomware has started circulating again.

Aw3s0m3Sc0t7 Ransomware Discovered

Karsten Hahn found a dev named Scott that has put out a new ransomware dubbed Aw3s0m3Sc0t7. It is not clear whether this is TrollWare or an in-dev ransomware, but it encrypts files and appends the .enc extension to them.

Ransomware Discovered that Steals Private Keys and Certificates

Jiri Kropac discovered a ransomware that steals private keys and cert files (ie5/key/pem/ppk) and then requests a 1 bitcoin ransom.

February 8th 2017

New Portuguese Ransomware Discovered

Avast malware researcher Jakub Kroustek discovered a new Portuguese ransomware that appends id-%X%_steaveiwalker@india.com_ to encrypted files and drops ransom notes named COMO_ABRIR_ARQUIVOS.txt. 

ID-Ransomware now Detects 300 Ransomware Families

In an almost sad milestone, ID-Ransomware, created by Michael Gillespie, now detects 300 ransomware families.

February 9th 2017

Serpent Ransomware Wants to Sink Its Fangs Into Your Data

Yesterday, Proofpoint posted about their discovery of a new ransomware called Serpent that is being distributed via SPAM emails. It was further determined that this ransomware appears to be a new variant of the HadesLocker and Wildfire ransomware family.

DynA-Crypt not only Encrypts Your Files, but Also Steals Your Info

A new ransomware called DynA-Crypt was discovered by GData malware analyst Karsten Hahn that not only encrypts your data, but also tries to steal a ton of information from a victim's computer. Ransomware and information stealing infections have become all too common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of steaming **** that just makes a mess of a victim's programs and data.

New Digisom HiddenTear Ransomware Discovered

xXToffeeXx discovered a modified Digisom HT ransomware encrypting files with filename.extension[A-Za-z0-9]{3}.x and a ransom note named Digisom Readme0.txt (0 to 9).

Fadesoft Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Fadesoft. This ransomware uses the logo from Resident Evil's Umbrella Corporation. It downloads Privoxy and TOR to communicate with the TOR command & control servers.

February 10th 2017

SerbRansom 2017 Discovered

MalwareHunterTeam discovered a new ransomware called SerbRansom 2017 that appends the .velikasrbija extension to encrypted files. It was further discovered that this ransomware is generated via a builder where various settings, including the extension, can be changed.

Ransomware Discovered that Appends the .Wcry Extension to Encrypted Files

A new ransomware has been discovered by Malwarebytes researcher S!Ri that encrypts your data and appends the .wcry extension to encrypted files.

Number of RDP Brute-Force Attacks Spreading Crysis Ransomware Doubles in 6 Months

According to Trend Micro, RDP Brute-force attacks being used to spread the Crysis Ransomware have doubled in January 2017, compared to previous months.
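
As an added example (not from the original article, and not ID-Ransomware's code), the filename indicators reported above for Digisom, the Portuguese ransomware, SerbRansom 2017 and the .wcry ransomware can be turned into a small triage script for a file listing taken from an affected machine. The family labels, function names and sample paths are constructed for illustration, %X% is assumed to be a variable ID, and the generic .enc extension is left out because it is too common to attribute.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Filename indicators taken from this roundup. Each family maps to
# (regex for encrypted-file names, regex for ransom-note names or None).
SIGNATURES = {
    "Digisom (HiddenTear)": (
        re.compile(r"^.+\.[^.]+[A-Za-z0-9]{3}\.x$"),
        re.compile(r"^Digisom Readme[0-9]\.txt$"),
    ),
    "Portuguese (steaveiwalker)": (
        # Assumption: %X% is a variable victim ID of unknown format.
        re.compile(r"id-.+_steaveiwalker@india\.com_"),
        re.compile(r"^COMO_ABRIR_ARQUIVOS\.txt$"),
    ),
    "SerbRansom 2017": (re.compile(r"\.velikasrbija$", re.I), None),
    "Wcry": (re.compile(r"\.wcry$", re.I), None),
}

def triage(paths):
    """Return {family: {"encrypted": [...], "notes": [...]}} for matching paths."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for path in paths:
        name = PureWindowsPath(path).name  # match on the file name only
        for family, (enc_re, note_re) in SIGNATURES.items():
            if note_re and note_re.search(name):
                hits[family]["notes"].append(path)
            elif enc_re.search(name):
                hits[family]["encrypted"].append(path)
    return dict(hits)

def verdict(hits):
    """Rank families: a ransom note plus encrypted files is the strongest signal."""
    key = lambda f: (bool(hits[f]["notes"] and hits[f]["encrypted"]), len(hits[f]["encrypted"]))
    return sorted(hits, key=key, reverse=True)

# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsxQ7z.x",
    r"C:\Users\a\Documents\notes.txtab1.x",
    r"C:\Users\a\Desktop\Digisom Readme3.txt",
    r"C:\Users\a\Pictures\cat.jpg.wcry",
    r"C:\Users\a\Documents\thesis.docx",
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    print([(f, found[f]) for f in verdict(found)])
```

Because SerbRansom 2017 is generated by a builder in which the extension can be changed, the absence of .velikasrbija does not rule that family out.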
