Lots of small ransomware infections were released this week that will most likely never make it into major circulation. The stories of interest this week are the Avast decryptor for offline CryptoMix infections, Trump Locker, and a new macOS ransomware called Patcher.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @DanielGallagher, @campuscodi, @BleepinComputer, @struppigel, @malwareforme, @jorntvdw, @FourOctets, @JAMESWT_MHT, @Seifreed, @nyxbone, @_odisseus, @JakubKroustek, @MsmCode, @ESET, @avast_antivirus, and @symantec.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
MalwareHunterTeam discovered a new in-development HiddenTear-based ransomware called XYZWare. This ransomware drops a ransom note named Readme.tx.
MalwareHunterTeam has noticed that Sage 2.2 Ransomware has been released.
Today, Avast released a decryptor for CryptoMix victims who were encrypted while the ransomware was in offline mode. Offline mode is when the ransomware runs and encrypts a victim's computer while there is no Internet connection or the computer cannot reach the ransomware's Command & Control server.
I found a new ransomware called Trump Locker that appears to be based on Venus Locker. Trump Locker drops a ransom note called What happen to my files.txt and encrypts files with either the .TheTrumpLockerf or .TheTrumpLockerfp extension.
Jakub Kroustek discovered that a new variant of the Crypt888 Ransomware was released with no ransom notes and only the background image shown below. This ransomware prepends the Lock. string to the names of encrypted files, and its files can be decrypted using Avast's decryptor.
A newly discovered ransomware family calling itself Patcher is targeting macOS users, but according to security researchers from ESET, who discovered the ransomware last week, Patcher bungles the encryption process and leaves affected users with no way of recovering their files.
MalwareHunterTeam has discovered a new ransomware that does not contain a name or provide any contact info. It requires the victim to solve a math problem before making a payment.
Symantec found that a new variant of the Lockdroid Android ransomware has chosen a unique way of unlocking devices: it asks users to speak a code provided after paying the ransom.
Jakub Kroustek discovered another Python ransomware called Pickles. This ransomware is called Pickles because that string is used as the static password when encrypting files. It creates ransom notes named READ_ME_TO_DECRYPT.txt and changes file names to %random%.EnCrYpTeD.
JAMESWT discovered a new ransomware written in Go called Vanguard. As the Command & Control server is down or there are other issues, we do not have a lot of info on it yet.
msm, a security researcher at CERT Polska, discovered that CryptoMix is now using the .CRYPTOSHIEL extension for encrypted files. It is unclear whether this is a bug in their code, as the previous version used the .CRYPTOSHIELD extension when encrypting files.
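Several of this week's families leave distinctive file-name artifacts: ransom note names (XYZWare, Trump Locker, Pickles), appended extensions (Trump Locker, Pickles, both CryptoMix builds) and a prepended string (Crypt888). The triage helper below, an added example that is not code from this write-up or from any of the researchers named, matches a file listing against exactly those indicators so a responder can tell which family touched which files. The sample listing is constructed, case-insensitive matching is an assumption, and the one-letter difference between .CRYPTOSHIEL and .CRYPTOSHIELD is kept as two separate indicators because the write-up treats them as different builds.

```python
import re

# Indicators taken from this week's write-up. The family labels and the
# dictionary/matching code are part of this added example.
RANSOM_NOTES = {
    "readme.tx": "XYZWare",
    "what happen to my files.txt": "Trump Locker",
    "read_me_to_decrypt.txt": "Pickles",
}

# Extensions appended to encrypted files. Order matters only in that the
# longer CryptoMix suffix is checked before the truncated one; endswith()
# already keeps ".thetrumplockerf" from matching a ".thetrumplockerfp" file.
ENCRYPTED_SUFFIXES = {
    ".thetrumplockerf": "Trump Locker",
    ".thetrumplockerfp": "Trump Locker",
    ".encrypted": "Pickles",                       # %random%.EnCrYpTeD
    ".cryptoshield": "CryptoMix (earlier build)",
    ".cryptoshiel": "CryptoMix (current build)",   # one letter short of the above
}

# Crypt888 prepends "Lock." to the original file name instead of appending an
# extension, so the original extension should still follow the prefix.
CRYPT888_PREFIX = "lock."


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(path):
    """Return (family, kind) for one path, or None if no indicator matches.

    kind is "note" for a ransom note or "encrypted" for a renamed victim file.
    Matching is case-insensitive (an assumption of this example).
    """
    name = basename(path).lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "note"
    for suffix, family in ENCRYPTED_SUFFIXES.items():
        if name.endswith(suffix):
            return family, "encrypted"
    rest = name[len(CRYPT888_PREFIX):]
    # Require an extension after the prefix so a benign "lock.txt" is not flagged.
    if name.startswith(CRYPT888_PREFIX) and "." in rest:
        return "Crypt888", "encrypted"
    return None


def triage(paths):
    """Group a file listing by suspected family, separating notes from encrypted files."""
    report = {}
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        family, kind = hit
        report.setdefault(family, {"note": [], "encrypted": []})[kind].append(path)
    return report


# Constructed sample listing (not real victim data) mixing benign and matching names.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.TheTrumpLockerf",
    r"C:\Users\alice\Desktop\What happen to my files.txt",
    r"C:\Users\alice\Pictures\Lock.holiday.jpg",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\bob\Desktop\READ_ME_TO_DECRYPT.txt",
    r"C:\Users\bob\Desktop\8f3a1c.EnCrYpTeD",
    r"C:\Users\bob\Music\song.mp3.CRYPTOSHIEL",
    r"C:\Users\bob\Music\older.mp3.CRYPTOSHIELD",
    r"C:\Users\carol\Readme.tx",
]

if __name__ == "__main__":
    for family, hits in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{family}: {len(hits['note'])} note(s), {len(hits['encrypted'])} encrypted file(s)")
```

Feed it the output of a directory walk (or a file listing exported from an EDR) and the report gives a per-family count of notes and renamed files; the split between the two CryptoMix suffixes is what lets you tell whether a host was hit by the build before or after the extension changed, which matters when choosing a decryptor.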