Lots of small little ransomware infections released this week that will most likely never make it into major circulation. The stories  of interest this week are the Avast decryptor for offline CryptoMix infections, Trump Locker, and a new macOS ransomware called Packer.

Contributors and those who provided new ransomware information and stories this week include:  @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @DanielGallagher, @campuscodi, @BleepinComputer, @struppigel, @malwareforme@jorntvdw, @FourOctets@JAMESWT_MHT, @Seifreed, @nyxbone@_odisseus@JakubKroustek, @MsmCode@ESET, @avast_antivirus, and @symantec

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

February 20th 2017

New XYZWare Ransomware Discovered

MalwareHunterTeam discovered a new in-development HiddenTear based ransomware called XYZWare. This ransomware will drop a ransom note name Readme.tx.

CryptConsole Using a new Contact Email

Michael Gillespie noticed that the CryptConsole ransomware started using the contact email address of something_ne@india.com.

Updated Decryptor for the MRCR Ransomware Released

Fabian Wosar of Emsisoft has released an updated MRCR Ransomware decryptor in order to support the latest variants.

February 21st 2017

8 Trends in Android Ransomware, According to ESET

The report, published by ESET yesterday and titled Trends in Android Ransomware, provides a look at how ransomware threats evolved during the past year in the Android ecosystem. 

Sage 2.2 Ransomware Released

MalwareHunterTeam has noticed that Sage 2.2 Ransomware has been released. 

Source: Odisseus

New Samas Variant Discovered

Michael Gillespie found a new Samas/SamSam variant that appends the .weencedufiles extension to encrypted files and drops a ransom note named READ-READ-READ.html.

Avast Releases a Decryptor for Offline Versions of the CryptoMix Ransomware

Today, Avast released a decryptor for CryptoMix victim's that were encrypted while in offline mode. Offline mode is when the ransomware runs and encrypts a victim's computer while there is no Internet connection or the computer cannot connect to the ransomware's Command & Control server.

February 22nd 2017

New Trump Locker Ransomware Is a Fraud, Just VenusLocker in Disguise

I found a new ransomware called Trump Locker that appears to be based off of Venus Locker. Trump Locker drops a ransom note called What happen to my files.txt and encrypts files with either the .TheTrumpLockerf or .TheTrumpLockerfp extensions.

New Crypt888 Ransomware Released

Jakub Kroustek discovered a new variant of the Crypt888 Ransomware was released with no ransom notes and only the below background. This ransomware will prepend the Lock. string to encrypted files and can be decrypted using Avast's decryptor.

New Python Ransomware Discovered

Jakub Kroustek discovered a new ransomware written in Python that has been named PyL33T. This ransomware appends the .d4nk extension to encrypted files.

New macOS Patcher Ransomware Locks Data for Good, No Way to Recover Your Files

A newly discovered ransomware family calling itself Patcher is targeting macOS users, but according to security researchers from ESET, who discovered the ransomware last week, Patcher bungles the encryption process and leaves affected users with no way of recovering their files.

February 23rd 2017

New Unlock26 Ransomware Wants You To Solve Math Problem

MalwareHunterTeam has discovered a new ransomware that does not contain a name or provide any contact info. Requires you to solve a math problem before making a payment.

Android Ransomware Asks Victims to Speak Unlock Code

Symantec found a new variant of the Lockdroid Android ransomware has chosen a unique way of unlocking devices by asking users to speak a code provided after paying the ransom.

New Pickles Ransomware Discovered

Jakub Kroustek discovered another Python ransomware called Pickles. This ransomware is called pickles based on that string being used as the static password when encrypting files. This ransomware creates ransom notes named READ_ME_TO_DECRYPT.txt and changes files names to %random%.EnCrYpTeD.

New Go Ransomware called Vanguard

JAMESWT discovered a new ransomware written in Go called Vanguard. As the Command & Control server is down or there are other issues, we do not have a lot of info on it.

February 24th 2017

Latest CryptoMix Variant Uses CRYPTOSHIEL Extension

msm, a security researcher at CERT Polska, discovered that CryptoMix is now using the .CRYPTOSHIEL extension for encrypted files. It is unsure if this is a bug in their code as the previous version used the .CRYPTOSHIELD extension when encrypting files.

Related Articles:

King Ouroboros Ransomware Dev Vents to Researchers on Twitter

Thanatos Ransomware Decryptor Released by the Cisco Talos Group

New MysteryBot Android Malware Packs a Banking Trojan, Keylogger, and Ransomware

New Backup Cryptomix Ransomware Variant Actively Infecting Users

Vaccine Available for GandCrab Ransomware v4.1.2