2017 is here and ransomware continues to pump out at a rapid pace. We have a lot of little variants popping up this week, with a special emphasis on malware devs adopting the FSociety brand name. We also have some new decryptors, a Christmas related ransomware, a great analysis of CryptoMix/CryptFile2, and plenty of small ransomware infections. 

Contributors and those who provided new ransomware information and stories this week include: , @fwosar, @demonslay335, @BleepinComputer@malwrhunterteam, @struppigel@campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @0xDUDE, @dvk01uk, @jiriatvirlab, @Techhelplistcom, @CERT_Polska_en, @malware_traffic, @PaloAltoNtwks, @JaromirHorejsi, @ESET, and @JakubKroustek.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

December 31st 2017

New EdgeLocker Ransomware Discovered

I discovered a new ransomware called EdgeLocker that appends .edgel extension to encrypted files.

January 1st 2017

New Samas Ransomware variant Discovered

Michael Gillespie through ID Ransomware discovered a new Samas/SamSam Ransomware variant that uses the extension .helpmeencedfiles and a ransom note named HELP-ME-ENCED-FILES.html.

C/C++ Version of the Globe Ransomware Discovered

Jiri Kropac discovered that the Globe Ransomware was ported to C/C++. Appends the .locked extension to encrypted files.

New FirstRansomware Discovered

A new ransomware was discovered by Avast analyst Jaromir Horejsi that goes by the filename firstransomware.exe. The ransom screen will have a title of Death Bitches. Uses the .locked extension and a ransom note named \Desktop\test\READ_IT.txt.

RedAlert Ransomware Discovered

Avast analyst Jaromir Horejsi discovered the Red Alert ransomware that is based off of Hidden Tear Offline.

January 2nd 2017

New N-Splitter Ransomware Discovered

Avast researcher Jakub Kroustek discovered a new Hidden Tear variant called N-Splitter Ransomware. N-Splitter will append the .кибер разветвитель extension to encrypted files.

New EDA2 Ransomware Variant Discovered

I discovered a new EDA2 ransomware variant that appends .L0CKED to encrypted files and drops a ransom note called DecryptFile.txt ransom note. Uses a TOR payment site.

New Cyber Hub Ransomware Discovered

I discovered a new in-dev Russian Koolova variant called кибер разветвитель (Cyber Hub). This ransomware adds .кибер разветвитель to encrypted files.

January 3rd 2017

MongoDB Databases Held for Ransom by Mysterious Attacker

An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a Bitcoin ransom to return the data. These attacks have been happening for more than a week and have hit servers all over the world. The first one to notice the attacks was security researcher Victor Gevers, who, as part of Project 366 with the GDI Foundation, has been busy searching for unprotected MongoDB servers and alerting companies about their status.

Real World FSociety Malware Is Giving Mr. Robot a Bad Name

In the past few weeks, more or less talented malware authors have resorted to naming their newly launched threats using the "FSociety" brand, made famous by the Mr. Robot TV series.

January 4th 2017

Merry Christmas Ransomware and its dev, ComodoSecurity, not bringing Holiday Cheer

The Merry X-Mas Ransomware is here and it's not bringing you any presents. First discovered by @dvk01uk with the help of @Techhelplistcom, it is being named the Merry Christmas, or Merry X-Mas, Ransomware due to the title of the infection's ransom note. Encrypted files will have one of the .PEGS1.MRCR1, or .RARE1 extensions appended to it and the ransom note is named YOUR_FILES_ARE_DEAD.hta.

Pseudo-Darkleech Actors Behind a Large Chunk of Ransomware Attacks in 2016

A cyber-crime infrastructure known in infosec circles as pseudo-Darkleech has been the source of many ransomware infections during the past year, either by malicious spam attachments or via automated attacks carried out via exploit kits. This article discussed various research done by Palo Alto Networks and Brad Duncan of Malware-Traffic-Analysis.net.

Emsisoft releases a decryptor for version 3 of the Globe Ransomware

Once again, Fabian Wosar of Emsisoft has come to the rescue and released a decrypter for version 3 of the Globe Ransomware. This decryptor will decrypt the Globe Ransomware variants that commonly append the .decrypt2017 and .hnumkhotep extensions to encrypted files. This ransomware will also display a ransom note similar to the one below.

FireCrypt Ransomware Comes With a DDoS Component

A ransomware family named FireCrypt was discovered by MalwareHunterTeam that will encrypt the user's files, but also attempt to launch a very feeble DDoS attack on a URL hardcoded in its source code. Appends the .firecrypt extension to encrypted files and creates a ransom note named [random_chars]-READ_ME.html. 

Technical analysis of CryptoMix/CryptFile2 ransomware

The Computer Emergency Readiness Team of Poland has published an analysis of the CryptoMix/CryptFile2 ransomware family.

January 5th 2017

New California Law Makes Ransomware a Standalone Crime

On January 1, 2017, a new law went into effect in California that makes ransomware use a standalone crime. Technically, ransomware usage was an illegal activity before, but all people engaged in such activities were trialed based on state extortion laws or computer hacking and money laundering charges.

This new law makes ransomware use a standalone crime, allowing prosecutors to charge suspects much easier, without having to spend time proving the suspect was involved in a money laundering operation.

KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption

ESET has discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files.

New version of the iLock Ransomware Discovered

I discovered a new version of the iLock Ransomware that bundles TOR, Live Chat, & an encryptor as individual files. TOR site is currently down.

SkyName Ransomware Discovered

MalwareHunterTeam discovered a new in-dev ransomware called SkyName that targets Czech victims. It is based on HiddenTear.

New Depsex or MafiaWare Ransomware Discovered

I discovered a new new HiddenTear variant called depsex or MafiaWare. Appends .Locked-by-Mafia to encrypted files and drops a ransom note named READ_ME.txt.

January 6th 2016

Malware discovered that converts Desktop shortcuts to possible Ransomware Targets

GData researchers Karsten Hahn has discovered a malware that converts desktop shortcuts into shortcuts to malware that includes the Hidden Tear ransomware.

New HiddenTear variant Discovered that contains a Backdoor Shell

Karsten Hahn discovered a HiddenTear variant that also includes a remote shell. The ransom note is README.txt and appends .locked to encrypted files. Appears to in development.

That is it for this week! See you next Friday!