It has been a slow week in terms of new releases, which is always a good thing. There is still a lot of small crapware being released that will never see wide distribution. Of greatest note in terms of new ransomware, a new version of CryptoMix was released that uses the .Exte extension.

We also have some good news, which is the release of a NemucodAES decryptor by Emsisoft. This allows victims of this ransomware to get their files back for free.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @siri_urz, @FraMauronz, @MarceloRivero, @JakubKroustek, @emsisoft, and @McAfee.

July 10th 2017

LeakerLocker Ransomware Found in Two Apps on the Google Play Store

Google has removed two apps that contained a new strain of ransomware named LeakerLocker. Discovered by security researchers from McAfee's mobile division, the ransomware didn't encrypt users' files, but only locked their device and threatened to send the user's private data to friends from their contact list.

The First Petya Imitation was Released

Lawrence Abrams discovered a Petya imitation called Petya+ that is written in .NET. It does not currently encrypt, but it does come with an ASCII image of a skull with a bite taken out of it :)

Scorpio Ransomware Discovered

Malwarebytes malware researcher Marcelo Rivero discovered a new version of the Scarab ransomware called Scorpio. The Scorpio ransomware will append the [Help-Mails@Ya.Ru].Scorpio extension to encrypted files and drops a ransom note named IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT.

Locked In/Oxar Ransomware Discovered

Marcelo Rivero also discovered the Oxar Ransomware, which is based on HiddenTear. This variant will append the .OXR extension to encrypted files. This ransomware should not be confused with the previously discovered Locked In Ransomware.

Bit Paymer Sample Found

ID-Ransomware's Michael Gillespie found a sample of the Bit Paymer Ransomware. This ransomware appends the .locked extension to encrypted files and drops a ransom note named .readme_txt.

July 11th 2017

Australian Man Arrested for Helping Group of Tech Support & Ransomware Operators

Australian police have arrested a man from the city of Mackay on allegations of laundering money for the operators of a tech support and ransomware scheme. According to a statement from Queensland police, the yet unnamed 75-year-old man had entered a partnership with a group of tech support scammers operating a fake computer company.

July 12th 2017

Decrypted: Emsisoft Releases a Decryptor for NemucodAES Ransomware

Fabian Wosar of Emsisoft released a decryptor for the NemucodAES Ransomware. This allows all victims to get their files back for free!

AslaHora Ransomware Discovered

Malwarebytes security researcher Marcelo Rivero discovered a new HiddenTear variant called AslaHora Ransomware. This ransomware appends the .Malki extension to encrypted files and has an unlock code of MALKIMALKIMALKI.

July 13th 2017

Dcry Ransomware Decryptor Released

Ransomware researchers Michael Gillespie and Francesco Muroni released a decryptor for the Dcry Ransomware. Victims whose files were encrypted and had the .dcry extension appended to their names can use this decryptor to get their files back for free.

Blackout Ransomware Discovered

Malwarebytes security researcher S!Ri discovered a new ransomware called Blackout. When encrypting a file it replaces the filename with its Base64 encoding.
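Because Base64 is reversible, the original names of Blackout-renamed files can be recovered from a directory listing without the decryption key. The script below is an added example, not code from this article or from the Blackout sample. It assumes the whole filename (extension included) was encoded as one Base64 string; since the page does not say which alphabet Blackout uses, it accepts both the standard alphabet and the URL-safe one. The sample directory listing is constructed for illustration. The strict validation matters in practice: a naive decoder will happily "decode" ordinary names such as test into garbage, so the helper refuses anything that is not well-formed Base64 decoding to printable UTF-8 text.

```python
import base64
import binascii
from typing import Dict, List, Optional


def strict_b64decode(s: str) -> bytes:
    """Decode Base64 in the standard or URL-safe alphabet, rejecting any
    string that is not well-formed (validate=True raises on stray chars)."""
    # Assumption: '-' and '_' may stand in for '+' and '/' because '/' is
    # not a legal filename character; the article does not say which
    # alphabet Blackout actually uses.
    return base64.b64decode(s.replace("-", "+").replace("_", "/"), validate=True)


def decode_base64_filename(name: str) -> Optional[str]:
    """Return the original name if `name` is Base64 that decodes to printable
    UTF-8 text, otherwise None so that ordinary names are never mangled."""
    if len(name) < 4 or len(name) % 4:
        return None
    try:
        text = strict_b64decode(name).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Short all-alphanumeric names can decode to random bytes by chance;
    # requiring printable text without path separators filters most of that.
    if not text or not text.isprintable() or "/" in text or "\\" in text:
        return None
    return text


def recover_names(listing: List[str]) -> Dict[str, str]:
    """Map each Base64-looking name in a directory listing to its decoded
    original; names that do not decode cleanly are left out."""
    result: Dict[str, str] = {}
    for name in listing:
        decoded = decode_base64_filename(name)
        if decoded is not None:
            result[name] = decoded
    return result


# Constructed directory listing: two names encoded the way the text
# describes plus untouched names that must be left alone.
SAMPLE_LISTING = [
    base64.b64encode(b"Quarterly Report.docx").decode("ascii"),
    base64.b64encode(b"Photos 2017.zip").decode("ascii"),
    "README.txt",
    "test",
    "desktop.ini",
]


if __name__ == "__main__":
    for encoded, original in recover_names(SAMPLE_LISTING).items():
        print(f"{encoded} -> {original}")
```

Run it over the output of a directory walk on an affected machine to produce a rename map; restore names only after decryption, so that any decryptor that keys on the renamed files still finds them.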

Keep Calm Ransomware Discovered

MalwareHunterTeam discovered a new EDA2-based ransomware that appends the .locked extension to encrypted files. It also sets an interesting wallpaper :)

Purge Ransomware Discovered

GData security researcher Karsten Hahn discovered the Purge Ransomware. This ransomware is buggy and crashes, as it only decrypts a test folder. It appends the .purge extension to encrypted files. The unlock code is TotallyNotStupid.

Your All Data Encrypt Screenlocker

I wish I could give ransomware developers mandatory spelling and grammar lessons. You can see why in the image of the latest screenlocker discovered by Karsten Hahn below. To close the screen, just use Alt+F4. It does not have an unlock code programmed into the source.

In-Dev BrainLag Ransomware Discovered

When Karsten Hahn is on fire, he is on fire! Karsten found a new in-development ransomware called BrainLag. As it is still in development it does not encrypt anything yet, but it has a fun lock screen.

Ransed Ransomware Uses Hardcoded MySQL Credentials

Bleeping Computer's Lawrence Abrams discovered Ransed Ransomware, which connects to a MySQL server directly from the application. This means the server's login credentials are built into the ransomware executable, where anyone with a copy of the sample can read them out. When encrypting files it will append the .Ransed extension.
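Hardcoded database credentials are the weak point of this design: they can be pulled straight out of the binary with a string scan. The script below is an added example, not code from this article or from the Ransed sample, showing how such a scan works. It looks for MySQL Connector/NET-style connection strings (Server=...;Uid=...;Pwd=...;) in both ASCII and UTF-16LE, the latter because .NET executables store their string literals in UTF-16LE, and parses out the fields. The key names recognised are an assumption about the connection-string dialect, and the sample blob and its connection string are constructed for illustration rather than taken from any real sample.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Key names of MySQL Connector/NET style connection strings (assumed
# dialect). Only a run of ';'-terminated pairs whose keys are all in this
# set is matched, so extend it if a sample uses other options.
KEYS = r"server|host|data source|database|port|uid|user id|user|pwd|password"
CONN_RE = re.compile(rf"(?i)(?:\b(?:{KEYS})=[^;]*;)+")
HOST_KEYS = {"server", "host", "data source"}
PASS_KEYS = {"pwd", "password"}

# Constructed sample: a fake PE-like blob with a UTF-16LE connection string
# and an unrelated ASCII SQL statement. Not taken from any real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "Server=db.example.invalid;Port=3306;Database=ransed;Uid=bot;Pwd=Hunter2!;".encode("utf-16le")
    + b"\x00" * 8
    + b"INSERT INTO victims (id, aeskey) VALUES (?, ?)\x00"
)


def candidate_strings(blob: bytes, min_len: int = 8) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for printable runs found as ASCII and as UTF-16LE."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield "utf-16le", m.group().decode("utf-16le")


def parse_pairs(text: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for pair in text.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def find_connection_strings(blob: bytes) -> List[Dict[str, str]]:
    """Return every parsed connection string that names both a host and a password."""
    hits: List[Dict[str, str]] = []
    for encoding, text in candidate_strings(blob):
        for m in CONN_RE.finditer(text):
            fields = parse_pairs(m.group())
            if fields.keys() & HOST_KEYS and fields.keys() & PASS_KEYS:
                fields["_encoding"] = encoding
                hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_connection_strings(SAMPLE_BINARY):
        print(hit)
```

Point it at a real sample by reading the file into `blob`; if the credentials are packed or obfuscated the scan returns nothing and you would dump strings from memory after unpacking instead. Note the test the scan performs (a host key and a password key in one run) is what keeps the unrelated SQL statement in the blob from producing a false hit.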

July 14th 2017

New Jigsaw Ransomware Variant with the .Kill Extension

Lawrence Abrams discovered a new Jigsaw Ransomware variant that utilizes the .kill extension for encrypted files.

New SamSam Variant Discovered

MalwareHunterTeam discovered a new SamSam/Samas variant that appends the .country82000 extension to encrypted files.

Fake ENDcrypt0r Screenlocker Discovered

MalwareHunterTeam discovered a new fake screenlocker that someone created as a joke. The passcode is A01B.

Fuacked Ransomware Discovered

Avast security researcher Jakub Kroustek discovered a new ransomware called Fuacked. It's disturbing enough that we do not need to go into it any further.

That's it for this week! Hope everyone has a nice & safe weekend.
