Looks like the ransomware devs are taking a break during the summer as thankfully new ransomware has slowed down. This week we have 2 new variants of existing ransomware, the discovery of a new ransomware being sold on the dark web, increased distribution of WildFire Locker, and the bizarre release of free decryption keys for certain variants of CryptXXX.
Contributors and those who provided new ransomware info this week include: @BleepinComputer, @demonslay335, @fwosar, @opendns, @HeimdalSecurity, @JAMESWT_MHT, @malwrhunterteam, @PolarToffee, @DanielGallagher, @nyxbone, and @Seifreed. If you are interested in ransomware, I suggest you follow all of them on Twitter.
Michael Gillespie discovered a new version of the Unlock92 ransomware that switched its encryption algorithm to RSA-2048 and now appends the .CCCRRRPPP extension to encrypted files. Due to these changes, files encrypted by this version unfortunately can no longer be decrypted for free. For those who need support or wish to discuss this ransomware, you can do so in the Unlock92 Ransomware Support and Help Topic.
A new ransomware called CTB-Faker was discovered that pretends to be the CTB-Locker ransomware. It is a poor imitator, though, as instead of encrypting a victim's files, it moves them into a password-protected ZIP archive. CTB-Faker then demands a ransom of ~0.08 bitcoins, which equates to approximately $50 USD, in order to get the password for your files.
Victims can contact me on the site for possible ways to get their files back.
Michael Gillespie discovered that a new variant of the Xorist Ransomware is appending the .Cerber extension to encrypted files in order to impersonate the Cerber Ransomware. You can tell the difference between the Xorist version and the real Cerber, as the Xorist ransom note will not contain links to a TOR site.
OpenDNS published a detailed article on how the WildFire Locker has seen a dramatic increase in distribution, which they attribute to the Kelihos botnet. Unfortunately, at this time there is still no way to decrypt files encrypted by this ransomware, but if you wish to discuss it, you can do so in our WildFire Locker Help and Support Topic.
Heimdal Security discovered a new ransomware being sold on the Dark Web called Stampado. This ransomware is being sold for the small price of $39 USD, and its listing states that "files will be encrypted with AES-256 with an Unique ID based on the machine, and the '.locked' extension will be added."
At this time, Stampado has not been seen in circulation, but as of July 14th two people have purchased the program, so we should expect to see it circulating soon.
It has been discovered that the payment servers for the CryptXXX ransomware are providing free decryption keys to victims who have not paid the ransom. These free keys are only available for certain encrypted file extensions, such as .Crypz and .Cryp1, but some people have been able to get keys for other versions as well.
In my test, I was able to get a free key for a random extension version, while others were not able to. I suggest everyone who is infected with CryptXXX go through the list in the posted article and check each server with your ID to see if one provides your key.