Looks like the ransomware devs are taking a break during the summer as thankfully new ransomware has slowed down. This week we have 2 new variants of existing ransomware, the discovery of a new ransomware being sold on the dark web, increased distribution of WildFire Locker, and the bizarre release of free decryption keys for certain variants of CryptXXX.

Contributors and those who provided new ransomware info this week include: @BleepinComputer, @demonslay335, @fwosar, @opendns, @HeimdalSecurity, @JAMESWT_MHT, @malwrhunterteam, @PolarToffee, @DanielGallagher, @nyxbone, and @Seifreed. If you are interested in ransomware, I suggest you follow all of them on Twitter.

July 9th 2016

The Unlock92 Ransomware updates Encryption and is no longer Decryptable

Michael Gillespie discovered a new version of the Unlock92 ransomware that switched its encryption algorithm to RSA-2048 and now uses the encrypted extension .CCCRRRPPP. Due to these changes, files encrypted by this version can unfortunately no longer be decrypted for free. For those who need support or wish to discuss this ransomware, you can do so in the .

Unlock92 Ransomware

July 11th 2016

CTB-Faker Ransomware does a poor job imitating CTB-Locker

A new ransomware called CTB-Faker was discovered that pretends to be the CTB-Locker ransomware. It is a poor imitator, though: instead of encrypting a victim's files, it moves them into a password-protected ZIP archive. CTB-Faker then demands a ransom of ~0.08 bitcoins, which equates to approximately $50 USD, in exchange for the password to the archive.

Victims can contact me on the site for possible ways to get their files back.

CTB Faker Ransom Screen

The ODCODC Ransomware is able to be Decrypted

If you are infected with the ODCODC Ransomware, BloodDolly has figured out a way to decrypt the files for free. Please see this post for more information.

July 12th 2016

New Xorist Ransomware pretends to be Cerber

Michael Gillespie discovered that a new variant of the Xorist Ransomware is appending the .Cerber extension to encrypted files in order to impersonate the Cerber Ransomware. You can tell the Xorist version apart from the real Cerber because the Xorist ransom note does not contain links to a Tor site.

Fabian Wosar's Xorist Decryptor is able to decrypt this variant. For support using the decryptor, you can use the .

Fake Cerber Xorist

July 13th 2016

OpenDNS sees increased distribution of WildFire Locker

OpenDNS published a detailed article on how the WildFire Locker has seen a dramatic increase in distribution, which they attribute to the Kelihos botnet. Unfortunately, at this time there is still no way to decrypt files encrypted by this ransomware, but if you wish to discuss it, you can do so in our .

New $39 USD Stampado Ransomware being sold on the Dark Web

Heimdal Security discovered a new ransomware being sold on the Dark Web called Stampado. This ransomware is being sold for the small price of $39 USD, and the listing states that 'files will be encrypted with AES-256 with an Unique ID based on the machine, and the ".locked" extension will be added.'

At this time, Stampado has not been seen in circulation, but as of July 14th two people have purchased the program. Therefore, we should expect to see it circulating soon.

Stampado Ransom Screen

July 14th 2016

CryptXXX providing free keys for .Crypz and .Cryp1 Versions

It has been discovered that the payment servers for the CryptXXX ransomware are providing free decryption keys to victims who have not paid the ransom. These free keys are only available for certain encrypted file extensions such as .Crypz and .Cryp1, but some people have been able to get keys for other versions as well.

In my test, I was able to get a free key for a random extension version, while others were not able to. I suggest everyone who is infected with CryptXXX go through the list in the posted article and check each server with your ID to see if one provides your key.

Free Decryption Key
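Several of this week's entries come down to the same question for a victim: which family is this, and is there a free decryptor? The script below is an added triage example written for this roundup; it is not code from BleepingComputer or from any of the researchers credited above. It takes the encrypted-file extensions named in the entries above (.CCCRRRPPP, .Cerber, .locked, .Crypz, .Cryp1), applies the Xorist-versus-Cerber rule from the July 12th entry (the Xorist note carries no Tor links), and checks whether a ZIP archive is password-protected, which is the CTB-Faker behaviour from July 11th. The ZIP check reads the "encrypted" bit of each entry's general-purpose flag from the central directory, so no password is needed. The sample archive, file names and ransom-note text are constructed for the example; Python's zipfile module cannot write traditional ZIP encryption, so the flagged sample sets the bit by hand.

```python
import io
import re
import zipfile

# Extensions named in this week's roundup, with the status the roundup gives them.
KNOWN_EXTENSIONS = {
    ".cccrrrppp": ("Unlock92 (RSA-2048 update)", "no free decryptor"),
    ".cerber": ("Cerber, or Xorist impersonating Cerber", "check the ransom note"),
    ".locked": ("Stampado (advertised extension)", "not yet seen circulating"),
    ".crypz": ("CryptXXX", "payment servers were handing out free keys"),
    ".cryp1": ("CryptXXX", "payment servers were handing out free keys"),
}

# Tor hidden-service hostname: a 16-character (v2) or 56-character (v3) base32 label plus .onion
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)


def classify_by_extension(path):
    """Return (family, status) when the file name ends in a roundup extension, else None."""
    lower = path.lower()
    for ext, info in KNOWN_EXTENSIONS.items():
        if lower.endswith(ext):
            return info
    return None


def classify_cerber_note(note_text):
    """Apply the roundup's rule: a real Cerber note links to a Tor site, the Xorist copy does not."""
    if ONION_RE.search(note_text):
        return "Cerber (Tor link present)"
    return "Xorist impersonating Cerber (no Tor link; Xorist Decryptor applies)"


def zip_is_password_protected(zip_bytes):
    """CTB-Faker stores files in a password-protected ZIP instead of encrypting them.
    Bit 0 of each entry's general-purpose flag marks traditional ZIP encryption; zipfile
    exposes it as ZipInfo.flag_bits, read from the central directory without a password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def make_sample_zip(password_flag):
    """Constructed sample archive (not a real CTB-Faker artifact). For the flagged case the
    'encrypted' bit is set directly in the central-directory and local-header flag fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Documents/report.docx", b"constructed sample document bytes")
    data = bytearray(buf.getvalue())
    if password_flag:
        cd = data.find(b"PK\x01\x02")   # central directory file header signature
        data[cd + 8] |= 0x1             # general-purpose flag, low byte (offset 8 in the CD entry)
        data[6] |= 0x1                  # same bit in the local file header at offset 0
    return bytes(data)


def triage(paths, ransom_note=None):
    """Group file names by suspected family; settle the .Cerber case from the ransom note."""
    findings = {}
    for p in paths:
        hit = classify_by_extension(p)
        if hit:
            findings.setdefault(hit[0], []).append(p)
    if ransom_note is not None and any(p.lower().endswith(".cerber") for p in paths):
        findings["cerber_verdict"] = classify_cerber_note(ransom_note)
    return findings


if __name__ == "__main__":
    # Constructed inputs: file names and a ransom note with no Tor link.
    sample_paths = ["C:/Users/victim/budget.xlsx.CCCRRRPPP", "C:/Users/victim/photo.jpg.Cerber"]
    sample_note = "Your files are encrypted. Send bitcoin to the address below to get the decryptor."
    print(triage(sample_paths, sample_note))
    print("password-protected archive:", zip_is_password_protected(make_sample_zip(True)))
```

Run it as-is to see the triage of the constructed inputs; point `triage` at a real listing of file names and the text of the note left on the machine to get the same summary for an actual case. The extension table reflects the status reported in this roundup and will go stale as decryptors are released or families change.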