Really slow week, which is great. We did have some decryptors and updated decryptors released this week, which is always great. Of particular concern is the increase releasing of new CryptoMix variants. Thankfully, these variants do not seem to be netting to many victims at this time.
Otherwise, it was all crappy little releases like every week.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwareforme, @demonslay335, @fwosar, @FourOctets, @PolarToffee, @campuscodi, @LawrenceAbrams, @malwrhunterteam, @struppigel, @BleepinComputer, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @MarceloRivero, @JakubKroustek, @emsisoft, and @TrendLabs.
ID-Ransomware's Michael Gillespie released a decryptor for the Striked Ransomware.
According to TrendLabs, a new Android RAT (Remote Access Trojan) detected under the name of GhostCtrl can lock mobile device by resetting their PIN and display a ransom note to infected victims.
MalwareHunterTeam discovered a new variant of the Stupid Ransomware that appends the .alosia extension to encrypted files. The unlock & decryption code is CREATEDBYMR403FORBIDDEN.
MalwareHunterTeam discovered a new Jigsaw Ransomware variant that uses the .korea extension and has a new background
Emsisoft security researcher xXToffeeXx discovered a new ransomware called Reyptson that is targeting Spanish victims. Since then, we have seen increased activity in the ransomware's developmen. Today security researcher MalwareHunterTeam took a deeper look and noticed that Reyptson conducts its own spam distribution campaign directly from a victim's configured Thunderbird email account.
MalwareHunterTeam discovered a new ransomware called Viro. Viro appends the .locked extension to encrypted files and drops a ransom note named Has an interesting background.
GData malware researcher Karsten Hahn discovered the Oops Ransomware. This ransomware will append the .oops extension to encrypted files.
Karsten Hahn discovered a new HiddenTear variant called Explorer. This ransomware appends the .explorer extension to encrypted files and has a contact email of firstname.lastname@example.org.
Malwarebytes security researcher Marcelo Rivero discovered a new variant of GlobeImposter that appends the .s1crypt and .au1crypt extension to encrypted files and drops a ransom note named how_to_back_files.html.
US-based and international courier delivery service FedEx admitted on Monday that some of its systems were significantly affected by the NotPetya ransomware, and some of the damage may be permanent.
A month after it suffered a mysterious cyber attack, details emerged that San Francisco’s public TV and radio station, KQED, was the victim of a ransomware incident from which it has yet to fully recover.
Emsisoft's Fabian Wosar released an updated decryptor for the NemucodAES ransomware to handle large database files.
Avast security researcher Jakub Kroustek discovered a new Chinese ransomware called China-YunLong. This ransomware will append the .yl extension to encrypted files.
CryptoMix is releasing new variants very quickly now and is reminiscent of how the Locky developers used to distribute Locky. Yesterday, ID-Ransomware's Michael Gillespie & Malwarebytes malware researcher Marcelo Rivero discovered two new variants of the CryptoMix ransomware being distributed within a week or two of each other. These variants append either the NOOB or ZAYKA extension to encrypted files, but use the same contact email of email@example.com for payment instructions.
Michael Gillespie released an updated decryptor for the Striked ransomware to handle newer variants.
MalwareHunterTeam found a new HiddenTear ransomware named Matroska.This ransomware will append the .HUSTONWEHAVEAPROBLEM@KEEMAIL.ME extension to encrypted files.
Marcelo Rivero discovered a new CryptoMix variant that appends the .CK extension to encrypted files and drops a note called _HELP_INSTRUCTION.TXT.
MalwareHunterTeam discovered a new Jigsaw Ransomware variant that appends the .afc extension to encrypted files.
Lawrence Abrams discovered a new HiddenTear variant called Symbiom Ransomware. This ransomware appends the .symbiom_ransomware_locked extension to encrypted files and drops a ransom note name README_Ransomware_Symbiom.txt.
MalwareHunterTeam discovered a new ransomware called Bitshifter. This ransomware tries to steal cryptocurrency wallets and other information. It drops a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt.
Michael Gillespie discovered a new variant of the GlobeImposter that appends the .skunk extension to encrypted files.
Jakub Kroustek discovered two in-development Python ransomware infections called SnakeLocker. One appends the .snake' and '.TGIF'. and both drop a ransom note named INSTRUCTIONS-README.html. Has a horrendous looking ransom note. Contrasts!