Really slow week, which is great. We did have some decryptors and updated decryptors released this week, which is always great. Of particular concern is the increased release of new CryptoMix variants. Thankfully, these variants do not seem to be netting too many victims at this time.

Otherwise, it was all crappy little releases like every week.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwareforme, @demonslay335, @fwosar, @FourOctets, @PolarToffee, @campuscodi, @LawrenceAbrams, @malwrhunterteam, @struppigel, @BleepinComputer, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @MarceloRivero, @JakubKroustek, @emsisoft, and @TrendLabs.

July 15th 2017

Striked Ransomware Decryptor Released

ID-Ransomware's Michael Gillespie released a decryptor for the Striked Ransomware.

July 17th 2017

GhostCtrl Is an Android RAT That Also Doubles as Ransomware

According to TrendLabs, a new Android RAT (Remote Access Trojan) detected under the name of GhostCtrl can lock mobile devices by resetting their PIN and displaying a ransom note to infected victims.

New Alosia Team Stupid Ransomware Variant

MalwareHunterTeam discovered a new variant of the Stupid Ransomware that appends the .alosia extension to encrypted files. The unlock & decryption code is CREATEDBYMR403FORBIDDEN.

New Jigsaw Variant is Quite Smiley

MalwareHunterTeam discovered a new Jigsaw Ransomware variant that uses the .korea extension and has a new background devil

Reyptson Ransomware Spams Your Friends by Stealing Thunderbird Contacts

Emsisoft security researcher xXToffeeXx discovered a new ransomware called Reyptson that is targeting Spanish victims. Since then, we have seen increased activity in the ransomware's development. Today, security researcher MalwareHunterTeam took a deeper look and noticed that Reyptson conducts its own spam distribution campaign directly from a victim's configured Thunderbird email account.

Viro Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Viro. Viro appends the .locked extension to encrypted files and drops a ransom note named Has an interesting background.

Oops Ransomware Discovered

GData malware researcher Karsten Hahn discovered the Oops Ransomware. This ransomware will append the .oops extension to encrypted files.

Explorer Ransomware Released

Karsten Hahn discovered a new HiddenTear variant called Explorer. This ransomware appends the .explorer extension to encrypted files and has a contact email of

New GlobeImposter Variants Released

Malwarebytes security researcher Marcelo Rivero discovered a new variant of GlobeImposter that appends the .s1crypt and .au1crypt extensions to encrypted files and drops a ransom note named how_to_back_files.html.

July 18th 2017

FedEx Says Some Damage From NotPetya Ransomware May Be Permanent

US-based and international courier delivery service FedEx admitted on Monday that some of its systems were significantly affected by the NotPetya ransomware, and some of the damage may be permanent.

July 19th 2017

Radio and TV Station Still Recovering From Ransomware Infection One Month Later

A month after it suffered a mysterious cyber attack, details emerged that San Francisco’s public TV and radio station, KQED, was the victim of a ransomware incident from which it has yet to fully recover.

Updated NemucodAES Decryptor Released

Emsisoft's Fabian Wosar released an updated decryptor for the NemucodAES ransomware to handle large database files.

China-YunLong Ransomware Discovered

Avast security researcher Jakub Kroustek discovered a new Chinese ransomware called China-YunLong. This ransomware will append the .yl extension to encrypted files.

July 20th 2017

The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession

CryptoMix is releasing new variants very quickly now and is reminiscent of how the Locky developers used to distribute Locky. Yesterday, ID-Ransomware's Michael Gillespie & Malwarebytes malware researcher Marcelo Rivero discovered two new variants of the CryptoMix ransomware being distributed within a week or two of each other. These variants append either the NOOB or ZAYKA extension to encrypted files, but use the same contact email of for payment instructions.

Striked Ransomware Decryptor Updated

Michael Gillespie released an updated decryptor for the Striked ransomware to handle newer variants.

Matroska Ransomware Discovered

MalwareHunterTeam found a new HiddenTear ransomware named Matroska. This ransomware will append the .HUSTONWEHAVEAPROBLEM@KEEMAIL.ME extension to encrypted files.

July 21st 2017

New CK CryptoMix Variant Discovered

Marcelo Rivero discovered a new CryptoMix variant that appends the .CK extension to encrypted files and drops a note called _HELP_INSTRUCTION.TXT.

New Jigsaw Variant Released

MalwareHunterTeam discovered a new Jigsaw Ransomware variant that appends the .afc extension to encrypted files.

New HiddenTear Symbiom Ransomware

Lawrence Abrams discovered a new HiddenTear variant called Symbiom Ransomware. This ransomware appends the .symbiom_ransomware_locked extension to encrypted files and drops a ransom note named README_Ransomware_Symbiom.txt.

Bitshifter Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Bitshifter. This ransomware tries to steal cryptocurrency wallets and other information. It drops a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt.

New GlobeImposter Wants to Skunk You

Michael Gillespie discovered a new variant of GlobeImposter that appends the .skunk extension to encrypted files.

In-Dev SnakeLocker Variants Discovered

Jakub Kroustek discovered two in-development Python ransomware infections called SnakeLocker. These append the '.snake' and '.TGIF' extensions, and both drop a ransom note named INSTRUCTIONS-README.html. They have a horrendous-looking ransom note. Contrasts!

That's it for this week! Hope everyone has a nice weekend!

