This week we have leaked keys, analysis of a new family, 1 new ransomware variant, 3 new ransomware infections, and 1 new ransomware decryptor. It was a big week for the Petya and Mischa devs as they opened their Ransomware as a Service to the public and leaked 3,500 decryption keys for the Chimera Ransomware.

Contributors and those who provided new ransomware info this week include: @DanielGallagher, @kaspersky, @BleepinComputer, @demonslay335, @fwosar, @JAMESWT_MHT, @malwrhunterteam, @JakubKroustek, @PolarToffee, @Seifreed, @TrendMicro, and @nyxbone. If you are interested in ransomware, I suggest you follow all of them on Twitter.

July 25th 2016

Side-by-side comparisons of the CrypMIC and CryptXXX Ransomware Infections

TrendMicro has discovered that there is a new family of ransomware called CrypMIC that appears very similar to the CryptXXX ransomware family. At this time it is unknown if this is just a new ransomware trying to benefit from CryptXXX's success or if it is a split in the CryptXXX development tree. This article shows side-by-side differences between the two ransomware families.


New Simple_Encoder Ransomware Discovered

The Simple_Encoder, or Tilde Ransomware, is a ransomware discovered by Michael Gillespie that will encrypt your data using AES encryption and then adds a tilde, or .~ extension, to encrypted files. In each folder where a file is encrypted, it will create a _RECOVER_INSTRUCTIONS.ini ransom note, which is shown below. If you are affected by this ransomware, please post in the Simple_Encoder Ransomware Help & Support Topic as we may be able to help.

The NoMoreRansom Project goes Public

A new project called NoMoreRansom, created by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky Lab, and Intel Security, was announced to help victims of ransomware. The site contains info about ransomware, some decryptors, and a way of identifying which ransomware has infected you.

July 26th 2016

Chimera Ransomware Decryption Keys Released by Petya Devs

The devs behind the Mischa and Petya ransomware have leaked approximately 3,500 RSA decryption keys for the Chimera Ransomware. These keys are in hex format, but can be converted back to their normal format and used within a decryptor by a security company or professional.


Petya and Mischa Ransomware Affiliate System Publicly Released

Today, the Petya and Mischa Ransomware devs have made their Ransomware as a Service, or RaaS, open to the public. For the past few months, the Petya & Mischa RaaS has been in testing with a limited number of supposed high-volume distributors. As of today, any would-be criminal can sign up and become an official distributor. Unfortunately, this will most likely lead to a greater number of distribution campaigns for this ransomware.


New Jager Ransomware Discovered

A new ransomware called Jager Ransomware was discovered by AVG malware analyst Jakub Kroustek. The command & control server for the ransomware was disabled fairly quickly, so it does not appear that this ransomware is very widespread.

July 28th 2016

Turkish Ransomware called Uyari Discovered

This was posted a while back, but I hadn't heard about it, so I am adding it to this week's article. The Uyari Ransomware is a ransomware discovered by Michael Gillespie whose ransom notes are written in Turkish and demands 2 bitcoins as a ransom. When encrypting files it will append the .locked extension to encrypted files and create a ransom note called DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html on the desktop. Further analysis of this ransomware was done by Mosh.

This ransomware can be decrypted and any victims should ask for help in the

July 29th 2016

We Are Anonymous Jigsaw Ransomware Variant Discovered

A new variant of the Jigsaw Ransomware has been discovered by Michael Gillespie that uses a new Anonymous-themed background for the ransom note. Though there has been a previous variant of Jigsaw that included a Guy Fawkes mask, this new one implies that Anonymous is involved with the ransomware. The ransom screen's background now states "We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us." The good news is that Jigsaw continues to be easily decrypted and Michael's Jigsaw Decryptor has been updated to decrypt this variant.


Kaspersky rakhnidecryptor.exe to decrypt the Chimera Ransomware

Kaspersky has updated their RakhniDecryptor tool to include support for decrypting the Chimera Ransomware. This tool only supports the 3,500 keys that were leaked by the Petya devs.

That's it for this week. Have a nice weekend!
