Been a great week for victims, with decryptors coming out for BTCWare, Cryptomix, Executioner, and the release of the original Petya key. Otherwise, it has been a lot of NotPetya news and numerous smaller variants being released.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @Malware_Blocker, @ESET, @codelancer, @kaspersky, @antonivanovm, @FireEye, @avtestorg, @mavsec1337, @charleycelice, and @MarceloRivero.

July 1st 2017

Security Firms Find Thin Lines Connecting NotPetya to Ukraine Power Grid Attacks

On Friday, three cyber-security firms, Kaspersky, Eset, and FireEye, came forward with reports or statements that link the NotPetya ransomware outbreak to a cyber-espionage group known for a large number of past cyber-attacks, such as the one on Ukraine's power grid in December 2015.

Lalabitch Ransomware in the Wild

Michael Gillespie discovered a ransomware uploaded to ID-Ransomware that base64 encodes the file name, appends the .lalabitch extension to encrypted files, and drops a ransom note named lalabitch.php.
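As an added example (not code from the original report), a small Python triage helper for the Lalabitch naming pattern described above: it flags the ransom note by name and recovers the original file name from the base64 stem of a .lalabitch file. It assumes the stem is standard base64 of a UTF-8 file name, which the report does not state explicitly.

```python
import base64
import binascii
import re
from typing import Optional

# Indicators taken from the write-up above.
LALABITCH_EXT = ".lalabitch"
LALABITCH_NOTE = "lalabitch.php"
# Standard base64 alphabet with optional padding (assumption: no URL-safe variant).
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def recover_lalabitch_name(filename: str) -> Optional[str]:
    """Return the original file name if `filename` looks like
    <base64 stem>.lalabitch, otherwise None.

    Both the decode and the UTF-8 step are validated so that random
    stems (or binary data that happens to be base64) are not reported
    as recovered names."""
    if not filename.endswith(LALABITCH_EXT):
        return None
    stem = filename[: -len(LALABITCH_EXT)]
    if not stem or len(stem) % 4 or not _B64_RE.match(stem):
        return None
    try:
        return base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(filenames):
    """Walk a list of file names (e.g. from a directory listing) and
    return the ransom-note hits plus a mapping of encrypted file -> original name."""
    report = {"notes": [], "encrypted": {}}
    for name in filenames:
        if name.lower() == LALABITCH_NOTE:
            report["notes"].append(name)
            continue
        original = recover_lalabitch_name(name)
        if original is not None:
            report["encrypted"][name] = original
    return report


# Constructed sample listing: two encrypted files, the note, a clean file,
# a stem that is not base64, and a stem that decodes to non-UTF-8 bytes.
SAMPLE_FILES = [
    "UTMgcmVwb3J0Lnhsc3g=.lalabitch",  # "Q3 report.xlsx"
    "aGVsbG8=.lalabitch",              # "hello"
    "lalabitch.php",
    "notes.txt",
    "!!!.lalabitch",
    "//4=.lalabitch",                  # decodes to b"\xff\xfe"
]
```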

In-Development Takeom Ransomware Discovered

Lawrence Abrams discovered the Takeom Ransomware, which is being developed by someone named Liam. It does not currently encrypt files.

RanRans Ransomware Discovered

Lawrence Abrams discovered a new HiddenTear-based ransomware called RanRans. This ransomware appends the .ranrans extension. It is very buggy and crashes a lot. The decryptors have already been removed by the hosting sites.

New Ransomware called Hell or Radiation

Lawrence Abrams discovered an in-development ransomware called either Hell or Radiation, depending on whether you go by the GUI or the wallpaper. This ransomware trashes files due to buggy code.

July 2nd 2017

BTCWare Switches to the Aleta Extension

Michael Gillespie noted that BTCWare switched to the .[].aleta extension for encrypted files.

Unikey Ransomware Being Developed

Lawrence Abrams discovered that someone named Nhan is developing a HiddenTear-based ransomware called Unikey.

July 3rd 2017

New Variant of the Cry36 Ransomware Released

Malwarebytes security researcher Marcelo Rivero discovered a new variant of the Cry36 ransomware that appends the .63vc4 extension and drops a ransom note named ### DECRYPT MY FILES ###.txt.

July 4th 2017

Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread

Bleeping Computer was told today that Ukrainian Police seized the servers from where the NotPetya ransomware outbreak first started to spread. The servers belonged to Intellect Service, a Ukrainian company that sells accounting software under the names of IS-pro and M.E.Doc. A former Intellect Service employee confirmed the raid to Bleeping Computer today.

New Version of the ShellLocker Ransomware Discovered

GData security researcher Karsten Hahn discovered a new version of the ShellLocker Ransomware. This version scrambles the file name and then appends the .L0cked extension to encrypted files.

ZeroRansom Ransomware Discovered

Karsten Hahn discovered ZeroRansom. This ransomware appends the .z3r0 extension to encrypted files and drops a ransom note named EncryptNote_README.txt.

J-Ransomware Released

GData security researcher Karsten Hahn found a ransomware called J-Ransomware that is based on ZeroRansom. This ransomware appends the .LoveYou extension to encrypted files and has a static password of password.

zScreenlocker Discovered

Karsten is banging them out today with the discovery of the zScreenlocker. To close it, enter Kate8Zlord and press Alt+S.

CryptoMix briefly switches to the .Mole00 Extension

Michael Gillespie discovered that CryptoMix briefly switched to the .Mole00 extension. This was spotted by both Malware Blocker and MalwareHunterTeam.

Crypter 1.0 Jokeware (?) Being Developed

Lawrence Abrams discovered a possible joke ransomware called Crypter 1.0. The messages it shows do not make much sense, and it does not encrypt anything as of yet.

July 5th 2017

NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web

The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. The group started moving bitcoins to different accounts and posted a proposition on the dark web.

New Report Calls Ransomware a "Marginal Phenomenon"

The AV-TEST GmbH Security Report 2016/2017 published today is calling ransomware a "marginal phenomenon," highlighting that only 0.94% of all malware deployed in 2016 was a blackmail trojan.

Decryptor Released for the Mole02 CryptoMix Ransomware Variant

It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, with a decryptor being released for the Mole02 CryptoMix Ransomware variant. This decryptor was created by security researcher M AV of STIGroup, Ltd. with the help of Charley Celice of the Secarma Threat Intel team.

Chinese Police Arrest Ransomware Devs Spreading WannaCry Lookalike for Android

Chinese authorities have arrested two men who have distributed a version of the SLocker Android ransomware that was customized to look like WannaCry, the Windows ransom-worm that spread across the world in the middle of May.

New Azer CryptoMix Ransomware Variant Released

MalwareHunterTeam discovered a new version of the Cryptomix ransomware that utilizes the .Azer extension. This article provides further analysis performed by

New BTCWare Ransomware Decrypter Released for the Master Variant

Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware leaked the private key for his latest version. The BTCWare author announced this leak on the Bleeping Computer forum thread that offers support for victims of BTCWare infections.

July 6th 2017

New Versions of the Executioner Ransomware Can Still Be Decrypted

New versions of the Executioner Ransomware continue to be released. Michael Gillespie can still decrypt the files of victims who are affected.

In-dev CountLocker Screenlocker Discovered

Karsten Hahn discovered a new in-development screenlocker that I dubbed CountLocker. It attempts to delete all of the files on the C:\ drive after 72 hours. It looks like it plans to include actual file encryption, as it bundles the HiddenTear decryptor as a resource.

Fenrir Ransomware Discovered

MalwareHunterTeam discovered a ransomware called Fenrir. This ransomware appends an extension composed of the first 10 characters of the computer's HWID and drops a ransom note named Ransom.rtf.

New ElmersGlue_3 Screenlocker

Lawrence Abrams discovered a new screenlocker called ElmersGlue_3. It does not encrypt and the password to close the locker is 83502631947189478135791649134973.

July 7th 2017

Author of Original Petya Ransomware Publishes Master Decryption Key

The author of the original Petya ransomware — a person/group going by the name of Janus Cybercrime Solutions — has released the master decryption key of all past Petya versions. This key will not help with the recent NotPetya infection. Kaspersky Lab's Anton Ivanov has confirmed that this key works for all versions of the original Petya, including GoldenEye.

New SurveyLocker Discovered

A new screenlocker that requires you to do surveys to unlock the computer has been discovered by Karsten Hahn. This program is currently not working properly.

Random6 Ransomware is Actually a Variant of Fantom

MalwareHunterTeam noted that the Random6 Ransomware discovered last week is actually a variant of Fantom.
