Been a great week for victims, with decryptors coming out for BTCWare, Cryptomix, Executioner, and the release of the original Petya key. Otherwise, it has been a lot of NotPetya news and numerous smaller variants being released.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @Malware_Blocker, @ESET, @codelancer, @kaspersky, @antonivanovm, @FireEye, @avtestorg, @mavsec1337, @charleycelice, and @MarceloRivero.
On Friday, three cyber-security firms, Kaspersky, Eset, and FireEye, came forward with reports or statements that link the NotPetya ransomware outbreak to a cyber-espionage group known for a large number of past cyber-attacks, such as the one on Ukraine's power grid in December 2015.
Michael Gillespie discovered a ransomware uploaded to ID-Ransomware that base64 encodes a filename and then appends .lalabitch extension to encrypted files and drops a ransom note named lalabitch.php.
Malwarebytes security researcher Marcelo Rivero discovered a new variant of the Cry36 ransomware that appends the .63vc4 extension and drops a ransom note named ### DECRYPT MY FILES ###.txt.
Bleeping Computer was told today that Ukrainian Police seized the servers from where the NotPetya ransomware outbreak first started to spread. The servers belonged to Intellect Service, a Ukrainian company that sells accounting software under the names of IS-pro and M.E.Doc. A former Intellect Service employee confirmed the raid to Bleeping Computer today.
GData security researcher Karsten Hahn discovered a new version of the ShellLocker Ransomware. This version scrambles the file name and then appends the .L0cked extension to encrypted files.
Karsten Hahn discovered ZeroRansom. This ransomware appends the .z3r0 extension to encrypted files and drops a ransom note named EncryptNote_README.txt.
GData security researcher Karsten Hahn found a ransomware called J-Ransomware that is based off of ZeroRansom. This ransomware appends the .LoveYou extension to encrypted files and has a static password of password.
Karsten is banging them out today with the discovery for the zScreenlocker. Enter Kate8Zlord and press Alt+S to close.
The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. This group started moving bitcoins to different accounts and posted a proposition on the dark web.
The AV-TEST GmbH Security Report 2016/2017 published today is calling ransomware a "marginal phenomenon," highlighting that only 0.94% of all malware deployed in 2016 was a blackmail trojan.
It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, where we have a decryptor being released for the Mole02 CryptoMix Ransomware variant. This decryptor was created by security researcher M AV of STIGroup, Ltd. with the help of Secarma Threat Intel team's Charley Celice.
Chinese authorities have arrested two men who have distributed a version of the SLocker Android ransomware that was customized to look like WannaCry, the Windows ransom-worm that spread across the world in the middle of May.
MalwareHunterTeam discovered a new version of the Cryptomix ransomware that utilizes the .Azer extension. This article provides further analysis performed by BleepingComputer.com.
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decryptor after the author of the eponymous ransomware leaked the private key for his latest version. The BTCWare author announced this leak on the Bleeping Computer forum thread that offers support for victims of BTCWare infections.
New versions of the Executioner Ransomware continue to be released. Michael Gillespie can still decrypt victims who are affected.
Karsten Hahn discovered a new in-development screenlocker that I dubbed CountLocker. It attempts to delete all of the files on the C:\ drive after 72 hours. It looks like it plans to include actual file encryption, as it bundles the HiddenTear decryptor as a resource.
MalwareHunterTeam discovered a ransomware called Fenrir. This ransomware appends an extension composed of the first 10 characters of the computer's HWID and drops a ransom note named Ransom.rtf.
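Several of this week's variants are recognizable purely from the artifacts they leave on disk: a fixed extension (.lalabitch, .63vc4, .L0cked, .z3r0, .LoveYou, .Azer) or a fixed ransom note name (lalabitch.php, ### DECRYPT MY FILES ###.txt, EncryptNote_README.txt, Ransom.rtf). The script below is an added example, not code from Bleeping Computer or from any of the researchers named above; it walks a directory tree, flags files matching those indicators, and for the lalabitch family undoes the naming scheme described above (original filename base64-encoded, then .lalabitch appended) so a victim can see which file each encrypted blob used to be. It assumes standard, non-URL-safe base64 for lalabitch, which the item does not state, and the sample files it scans are constructed in a temporary directory.

```python
import base64
import binascii
import os
import tempfile
from pathlib import Path

# Indicator tables built for this example from the items in this roundup
# (family names as given above; Fenrir has no fixed extension, so only
# its ransom note is listed).
EXTENSIONS = {
    ".lalabitch": "lalabitch",
    ".63vc4": "Cry36",
    ".L0cked": "ShellLocker",
    ".z3r0": "ZeroRansom",
    ".LoveYou": "J-Ransomware",
    ".Azer": "CryptoMix (Azer)",
}
RANSOM_NOTES = {
    "lalabitch.php": "lalabitch",
    "### DECRYPT MY FILES ###.txt": "Cry36",
    "EncryptNote_README.txt": "ZeroRansom",
    "Ransom.rtf": "Fenrir",
}


def recover_lalabitch_name(encrypted_name):
    """Undo the lalabitch naming scheme: the original filename is base64-encoded
    and '.lalabitch' appended. Assumes standard base64 (an assumption, not
    stated in the item). Returns None if the stem does not decode to
    printable text."""
    if not encrypted_name.endswith(".lalabitch"):
        return None
    stem = encrypted_name[: -len(".lalabitch")]
    try:
        decoded = base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def scan_tree(root):
    """Walk root and return a list of (path, family, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                findings.append((path, RANSOM_NOTES[name], "ransom note"))
                continue
            # Extensions are matched case-sensitively: these families use a fixed case.
            for ext, family in EXTENSIONS.items():
                if name.endswith(ext):
                    detail = "encrypted file"
                    if ext == ".lalabitch":
                        original = recover_lalabitch_name(name)
                        if original:
                            detail = f"encrypted file, originally '{original}'"
                    findings.append((path, family, detail))
                    break
    return findings


def build_sample_tree():
    """Create a throwaway directory of constructed sample files so the scanner
    can be exercised offline. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="roundup-demo-")
    docs = Path(root) / "docs"
    docs.mkdir()
    encoded = base64.b64encode(b"budget.xlsx").decode()
    (docs / f"{encoded}.lalabitch").write_bytes(b"\x00" * 16)
    (docs / "lalabitch.php").write_text("constructed sample note")
    (docs / "photo.jpg.63vc4").write_bytes(b"\x00" * 16)
    (docs / "### DECRYPT MY FILES ###.txt").write_text("constructed sample note")
    (Path(root) / "notes.txt").write_text("benign file, should not be flagged")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for found_path, found_family, found_detail in scan_tree(sample_root):
        print(f"{found_family:18s} {found_detail:45s} {found_path}")
```

Point `scan_tree` at a real share or user profile instead of the sample tree to triage an infection; the extension table is the part to extend as new variants appear, and name-only matching will not catch families like Fenrir that derive the extension from the machine, which is why the ransom note list is kept alongside it.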
The author of the original Petya ransomware — a person/group going by the name of Janus Cybercrime Solutions — has released the master decryption key of all past Petya versions. This key will not help with the recent NotPetya infection. Kaspersky Lab's Anton Ivanov has confirmed that this key works for all versions of the original Petya, including GoldenEye.
A new screenlocker that requires you to do surveys to unlock the computer has been discovered by Karsten Hahn. This program is currently not working properly.