Lots of ransomware news this week with 3 new infections, 7 new Jigsaw ransomware variants, 3 new decryptors, a new variant to Nemucod, and an interesting article about the Crysis ransomware. I would like to thank everyone who monitors and analyzes new ransomware infections in Twitter and through other sources.

Contributors and those who provided new ransomware info this week include: Michael GillespieFabian Wosar , myself, ESET, FortinetCisco's Talos Group@malwrhunterteam@DanielGallagher@nyxbone@Seifreed@hasherezade,@malekal_morte@malwareforme@Antelox@hahn_katja@nullandnull@cyb3rops, and@bartblaze.

June 4th 2016

Cooking Up Autumn (Herbst) Ransomware

Fortinet has discovered a new ransomware called Herbst that targets German victims. This ransomware will encrypt data files with AES encryption and append the .herbst extension to encrypted files. It will then demand approximately ~$50 USD to get a decryption key.

Herbst Ransomware

June 5th 2016

New Russian cripttt or .criptokod Ransomware

Michael Gillespie discovered that there was a decryptor available for a ransomware that targets Russian speaking victims. This decryptor can be found here.

June 6th 2016

Slew of new Jigsaw Ransomware Variants Discovered

Quite a few new variants of the Jigsaw Ransomware was discovered that utilize the  .payms, .paymst, .pays, .paym, .paymrss, .payrms, and .paymts extensions for encrypted files. Michael Gillespie has updated his Jigsaw Ransomware Decryptor to handle them. 

New Crysis Ransomware variant was released that appends .centurion_legion@aol.com.xtbl to Encrypted Files

I discovered a new variant of the Crysis ransomware that encrypts your data and appends the .centurion_legion@aol.com.xtbl extension to encrypted files. This ransomware then displays a ransom note that states you must email mailrepa.lotos@aol.com or goldman0@india.com in order to get payment instructions.

Crysis Background

June 7th 2016

ESET warns thats the Crysis Ransomware family is starting to increase Distribution

A day after finding the new Legion Crysis variant, ESET published an article discussing how the Crysis family is starting to fill the void left by the closing of TeslaCrypt.  In their article ESET explains that the Crysis family is spread through email spam with attachments containing double file extensions or via Trojans that pretend to be legitimate applications.

We are currently analyzing this family and as more information is available, we will post it on the site.

June 9th 2016

New variant of the Nemucod Ransomware uses PHP to Encrypt Files

A new variant of the Nemucod ransomware was discovered that downloads PHP and utilizes it to encrypt a victim's data and append the .crypted extension.  Fabian Wosar of Emisoft was able to update his decryptor to handle this variant as well.  

Instructions on how to decrypt Nemucod variants can be found in this article: Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware.

June 10th 2016

Cisco's Talos Group releases an all-in-one TeslaCrypt Decryption Tool

When TeslaCrypt closed shop they released their master decryption key.  This allowed victim's to decrypt files encrypted by Version 3 and Version 4 of TeslaCrypt.  It is also possible to decrypt earlier variants, but they required other tools, such as TeslaDecoder, to do so. 

Cisco's new decryption utility allows a victim to decrypt all the variants of TeslaCrypt from one tool.  This makes it easier for those who do not know what version they have to decrypt their files.