Lots of ransomware news this week with 3 new infections, 7 new Jigsaw ransomware variants, 3 new decryptors, a new variant of Nemucod, and an interesting article about the Crysis ransomware. I would like to thank everyone who monitors and analyzes new ransomware infections on Twitter and through other sources.
Contributors and those who provided new ransomware info this week include: Michael Gillespie, Fabian Wosar, myself, ESET, Fortinet, Cisco's Talos Group, @malwrhunterteam, @DanielGallagher, @nyxbone, @Seifreed, @hasherezade, @malekal_morte, @malwareforme, @Antelox, @hahn_katja, @nullandnull, @cyb3rops, and @bartblaze.
Fortinet has discovered a new ransomware called Herbst that targets German victims. This ransomware encrypts data files with AES encryption and appends the .herbst extension to encrypted files. It then demands approximately $50 USD for a decryption key.
Quite a few new variants of the Jigsaw Ransomware were discovered that use the .payms, .paymst, .pays, .paym, .paymrss, .payrms, and .paymts extensions for encrypted files. Michael Gillespie has updated his Jigsaw Ransomware Decryptor to handle them.
I discovered a new variant of the Crysis ransomware that encrypts your data and appends the .email@example.com extension to encrypted files. This ransomware then displays a ransom note that states you must email firstname.lastname@example.org or email@example.com in order to get payment instructions.
A day after finding the new Legion Crysis variant, ESET published an article discussing how the Crysis family is starting to fill the void left by the closing of TeslaCrypt. In their article, ESET explains that the Crysis family is spread through email spam with attachments that carry double file extensions, or via Trojans that pretend to be legitimate applications.
We are currently analyzing this family and as more information is available, we will post it on the site.
A new variant of the Nemucod ransomware was discovered that downloads PHP and uses it to encrypt a victim's data and append the .crypted extension. Fabian Wosar of Emsisoft was able to update his decryptor to handle this variant as well.
Instructions on how to decrypt Nemucod variants can be found in this article: Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware.
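For responders who find encrypted files and need to work out which of this week's families they are dealing with, and which decryptor (if any) applies, the following triage script is an added example and is not code from this post or from any of the researchers named above. It uses only the extensions listed in the post (.herbst, the seven Jigsaw extensions, .crypted) and generalizes the Crysis behaviour described above (an e-mail address appended as the file extension) into a pattern match, so it flags any e-mail-style extension rather than the single address quoted in the post. The directory listing at the bottom is constructed sample data, and the decryptor notes are just pointers to the tools the post names.

```python
"""Triage a file listing for the ransomware extensions named in this week's roundup.

Added example (not from the original post). Run with a directory argument to walk a real
tree, or with no arguments to run against the constructed sample listing below.
"""
import os
import re
import sys
from datetime import datetime, timezone

# Extensions taken from the post, keyed by family.
KNOWN_EXTENSIONS = {
    ".herbst": "Herbst",
    ".payms": "Jigsaw", ".paymst": "Jigsaw", ".pays": "Jigsaw", ".paym": "Jigsaw",
    ".paymrss": "Jigsaw", ".payrms": "Jigsaw", ".paymts": "Jigsaw",
    ".crypted": "Nemucod",
}

# Recovery pointers, limited to what the post states about each family.
DECRYPTOR_NOTES = {
    "Jigsaw": "Michael Gillespie's Jigsaw Ransomware Decryptor (updated for the new extensions)",
    "Nemucod": "Emsisoft's Nemucod decryptor (Fabian Wosar), updated for the PHP-based variant",
    "Crysis": "no decryptor mentioned in the post; preserve samples and ransom notes",
    "Herbst": "no decryptor mentioned in the post; preserve samples and ransom notes",
}

# Crysis appends an e-mail address as the extension. Match any trailing
# ".<local>@<domain>.<tld>"; the local part deliberately excludes dots so the
# match starts at the appended part, not at the original ".docx"/".pdf".
EMAIL_EXT_RE = re.compile(r"\.[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def classify(path):
    """Return (family, matched_extension) or (None, None) for an unrecognised file."""
    name = os.path.basename(path)
    m = EMAIL_EXT_RE.search(name)
    if m:
        return "Crysis", m.group(0)
    ext = os.path.splitext(name)[1].lower()
    family = KNOWN_EXTENSIONS.get(ext)
    return (family, ext) if family else (None, None)


def scan_paths(entries):
    """Aggregate (path, mtime_epoch) pairs into a per-family summary.

    Counts hits, records which extensions were seen, and keeps the earliest and
    latest modification times so the encryption window can be placed on a timeline.
    """
    summary = {}
    for path, mtime in entries:
        family, ext = classify(path)
        if family is None:
            continue
        rec = summary.setdefault(family, {
            "count": 0, "extensions": set(), "first": mtime, "last": mtime,
            "decryptor": DECRYPTOR_NOTES.get(family, "unknown"),
        })
        rec["count"] += 1
        rec["extensions"].add(ext)
        rec["first"] = min(rec["first"], mtime)
        rec["last"] = max(rec["last"], mtime)
    return summary


def walk_tree(root):
    """Yield (path, mtime) for every file under root, skipping unreadable entries."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                yield p, os.path.getmtime(p)
            except OSError:
                continue


# Constructed sample listing (hypothetical paths, not real victim data).
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents/budget.xlsx.payms", 1465200000),
    ("C:/Users/alice/Documents/notes.txt.paymts", 1465200300),
    ("C:/Users/alice/Pictures/holiday.jpg.herbst", 1465100000),
    ("C:/Users/alice/Desktop/report.pdf.crypted", 1465300000),
    ("C:/Users/alice/Desktop/contract.docx.email@example.com", 1465250000),
    ("C:/Users/alice/Desktop/readme.txt", 1465000000),
]


def report(summary):
    """Print one block per family, sorted by earliest encryption time."""
    for family, rec in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        first = datetime.fromtimestamp(rec["first"], tz=timezone.utc).isoformat()
        last = datetime.fromtimestamp(rec["last"], tz=timezone.utc).isoformat()
        print(f"{family}: {rec['count']} file(s), extensions {sorted(rec['extensions'])}")
        print(f"  window: {first} .. {last}")
        print(f"  recovery: {rec['decryptor']}")


if __name__ == "__main__":
    entries = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    report(scan_paths(entries))
```

The earliest and latest modification times per family are the most useful output for incident response: they bound when the encryption ran, which narrows the search for the dropper or the spam attachment that delivered it. The e-mail-address match is kept separate from the plain extension table because `os.path.splitext` would otherwise report a Crysis file as a `.com` file.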
When TeslaCrypt closed shop they released their master decryption key. This allowed victims to decrypt files encrypted by Version 3 and Version 4 of TeslaCrypt. It is also possible to decrypt earlier variants, but doing so required other tools, such as TeslaDecoder.
Cisco's new decryption utility allows a victim to decrypt all the variants of TeslaCrypt from one tool. This makes it easier for those who do not know what version they have to decrypt their files.