What a crazy week. The biggest news is that we had a hosting company who actually paid a 1 million dollar (think Dr. Evil) ransomware payment. We then had the return of Locky, which at one point was the preminent ransomware being distributed. We will have to wait and see if it can become king of the hill again.

Other than that, its mostly been small ransomware variants being released that will probably never make it into any real distribution.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @MarceloRivero, @jiriatvirlab, @zackwhittaker, @hackerfantastic, @TalosSecurity, @VK_Intel, @FBI.

June 17th 2017

Jigsaw variant that uses the .Sux Extension

MalwareHunterTeam discovered a new variant of the Jigsaw Ransomware that uses the .sux extension for encrypted files.

Wana Decrypt0r Trojan-Syria Editi0n Ransomware Discovered

MalwareHunterTeam discovered a HiddenTear variant called Wana Decrypt0r Trojan-Syria Editi0n. This ransomware is currently in development, but when done is intended to append the .Wana Decrypt0r Trojan-Syria Editi0n extension to encrypted files.

June 18th 2017

WinBamboozle Ransomware Discovered

BleepingComputer discovered the in-development WinBamboozle Ransomware. Currently only encrypts the test subfolder and appends a random 5 character extension to encrypted files.

June 19th 2017

SkullLocker Screenlocker Discovered

GData security researcher Karsten Hahn discovered a screenlocker called SkullLocker. You can use Alt+F4 to close it. Not very effective.

Polish Varian of the Dumb Ransomware Discovered

BleepingComputer discovered a Polish variant of the Dumb Ransomware.

SamSam is Back

SamSam is starting to be distributed again. Michael Gillespie & MalwareHunterTeam spotted variants using the .breeding123, .mention9823, and .suppose666 extension.

In-Dev DecrptOr 3.2/Decrypto 3.2 Ransomware

BleepingComputer discovered a new in-development ransomware called DecrptOr 3.2/Decrypto 3.2. Does not encrypt.

NSMF Ransomware Discovered

BleepingComputer discovered a new HiddenTear variant called NSMF Ransomware. This ransomware only encrypts the desktop. When encrypting files it appends .nsmf extension and creates a ransom note named readme.txt.

June 20th 2017

South Korean Web Hosting Provider Pays $1 Million in Ransomware Demand

Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers.

Kuntzware Discovered

Karsten Hahn discovered a new ransomware called Kuntzware. Currently crashes when executed, but will append .kuntzware. Attempts to encrypt files to the cloud. May lock screen. 

Turkish Zilla Ransomware Discovered

Karsten Hahn discovered a new Turkish ransomware called Zilla. This ransomware appends the .zilla extension to encrypted files and drops a ransom note named @@BurayaBak.txt.

Gansta Ransomware Discovered

Isn't it supposed to be Gangsta?  Regardless, ​Karsten Hahn discovered the "Gansta Ransomware".  Appends the .enc extension. 

New Screenlocker being Developed that Asks for Credit Cards

MalwareHunterTeam discovered a new screenlocker that asks a victim to input their credit card. 

New Crypt888 Samples Prepends Lock. to the Filename

Malwarebytes security researcher Marcelo Rivero discovered a new variant of the Crypt888 Ransomware that prepends the Lock. string to an encrypted file name and uses a new background.

June 21st 2017

One Month Later, WannaCry Ransomware Is Still Shutting Down Factories

On Monday, Honda was forced to temporarily shut down its car plant in Sayama, Japan, after some of its computer systems were infected with the infamous WannaCry ransomware, reported Reuters today.

TeslaWare Plays Russian Roulette with your Files

TeslaWare is currently being promoted and sold through black hat/criminal sites for 35 to 70 Euros depending on the customizations the buyer want in the ransomware.  The good news is that this ransomware is decryptable.

Searching for a Sample of the aZaZeL Ransomware

Michael Gillespie is looking for a sample of the aZaZeL Ransomware after a ransom note was uploaded to ID Ransomware. This ransomware appends the .Encrypted extension and drops a ransom note named File_Encryption_Notice.txt.

New Ruby Ransomware Discovered

ESET malware analyst Jiri Kropac discovered a new ransomware written in Ruby that possibly uses a domain generation algorithm and an online C2.

In-Dev OneCrypt Ransomware Discovered

MalwareHunterTeam discovered a new ransomware that appears to be in-dev or not properly built.  Currently being called onecrypt.

June 22nd 2017

WannaCry Ransomware Infects 55 Speed and Red-Light Cameras in Australia

Fifty-five speed and red-light cameras in the Australia's state of Victoria were infected with the WannaCry ransomware.

Locky Ransomware Returns, but Targets Only Windows XP & Vista

The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking files only on older Windows XP & Vista machines.

CryptoDark Trollware Discovered

Lawrence Abrams of BleepingComputer discovered a new Trollware called CryptoDark. This does not encrypt and looks like it intentionally tries to troll the victim.

Fake Cerber Ransomware Discovered

Karsten Hahn discovered a new ransomware that pretends to be Cerber. Appends the .encrypted extension to encrypted files. 

AlixSpy tries to Steal Growtopia Logins

MalwareHunterTeam discovered a malware called AlixSpy that tries to steal the Growtopia save.dat, which contains the user's logins. It then displays a lock screen.

QuakeWay Ransomware is Decryptable

MalwareHunterTeam discovered a ransomware called QuakeWay that adds the extension .org and leaves a ransom note named __iWasHere.txt. According to  Michael Gillespie it is decryptable.

June 23rd 2017

FBI: Victims Aren't Reporting Ransomware Attacks

Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report, released yesterday by the FBI’s Internet Crime Complaint Center (IC3).

Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it

ZDNet security editor Zack Whittaker wrote a great article on why you should never call an operating system 100% secure from anything. The articles details how Hacker House co-founder Matthew Hickey was able to bypass security in Windows S to get system level access. From there, if he wished he would have been able to potentially install ransomware on the system that Microsoft has stated is immune to it.

Reetner Ransomware using a Moduler System

Karsten Hahn discovered a new ransomware that appears to use a moduler system, where each process of the ransomware is handled by a different executable. For example, there is one executable that displays the ransom note, another than encrypts, etc.  Karsten is still looking for the main dropper or the crypter executable, so if you find it, please let us know.

 

Screenlocker just Trolling Victims

Looks like Trollware is making a come back. This is seen with a new screenlocker found by MalwareHunterTeam that locks your screen, but doesn't ask for money. Basically, they are just doing it to be a pain in the ass.

EyLamo Ransomware Discovered

MalwareHunterTeam discovered a new HiddenTear variant called EyLamo. This ransomware will append the .lamo extension to encrypted files and drop a ransom  note named READ_IT.txt.

Kryptonite Ransomware Disguised as Game of Snake

The PC Security Channel's Leo found a ransomware called Kryptonite ransomware, which is disguised as a game of Snake. Currently crashes when I launch it. MalwareHunterTeam found a sample earlier this week, but that crashed immediately, so this appears to be in development.