This has been a week of pure junk ransomware releases and decryptors. As most of these smaller ransomware variants never make it into actual distribution, I call this a win for the good guys. The big news this week is the release of the master decryption key for XData and an updated decryptor for Amnesia2. 

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @emsisoft, @siri_urz, @Malwarebytes, @MarceloRivero, @kryptoslogic, @avast_antivirus, and @CERT_Polska_en.

If you are interested in ransomware or infosec, I suggest you follow them on Twitter.

May 27th 2017

Dviide Ransomware Discovered

MalwareHunterTeam found a new ransomware called Dviide that appends the .dviide extension to encrypted files.

Screenlocker Targeting Chinese Victims

BleepingComputer discovered a new screenlocker that is targeting Chinese victims. It does not encrypt.

May 28th 2017

New LockedByte Ransomware Discovered

BleepingComputer found a new decryptable ransomware called LockedByte. It uses XOR and appends a random extension to encrypted files. It has a horrible ransom note, as shown below.

May 29th 2017

Anonymous Member Playing with Houdini RAT and MoWare Ransomware

A self-proclaimed member of the Anonymous hacker collective is behind a campaign to spread the Houdini RAT and is currently looking into deploying the MoWare H.F.D ransomware.

BlackSheep Ransomware Discovered

BleepingComputer discovered a new ransomware called BlackSheep. It appends the .666 extension to encrypted files. StupidDecrypter by Michael Gillespie can decrypt it.

1337Locker Ransomware Discovered

GData security researcher Karsten Hahn discovered a new variant of MyLittleRansomware called 1337Locker. When encrypting files, it scrambles the file names and appends the .adr extension.

New HiddenTear Variant called DolphinTear

Karsten Hahn discovered a new HiddenTear variant called DolphinTear. It appends the .dolphin extension to encrypted files.

Ransomware that Utilizes WinRar In Development

Karsten Hahn discovered a new in-dev ransomware that uses WinRar to store files in encrypted archives.

New CryPy Variant called SintaLocker

Karsten Hahn continues to pump them out with a new CryPy variant called SintaLocker. SintaLocker drops a ransom note named README_FOR_DECRYPT.txt.

Your Files have been Blocked Ransomware

MalwareHunterTeam found a new in-development ransomware that shows a screenlocker stating that "files have been blocked".

New Jigsaw Variant with a Creepy Clown

Karsten Hahn discovered a new Jigsaw Ransomware variant that sports a creepy clown background. Michael Gillespie's Jigsaw Decrypter can decrypt this variant.

Im Sorry Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Im Sorry. This ransomware will drop a ransom note named Read me for help thanks.txt and append the .imsorry extension to encrypted files.

ID Ransomware can now detect 400 Families

Another milestone for ID Ransomware. It can now detect over 400 ransomware infections.

Decryptors for BTCWare, Mole, and AES_NI Released

Decryptors for BTCWare, Mole, and AES_NI were released thanks to CERT Polska & Avast Software.

R3store Ransomware Discovered

Malwarebytes researcher Marcelo Rivero discovered the R3store Ransomware, which is based on HiddenTear. This ransomware will drop a ransom note named READ_IT.txt and append the .r3store extension to encrypted files.

A stolen version of DMA Locker is making the rounds

Malwarebytes has a blog post about how someone has been patching DMALocker and utilizing it for their own purposes. Interesting read.

May 30th 2017

New Data Shows Most WannaCry Victims Are From China, Not Russia

Data released yesterday by Kryptos Logic reveals that most WannaCry victims are located in China, and not Russia, as various antivirus vendors have announced during the WannaCry ransomware outbreak.

XData Ransomware Master Decryption Keys Released. Kaspersky Releases Decryptor.

In what has become a welcome trend, another ransomware master decryption key was released on This time the key that was released is for the XData Ransomware that was targeting the Ukraine around May 19th 2017. Using these keys, Kaspersky, Avast, and ESET have all released decryptors.

Bloopers Screenlocker Released

Karsten Hahn discovered a new screenlocker called Bloopers Encrypter 1.0. This does not actually encrypt anything and you can just close the window.

New Andonio Ransomware

New in-dev Andonio Ransomware based on HiddenTear. This ransomware appends the .andonio extension to encrypted files and creates a ransom note named READ ME.txt. It targets the desktop only.

Crypt888 + GUI = GrodexCrypt

Avast researcher Jakub Kroustek discovered that someone has added a GUI on top of Crypt888 and renamed it GrodexCrypt. It is still decryptable.

OoPS Ramenware Discovered

Security researcher Jack discovered a ransomware called OoPS Ramenware. This ransomware will move target files into a password-protected .zip file with the .ramen extension.

New Amnesia2 Variant Appends .TRMT

Marcelo Rivero discovered a new Amnesia2 variant that appends the .TRMT extension and creates ransom notes named HOW TO RECOVER ENCRYPTED FILES.TXT.

New BrickR Ransomware Discovered

Marcelo Rivero discovered a new ransomware called BrickR. This ransomware appends the .brickr extension to encrypted files and creates a ransom note called READ_DECRYPT_FILES.txt.

Resurrection-Ransomware Plays Music

BleepingComputer discovered a new HiddenTear based ransomware called Resurrection-Ransomware. This ransomware appends [rand].resurrection to encrypted files and creates ransom notes named Readme.html. The ransom note plays funky Halloween+Harry Potteresque music. It is decryptable.

May 31st 2017

New KillSwitch Ransomware

Malwarebytes security researcher S!Ri discovered a new ransomware called KillSwitch. This ransomware appends the .switch extension to encrypted files. It is currently in development, as it only encrypts files located in %USERPROFILE%\Documents\test\.

Luxnut Ransomware Discovered

Jack discovered an EDA2-based ransomware named Luxnut. It uses the below wallpaper background and appends the .locked extension to encrypted files.

Ransomware that Pretends to be Microsoft Security Essentials

BleepingComputer discovered an in-dev ransomware that pretends to be Microsoft Security Essentials and imitates the WannaCry interface. It does not currently encrypt.

June 1st 2017

BlueHowl Lockscreen Discovered

Karsten Hahn discovered the BlueHowl screenlocker. This screenlocker speaks and shows The Final Countdown video.

Emsisoft releases an updated Amnesia Decryptor

Emsisoft has released an updated decryptor to tackle the newer version of Amnesia, called Amnesia 2.

June 2nd 2017

Hadoop Servers Expose Over 5 Petabytes of Data

Initially, 124 Hadoop servers were ransomed, a number which eventually grew to almost 500. According to Matherly, there are still 207 HDFS-based clusters that still feature ransom demands, albeit it's unclear if these are leftovers from the January attacks, or servers are being hijacked even as we speak.

CainXPii Ransomware Discovered

Karsten Hahn discovered CainXPii screenlocker, which is from the same family as Hitler Ransomware. This ransomware does not encrypt a victim's files, but will delete a random file if you close it down.

Joksy Screenlocker

Karsten Hahn discovered a Lithuanian screenlocker called Joksy that demands payment via PayPal.

New LockCrypt Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called LockCrypt. This ransomware scrambles the filename and then appends the ID [id].lock extension to encrypted files and creates ransom notes named ReadMe.txt.

That is it for this week! Hope everyone has a nice weekend!
