This has been a week of pure junk ransomware releases and decryptors. As most of these smaller ransomware variants never make it into actual distribution, I call this a win for the good guys. The big news this week is the release of the master decryption key for XData and an updated decryptor for Amnesia2.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @emsisoft, @siri_urz, @Malwarebytes, @MarceloRivero, @kryptoslogic, @avast_antivirus, and @CERT_Polska_en
If you are interested in ransomware or infosec, I suggest you follow them on Twitter.
MalwareHunterTeam found a new ransomware called Dviide that appends the .dviide extension to encrypted files.
BleepingComputer discovered a new screenlocker that is targeting Chinese victims. It does not encrypt any files.
BleepingComputer found a new decryptable ransomware called LockedByte. It uses XOR and appends a random extension to encrypted files. Has a horrible ransom note as shown below.
A self-proclaimed member of the Anonymous hacker collective is behind a campaign to spread the Houdini RAT and is currently looking into deploying the MoWare H.F.D ransomware.
GData security researcher Karsten Hahn discovered a new variant of MyLittleRansomware called 1337Locker. When encrypting files it scrambles the file names and appends the .adr extension.
Karsten Hahn discovered a new HiddenTear variant called DolphinTear. Appends the .dolphin extension to encrypted files.
Karsten Hahn discovered a new in-dev ransomware that uses WinRar to store files in encrypted archives.
Karsten Hahn continues to pump them out with a new CryPy variant called SintaLocker. SintaLocker drops a ransom note named README_FOR_DECRYPT.txt.
MalwareHunterTeam found a new in-development ransomware that shows a screenlocker stating that "files have been blocked".
MalwareHunterTeam discovered a new ransomware called Im Sorry. This ransomware will drop a ransom note named Read me for help thanks.txt and append the .imsorry extension to encrypted files.
Another milestone for ID Ransomware. It can now detect over 400 ransomware infections.
Malwarebytes researcher Marcelo Rivero discovered the R3store Ransomware, which is based on HiddenTear. This ransomware will drop a ransom note named READ_IT.txt and append the .r3store extension to encrypted files.
Malwarebytes has a blog post about how someone has been patching DMALocker and utilizing it for their own purposes. Interesting read.
In what has become a welcome trend, another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting Ukraine around May 19th 2017. Using these keys, Kaspersky, Avast, and ESET have all released decryptors.
Karsten Hahn discovered a new screenlocker called Bloopers Encrypter 1.0. This does not actually encrypt anything and you can just close the window.
A new in-development Adonio Ransomware based on HiddenTear was discovered. This ransomware appends the .andonio extension to encrypted files and creates a ransom note named READ ME.txt. It targets the desktop only.
Security researcher Jack discovered a ransomware called OoPS Ramenware. This ransomware moves target files into a password-protected .zip file with the extension .ramen.
Marcelo Rivero discovered a new Amnesia2 variant that appends the .TRMT extension and creates ransom notes named HOW TO RECOVER ENCRYPTED FILES.TXT.
BleepingComputer discovered a new HiddenTear-based ransomware called Resurrection-Ransomware. This ransomware appends [rand].resurrection to encrypted files and creates ransom notes named Readme.html. The ransom note plays funky Halloween/Harry Potter-esque music. It is decryptable.
Malwarebytes security researcher S!Ri discovered a new ransomware called KillSwitch. This ransomware appends the .switch extension to encrypted files. Currently in-development as it only encrypted files located in %USERPROFILE%\Documents\test\.
Jack discovered an EDA2-based ransomware named Luxnut. It uses the below wallpaper background and appends the .locked extension to encrypted files.
BleepingComputer discovered an in-dev ransomware that pretends to be Microsoft Security Essentials and imitates the WannaCry interface. It does not currently encrypt.
Karsten Hahn discovered the BlueHowl screenlocker. This screenlocker speaks and shows The Final Countdown video.
Emsisoft has released an updated decryptor to tackle the newer version of Amnesia, called Amnesia 2.
Initially, 124 Hadoop servers were ransomed, a number which eventually grew to almost 500. According to Matherly, there are still 207 HDFS-based clusters that feature ransom demands, although it is unclear whether these are leftovers from the January attacks or servers are being hijacked even as we speak.
Karsten Hahn discovered CainXPii screenlocker, which is from the same family as Hitler Ransomware. This ransomware does not encrypt a victim's files, but will delete a random file if you close it down.
Karsten Hahn discovered a Lithuanian ransomware called Joksy that demands payment via PayPal.
MalwareHunterTeam discovered a new ransomware called LockCrypt. This ransomware scrambles the filename and then appends an [id].lock extension to encrypted files and creates ransom notes named ReadMe.txt.
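Most of the families above are identified the way ID Ransomware identifies them: by the extension left on encrypted files and the name of the dropped ransom note. As an added illustration of that kind of indicator-based triage (my own example, not code from this article, from ID Ransomware, or from any of the researchers credited here), the Python below maps this week's reported extensions and note names to family names and runs them over a constructed directory listing. The indicator table is transcribed from the write-up; the legitimate-lockfile allow-list, the sample paths and the confidence levels are my own assumptions, added because generic names such as ReadMe.txt and the .lock suffix collide with ordinary files and must not be trusted on their own.

```python
from pathlib import PureWindowsPath

# Indicators transcribed from this week's write-up: family -> extensions
# appended to encrypted files and ransom-note filenames dropped beside them.
INDICATORS = {
    "Dviide": {"extensions": [".dviide"], "notes": []},
    "1337Locker": {"extensions": [".adr"], "notes": []},
    "DolphinTear": {"extensions": [".dolphin"], "notes": []},
    "SintaLocker": {"extensions": [], "notes": ["README_FOR_DECRYPT.txt"]},
    "Im Sorry": {"extensions": [".imsorry"], "notes": ["Read me for help thanks.txt"]},
    "R3store": {"extensions": [".r3store"], "notes": ["READ_IT.txt"]},
    "Adonio": {"extensions": [".andonio"], "notes": ["READ ME.txt"]},
    "OoPS Ramenware": {"extensions": [".ramen"], "notes": []},
    "Amnesia2 (.TRMT)": {"extensions": [".trmt"], "notes": ["HOW TO RECOVER ENCRYPTED FILES.TXT"]},
    "Resurrection": {"extensions": [".resurrection"], "notes": ["Readme.html"]},
    "KillSwitch": {"extensions": [".switch"], "notes": []},
    "Luxnut": {"extensions": [".locked"], "notes": []},
    "LockCrypt": {"extensions": [".lock"], "notes": ["ReadMe.txt"]},
}

# Assumed allow-list: ordinary build/package lockfiles that end in ".lock"
# and would otherwise be mistaken for LockCrypt output.
LEGIT_LOCKFILES = {
    "cargo.lock", "yarn.lock", "gemfile.lock", "composer.lock", "poetry.lock",
}


def match_indicators(path):
    """Return (family, kind) hits for one path; kind is 'extension' or 'note'.

    Matching is case-insensitive because Windows filesystems are, and the
    filename is taken with PureWindowsPath so both '\\' and '/' separators work.
    """
    name = PureWindowsPath(path).name.lower()
    if name in LEGIT_LOCKFILES:
        return []
    hits = []
    for family, ind in INDICATORS.items():
        if any(name.endswith(ext) for ext in ind["extensions"]):
            hits.append((family, "extension"))
        if name in {note.lower() for note in ind["notes"]}:
            hits.append((family, "note"))
    return hits


def triage(paths):
    """Aggregate hits per family into {family: (confidence, ext_hits, note_hits)}.

    Confidence (assumed scheme): 'high' when both an encrypted-file extension
    and a matching note are present, 'medium' on extensions alone, 'low' on a
    note alone, since generic note names are weak evidence by themselves.
    """
    evidence = {}
    for path in paths:
        for family, kind in match_indicators(path):
            counts = evidence.setdefault(family, {"extension": 0, "note": 0})
            counts[kind] += 1
    result = {}
    for family, counts in evidence.items():
        if counts["extension"] and counts["note"]:
            confidence = "high"
        elif counts["extension"]:
            confidence = "medium"
        else:
            confidence = "low"
        result[family] = (confidence, counts["extension"], counts["note"])
    return result


# Constructed directory listing for the demonstration (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.dviide",
    r"C:\Users\alice\Documents\photo.jpg.dviide",
    r"C:\Users\alice\Documents\READ_IT.txt",      # R3store note
    r"C:\Users\alice\Documents\notes.docx.r3store",
    r"C:\Users\alice\Desktop\Cargo.lock",         # legitimate lockfile, skipped
    r"C:\Users\alice\Desktop\ReadMe.txt",         # generic name, weak evidence
    r"C:\Users\alice\Pictures\cat.png",
]

if __name__ == "__main__":
    for family, (confidence, ext_hits, note_hits) in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{family}: {confidence} ({ext_hits} encrypted files, {note_hits} notes)")
```

On the sample listing this reports Dviide at medium confidence (two encrypted files, no note), R3store at high (extension plus its READ_IT.txt note) and LockCrypt only at low, because the lone ReadMe.txt is all it has once Cargo.lock is excluded. Hash-based or behavioural checks remain the stronger signal; this table is only the quick first pass an analyst would run before submitting samples to a service like ID Ransomware.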
That is it for this week! Hope everyone has a nice weekend!