This week saw some rather large or interesting ransomware releases. We have a new CryptoMix variant called Revenge being distributed via the RIG exploit kit, and we have someone modifying Petya to obtain their own ransomware without having to write one from scratch. We also have a Star Trek themed ransomware called Kirk Ransomware.

Some good news is that Fabian Wosar of Emsisoft released a decryptor for the Damage Ransomware and an updated decryptor for CryptON.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @hasherezade, @siri_urz, @jiriatvirlab, @Malwarebytes, @Jan0fficial, @kaspersky, @msftmmpc, @BroadAnalysis, and @BleepinComputer.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

March 11th 2017

ID-Ransomware can now Identify Files Encrypted by Spora

ID-Ransomware can now identify files encrypted by the Spora Ransomware, thanks to analysis of the file marker posted by @hasherezade.

New SamSam Variant Discovered

Michael Gillespie discovered a Samas/SamSam variant that appends the .iaufkakfhsaraf extension to encrypted files and drops a ransom note named IF_WANT_FILES_BACK_PLS_READ.html.

Emsisoft Releases a Decryptor for the Damage Ransomware

Fabian Wosar of Emsisoft live streamed his analysis of the Damage Ransomware and was able to build a decryptor while people were watching. The Damage decryptor is available here.

RozaLocker Ransomware Discovered

Jiri Kropac discovered a new Russian ransomware called RozaLocker that requests 10,000 Rubles to decrypt a victim's files. RozaLocker appends the .ENC extension to encrypted files.

March 12th 2017

New French Ransomware Discovered

Malwarebytes researcher S!Ri discovered a new ransomware targeting French victims.

March 13th 2017

Embittered Enjey Ransomware Developer Launches DDoS Attack on ID Ransomware

The ID Ransomware service was hit by two DDoS attacks launched by the author of the Enjey ransomware, embittered after ID Ransomware's creator, Michael Gillespie, had found a way to decrypt his ransomware.

Ŧl๏tєгค гคภร๏๓ฬคгє Discovered

MalwareHunterTeam discovered a new ransomware called Ŧl๏tєгค гคภร๏๓ฬคгє. It appears to be a renamed version of Vortex.

PadCrypt is now Version 3.4.1

MalwareHunterTeam found a sample of the PadCrypt ransomware that is now at version 3.4.1. For a ransomware that is hardly distributed, the developers still continuously update it.

Ransomware Hunt for Project34 Ransomware Initiated

Michael Gillespie set off a ransomware hunt for a ransomware called Project34. This ransomware prepends to filenames and drops a note called ПАРОЛЬ.txt.

March 14th 2017

PetrWrap Ransomware Is a Petya Offspring Used in Targeted Attacks

Kaspersky Lab discovered a heavily modified, but "unauthorized" version of the Petya ransomware being used in targeted attacks on a small number of organizations.

Named PetrWrap, this Petya offspring is part of the arsenal of a new threat actor that's hacking corporate networks and then using the Windows PsExec utility to install PetrWrap on vulnerable servers and endpoints.

Malwarebytes Researchers Hack into Soon-to-be-Launched RaaS Portal

Malwarebytes disrupted a ransomware author's plans to launch a RaaS portal after they managed to infiltrate the crook's command and control server, hosted on a common shared hosting provider.

Spora Ransomware Utilizing a New Domain

MalwareHunterTeam noticed that Spora added a new domain yesterday called torifyme[.]com.

New Jigsaw Variant Released

Michael Gillespie discovered a new variant of the Jigsaw Ransomware that appends the extension to encrypted files.

Hermes Ransomware Version 2.0 Released

Michael Gillespie noted that someone uploaded a file encrypted by the Hermes v2 ransomware to ID-Ransomware.

Decryptor for the Hermes Ransomware Released

Michael Gillespie published a decryptor for the Hermes Ransomware with help from Fabian Wosar of Emsisoft.

Russian Educational Screenlocker Found

MalwareHunterTeam found a Russian educational screenlocker sample that tries to teach the victim a lesson.

New Karmen RaaS Discovered

A new in-development Ransomware as a Service, or RaaS, called Karmen has been discovered by MalwareHunterTeam.

March 15th 2017

Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit

Broad Analysis discovered a new CryptoMix, or CryptFile2, variant called Revenge that is being distributed via the RIG exploit kit. This variant appends the .REVENGE extension to encrypted files and drops a ransom note named # !!!HELP_FILE!!! #.txt.

A Turkish Fake CTB-Locker Discovered

Avast malware researcher Jakub Kroustek discovered a Turkish ransomware that impersonates CTB-Locker. This ransomware appends the .encrypted extension to encrypted files and drops a ransom note named Beni Oku.txt.

HiddenTear Variant Wants People to Post on Facebook

GData malware analyst Karsten Hahn found a HiddenTear variant created by someone named Anony that requires victims to post on Facebook to get a decryption key.

March 16th 2017

Trend: Ransomware Hidden in NSIS Installers Harder to Detect

Microsoft's Malware Protection Center has recently observed a change in the way malware authors deploy malicious code via NSIS installers. The changes are at the lowest levels of the installers, in how files are arranged and named inside them. These changes are completely invisible to end users but are enough to break common security threat detection systems.

Recent activity with new model of NSIS installers (via MMPC)

Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor!

Jakub Kroustek discovered a new ransomware called Kirk Ransomware. Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?

This ransomware appends the .Kirked extension to encrypted files and drops a note called RANSOM_NOTE.txt.

Lick Ransomware, a variant of Kirk Ransomware, Discovered

Jakub Kroustek discovered another variant of the Kirk Ransomware called Lick Ransomware. This variant works pretty much the same way as Kirk, but also uploads a copy of the encrypted key and other information to Pastebin. This ransomware appends the ..Licked extension to encrypted files and drops a note called RANSOM_NOTE.txt.

CryptoDevil Screenlocker Discovered

A very ugly screen locker called "Ramsomware.CryptoDevil" was discovered by MalwareHunterTeam. The unlock code is kjkszpj. The file properties state it was created by someone going by the alias of "mutr0l".


RoshaLocker 2.0 Stores Files in Password Encrypted RAR Files

Malwarebytes malware researcher S!Ri found RoshaLocker 2.0, which stores a victim's files in a password protected RAR archive and then demands a ransom for the archive password.

CryptON Decryptor Updated

Fabian Wosar of Emsisoft released an updated decryptor for CryptON to handle the latest variant. The decryptor can be downloaded here.

March 17th 2017

New ZinoCrypt Ransomware - 2017 Edition

MalwareHunterTeam discovered a new ransomware called ZinoCrypt Ransomware - 2017 Edition. ZinoCrypt drops a ransom note named ZINO_NOTE.TXT and appends the .ZINO extension to encrypted files.

New Crptxxx Ransomware

A new ransomware was discovered by MalwareHunterTeam that appends the .crptxxx extension to encrypted files and drops a ransom note named HOW_TO_FIX_!.txt.

New Jigsaw Variant Discovered with New Background

Jakub Kroustek discovered a new variant of the Jigsaw ransomware that utilizes a new background.

DH_File_Locker Ransomware Builder Discovered

Jªn Poulsen discovered a builder for the DH_File_Locker Ransomware.

Trident File Locker Ransomware Builder Discovered

Jªn Poulsen discovered a builder for the Trident File Locker.

New MacAndChess HiddenTear Variant

Karsten Hahn discovered a new HiddenTear variant called MacAndChess Ransomware.

March 18th 2017

BrainCrypt Decryptor Released

Michael Gillespie released a decryptor for the BrainCrypt Ransomware. This decryptor will decrypt files that have the following string appended to them: .[].braincrypt. The decryptor can be downloaded here.
