Lots and lots of little crappy ransomware released this week with nothing new or innovative. We do have some interesting Spora stats, lots of new Jigsaw variants, a story on the decline of Locky, and of course an updated decryptor by Fabian Wosar, who continues to kick ransomware in the buttocks. Other than that, not really anything of significance.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctetsDanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @BleepinComputer, @erpscan, @barklyprotects

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

March 18th 2017

New MOTD Ransomware Discovered

A BleepingComputer member posted a new topic in the support forums about the new MOTD ransomware. This ransomware will encrypt files, append the .enc extension, and drop ransom notes named motd.txt.

March 19th 2017

In-Dev CryptoDevil Ransomware Adds Basic File Encryption

Emsisoft security researcher xXToffeeXx discovered a new variant of the in-development CryptoDevil ransomware that has started encrypting files. This variant will encrypt files in subfolders under the folder it runs from. When encrypting a file, it will add the .devil extension to the encrypted file's name.

A Jigsaw Ransomware Variant was Discovered Translated to Vietnamese

Michael Gillespie found a Jigsaw Ransomware that was translated to Vietnamese.

March 20th 2017

Numbers Show Locky Ransomware Is Slowly Fading Away

This article discusses how the number of Locky ransomware infections has been going down over the last 6 months and has reached an all-time low in March.

Indiana Ransomware Bill Would Send Crooks to Prison for up to 6 Years

A new Indiana bill plans to make ransomware attacks a crime on its own, punishable with a sentence from one to six years in prison, and a maximum fine of up to $10,000. House Bill 1444 was proposed last year by State Rep. Christopher Judy (R-Fort Wayne), passed the Indiana House of Representatives in late February, and will be heard tomorrow in the Senate Corrections and Criminal Law Committee, one of the few final steps before reaching the governor's desk.

PadCrypt is now Version 3.4.4

MalwareHunterTeam found a sample of the PadCrypt ransomware that is now at version 3.4.4. This is the ransomware that doesn't really infect many people, but keeps on chugging.

New Samas Variant Discovered

Michael Gillespie spotted a new Samas/SamSam ransomware uploaded to ID Ransomware that appends the extension .cifgksaffsfyghd and drops ransom notes named READ_READ_DEC_FILES.html.

March 21st 2017

New LLTP Ransomware Appears to be a Rewritten Venus Locker

A new ransomware called LLTP Ransomware or LLTP Locker, which targets Spanish-speaking victims, was discovered today by MalwareHunterTeam. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.

SAP Infrastructure Could Be Used to Deploy Ransomware on Enterprise Networks

ERPScan discovered a remote code execution flaw in the SAP Windows client that opens the door for ransomware attacks targeting enterprises that rely on various SAP products to manage and keep track of their business operations. SAP, a German company that makes enterprise software used by over 335,000 customers in 190 countries, patched the issue last week.

March 22nd 2017

We've Seen the Future of Ransomware and It's... User Friendly?

Barkly published an article about how Spora Ransomware has one of the most user-friendly payment systems.

Zorro Ransomware Released

BleepingComputer has discovered the Zorro Ransomware, which appends the .zorro extension to encrypted files and drops a ransom note named Take_Seriously (Your saving grace).txt.

HiddenTear Variant Called AngleWare Discovered

BleepingComputer discovered a new HiddenTear/MafiaWare variant called AngleWare that appends .AngleWare to encrypted files.

Modified Jigsaw Ransomware that puts the Payment Instruction in the Extension

Jakub Kroustek found a modified Jigsaw Ransomware, being dubbed Monument, that adds payment instructions as the extension for encrypted files. MalwareHunterTeam also noted that this ransomware is bundled with the Imminent Monitor RAT.

This extension is .To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours.

New Meteoritan Ransomware Targets Polish Victims

MalwareHunterTeam discovered a new ransomware called Meteoritan that targets Polish victims. This ransomware will drop ransom notes named where_are_your_files.txt and readme_your_files_have_been_encrypted.txt.

Updated Version of the Globe3 Decryptor Released

Fabian Wosar of Emsisoft released a new version of the Globe3 decryptor to support the latest variants. The decryptor can be downloaded here.

March 23rd 2017

Monument Jigsaw Ransomware Variant Bundling NSFW Screen Locker

MalwareHunterTeam discovered that the Monument Jigsaw variant is now using the DarkLocker 5 porn screenlocker.

Statistics on the Amount of Files Encrypted by Spora on 646 Victims Released

MalwareHunterTeam analyzed the files encrypted by Spora on 646 victims and released his analysis.

New HiddenTear Variant called LK Encryptor

MalwareHunterTeam discovered a new HiddenTear variant called LK Encryption.

March 24th 2017

New BTCWare Ransomware Released

MalwareHunterTeam is on fire with the discovery of the BTCWare ransomware. This appears to be a new CrptXXX variant. According to MHT, one person has already made a ransom payment.

SADStory Ransomware Released

And we end with a crappy ransomware discovered by MalwareHunterTeam called SADStory. This ransomware may be a variant of CryPy and uses an email address of tuyuljahat@hotmail.com, which used to be associated with KimcilWare.

