Typical week in ransomware with a lot of small little variants released and resurgence of activity from Crypt0L0cker. The biggest news this week is that someone posted the master decryption keys for the Dharma Ransomware in the BleepingComputer.com forums. These keys were analyzed by various anti-virus vendors and used to create decryptors for the Dharma Ransomware.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @malwrhunterteam, @demonslay335, @PolarToffee, DanielGallagher, @campuscodi, @struppigel, @JAMESWT_MHT, @Seifreed, @matthew_d_green, @JakubKroustek, @jiriatvirlab, @ESET, @avast_antivirus, @Malwarebytes, @ransomware_it, @DynamicAnalysis, @kaspersky, and @msftmmpc.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

February 25th 2017

Database Ransom Attacks Have Now Hit MySQL Servers

After the ransacking of MongoDB, ElasticSearch, Hadoop, CouchDB, and Cassandra servers, attackers are now hijacking hundreds of MySQL databases, deleting their content, and leaving a ransom note behind asking for a 0.2 Bitcoin ($235) payment.

New Damage Ransomware Discovered

Michael Gillespie found a sample of a new ransomware called Damage. This ransomware will encrypt files and append the .damage extension to the filename.

HiddenTear Based BarRax Ransomware has a Support Forum

Michael Gillespie found a HiddenTear based ransomware called BarRax. This ransomware will encrypt files and append the .BarRax extension to them. The bizarre part of this infection is that it also has a support forum. That's a good way to get busted.

New RaaS Portal Preparing to Spread Unlock26 Ransomware

A new Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware is behind the Unlock26 ransomware discovered this past week. First spotted two days ago, this ransomware operation is quite unique as it features a very minimal and direct style, with little-to-no instructions and simply designed ransom notes and ransom payment portal.

February 26th 2017

In-Dev Sardoninir Ransomware Includes 100 Email Account Credentials

I discovered a new in-dev ransomware called Sardoninir that includes 100 different email accounts that are used to send information about the victim to the ransomware developer. It appends the .enc extension to encrypted files.

Warning, the Crypt0l0cker Ransomware Arrives via PEC

Italian ransomware site Ransomware.it discusses how Crypt0L0cker, aka TorrentLocker, is digitally signing its spam emails using posta elettronica certificata (PEC).

Source: http://www.ransomware.it

February 28th 2017

A Few Thoughts on Cryptographic Engineering

Johns Hopkins cryptography professor Matthew Green wrote an interesting article about potential future methods of ransomware payment and key delivery. Definitely an interesting read.

New Ransomware called FileLocker Targeting Czech Victims

ESET malware analyst Jiri Kropac discovered a new Czech-o-Slovak ransomware called FileLocker. When encrypting files it will append the .ENCR extension to the filenames.

Decrypting after a Findzip ransomware infection

Malwarebytes wrote an article on how to decrypt files encrypted by the macOS Findzip ransomware.

March 1st 2017

Crypt0L0cker Ransomware is Back with Campaigns Targeting Europe

The Crypt0L0cker ransomware, otherwise known as Torrentlocker or Teerac, was a common ransomware infection that mostly targeted Australia and European countries in 2014. Towards the middle of 2015, though, this ransomware slowly started dying off to the point that it was hardly distributed anymore.

Fast forward to the beginning of February 2017, where we are now seeing Crypt0L0cker making a strong comeback and targeting European countries once again.

Locky Ransomware Variant is Digitally Signed

Microsoft MMPC spotted a sample of the Locky Ransomware being distributed that is digitally signed. This variant continues to append the .OSIRIS extension to encrypted files.

Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com

Out of the blue, someone posted in the BleepingComputer.com forums the supposed master decryption keys for the Dharma Ransomware. This post was created at 1:42 PM EST by a member named gektar in the Dharma Ransomware Support Topic and contained a Pastebin link to a C header file that supposedly contains these master decryption keys.

In-Development KRider Ransomware Discovered

MalwareHunterTeam discovered a new in-development ransomware called KRider. This ransomware appends the .kr3 extension to encrypted files.

It is Getting Harder to Tell Ransomware Apart

Avast researcher Jakub Kroustek shows that it is becoming harder and harder to tell what ransomware family a new variant belongs to. Jakub has discovered a new variant that appends the .SN-%ID%-info@kraken.cc_worldcza@email.cz extension to encrypted files. Is this a new Crysis variant? Who knows.

Podcast: ID Ransomware creator offers expert advice on how to defeat cybercriminals

ID-Ransomware creator Michael Gillespie was a guest on Carbonite's Fight Ransomware podcast.


Malware Breakdown discovered that the ASN1 ransomware is being distributed by the RIG exploit kit. This ransomware will create ransom notes named !!!!!readme!!!!!.htm, but no extensions are appended to encrypted files.

Source: https://malwarebreakdown.com

March 2nd 2017

Kaspersky Releases Decryptor for the Dharma Ransomware

Kaspersky has tested the keys that were released for Dharma and has determined that they are indeed legitimate. Using these keys, Kaspersky updated their RakhniDecryptor so that it can decrypt Dharma encrypted files. I tested this and the decryption worked flawlessly. Soon after, ESET and Avast released decryptors for Dharma as well.

Cerber Ransom Note Found in Two Android Apps on Google Play Store

ESET discovered that the ransom notes from Cerber ransomware infections have been found inside the source code of two Android applications available on the official Google Play Store.

New Ransomware Based on MafiaWare Source Code

MalwareHunterTeam found a sample of a new ransomware being developed that is based off the MafiaWare source.

March 3rd 2017

New HiddenTear Ransomware called FabSysCrypto Discovered

GData security researcher Karsten Hahn discovered a new HiddenTear based ransomware called FabSysCrypto. This ransomware copies Locky's ransom note.
