What a crazy end of the week we had with the WanaCrypt0r RansomApocaGeddonWare! This ransomware literally took the entire world by storm by utilizing the NSA EternalBlue SMBv1 exploit to install ransomware on many high profile victims.

While that was definitely the big news of the week, we also saw a bunch of decryptors released, some new smaller variants released, and a new ransomware called Jaff being distributed by Necurs. All-in-all, this has been a pretty crappy week when it comes to ransomware and its victims. 

Contributors and those who provided new ransomware information and stories this week include: @MalwareTechBlog, @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @siri_urz, @malware_traffic, @Malwarebytes, @CryptoInsane, @emsisoft, and @wandera.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

May 6th 2017

New variant of the Enjey Ransomware Discovered

Michael Gillespie discovered a new variant of the Enjey ransomware that uses the extension .encrypted.decrypter_here@freemail.hu.enjey for encrypted files.

Amnesia Decryptor Released

Emsisoft's CTO Fabian Wosar released a decryptor for the Amnesia Ransomware. The decryptor can be downloaded here.

New Variant of the Jigsaw Ransomware Uses the Pay Extension

Michael Gillespie found a new sample of the Jigsaw Ransomware that uses the extension .PAY for encrypted files. Michael's Jigsaw Decryptor has been updated to support this variant.

FrozrLock Ransomware Advertised on the Dark Web As "Great Security Tool"

Bleeping Computer's security editor Catalin Cimpanu, with the help of David Montenegro and Jakub Kroustek, took a look at a new Ransomware-as-a-Service that has become available on the Dark Web, named FrozrLock. This new RaaS is available for only $220 and is advertised under the tagline of "great security tool that encrypts most of your files in several minutes."

May 7th 2017

Crypto-Blocker Ransomware Released & Decrypted

Malwarebytes malware researcher S!Ri discovered a new ransomware called CryptoBlocker. Use code 01001 to unlock and decrypt or use StupidDecryptor.

Taiwan Forum was Distributing the ThunderCrypt Ransomware

A BleepingComputer member posted about a Taiwan forum called eyny that was distributing a ransomware called ThunderCrypt. 

May 8th 2017

Victimized by ransomware, law firm sues insurer for $700K in lost billings

ABA Journal had a story on how a company filed a lawsuit against its insurer over coverage for a ransomware attack that locked down the firm’s computer files for three months.

News Brief: BitKangoroo Ransomware Deletes Your Files If You Do not Pay

BleepingComputer found a new ransomware called BitKangoroo. In summary, this ransomware will encrypt a victim's files using AES-256 encryption and append the .bitkangoroo extension to encrypted files. It will then display a 60 minute countdown that when reached will cause the ransomware to delete one encrypted file. Once it deletes a file, it will reset the timer back to 60 minutes. Most importantly, this ransomware can be decrypted for free using Michael Gillespie's BitKangarooDecrypter.

May 9th 2017

The Gruxer Ransomware Packs a 3-in-1 Punch

BleepingComputer discovered a new ransomware that is delivered by a loader that includes the Gruxer screenlocker, a copy of HiddenTear, and an image infector that injects a PNG file into JPG files. Bizarre little program.

New Variant of the BTCWare Released

MalwareHunterTeam found a new sample of BTCWare that utilizes the .[sql772@aol.com].theva extension for encrypted files.

NemeS1S RaaS Is PadCrypt Ransomware's Affiliate System

A portal hidden on the Dark Web is responsible for the small deluge of recent PadCrypt ransomware versions that have been spotted almost on a monthly basis in the past year.

RSAUtil Ransomware (.helppme@india.com) Installed Via Hacked Remote Desktop Services

Today we are going to take a quick look at a new ransomware called RSAUtil that was discovered by Emsisoft malware researcher xXToffeeXx. RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself. 

May 10th 2017

The vCrypt Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called vCrypt. The ransomware will append the .vCrypt1 extension to encrypted files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.

South Korean Election Themed Screenlocker Discovered

MalwareHunterTeam discovered a prank screenlocker whose theme is the candidates of the South Korean election.

New Locky Variant Continues the Norse Mythology Theme

Emsisoft security researcher xXToffeeXx discovered a new variant of Locky that continues the Norse mythology theme for encrypted file extensions. This variant appends the .loptr extension to encrypted files and drops a ransom note named loptr-*4characters*.htm.

Updated Amnesia Decryptor Released

Emsisoft's Fabian Wosar released an updated Amnesia decryptor that supports all existing variants of the ransomware.

May 11th 2017

Jaff Ransomware Distributed via Necurs MALSPAM and asking for a $3,700 Ransom

A new ransomware was found today by MalwareHunterTeam called Jaff Ransomware. In general, there is nothing special about this ransomware other than it is being heavily distributed and that they stole the payment site HTML from Locky. Otherwise, Jaff is your garden variety ransomware that encrypts files using AES encryption and appends the .jaff extension to encrypted files.
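Several of this week's entries (Enjey, Jigsaw, BitKangoroo, BTCWare, vCrypt, the .loptr Locky variant and Jaff) are identified on disk only by the extension they append or the ransom note they drop. The script below is an added example, not code from BleepingComputer or any of the researchers named above: it sweeps a directory tree for those indicators and reports which family each hit points to, together with the decryptor the article mentions where one exists. The indicator table is taken from the entries above; the scan root and the cap on sampled paths are assumptions for illustration.

```powershell
# Added example (not from the article): triage sweep for the encrypted-file
# extensions and ransom-note names reported in this week's entries.

function Get-RansomwareIndicatorTable {
    # Family, appended extension and ransom-note pattern as reported in the article.
    # 'Decryptor' records where the article says a free decryptor is available.
    @(
        [pscustomobject]@{ Family='Enjey';       Extension='.encrypted.decrypter_here@freemail.hu.enjey'; NotePattern=$null; Decryptor='' }
        [pscustomobject]@{ Family='Jigsaw';      Extension='.PAY';                    NotePattern=$null; Decryptor='Jigsaw Decryptor' }
        [pscustomobject]@{ Family='BitKangoroo'; Extension='.bitkangoroo';            NotePattern=$null; Decryptor='BitKangarooDecrypter' }
        [pscustomobject]@{ Family='BTCWare';     Extension='.[sql772@aol.com].theva'; NotePattern=$null; Decryptor='' }
        [pscustomobject]@{ Family='vCrypt';      Extension='.vCrypt1';  NotePattern='^КАК_РАСШИФРОВАТЬ_ФАЙЛЫ\.txt$'; Decryptor='' }
        [pscustomobject]@{ Family='Locky';       Extension='.loptr';    NotePattern='^loptr-.{4}\.htm$';           Decryptor='' }
        [pscustomobject]@{ Family='Jaff';        Extension='.jaff';                   NotePattern=$null; Decryptor='' }
    )
}

function Find-RansomwareArtifacts {
    param(
        [Parameter(Mandatory)][string]$Root,   # assumed scan root, e.g. a user profile or share
        [int]$MaxSamplePaths = 20              # assumed cap on example paths kept per family
    )
    $table = Get-RansomwareIndicatorTable
    $hits  = @{}

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $name = $_.Name
        foreach ($ind in $table) {
            # Extensions are matched as a suffix because several contain more than one dot.
            $isEncrypted = $name.EndsWith($ind.Extension, [System.StringComparison]::OrdinalIgnoreCase)
            $isNote      = $ind.NotePattern -and ($name -match $ind.NotePattern)
            if (-not ($isEncrypted -or $isNote)) { continue }

            if (-not $hits.ContainsKey($ind.Family)) {
                $hits[$ind.Family] = [pscustomobject]@{
                    Family         = $ind.Family
                    EncryptedFiles = 0
                    RansomNotes    = 0
                    Decryptor      = $ind.Decryptor
                    SamplePaths    = [System.Collections.Generic.List[string]]::new()
                }
            }
            $h = $hits[$ind.Family]
            if ($isEncrypted) { $h.EncryptedFiles++ } else { $h.RansomNotes++ }
            if ($h.SamplePaths.Count -lt $MaxSamplePaths) { $h.SamplePaths.Add($_.FullName) }
        }
      }

    $hits.Values | Sort-Object EncryptedFiles -Descending
}

# Usage: summarise which families have left traces under the assumed root.
Find-RansomwareArtifacts -Root 'C:\Users\Public' |
    Select-Object Family, EncryptedFiles, RansomNotes, Decryptor |
    Format-Table -AutoSize
```

A hit on a ransom note with zero encrypted files usually means the scan root is wrong or the files were already cleaned up; a large EncryptedFiles count for a family with an entry in the Decryptor column is the case where recovery without paying is possible, which is the decision this sweep is meant to inform.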

Jaff ransomware: The new Locky?

Emsisoft posted a blog about the new Jaff Ransomware.

Jaff is written in C and is packed using a custom malware obfuscator. Obfuscators are tools that are used by malware authors to hide malware underneath potentially multiple layers of encryption and compression in order to make their analysis more difficult.

SLocker Android Ransomware Makes Furious Comeback with 400 New Variations

The SLocker Android ransomware is back with a new wave of infections, after previously wreaking havoc in the summer of 2016. This recent wave of infections was spotted by security firm Wandera, who reported yesterday about a new wave of infections that targeted users towards the start of the year.

May 12th 2017

GruXer Switches to a Matrix Like Background for the Lock Screen

MalwareHunterTeam found a new sample of GruXer that uses a Matrix-like background for the lock screen. Still does not encrypt.

aCrypt Ransomware Rebrands as bCrypt.  Huh?

First it was vCrypt. Then they changed to aCrypt. Now MalwareHunterTeam found that it switched to bCrypt? These devs are clearly watching Sesame Street.

Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak

The day started with a new version of an older ransomware that was making a large number of victims in Spain...

Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

... but then turned into the biggest ransomware outbreak the Internet has ever seen, courtesy of NSA exploits leaked by the Shadow Brokers last month. The ransomware's name is Wana Decrypt0r, also known as WannaCry, WanaCrypt0r, WannaCrypt, and WCry. At the time of writing, victims had passed 57,000 and growing.

Wana Decryptor / WanaCrypt0r Technical Nose Dive

What's a massive ransomware outbreak without a technical nose dive? In this article we answer some questions about WanaCrypt0r and explain how it encrypts a computer.


Global WannaCry ransomware outbreak uses known NSA exploits

Emsisoft has some good technical reading about Wcry and the various key files that it utilizes. A good read for those who want to get more technical info about this ransomware.

Animated Map of How Tens of Thousands of Computers Were Infected With Ransomware

The New York Times took the data collected by MalwareTech and made a time-lapsed heat map of WannaCry victims. Really interesting to see.

The worm that spreads WanaCrypt0r

Malwarebytes has some great technical coverage about the worm that spread Wana Decrypt0r.

May 13th 2017

Wana Decrypt0r Ransomware Outbreak Temporarily Stopped By "Accidental Hero"

A security researcher who goes online by the nickname of MalwareTech is the hero of the day, albeit an accidental one, after having saved countless computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referenced as WCry, WannaCry, WannaCrypt, and WanaCrypt0r).

Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r

Following the massive Wana Decrypt0r ransomware outbreak from yesterday afternoon, Microsoft has released an out-of-band patch for older operating systems to protect them against Wana Decrypt0r's self-spreading mechanism.
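The self-spreading mechanism the patch addresses is the SMBv1 exploit mentioned at the top of this post, so the first thing to check on any Windows host is whether SMBv1 is still enabled at all. The script below is an added example, not code from Microsoft or from this post: it reports the server-side SMBv1 switch, the state of the SMB1Protocol optional feature, and whether anything is listening on TCP 445, and it includes a function that turns SMBv1 off. The cmdlets are the standard SmbShare, DISM and NetTCPIP module cmdlets found on Windows 8/Server 2012 and later; the SMB1Protocol feature name applies to client SKUs, and the function names are this script's own.

```powershell
# Added example (not from the article): audit a Windows host for SMBv1 exposure.
# Run from an elevated prompt; the feature and connection queries need it.

function Get-Smb1Status {
    $result = [ordered]@{
        ServerSmb1Enabled = $null   # SmbShare server-side protocol switch
        Smb1FeatureState  = $null   # DISM optional-feature state (client SKUs)
        Port445Listening  = $false  # is SMB reachable on the wire at all?
    }

    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.ServerSmb1Enabled = [bool]$cfg.EnableSMB1Protocol }

    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureState = [string]$feat.State }

    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listen

    [pscustomobject]$result
}

function Disable-Smb1 {
    # Set-SmbServerConfiguration applies to new sessions immediately;
    # removing the optional feature completes on the next reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Usage: report the current state and flag hosts that still need attention.
$status = Get-Smb1Status
$status | Format-List
if ($status.ServerSmb1Enabled -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is still enabled on this host: apply the Microsoft patch and run Disable-Smb1.'
}
```

Disabling SMBv1 removes the protocol the worm component relies on, but it is a complement to the patch rather than a substitute for it, and on hosts that still depend on SMBv1 for legacy shares or printers the `Port445Listening` value is the reminder that the service remains reachable even after the protocol switch is flipped.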
