Another busy week in ransomware with kidz continuing to create WannaCry knockoffs and HiddenTear variants. While most of the ransomware we have seen this week will never be distributed, we did see a new variant of the Jaff ransomware that shows they are putting more time and effort into how their ransomware looks. Jaff is definitely a ransomware we need to keep an eye on.

This has also been a good week for the good guys as the author of AES-NI has decided to stop his project and release the master decryption keys. We have also seen updated decryptors for BTCWare, the "Stupid Ransomware" family, and an Avast decryptor that utilizes the released AES-NI keys.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @emsisoft, @siri_urz, @malware_traffic, @Malwarebytes, @MarceloRivero, @LadislavZezula, @MichalCebak, @drProct0r, and @avast_antivirus.

If you are interested in ransomware or infosec, I suggest you follow them on Twitter.

May 10th 2017

Updated BTCWare Decryptor Released

Updated BTCWare decryptor that supports the .theva and .onyon extensions was released by Michael Gillespie, with the help of @FraMauronz.

Another In-Dev WannaCry Imitation

BleepingComputer discovered a WannaCry imitator that goes by the name of Wana Decrypt0r 3.0. It does not currently encrypt anything.

May 20th 2017

In-Dev Ransomware Exfiltrates Image Files

MalwareHunterTeam found a new variant of an in-dev ransomware that is sending images to the dev's email address.

May 21st 2017

WannaCry Imitations Keep Coming

BleepingComputer found another WannaCry imitation that uses the original name of Wana Decrypt0r 2.0. Does not encrypt.

New In-Dev Ransomware called Decryption Assistant

BleepingComputer discovered a new in-dev ransomware called Decryption Assistant. It appends the .pwned extension to encrypted files. It only encrypts c:\chicken folder. Wimp.

D2+D Ransomware Discovered

BleepingComputer found an in-dev ransomware called the D2+D Ransomware. This does not encrypt and the unlock password is 215249148.

In-Dev Screenlocker called Unidentified

BleepingComputer found a new in-dev screenlocker called Unidentified. The unlock password is aSFDDJGFffhsfcksggFffuygRFFJFffyhFFRYHCDTFJGFjg4257427544.

BTCWare Decryptor Update

Michael Gillespie updated his decryptor so that if it cannot find the key for the .onyon variant, it can still try to decrypt files under a certain size.

May 22nd 2017

North Korea Denies Involvement in WannaCry Ransomware Outbreak

On Friday, North Korea denied allegations that it was somehow responsible for the WannaCry ransomware outbreak that affected over 240,000 computers in nearly 200 countries across the globe. Speaking at a press conference, Kim In Ryong, North Korea's deputy ambassador to the United Nations, called the allegations ridiculous and unfounded.

Another WannaCry Imitator Discovered

MalwareHunterTeam discovered another WannaCry decrypter clone. Come on you silly ransomware devs. Make this more interesting. Add a different logo or something.

Ransom Hunt on for VMola Ransomware

Michael Gillespie initiated a ransomware hunt for a ransomware that adds ( to a filename and drops a ransom note named Ransom.rtf.

May 23rd 2017

Jaff Ransomware Switches to the WLU Extension and Gets a New Design

A new variant of the Jaff ransomware was discovered by security researchers Brad Duncan & Marcelo Rivero that includes an updated design for the ransom note and the new WLU extension for encrypted files. Like the first variant of Jaff, this new version continues to be distributed through malspam campaigns that utilize malicious documents and macros to download and install the ransomware.

New CVLocker Discovered

GData researcher Karsten Hahn discovered a new in-dev ransomware called CVLocker. This ransomware does not currently encrypt.

In-dev Widia Screenlocker Discovered

BleepingComputer found a new screenlocker called Widia. It is written in Romanian and states "De la Sorin pt voi", which translates to "From Sorin to you". Just Alt+F4 it.

MemeWare Screenlocker Discovered

Someone named AlecK is designing the Memeware Screenlocker. You can use the unlock code of: 290134884

May 24th 2017

New Elmer's Glue Locker v1.0 Discovered

Karsten Hahn discovered a screenlocker called Elmer's Glue Locker. Yeah, we do not make up these names. Just boot to safe mode with networking and remove.

HiddenTear Variant called Deos Ransomware Discovered

Karsten Hahn discovered a HiddenTear variant called Deos. Like most HiddenTear crap, it's broken.

.NET Version of Cryptowall Discovered

Karsten Hahn discovered a .NET version of CryptoWall that appends the .wtdi extension to encrypted files. This ransomware can be decrypted.

Tech Support Scammers Are Exploiting Mass Hysteria Surrounding WannaCry

As everyone expected, scammers are attempting to cash in on the mass hysteria currently surrounding the WannaCry ransomware outbreak, a mass infection that took place over the weekend of May 12 to 14 and whose effects we still feel today.

MoWare HiddenTear Variant Discovered

Karsten Hahn discovered another HiddenTear variant called MoWare. MoWare will append the .H_F_D_locked extension to encrypted files.

Avast Releases a BTCWare Decryptor

Avast Software released a decryptor for the BTCWare Ransomware.

Xorist Ransomware Variant Spoofing XData

Michael Gillespie found a Xorist sample that is pretending to be XData by using the .xdata extension for encrypted files. Can be decrypted using Emsisoft's Xorist Decryptor.

Adonis Ransomware Scareware Discovered

MalwareHunterTeam found a sample of an AutoIT scareware called Adonis Ransomware. When analyzed by security researcher Jack, it was discovered that it does not encrypt files, but does drop ransom notes named EN.html and DE.html.

Thor Ransomware Discovered

These ransomware names are getting ridiculous. BleepingComputer discovered a new in-dev ransomware that encrypts files, but does not append a new extension. Sets the background to a picture of Thor.

Mother of All Viruses Trashes a Computer

BleepingComputer discovered a fake ransomware that creates a batch file that formats the hard drives in a computer.

4rw5w Ransomware Tries to Imitate WannaCry

BleepingComputer discovered the 4rw5w Ransomware, which really wants to imitate WannaCry. This ransomware contains a kill switch, similar file names for storing data and keys, and appends the .4rwcry4w extension to encrypted files.

May 25th 2017

AES-NI Ransomware Dev Releases Decryption Keys Amid Fears of Being Framed for XData Outbreak

The author of the AES-NI Ransomware has told BleepingComputer that he has decided to stop his "project" and release the master decryption keys for his ransomware. As promised, he has already released the keys for one variant and another master decryption key for the offline variant. He has told BleepingComputer that more decryption keys will be coming soon.

Linguistic Analysis Suggests WannaCry Ransomware Is the Work of a Chinese-Speaking Crook

According to a linguistic analysis of the WannaCry ransom notes by Jon Condra and John Costello, two Flashpoint researchers, the ransomware appears to be the work of a Chinese-speaking author. After analyzing each of WannaCry's localized ransom notes, available in 28 different languages, the two feel pretty confident the ransom note was written by persons fluent in Chinese, but also in English.

LightningCrypt Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Lightning Crypt. This ransomware will append the .LIGHTNING extension to encrypted files.

CrystalCrypt Ransomware Discovered

MalwareHunterTeam discovered a different variant of the above ransomware, but it's now called CrystalCrypt. This variant appends the .blocked extension to encrypted files.

Mancros+AI4939 Screenlocker

MalwareHunterTeam discovered a screenlocker called Mancros+AI4939.

BTCWare Switches to the .Xfile Extension

Michael Gillespie noticed that BTCWare changed the extension for encrypted files to .xfile and updated his decryptor to support it!

New Variant of DMALocker 3 Discovered

xXToffeeXx discovered that someone is using DMA Locker 3, asking for 1 BTC, and then instructing victims to email for payment instructions. Uses the !Encrypt! filemarker in encrypted files.

May 26th 2017

Avast Releases Decryptor for the AES-NI Ransomware

Avast Software has released a decryptor for the AES-NI Ransomware based on the master decryption keys released this week. Thx Ladislav Zezula & Jakub Kroustek!

New In-Dev Ransomware called WanaDie

MalwareHunterTeam discovered a new ransomware that appends the .WINDIE extension to encrypted files. Can be decrypted by Michael's StupidDecryptor.

StupidDecryptor Updated to Handle New Variants

Michael Gillespie has updated his StupidDecryptor to support the ransomware variants that append the .WINDIE and .fucking extensions to encrypted files.

New In-Development Crying Ransomware

BleepingComputer found a new in-development HiddenTear variant called Crying Ransomware or Cry Ransomware. This ransomware will encrypt files and append the .crying extension to encrypted files. It also drops a ransom note called READ_IT.txt that tells you to keep running the program until you see the form. Note to Dev: Remove Application.Exit().

Roblocker X Screenlocker Doesn't Like Roblox

ESET researcher Michal Cebak discovered an in-development screenlocker called Roblocker X that states it encrypts Roblox files. At this point it doesn't do anything but show the lock screen, which has a passcode of PooPoo. This screenlocker does not display the lock screen if a cmd prompt is open.

New Variant of GlobeImposter uses the .write_us_on_email Extension

R0bert R0senb0rg found a new variant of the GlobeImposter Ransomware that appends the .write_us_on_email extension to encrypted files.
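As an added example (not code from BleepingComputer or any of the researchers named above), here is a small Python triage script that sweeps a directory for the encrypted-file extensions, ransom note names and the DMA Locker 3 !Encrypt! file marker listed in this week's entries, so a responder can quickly see which family touched a share. The assumption that the marker sits within the first 4 KiB of a file, and the harmless sample tree it builds for a dry run, are mine and not from the page.

```python
import os
import tempfile
from pathlib import Path
# Extensions from this week's entries -> family (lowercased for case-insensitive matching).
EXTENSION_FAMILIES = {
    ".theva": "BTCWare", ".onyon": "BTCWare", ".xfile": "BTCWare", ".wlu": "Jaff",
    ".pwned": "Decryption Assistant", ".wtdi": "CryptoWall (.NET)", ".xdata": "Xorist (spoofing XData)",
    ".h_f_d_locked": "MoWare (HiddenTear)", ".4rwcry4w": "4rw5w", ".lightning": "LightningCrypt",
    ".blocked": "CrystalCrypt", ".windie": "WanaDie", ".crying": "Crying (HiddenTear)",
    ".write_us_on_email": "GlobeImposter",
}
# Ransom note file names from this week's entries -> family.
RANSOM_NOTES = {"ransom.rtf": "VMola", "read_it.txt": "Crying (HiddenTear)",
                "en.html": "Adonis scareware", "de.html": "Adonis scareware"}
# DMA Locker 3 marks encrypted files with !Encrypt!; assumed (not stated on the page) to sit in the first 4 KiB.
DMA_LOCKER_MARKER = b"!Encrypt!"

def classify_file(path):
    """Return the suspected family for one file (str or Path), or None if nothing matches."""
    path = Path(path)
    if path.name.lower() in RANSOM_NOTES:
        return RANSOM_NOTES[path.name.lower()]
    family = EXTENSION_FAMILIES.get(path.suffix.lower())
    if family:
        return family
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:  # unreadable or vanished file: skip it, don't abort the sweep
        return None
    return "DMA Locker 3" if DMA_LOCKER_MARKER in head else None

def triage_directory(root):
    """Walk root and group matching file paths by suspected family."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            family = classify_file(Path(dirpath) / fn)
            if family:
                hits.setdefault(family, []).append(os.path.join(dirpath, fn))
    return hits

def build_sample_dir():
    """Constructed sample tree (harmless stand-ins, not real encrypted files) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "report.docx.wlu").write_bytes(b"\x00" * 8)            # Jaff extension
    (root / "photo.jpg.H_F_D_locked").write_bytes(b"\x00" * 8)     # MoWare extension
    (root / "READ_IT.txt").write_text("keep running the program")  # Crying ransom note
    (root / "budget.xlsx").write_bytes(DMA_LOCKER_MARKER + b"\x00" * 16)  # DMA Locker 3 marker
    return str(root)
```

Run `triage_directory(build_sample_dir())` for a dry run; point it at a real share only after taking the host offline, since the sweep reads file headers and nothing else.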

That's it for this week. Hope everyone has a nice weekend!