Wow! What a brutal week. This week we have 36 ransomware stories, with 10 of them being on May 1st alone. Most of the new ransomware releases continue to be real crap, but together they add up to a wave of garbage that can do some serious harm. We also saw previously small distributions gearing up with larger MALSPAM campaigns, such as GlobeImposter.

The good news is that we also have an updated decryptor released by Emsisoft for the CryptON ransomware and a decryptor for BTCWare released by Michael Gillespie.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @struppigel, @demonslay335, @DanielGallagher, @malwrhunterteam, @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @malware_traffic, @FraMauronz, @JaromirHorejsi, @emsisoft, @sec_panda, @drProct0r, @TrendMicro, @McAfee, and @RecordedFuture.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

April 29th 2017

New HiddenTear variant called Mini Ransomware 

BleepingComputer discovered a new in-development HiddenTear variant called Mini Ransomware. This ransomware appends the .maya extension to encrypted files and drops a ransom note named READ ME.txt.

April 30th 2017

New Ransomware called RSAUtil

Emsisoft malware researcher xXToffeeXx discovered a new ransomware called RSAUtil. The ransomware appends the .helppme@india.com.ID83994902 extension to encrypted files and creates a ransom note named How_return_files.txt. It uses the payment email addresses helppme@india.com and hepl1112@aol.com.

New DeadSec-Crypto v2.1 Ransomware Found

BleepingComputer found a new in-development ransomware targeting Brazilian victims called DeadSec-Crypto v2.1 Ransomware. It currently does not do much other than display a form and delete some test files.

May 1st 2017

New version of the CryptoMix Ransomware Using the Wallet Extension

R0bert R0senb0rg discovered a new CryptoMix, or CryptFile2, variant that is now using the .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying, as it makes it more difficult for victims to identify which ransomware they are infected with when they perform web searches: the .WALLET extension has already been used by Dharma/Crysis and Sanctions, and now CryptoMix uses it too. The current payment email addresses are shield0@usa.com, admin@hoist.desi, and crysis@life.com.

MIKOYAN Ransomware Discovered

MalwareHunterTeam discovered a new in-development ransomware called MIKOYAN. It appends the .MIKOYAN extension to encrypted files and uses the email address mikoyan.ironsight@outlook.com.

Extractor Ransomware Discovered

xXToffeeXx discovered a ransomware called Extractor that appends the .xxx extension to encrypted files and creates a ransom note named ReadMe_XXX.txt. It uses the payment email serverrecovery@mail.ru.

Ruby Ransomware Discovered

MalwareHunterTeam spotted a dev named Hayzam Sherif working on a Ruby ransomware. The ransomware will append the .ruby extension to encrypted files and create a ransom note on the desktop called rubyLeza.html.

Troldesh Channeling some James Bond With Its New Extension

Avast malware researcher Jakub Kroustek found a sample of Troldesh that uses the .crypted000007 extension for encrypted files.

New Maykolin Discovered

Malware researcher SecPanda discovered a new ransomware called Maykolin. This ransomware will append the .[maykolin1234@aol.com] extension to encrypted files and drop a ransom note named README.maykolin1234@aol.com.txt. It has a payment email of maykolin1234@aol.com.

New Amnesia Ransomware Discovered

xXToffeeXx discovered a new ransomware that appends the .amnesia extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT. It uses the payment email s1an1er111@protonmail.com.

Sample of FileFrozr Ransomware Discovered

Jakub Kroustek discovered a sample of the new FileFrozr RaaS that uses the Windows Cipher.exe tool to wipe free space in order to make it harder to recover deleted originals of the encrypted files. It drops a ransom note named READ_ME.txt.
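A defender-side check for the Cipher.exe free-space wipe described above, added here as an example and not code from the original post or from any of the researchers named. The "image=... cmdline=..." event line format and the sample events are constructed assumptions standing in for an EDR or Sysmon process-creation export; only the `/w:` switch (overwrite unallocated space) is flagged, not other cipher uses.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). The line
# format is an assumption made for this example.
SAMPLE_EVENTS = [
    r'image=C:\Windows\System32\cipher.exe cmdline="cipher.exe /w:C:\"',
    r'image=C:\Windows\System32\cipher.exe cmdline="cipher /e C:\Users\bob\docs"',
    r'image=C:\Users\bob\AppData\Local\Temp\frozr.exe cmdline="frozr.exe"',
    r'image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c cipher /W:D:\ "',
]

EVENT_RE = re.compile(r'^image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into its image path and command line."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    return {"image": m.group("image"), "cmdline": m.group("cmdline")}


def is_free_space_wipe(cmdline: str) -> bool:
    """True when the command line runs cipher with /w:, the switch that
    overwrites unallocated space on a volume. Other cipher switches
    (/e, /d, /k) are left alone, since they are routine EFS operations."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    invokes_cipher = any(
        t in ("cipher", "cipher.exe") or t.endswith("\\cipher.exe") for t in tokens
    )
    has_wipe_switch = any(t.startswith("/w:") for t in tokens)
    return invokes_cipher and has_wipe_switch


def find_wipe_events(lines: List[str]) -> List[str]:
    """Return the command lines that look like a free-space wipe.
    Legitimate secure-deletion jobs use cipher /w too, so a hit should be
    correlated with the parent process and with mass file renames or
    ransom-note drops before it is treated as ransomware activity."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_free_space_wipe(ev["cmdline"]):
            hits.append(ev["cmdline"])
    return hits


if __name__ == "__main__":
    for hit in find_wipe_events(SAMPLE_EVENTS):
        print("possible free-space wipe:", hit)
```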

Remove Cry128 ransomware with Emsisoft’s free decrypter

Today, Emsisoft CTO and malware researcher Fabian Wosar released a free decrypter for the most recent strain from the CryptON ransomware family, 'Cry128'. Victims can now decrypt their files for free!

CRYPTOBOSS Amnesia Variant

A member of the BleepingComputer forums posted about what appears to be another variant of the Amnesia ransomware discovered earlier this week. This one scrambles an encrypted file's name and then appends the .CRYPTBOSS extension.

May 2nd 2017

New GlobeImposter Variant Tells You to Stay Calm!

MalwareHunterTeam discovered a new variant of GlobeImposter that uses the .keepcalm extension.

New F*!kTheSystem Ransomware Variant

Karsten Hahn discovered a new ransomware that appends the .anon extension to encrypted files. You can use StupidDecryptor to decrypt files affected by this ransomware.

Russian vCrypt Ransomware Discovered

MalwareHunterTeam discovered the vCrypt ransomware that is targeting Russian victims. The ransomware appends the .vCrypt1 extension to encrypted files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.

PEC 2017 Ransomware Discovered

xXToffeeXx discovered the Italian PEC 2017 ransomware. PEC 2017 appends the .pec extension to encrypted files and creates a ransom note named AIUTO_COME_DECIFRARE_FILE.html.

Haters Ransomware Discovered

Malwarebytes malware researcher Marcelo Rivero discovered the Haters Ransomware. This ransomware will append the .haters extension to encrypted files. You can use StupidDecryptor to decrypt files affected by this ransomware.

Xncrypt Ransomware Discovered

Avast malware analyst Jaromir Horejsi discovered a new ransomware that appends the .xncrypt extension to encrypted files. You can unlock the screenlocker and decrypt the files by entering 20faf12b60854f462c8725b18614deac. You can also use StupidDecryptor to decrypt files affected by this ransomware.

Spyware + Ransomware Combo Discovered

G Data malware researcher Karsten Hahn discovered that someone is developing malware that incorporates both spyware and ransomware functionality.

May 3rd 2017

Cerber Ransomware Version 6 Gets Anti-VM and Anti-Sandboxing Features

Researchers at Trend Micro and McAfee have spotted version 6 of the Cerber ransomware, and this new edition continues to add new features, heightening the overall complexity this ransomware family has been showing.

New Variant of BTCWare Discovered

Karsten Hahn discovered a new BTCWare variant that utilizes the .cryptowin extension.

Screenlocker in Development

Karsten Hahn discovered a new in-dev screenlocker. The unlock code is KUrdS12@!#.

New ShellShock Variant Called X0LZS3C

MalwareHunterTeam discovered a new ShellShock variant called X0LZS3C. This variant appends the .x0lzs3c extension to encrypted files.

BTCWare Decryptor Released

Michael Gillespie and Francesco Muroni joined forces to release a decryptor for BTCWare that supports the free decryption of files with the .cryptowin, .cryptobyte, and .btcware extensions.

Clouded Ransomware Discovered

BleepingComputer discovered a new ransomware called Clouded Ransomware. This ransomware appends the .cloud extension to encrypted files.

"BLANK SLATE" MALSPAM STARTS PUSHING GLOBEIMPOSTER RANSOMWARE VARIANT

Palo Alto Networks researcher Brad Duncan discovered a MALSPAM campaign that is pushing the GlobeImposter ransomware. The distributed variant appends the .crypt extension to encrypted files and drops a ransom note called How_to_back_files.html.

May 4th 2017

New Ransomware called Rans0mLocker

BleepingComputer discovered a new ransomware called Rans0mLocker. This ransomware appends the .owned extension to encrypted files. It communicates with its Command & Control server through a downloaded TOR client.

Anti-DDOS ScreenLocker/Ransomware Discovered

MalwareHunterTeam discovered another junk screenlocker/ransomware based on open source code. You can use StupidDecryptor to decrypt files affected by this ransomware.


May 5th 2017

New Fatboy Ransomware-as-a-Service Advertised on Russian Hacking Forum

According to threat intelligence firm Recorded Future, a new Ransomware-as-a-Service (RaaS) portal is being advertised on an underground hacking forum primarily used by Russian-speaking criminals.

New Jigsaw Variant Masquerading as a Credit Card Generator

MalwareHunterTeam found a new variant of Jigsaw masquerading as a credit card generator. It appends the .fun extension and uses the following background.


NewHT Ransomware Discovered

A new ransomware called NewHT was discovered by Karsten Hahn. Could NewHT mean New HiddenTear? We will have to see. Regardless, the ransomware appends the .htrs extension to encrypted files and drops a ransom note named readme.txt. It has some rudimentary virtual machine detection.

New ZipLocker Variant Discovered

Karsten Hahn discovered a new variant of the ZipLocker ransomware. This ransomware will zip up the targeted files into password-protected zip files named [original_file_name]+locked.zip. It will also drop a ransom note named UnlockMe.txt. The current password for the zip files is Destroy.


Whew. Thankfully that's over as it has been a rough week with ransomware. Hope everyone has a nice and safe weekend!