Very busy ransomware week. We have two new ransomware infections being pushed out by exploit kits, some decryptors, and lots of small variants being released. The big news is the release of the master decryption keys for the CrySiS ransomware and Kaspersky's Rakhnidecryptor being updated to use them.

Contributors and those who provided new ransomware info this week include: @kafeine@malware_traffic@proofpoint, @msftmmpc, @fwosar, @demonslay335@kaspersky, @jorntvdw, @executemalware, @hasherezade@JakubKroustek, @struppigel, @TheWack0lian, @malwrhunterteam, @campuscodi, @siri_urz@PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @BleepinComputer.

If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

November 14th 2016

Master Decryption Keys and Decryptor for the CrySiS Ransomware Released.

In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,

These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim's files.

Researcher finds the Karma Ransomware being distributed via Pay-per-Install Network

A security researcher named slipstream/RoL has discovered the Karma Ransomware, which pretends to be a Windows optimization program called Windows-TuneUp. What is worse is that this sample was discovered as software that would potentially be distributed by a pay-per-install software monetization company when people install free software downloaded from the Internet.

PadCrypt 3.0 released with new Affiliate System

MalwareHunterTeam discovered version 3.0 of Padcrypt, which now includes an affiliate system.

Angela Merkel ransomware Released

The Angela Merkel ransomware was discovered by MalwareHunterTeam. This ransomware will encrypt your files and add the .angelamerkel extension to encrypted files.

November 15th 2016

Ransoc Ransomware Extorts Users Who Accessed Questionable Content

A new ransomware variant nicknamed Ransoc is currently distributed via malvertising campaigns and exploit kits, locking the user's desktop, searching for sensitive content, and employing the found information in an attempt to extort users who accessed questionable content into paying a ransom fee, disguised as a "penalty notice."

CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits

A new ransomware called CryptoLuck has been discovered by Proofpoint security researcher and exploit kit expert Kafeine that is being distributed via the RIG-E exploit kit. While it has become common to see new ransomware variants being distributed daily, it is not as common to find new ransomware infections being distributed via exploit kits.  Seeing this type of activity typically indicates that a particular ransomware will see much wider distribution and thus a larger amount of victims.

New "demo" ransomware discovered

GData security researcher Karsten Hahn discovered a new demo ransomware that only encrypts .jpg files. When it encrypts a file it will append the .encrypted extension to the file name and creates ransom notes called HELP_YOUR_FILES.txt.

November 16th 2016

Ransomware Developer Asks Security Researcher for Help in Fixing Broken Crypto

Fabian Wosar, Emsisoft security researcher, is facing a moral dilemma like very few security researchers have faced before.

Wosar, who is also a user of the Bleeping Computer forums where he's been active for the past few years helping ransomware victims, has received a private message from a user that has identified himself as one of the people who coded the Apocalypse ransomware.

During their exchange, the ransomware coder has asked Wosar to help their crew fix a bug in the ransomware's encryption process that causes files to be overwritten with junk data.

Old CryptoLocker Copycat Named PClock Resurfaces with New Attacks

A new spam wave posing as emailed fax messages is delivering a malware downloader that fetches and installs a ransomware family known as PClock, a CryptoLocker clone.

The ransomware, detected by Microsoft as Ransom:Win32/WinPlock.B or WinPlock, is more commonly referred to under the name of PClock and has been going around since January 2015, when users first complained about it on the Bleeping Computer forums.

Decryptor for Princess Locker being Created

Malwarebytes security researcher hasherezade has started working on a decryptor for Princess Locker. A experimental version can be found here.

November 17th 2016

Fabian Wosar released an updated Decryptor for the Globe Ransomware

Fabian stated on Twitter: "Just released an update for the Globe2 decrypter to support the newest variants like .zendr4. It's available here:"

Locky Ransomware being Distributed through Fake Flash Player Update Sites

Fake Flash Player update sites have long been a favorite distribution method for adware and other unwanted programs. Today, a fake Flash update site was discovered by ExecuteMalware that is pushing the Locky ransomware.  When someone visits the site they will be presented with a page that states that Flash Player is out of date and then automatically downloads an executable. If you look carefully at the URL in the browser's address you can see that the domain of fleshupdate.com does not seem to  be spelled right.

Crypton Ransomware Is Here and It's "Not So Bad"

Security researcher MalwareHunterTeam has discovered a new ransomware family that its creators have named Crypton.

After a flood of poorly coded .NET-based ransomware families have invaded VirusTotal, Crypton is a little bit more complex.

"It's a 'good' one," MalwareHunterTeam told Bleeping Computer on Twitter. "At least compared to the latest .NET ones, this is not bad."

November 17th 2016

New ransomware called ShellLocker Discovered

Avast security researcher Jakub Kroustek discovered a new ransomware called ShellLocker. ShellLocker will append the .L0cked extension to encrypted files.

New Dharma Ransomware appears to be a CrySiS Variant

As CrySiS released their master decryptor keys this week, it is strange to find a new strain being circulated. According to Emsisoft security researcher xXToffeeXx, a new CrySiS variant is out that appends the .[email_address].DHARMA extension to encrypted files.

November 18th 2016

Seven Months Later, ID Ransomware Can Detect 238 Ransomware Families

Ever since it launched in April 2016, the ID Ransomware service has been slowly, but surely, becoming the default destination for victims looking for information to aid them in solving their ransomware infections.

If you haven't heard of it by now, ID Ransomware, sometimes referred to just as IDR, allows ransomware victims to upload a copy of their ransom note along with an encrypted file to a specialized website.

RIG-E Exploit Kit now distributing New CHIP Ransomware

Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, is well known for monitoring exploit kit activity and the payloads that are being distributed by them. In an article posted yesterday, Brad shows how the RIG-E (Empire) exploit kit has started to distribute a new ransomware called CHIP.

New Deadly Ransomware Sample Found

MalwareHunterTeam has discovered a new variant of the Deadly Ransomware. Though this variant now encrypts files, it does not save the key properly, so victim's files get trashed without the ability to recover the key.