Very busy ransomware week. We have two new ransomware infections being pushed out by exploit kits, some decryptors, and lots of small variants being released. The big news is the release of the master decryption keys for the CrySiS ransomware and Kaspersky's Rakhnidecryptor being updated to use them.
Contributors and those who provided new ransomware info this week include: @kafeine, @malware_traffic, @proofpoint, @msftmmpc, @fwosar, @demonslay335, @kaspersky, @jorntvdw, @executemalware, @hasherezade, @JakubKroustek, @struppigel, @TheWack0lian, @malwrhunterteam, @campuscodi, @siri_urz, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @BleepinComputer.
If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
In a surprise move, the master decryption keys for the CrySiS Ransomware were released early this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them.
These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victims' files.
A security researcher named slipstream/RoL has discovered the Karma Ransomware, which pretends to be a Windows optimization program called Windows-TuneUp. What is worse is that this sample was discovered as software that would potentially be distributed by a pay-per-install software monetization company when people install free software downloaded from the Internet.
MalwareHunterTeam discovered version 3.0 of Padcrypt, which now includes an affiliate system.
The Angela Merkel ransomware was discovered by MalwareHunterTeam. This ransomware will encrypt your files and add the .angelamerkel extension to encrypted files.
A new ransomware variant nicknamed Ransoc is currently distributed via malvertising campaigns and exploit kits, locking the user's desktop, searching for sensitive content, and employing the found information in an attempt to extort users who accessed questionable content into paying a ransom fee, disguised as a "penalty notice."
A new ransomware called CryptoLuck has been discovered by Proofpoint security researcher and exploit kit expert Kafeine that is being distributed via the RIG-E exploit kit. While it has become common to see new ransomware variants being distributed daily, it is not as common to find new ransomware infections being distributed via exploit kits. Seeing this type of activity typically indicates that a particular ransomware will see much wider distribution and thus a larger number of victims.
GData security researcher Karsten Hahn discovered a new demo ransomware that only encrypts .jpg files. When it encrypts a file it will append the .encrypted extension to the file name and create ransom notes called HELP_YOUR_FILES.txt.
Fabian Wosar, Emsisoft security researcher, is facing a moral dilemma like very few security researchers have faced before.
Wosar, who is also a user of the Bleeping Computer forums where he's been active for the past few years helping ransomware victims, has received a private message from a user that has identified himself as one of the people who coded the Apocalypse ransomware.
During their exchange, the ransomware coder has asked Wosar to help their crew fix a bug in the ransomware's encryption process that causes files to be overwritten with junk data.
A new spam wave posing as emailed fax messages is delivering a malware downloader that fetches and installs a ransomware family known as PClock, a CryptoLocker clone.
The ransomware, detected by Microsoft as Ransom:Win32/WinPlock.B or WinPlock, is more commonly referred to under the name of PClock and has been going around since January 2015, when users first complained about it on the Bleeping Computer forums.
Fabian stated on Twitter: "Just released an update for the Globe2 decrypter to support the newest variants like .zendr4. It's available here:"
Fake Flash Player update sites have long been a favorite distribution method for adware and other unwanted programs. Today, a fake Flash update site was discovered by ExecuteMalware that is pushing the Locky ransomware. When someone visits the site they will be presented with a page that states that Flash Player is out of date and then automatically downloads an executable. If you look carefully at the URL in the browser's address bar you can see that the domain fleshupdate.com is not spelled right.
Security researcher MalwareHunterTeam has discovered a new ransomware family that its creators have named Crypton.
After a flood of poorly coded .NET-based ransomware families has invaded VirusTotal, Crypton is a little bit more complex.
"It's a 'good' one," MalwareHunterTeam told Bleeping Computer on Twitter. "At least compared to the latest .NET ones, this is not bad."
Avast security researcher Jakub Kroustek discovered a new ransomware called ShellLocker. ShellLocker will append the .L0cked extension to encrypted files.
As CrySiS released their master decryption keys this week, it is strange to find a new strain being circulated. According to Emsisoft security researcher xXToffeeXx, a new CrySiS variant is out that appends the .[email_address].DHARMA extension to encrypted files.
Ever since it launched in April 2016, the ID Ransomware service has been slowly, but surely, becoming the default destination for victims looking for information to aid them in solving their ransomware infections.
If you haven't heard of it by now, ID Ransomware, sometimes referred to just as IDR, allows ransomware victims to upload a copy of their ransom note along with an encrypted file to a specialized website.
Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, is well known for monitoring exploit kit activity and the payloads that are being distributed by them. In an article posted yesterday, Brad shows how the RIG-E (Empire) exploit kit has started to distribute a new ransomware called CHIP.
MalwareHunterTeam has discovered a new variant of the Deadly Ransomware. Though this variant now encrypts files, it does not save the key properly, so victims' files get trashed without any ability to recover the key.