There was quite a bit more ransomware activity this week compared to last week. As usual, this week has been dominated mostly by small variants that most likely will never make it into distribution. We did, though, see new CryptoMix and Locky variants released that are being actively distributed. The biggest news was the discovery of a new Android ransomware called DoubleLocker, which uses some new and interesting techniques.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @fwosar, @jorntvdw, @FourOctets, @hexwaxwing, @BleepinComputer, @PolarToffee, @malwareforme, @struppigel, @Seifreed, @LawrenceAbrams, @DanielGallagher, @campuscodi, @demonslay335, @dvk01uk, @LukasStefanko, @ESET, @siri_urz, @CarbonBlack_Inc.

October 8th 2017

Website Job Application fake resume delivers GlobeImposter Ransomware

My Online Security wrote a detailed article on how fake job application resume spam was delivering a GlobeImposter ransomware variant.

October 9th 2017

LockOn Ransomware Discovered

MalwareHunterTeam discovered a ransomware called LockOn. This ransomware is currently in development, but will append the .lockon extension to encrypted files.

October 10th 2017

New Brazilian BugWare Ransomware

MalwareHunterTeam discovered a new Brazilian ransomware called BugWare. This ransomware will append the .[SLAVIC@SECMAIL.PRO].BUGWARE extension to encrypted files.

Locky Ransomware Switches to the Asasin Extension via Broken Spam Campaigns

Today a new Locky Ransomware variant was released that now uses the .asasin extension for encrypted files. 

New Your Windows Has Been Banned Screenlocker

MalwareHunterTeam found a new sample of a crappy "Your Windows Has Been Banned" screenlocker.

AnonCrack Ransomware Discovered

MalwareHunterTeam discovered a new HiddenTear variant called AnonCrack. This ransomware appends the .crack extension to encrypted files.

New RotorCrypt Ransomware Variant Discovered

Michael Gillespie discovered a new variant of the RotorCrypt Ransomware. This variant appends the extension ! and drops an oddly named ransom note of DOCTOR.

New Atchbo Ransomware Discovered

MalwareHunterTeam found a ransomware called Atchbo Ransomware2.0v. This ransomware appends the ExoLock extension to encrypted files.

October 11th 2017

Ransomware Dark Web Economy Increased by 2,502%

A report released today by US cyber-security firm Carbon Black highlights a 2,502% growth in the ransomware Dark Web economy, compared to the previous year.

New Payday BTCware Ransomware Variant Released

A new variant of what appears to be BTCWare ransomware is currently targeting victims and appending the .[email]-id-id.payday extension to encrypted files. This family of ransomware targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.

October 12th 2017

New BugWare Variant Discovered

MalwareHunterTeam discovered a new version of the BugWare ransomware that changes the GUI a bit and now uses the [SLAVIC@SECMAIL.PRO].CRIPTOGRAFADO extension for encrypted files. It also now only targets certain countries.  Personally, I liked the original GUI better.

October 13th 2017

Android DoubleLocker Ransomware Activates Every Time You Hit Home Button

ESET malware researcher Lukas Stefanko discovered a new ransomware targeting Android devices that has been spotted in the wild. Codenamed DoubleLocker, the ransomware abuses Android's Accessibility service and reactivates itself every time the user presses the phone's Home button.

New x1881 CryptoMix Ransomware Variant Released

Today, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .x1881 extension to encrypted file names.

New Anubi Ransomware In the Wild

A new ransomware called Anubi was discovered by Malwarebytes security researcher S!Ri that appends the .[].anubi extension to encrypted files. 


CCord SystemLocker Discovered

Karsten Hahn discovered a new screenlocker called CCord SystemLocker. The key for the screenlocker can be downloaded from This may be part of a CTF or crackme.


That's it for this week! Hope everyone has a nice weekend!

