Lots of new in-development and smaller ransomware variants were released this week. The biggest ransomware news this week is the release of a decryptor for version 2 of the DXXD Ransomware and the release of LockyDump.
Contributors and those who provided new ransomware info this week include: @fwosar, @demonslay335, @malwrhunterteam, @Antelox, @malwareforme, @PolarToffee, @TalosSecurity, @BleepinComputer, @struppigel, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
A new in-the-wild ransomware was discovered by security researcher Jack that targets Czech victims. When files are encrypted, they will have the .k0stya extension appended to them.
A new Fantom variant called Comrade Circle was discovered by Michael Gillespie that appends the .comrade extension to encrypted files and then displays a ransom note called RESTORE-FILES![id]. Like the previous Fantom, the Comrade Circle ransomware will display a fake Windows update screen while performing the encryption.
A new variant of the Enigma Ransomware was discovered by Michael Gillespie that uses the .1txt extension and a ransom note called enigma_info.txt.
MalwareHunterTeam discovered a new ransomware called Deadly for a Good Purpose that is set to only encrypt files in 2017.
Security researcher Antelox discovered a ransomware called VenisRansomware that encrypts your data and then prompts you to contact VenisRansom@protonmail.com for payment instructions. This ransomware looks interesting because it also downloads various modules that appear to be used for other purposes, such as enabling remote desktop, stealing passwords, and possibly spreading the ransomware via Facebook.
Doctor Web’s specialists have discovered the first ransomware program written in Go. The Trojan, dubbed Trojan.Encoder.6491, appends encrypted files with the .enc extension. Doctor Web’s security researchers have developed a method for decrypting files compromised by this malware program.
Michael Gillespie was able to create a decryptor for this new DXXD variant. This decryptor was being distributed to victims privately in order to prevent the ransomware developer from learning the weaknesses in their encryption method. If you are encrypted by the DXXD ransomware, you can register an account and reply to the DXXD Help and Support topic to receive help.
MalwareHunterTeam discovered an updated version of the Nuke Ransomware that uses the .nuclear55 extension.
Cisco's Talos Group has released a Locky configuration extractor, which they have named 'LockyDump'. This is the first open source tool that can dump the configuration parameters used by all currently known variants of Locky, e.g. the .locky, .zepto and .odin based ransomware.
Note: This is not a decryptor, but rather a tool that can be used by security researchers who monitor Locky samples.
The Exotic Ransomware is a new infection released by a malware developer going by the alias of EvilTwin or Exotic Squad. Discovered on October 12th by MalwareHunterTeam, the Exotic Ransomware will encrypt all files, including executables, in targeted folders on a victim's computer. When finished it will display a Jigsaw Ransomware-like ransom note that demands $50 USD to decrypt the files.