Lots of new in-development and smaller ransomware variants were released this week. The biggest ransomware news this week is the release of a decryptor for version 2 of the DXXD Ransomware and the release of LockyDump.

Contributors and those who provided new ransomware info this week include: @fwosar, @demonslay335, @malwrhunterteam, @Antelox, @malwareforme, @PolarToffee, @TalosSecurity, @BleepinComputer, @struppigel, @DanielGallagher, @JAMESWT_MHT, @Seifreed, and @nyxbone. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

October 1st 2016

Kostya Ransomware targets Czech Victims

A new in-the-wild ransomware that targets Czech victims was discovered by security researcher Jack. When files are encrypted, they will have the .k0stya extension appended to them.

The Comrade Circle Ransomware uses a fake Windows Update Screen while Encrypting

A new Fantom variant called Comrade Circle was discovered by Michael Gillespie that appends the .comrade extension to encrypted files and then displays a ransom note called RESTORE-FILES![id]. Like the previous Fantom variant, the Comrade Circle ransomware will display a fake Windows update screen while performing the encryption.

October 10th 2016

New variant of the Enigma Ransomware was Released

A new variant of the Enigma Ransomware was discovered by Michael Gillespie that uses the .1txt extension and a ransom note called enigma_info.txt.

Deadly for a Good Purpose Ransomware only encrypts in 2017

MalwareHunterTeam discovered a new ransomware called Deadly for a Good Purpose that is set to only encrypt files in 2017.

October 11th 2016

VenisRansomware downloads Modules for Further Attacks

Security researcher Antelox discovered a ransomware called VenisRansomware that encrypts your data and then prompts you to contact VenisRansom@protonmail.com for payment instructions. This ransomware looks interesting as it also downloads various modules that appear to be used for other purposes, such as enabling remote desktop, password stealing, and possibly spreading the ransomware via Facebook.


October 13th 2016

Doctor Web discovers first encoder written in Go and develops decryption technique

Doctor Web’s specialists have discovered the first ransomware program written in Go. The Trojan, dubbed Trojan.Encoder.6491, appends encrypted files with the .enc extension. Doctor Web’s security researchers have developed a method for decrypting files compromised by this malware program.

Decryptor for Version 2 of the DXXD Ransomware is Available

Michael Gillespie was able to create a decryptor for this new variant. This decryptor was being distributed to victims privately in order to prevent the ransomware developer from learning the weaknesses in their encryption method. If you are encrypted by the DXXD ransomware, you can register an account and reply to the DXXD Help and Support topic to receive help.

New variant of the Nuke Ransomware uses the .nuclear55 Extension

MalwareHunterTeam discovered an updated version of the Nuke Ransomware that uses the .nuclear55 extension.

October 14th 2016

Cisco's Talos Group releases the LockyDump Tool for Researchers

Cisco's Talos Group has released a Locky configuration extractor, which they have named 'LockyDump'. This is the first open source tool that can dump the configuration parameters used by all currently known variants of Locky, e.g. the .locky, .zepto and .odin based variants.

Note: This is not a decryptor, but rather a tool that can be used by security researchers who monitor Locky samples.

EvilTwin's Exotic Ransomware targets Executable Files

The Exotic Ransomware is a new infection released by a malware developer going by the alias of EvilTwin or Exotic Squad. Discovered on October 12th by MalwareHunterTeam, the Exotic Ransomware will encrypt all files, including executables, in targeted folders on a victim's computer. When finished it will display a Jigsaw Ransomware-like ransom note that demands $50 USD to decrypt the files.