It has been another week of mostly small in-development ransomware that will never make it to distribution. In other news, Locky continues to send out large spam campaigns as it tries to become a major player again. Otherwise, there is not much to report, which we are always happy about.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @malwrhunterteam, @PolarToffee, @campuscodi, @LawrenceAbrams, @fwosar, @malwareforme, @hexwaxwing, @struppigel, @demonslay335, @FourOctets, @jorntvdw, @Seifreed, @leotpsc, and @siri_urz.
Security researcher Leo discovered a new ransomware written in Delphi. It is a console-based program that is most likely run by hand by the attacker after breaking into a computer. When encrypting files it encrypts the file name, appends the .[firstname.lastname@example.org].locked_file extension to encrypted files, and drops a ransom note named !HOW_TO_UNLOCK_FILES!.html.
Today, a victim of a new ransomware called Paradise posted in the BleepingComputer.com forums and uploaded a sample so we could take a look at it. While this ransomware is not revolutionary by any means, it is in active distribution and is offered as a Ransomware as a Service (RaaS), so I thought I would provide a brief analysis of how it works.
MalwareHunterTeam discovered a new ransomware called ExoLock. This ransomware will append the .exolocked extension to encrypted files.
ID-Ransomware's Michael Gillespie discovered two new Jigsaw Ransomware variants that append the .pablukCRYPT or .pabluk300CrYpT! extensions to encrypted files. The variants also use a new background image.
BleepingComputer.com's Lawrence Abrams discovered the Blackhat Ransomware. 31337. This ransomware appends the .H_F_D_locked extension and is based on MoWare_H.F.D. It uses XOR encryption.
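The XOR point is worth dwelling on for anyone who gets hit by a locker like this. XOR with a fixed key is not encryption in any meaningful sense: one block of known plaintext (a file format's magic bytes are enough) gives the key directly, and the key then unlocks every file. The following is an added example written for this article, not code from Blackhat, MoWare_H.F.D or the author of the page; it assumes the locker XORs each file with a short repeating key (an assumption, since the page only says "XOR encryption"), and the sample file, key and key length are constructed for illustration.

```python
"""
Added example (not from the article or the ransomware): recovering a
repeating-key XOR 'encryption' key from a file's known header.

Assumption (not stated on the page): the locker XORs every file with the
same fixed key, repeated as needed. The key, key length and sample file
below are constructed for illustration.
"""
from itertools import cycle

# Known plaintext: every PNG file starts with this 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same function encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def guess_key_length(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32):
    """Return the smallest key length consistent with the known plaintext.

    XORing ciphertext with the true plaintext yields the keystream; for a
    repeating key that stream is periodic, so we look for the shortest period.
    Caveat: only key lengths up to len(known_plaintext) - 1 can be confirmed;
    with 8 header bytes a 16-byte key would be misreported as 8.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for klen in range(1, min(max_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i % klen] for i in range(len(stream))):
            return klen
    return None


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Derive a key of length key_len from known plaintext at offset 0."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decrypt_with_known_header(ciphertext: bytes, known_header: bytes):
    """Full recovery: guess the key length, derive the key, decrypt the file.
    Returns (plaintext, key) or (None, None) if no repeating key fits."""
    klen = guess_key_length(ciphertext, known_header)
    if klen is None:
        return None, None
    key = recover_key(ciphertext, known_header, klen)
    return xor_with_key(ciphertext, key), key


# Constructed sample: a fake PNG with a 4-byte key (both invented here).
SAMPLE_KEY = b"\x5a\xc3\x19\x7e"
SAMPLE_PLAINTEXT = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + bytes(range(40))
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    recovered, key = decrypt_with_known_header(SAMPLE_CIPHERTEXT, PNG_SIGNATURE)
    print("recovered key:", key.hex())
    print("decryption matches original:", recovered == SAMPLE_PLAINTEXT)
```

In practice you would run this over one encrypted file whose original format you know (a PNG, a PDF, a ZIP), then apply the recovered key to everything else the locker touched. If the key turns out to be longer than the header you know, take a file with a longer predictable prefix, or a file whose unencrypted copy survives in a backup or e-mail attachment.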
Lawrence Abrams discovered the SoF*cked Ransomware. This ransomware appends the .fff extension to encrypted files and drops a note named READTHISHIT.txt.
MalwareHunterTeam discovered a new in-dev ransomware called Happy Crypter. This ransomware does encrypt files, but does not append a new extension.
MalwareHunterTeam discovered a new ransomware called PayOrDie. This ransomware is currently in development and only targets the C:\Users\ZaviY\Desktop folder. It does not add a new extension, but the file name is encrypted and then base64 encoded.
Michael Gillespie found a new GlobeImposter variant that continues with the US president theme when appending extensions. This variant appends the .reaGAN extension to encrypted files and uses a contact email of Ronald_Reagan@derpymail.org.
MalwareHunterTeam discovered a new ransomware called Mystic that does not append an extension when encrypting files. It will drop a ransom note named ransom.txt.
Emsisoft security researcher xXToffeeXx found a new version of the DCry ransomware that appends the .dian extension to encrypted files. It also sends a shout out to Michael Gillespie.
Michael Gillespie discovered an in-dev ransomware called RestoLocker that is based on HiddenTear. This ransomware will append the .HeroesOftheStorm extension to encrypted files.
MalwareHunterTeam discovered the RBY Ransomware.
MalwareHunterTeam discovered that the PSCrypt ransomware has changed its extension to .paxynok.
GData security researcher Karsten Hahn discovered an in-development ransomware called HTA Virus.
Malwarebytes security researcher Siri discovered a new ransomware that appends the .bud extension to encrypted files. This is possibly a Jigsaw Ransomware variant.