It has been another week of mostly small in-dev ransomware that will never make it to distribution. In other news, Locky continues to send out large spam campaigns as it tries to become a major player again. Otherwise, not much to report, which we are always happy about.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @malwrhunterteam, @PolarToffee, @campuscodi, @LawrenceAbrams, @fwosar, @malwareforme, @hexwaxwing, @struppigel, @demonslay335, @FourOctets, @jorntvdw, @Seifreed, @leotpsc, and @siri_urz.

September 10th 2017

New Locked_File Ransomware Discovered

Security researcher Leo discovered a new ransomware written in Delphi. This ransomware is a console-based program that is most likely run by the developer after hacking into a computer. When encrypting files, it encrypts the file name, appends the .[].locked_file extension to encrypted files, and drops a ransom note named !HOW_TO_UNLOCK_FILES!.html.

September 11th 2017

Paradise Ransomware Uses RSA Encryption to Encrypt Your Files

Today, a victim of a new ransomware called Paradise posted in the forums and uploaded a sample so we could take a look at it. While this ransomware is not revolutionary by any means, since it is in active distribution and a Ransomware as a Service (RaaS), I thought I would provide a brief analysis of how this ransomware works.

ExoLock Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called ExoLock. This ransomware will append the .exolocked extension to encrypted files. 

New Jigsaw Ransomware Variant Discovered

ID-Ransomware's Michael Gillespie discovered two new Jigsaw Ransomware variants that append the .pablukCRYPT or .pabluk300CrYpT! extensions to encrypted files. The variants also use a new background image.

Ranion Ransomware is HiddenTear

Six months ago, BleepingComputer published an article about the Ranion Ransomware RaaS. Today, MalwareHunterTeam found a sample of the ransomware, and it was discovered to be HiddenTear.

September 12th 2017

Blackhat Ransomware Discovered

Lawrence Abrams discovered the Blackhat Ransomware. 31337. This ransomware appends .H_F_D_locked and is based off of MoWare_H.F.D. It uses XOR encryption.

SoFucked Ransomware Discovered

Lawrence Abrams discovered the SoF*cked Ransomware. This ransomware appends the .fff extension to encrypted files & drops a note named READTHISHIT.txt.

Happy Crypter Ransomware Discovered

MalwareHunterTeam discovered a new in-dev ransomware called Happy Crypter. This ransomware does encrypt, but does not append a new extension.

New Variant of the Locked_File Ransomware Discovered

Lawrence Abrams discovered a new variant of the DelphiConsoleCrypt ransomware discovered by Leo this past Saturday. This variant changes the extension to [].locked_file.

PayOrDie Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called PayOrDie. This ransomware is currently in development and only targets the C:\Users\ZaviY\Desktop folder. It does not add a new extension, but the file name is encrypted and then base64 encoded.

GlobeImposter Continuing with the President Theme

Michael Gillespie found a new GlobeImposter variant that continues with the US president theme when appending extensions. This variant appends the .reaGAN extension to encrypted files and uses a contact email of

September 13th 2017

Mystic Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Mystic that does not append an extension when encrypting files. It will drop a ransom note named ransom.txt.

DCry Ransomware Sends a Message to Michael Gillespie

Emsisoft security researcher xXToffeeXx found a new version of the DCry ransomware that appends the .dian extension to encrypted files. It also sends a shout out to Michael Gillespie.

RestoLocker Ransomware Discovered

Michael Gillespie discovered an in-dev ransomware called RestoLocker that is based off of HiddenTear. This ransomware will append the .HeroesOftheStorm extension to encrypted files.

September 14th 2017

Ransomware Rebrands as RBY Ransomware

MalwareHunterTeam discovered the RBY Ransomware.

PSCrypt Changes the Extension to .paxynok

MalwareHunterTeam discovered that the PSCrypt ransomware has changed its extension to .paxynok.

September 15th 2017

German HTA Virus Ransomware Discovered

GData security researcher Karsten Hahn discovered an in-development ransomware called HTA Virus. 

Bud Ransomware Discovered

Malwarebytes security researcher Siri discovered a new ransomware that appends the .bud extension to encrypted files. This is possibly a Jigsaw Ransomware variant.

That's it for this week! Hope everyone has a nice weekend!

