Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor. 

Contributors and those who provided new ransomware info this week include: @struppigel@JakubKroustek@fwosar, @malwrhunterteam@PolarToffee, @DanielGallagher, @demonslay335, @JAMESWT_MHT, @Seifreed@nyxbone, @BleepinComputer, and @Avira. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

September 12th 2016

NoobCrypt Ransomware Dev shows Noobness by using Same Password for Everyone

It is a good day when a ransomware programmer channels their noobness and releases an insecure ransomware. This is the case with a new variant of the NoobCrypt Ransomware that was discovered by security researcher Jakub Kroustek. Living up to its name, the developer of NoobCrypt uses the same encryption key for every victim. This allowed Jakub to easily retrieve the password and post it on Twitter for victims to use.

A new ransomware called LockLock was Discovered

The LockLock ransomware encrypts files with AES-256, and appends the extension ".locklock" to encrypted files. A ransom note named READ_ME.TXT is created that asks the victim to contact the criminals at the email address locklockrs@aol.com, or the Skype address "locklockrs". It is a variant of the ever-popular previous open-source EDA2 Ransomware. For those who need help with this ransomware you can visit the LockLock Ransomware Help & Support. You can also private message Demonslay335 for possible decryption help.

September 14th 2016

Shark Ransomware Rebrands as Atom for a Fresh Start

The Shark Ransomware Project that appeared in July 2016 has rebranded as the Atom Ransomware Affiliate Program, offering an improved service for crooks that want to start a life in cyber-crime. Just like Shark, the service is still available on the public Internet, which is strange because most of its rivals prefer the anonymity and safety provided by the Tor network.

Updated decryptor released for new version of Stampado

Fabian Wosar of Emsisoft released an updated decryptor for the Stampado ransomware. For those who are affected by this ransomware, you can use this decryptor to get your files back for free.

Locky ransomware goes on Autopilot

An Avira post with Moritz Kroll explaining how the latest configurations of Locky ransomware have an improved Autopilot functionality that completely cuts out network communication and let it encrypt victim files without directions from its Command and Control centers.

September 15th 2016

Stampado: Taking Ransomware Scumbaggery to the Next Level

While working on his Stampado decryptorFabian Wosar of Emsisoft found that a new version of Stampado has additional targeted extensions that correspond to ransomware encrypted files. That means that if someone is already dealing with a ransomware infection and becomes infected by Stampado, they will now have to pay twice to get the same files back.

New Razy variant discovered that emulates the Jigsaw Ransom Note Screen

MalwareHunterTeam discovered a new variant of the Razy ransomware that encrypts your files and then demands a 10 euro PaySafeCard as a ransom payment. This variant uses a ransom note screen similar to the Jigsaw Ransomware, but does not delete any files.

New Fantom Ransomware Variant no longers communicates with C2 Servers

MalwareHunterTeam discovered a new variant of the Fantom Ransomware that has added some new features.  These new features include offline encryption, network share enumeration and encryption, and different ransom values and payment addresses based on the filename.