Thankfully, this was a slow week when it comes to ransomware. This week we saw 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor.
Contributors and those who provided new ransomware info this week include: @struppigel, @JakubKroustek, @fwosar, @malwrhunterteam, @PolarToffee, @DanielGallagher, @demonslay335, @JAMESWT_MHT, @Seifreed, @nyxbone, @BleepinComputer, and @Avira. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
It is a good day when a ransomware programmer channels their noobness and releases an insecure ransomware. This is the case with a new variant of the NoobCrypt Ransomware that was discovered by security researcher Jakub Kroustek. Living up to its name, the developer of NoobCrypt uses the same encryption key for every victim. This allowed Jakub to easily retrieve the password and post it on Twitter for victims to use.
The LockLock ransomware encrypts files with AES-256 and appends the extension ".locklock" to encrypted files. A ransom note named READ_ME.TXT is created that asks the victim to contact the criminals at the email address firstname.lastname@example.org or the Skype address "locklockrs". It is a variant of the ever-popular open-source EDA2 ransomware. Those who need help with this ransomware can visit the LockLock Ransomware Help & Support topic. You can also private message Demonslay335 for possible decryption help.
The Shark Ransomware Project that appeared in July 2016 has rebranded as the Atom Ransomware Affiliate Program, offering an improved service for crooks that want to start a life in cyber-crime. Just like Shark, the service is still available on the public Internet, which is strange because most of its rivals prefer the anonymity and safety provided by the Tor network.
In an Avira post, Moritz Kroll explains how the latest configurations of the Locky ransomware have an improved Autopilot functionality that completely cuts out network communication and lets it encrypt victim files without directions from its Command and Control servers.
While working on his Stampado decryptor, Fabian Wosar of Emsisoft found that a new version of Stampado has additional targeted extensions that correspond to files already encrypted by other ransomware. That means that if someone is already dealing with a ransomware infection and then becomes infected by Stampado, they will now have to pay twice to get the same files back.
MalwareHunterTeam discovered a new variant of the Razy ransomware that encrypts your files and then demands a 10 euro PaySafeCard as a ransom payment. This variant uses a ransom note screen similar to the Jigsaw Ransomware, but does not delete any files.
MalwareHunterTeam discovered a new variant of the Fantom Ransomware that has added some new features. These new features include offline encryption, network share enumeration and encryption, and different ransom values and payment addresses based on the filename.