The big news this week is a new variant of the Locky ransomware and its distributors continuing to use massive spam campaigns to distribute it. In other news, we had some small variants that will never make it into distribution or are jokes, but have an interesting "twist" to them. The first is nRansom, which instead of asking for money, asks for 10 nude pictures from the victim. The second is InfinityLock, which uses a fake Windows command prompt that has commands being typed into it to pretend to be a hacker encrypting the computer.

Otherwise, it's been a week of new variants or other smaller ransomware that will never be released.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @PolarToffee, @struppigel, @Seifreed, @LawrenceAbrams, @jorntvdw, @malwrhunterteam, @demonslay335, @FourOctets, @DanielGallagher, @hexwaxwing, @malwareforme, @BleepinComputer, @campuscodi, @Fortinet, @barklyprotects, @barracuda, @dvk01uk, @coldshell, @malware_traffic, @leotpsc, @Anomali, & @FlashpointIntel.

September 17th 2017

Hackers Invasion Ransomware Discovered

BleepingComputer's Lawrence Abrams discovered an in-dev ransomware called Hackers Invasion. This is another stupid ransomware variant and has a comical ransom note. When encrypting files it appends the .Doxes extension and is decryptable.

Stupid Ransomware Variant Discovered

Lawrence Abrams discovered a Stupid Ransomware variant that pretends to be from the FBI. When encrypting files, this ransomware will append .XmdXtazX to encrypted files. The passcode to decrypt is 666444QSW6842QSW666444.

September 18th 2017

Locky Ransomware Switches to the Ykcol Extension for Encrypted Files

Today a new Locky Ransomware variant was discovered by security researcher Derek Knight and then quickly followed by Stormshield malware analyst coldshell that switches to the .ykcol extension for encrypted files. For those who may not have noticed it the first time, like myself, ykcol is locky spelled backwards.

Sample of the Pendor Ransomware Discovered

MalwareHunterTeam discovered a sample of the Pendor Ransomware that had remained elusive for quite some time. May be decryptable.

ZONEware Ransomware Discovered

Lawrence Abrams discovered a new ransomware called ZONEware. This in-dev ransomware appends the .ZW extension to encrypted files. The GUI is reminiscent of TeslaWare.

New Samas Ransomware Variant

Michael Gillespie discovered a new Samas/SamSam variant uploaded to ID-Ransomware that appends the .myransext2017 extension to encrypted files and drops a ransom note named 005-DO-YOU-WANT-FILES.html.

September 19th 2017

New FBI screenlocker Discovered

A possible in-dev screenlocker was discovered by Lawrence Abrams that locks your screen until you input the code rhc@12345.

Hitler Ransomware Resurfaces

GData security researcher Karsten Hahn discovered that some scumbag created a new variant of Hitler Ransomware. It pretends to be a Minecraft Account Dispenser.

September 20th 2017

Underground Hacking Forum Admins Having Second Thoughts About Selling Ransomware

Administrators of various underground hacking forums hosted on both the public Internet and Dark Web are having serious discussions about the "good idea" of allowing the sale of ransomware via their platforms.

The Shark CryptoMix Ransomware Variant Smells Blood in the Water

Lawrence Abrams discovered a new variant of the CryptoMix ransomware that is appending the .SHARK extension to encrypted file names. This family of ransomware usually releases a new version almost every week, if not sooner, so it is a bit surprising to see them take almost three weeks to release this variant.

New RotorCrypt Variant Discovered

Michael Gillespie discovered a new variant of the RotorCrypt Ransomware that appends the extension !-=solve a

September 21st 2017

CyberDrill2 Ransomware Discovered

Karsten Hahn discovered the CyberDrill 2 ransomware. This ransomware is based on HiddenTear and appends the .cyberdrill extension to encrypted files. Has a WannaCryish GUI.

Technicy Ransomware Discovered

Karsten Hahn discovered a new Polish ransomware that is based on HiddenTear and appends the .technicy extension to encrypted files.

September 22nd 2017

Multiple Spam Waves Detected Pushing New Locky Ransomware Version

Reports are coming in from multiple security researchers and security firms about increased activity from one of the groups spreading the Locky ransomware. These spam waves started on September 18 and are pushing the new Locky ransomware variant that encrypts files with the .ykcol extension, which was also released on the same day.

nRansom Joke Locker Demands Nude Pics as Payment

Discovered by MalwareHunterTeam, nRansom locks your computer and then demands that the victim send 10 nude pictures of themselves to a listed email address in order to unlock their computer.

New ScreenLocker Discovered

Karsten Hahn discovered a new in-development screenlocker.

In-Dev Message of Death Ransomware Variant Discovered

Lawrence Abrams discovered an updated version of the Message of Death ransomware. It is currently in-dev and only encrypts the C:\Users\Tushar\Desktop\Tushar folder. It appends the .locked extension to encrypted files.

CyberSoldier Ransomware Discovered

Karsten Hahn discovered a new ransomware called CyberSoldier that appends .CyberSoldiersST to encrypted files. Very buggy.

New Wyvern BTCWare Ransomware Released

A new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .[email]-id-[id].wyvern extension to encrypted files. The BTCWare family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop services.

InfinityLock Ransomware Pretends to Issue Commands to Encrypt Computers

I examine almost every new ransomware that is released and after a while they all start to become a blur. Once in a while, though, a ransomware is released that shows a bit of innovation or creativity and is worth discussing. This is the case with the InfinityLock ransomware discovered this week by security researcher Leo.

That's it for this week! Hope everyone has a nice weekend!

