The big news this week is a new variant of the Locky ransomware and its distributors continuing to use massive spam campaigns to distribute it. In other news, we had some small variants that will never make it into distribution or are jokes, but have an interesting "twist" to them. The first is nRansom, which instead of asking for money, asks for 10 nude pictures from the victim. The second one is InfinityLocker, which uses a fake Windows command prompt that has commands being typed into it to pretend to be a hacker encrypting the computer.
Otherwise, it's been a week of new variants or other smaller ransomware that will never be released.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @PolarToffee, @struppigel, @Seifreed, @LawrenceAbrams, @jorntvdw, @malwrhunterteam, @demonslay335, @FourOctets, @DanielGallagher, @hexwaxwing, @malwareforme, @BleepinComputer, @campuscodi, @Fortinet, @barklyprotects, @barracuda, @dvk01uk, @coldshell, @malware_traffic, @leotpsc, @Anomali, & @FlashpointIntel.
BleepingComputer's Lawrence Abrams discovered an in-dev ransomware called Hackers Invasion. This is another stupid ransomware variant and has a comical ransom note. When encrypting files it appends the .Doxes extension and is decryptable.
Lawrence Abrams discovered a Stupid Ransomware variant that pretends to be from the FBI. When encrypting files, this ransomware will append .XmdXtazX to encrypted files. The passcode to decrypt is 666444QSW6842QSW666444.
Today a new Locky Ransomware variant that switches to the .ykcol extension for encrypted files was discovered by security researcher Derek Knight, quickly followed by Stormshield malware analyst coldshell. For those who may not have noticed it the first time, like myself, ykcol is locky spelled backwards.
MalwareHunterTeam discovered a sample of the Pendor Ransomware that had remained elusive for quite some time. It may be decryptable.
Lawrence Abrams discovered a new ransomware called ZONEware. This in-dev ransomware appends the .ZW extension to encrypted files. The GUI is reminiscent of TeslaWare.
Michael Gillespie discovered a new Samas/SamSam variant uploaded to ID-Ransomware that appends the .myransext2017 extension to encrypted files and drops a ransom note named 005-DO-YOU-WANT-FILES.html.
A possible in-dev screenlocker was discovered by Lawrence Abrams that locks your screen until you input the code rhc@12345.
GData security researcher Karsten Hahn discovered that some scumbag created a new variant of Hitler Ransomware. It pretends to be a Minecraft Account Dispenser.
Administrators of various underground hacking forums hosted on both the public Internet and Dark Web are having serious discussions about the "good idea" of allowing the sale of ransomware via their platforms.
Lawrence Abrams discovered a new variant of the CryptoMix ransomware that is appending the .SHARK extension to encrypted file names. This family of ransomware usually releases a new version almost every week, if not sooner, so it is a bit surprising to see them take almost three weeks to release this variant.
Michael Gillespie discovered a new variant of the RotorCrypt Ransomware that appends the extension !-=solve a email@example.com=-.PRIVAT66.
Karsten Hahn discovered the CyberDrill 2 ransomware. This ransomware is based on HiddenTear and appends the .cyberdrill extension to encrypted files. Has a WannaCryish GUI.
Karsten Hahn discovered a new Polish ransomware that is based on HiddenTear and appends the .technicy extension to encrypted files.
Reports are coming in from multiple security researchers and security firms about increased activity from one of the groups spreading the Locky ransomware. These spam waves started on September 18 and are pushing the new Locky ransomware variant that encrypts files with the .ykcol extension, which was also released on the same day.
Discovered by MalwareHunterTeam, nRansom locks your computer and then demands that the victim send 10 nude pictures of themselves to a listed email address in order to unlock their computer.
Karsten Hahn discovered a new in-development screenlocker.
Lawrence Abrams discovered an updated version of the Message of Death ransomware. It is currently in-dev and only encrypts the C:\Users\Tushar\Desktop\Tushar folder. It appends the .locked extension to encrypted files.
Karsten Hahn discovered a new ransomware called CyberSoldier that appends .CyberSoldiersST to encrypted files. Very buggy.
A new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .[email]-id-[id].wyvern extension to encrypted files. The BTCWare family of ransomware is distributed by the developers hacking into remote computers with weak passwords using Remote Desktop services.
I examine almost every new ransomware that is released and after a while they all start to become a blur. Once in a while, though, a ransomware is released that shows a bit of innovation or creativity and is worth discussing. This is the case with the InfinityLock ransomware discovered this week by security researcher Leo.