This has been the slowest ransomware week in a long time! Thank you devs for giving me some time to do other things! For this week we have some smaller ransomware releases as well as new updates to existing ransomware. We also have the continuing saga of Fabian smacking the Stampado and Apocalypse devs around with new decryptors. Last, but not least, we have a major distribution campaign being conducted by a new Cerber affiliate.

Contributors and those who provided new ransomware info this week include: @MalwareTechBlog, @struppigel, @JakubKroustek, @fwosar, @malwrhunterteam, @PolarToffee, @DanielGallagher, @demonslay335, @JAMESWT_MHT, @Seifreed, @nyxbone, @BleepinComputer, and @Avira. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

September 17th 2016

New Ransomware called FenixLocker adds a love note to every Encrypted File

Fabian Wosar of Emsisoft discovered that the new FenixLocker leaves a love note in every encrypted file. This love note states "FenixILoveyou!!".
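A fixed string written into every encrypted file is a handy triage indicator: it lets a responder enumerate which files on a host were touched by this family without needing the sample itself. The scanner below is an added example written for this post, not code from Emsisoft or from the FenixLocker analysis. Since the article does not say where in the file the note is placed, the scanner looks for the marker anywhere in the file, reading in chunks with an overlap so a marker that straddles a chunk boundary is still found. The directory tree it scans is constructed inline for the demonstration; the files are synthetic, not real FenixLocker output.

```python
import os
import tempfile
from pathlib import Path

# Marker string reported to be left in every file FenixLocker encrypts.
FENIX_MARKER = b"FenixILoveyou!!"


def contains_marker(path, marker=FENIX_MARKER, chunk_size=1 << 20):
    """Return True if `marker` occurs anywhere in the file at `path`.

    The file is read in chunks; the last len(marker)-1 bytes of the
    previous chunk are prepended to the next one so a marker split
    across two reads is not missed.
    """
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            buf = tail + chunk
            if marker in buf:
                return True
            tail = buf[-overlap:] if overlap else b""


def find_marked_files(root, marker=FENIX_MARKER, chunk_size=1 << 20):
    """Walk `root` and return sorted POSIX-style relative paths of files
    that contain the marker. Unreadable files are skipped rather than
    aborting the sweep."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if contains_marker(p, marker, chunk_size):
                    hits.append(p.relative_to(root).as_posix())
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed set of sample files under `base`.

    These are synthetic stand-ins for the demo and tests, not real
    FenixLocker-encrypted files. Filler bytes are a deterministic
    pattern that cannot contain the marker by accident.
    """
    base = Path(base)
    filler = bytes(range(256)) * 16
    (base / "docs").mkdir(parents=True, exist_ok=True)
    # marker appended at the very end of the file
    (base / "docs" / "report.docx").write_bytes(filler + FENIX_MARKER)
    # marker somewhere in the middle of the file
    (base / "notes.txt").write_bytes(b"header" + FENIX_MARKER + filler)
    # clean file: no marker at all
    (base / "photo.jpg").write_bytes(filler)
    # near miss: similar text that must not match
    (base / "readme.txt").write_bytes(b"Fenix I love you")
    return base


def run_demo(chunk_size=1 << 20):
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return find_marked_files(root, chunk_size=chunk_size)


if __name__ == "__main__":
    for hit in run_demo():
        print("marker found:", hit)
```

Running it with a deliberately tiny chunk size (for example `run_demo(chunk_size=8)`) exercises the overlap handling, which is the part most easily gotten wrong when a marker-based sweep is rolled into a larger IR toolkit. On a real host you would point `find_marked_files` at the user profile or share root rather than a temp directory.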

September 18th 2016

HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools

HDDCryptor, sometimes spelled HDD Cryptor and also identified as Mamba, is a new ransomware variant discovered by Morphus Labs that rewrites a computer's MBR (Master Boot Record) boot sectors and locks users out of their PCs. While we might hurry to classify this as a Petya clone, HDDCryptor predates both Petya and Satana, having been spotted on the Bleeping Computer forums at the end of January this year.

Emsisoft releases a Decryptor for FenixLocker

Fabian Wosar of Emsisoft has released a decryptor for FenixLocker. This decryptor can be downloaded from Emsisoft's site.

September 21st 2016

Fantom Ransomware derives Ransom Amount and Address from Filename

A new variant of the Fantom Ransomware was discovered last week by MalwareHunterTeam that added some very interesting features. The new features include network share enumeration and encryption, randomly generated desktop wallpapers, and offline encryption. By far the most interesting feature, though, is the ransomware's ability to set a ransom amount and a payment email based upon the name of the file.

September 22nd 2016

Fabian Wosar of Emsisoft continues to release decryptors for Apocalypse and Stampado

It is almost entertaining watching Fabian release decryptors for each version of Apocalypse and Stampado that are released as the malware devs leave him little notes in their programs. This week we had two new versions of Stampado and Fabiansomware (Apocalypse), but Fabian was able to release updated decryptors to support them. These decryptors can be found at Emsisoft's decryptor page.

Locky takes the wheel again

Avira posted a new article where Kroll, an Avira malware specialist, stated:

Locky has stepped back from running in an offline-only mode, as Locky affiliates transition back to including Command and Control (CnC) information in their configuration, with an accompanying drop in the number of affiliates working in an offline-only mode.

A major distribution campaign for Cerber is underway

According to MalwareTech, Cerber has picked up in distribution with:

Cerber ransomware group seem to have a new affiliate. Now hitting around 80,000 infections per day compared to only 6,000/day last month.
September 23rd 2016

A new ransomware called Cyber SpLiTTer Vbs Discovered

A new ransomware called Cyber SpLiTTer Vbs was discovered by GData security researcher Karsten Hahn. Currently this ransomware appears to be in development, as there are no functions written to actually encrypt anything. When you run the sample, it only displays the following lock screen.

A new ransomware called UnblockUPC was Discovered

A new ransomware called UnblockUPC was reported in the forums. When infected, it will create a ransom note called Files encrypted.txt that contains a unique ID for the victim and payment sites that a user must visit to get payment instructions. These payment sites, shown below, ask for 0.18 BTC, or approximately 100 Euro.

Unfortunately, we have not been able to get our hands on a sample of the installer, but . For those who are infected with this ransomware, please post in the  so that we can try and recover a sample of the installer.