This week we have 6 new ransomware, 1 distasteful ransom note, 2 decryptors, and an update to Locky. Of particular note is the CryLocker Ransomware, which uses Imgur.com to store information about its victims. We also have a new ransomware being sold, an update to Locky, and security researchers fighting back!

Contributors and those who provided new ransomware info this week include: @struppigel@JakubKroustek@0xtadavie@fwosar, @malwrhunterteam@PolarToffee, @DanielGallagher, @demonslay335, @JAMESWT_MHT, @Seifreed@nyxbone, and @BleepinComputer. If you are interested in ransomware or security, I suggest you follow all of them on Twitter.

September 5th 2016

The CryLocker Ransomware Communicates using UDP and stores data on Imgur.com

A new infection called the CryLocker Ransomware, which pretends to be from a fake organization called the Central Security Treatment Organization, has been discovered by security researcher MalwareHunterTeam.  When the Central Security Treatment Organization, or Cry, Ransomware infects a computer it will encrypt a victim's files and then append the .cry extension to encrypted files. It will then demand approximately 1.1 bitcoins, or $625 USD, in order to get the decryption key.

Payment Site

September 6th 2016

Locky now using Embedded RSA Key instead of contacting Command & Control Servers

According to security researcher Timothy Davies, a new version of the Locky Ransomware, aka Zepto, has been circulating since around the September 5th 2016 that includes an embedded RSA key and no longer communicates with C2 servers.

RSA Key

RarVault Ransomware puts files into a Password Protected Rar Archive

A new ransomware called RarVault targeting Russian victims was discovered by BleepingComputer.com helper B-boy/StyLe/ when helping a user at Kaldata.com. This ransomware will move all of a victim's data files into a password protected Rar archive located at C:\RarVault\Arh_.rar.  The ransom note that is created is called RarVault.htm.

It may be possible decrypt these files, so if anyone is infected with RarVault they should post for help in our Ransomware Help & Tech Support forum.

RarVault Ransom Note

September 7th, 2016

New KawaiiLocker Ransomware targeting Russian Victims

A new ransomware called KawaiiLocker was discovered by Thyrex and with a writeup by Amigo-A. This ransomware appears to be targeting Russian victims. It will create a ransom note called How Decrypt Files.txt. A decryptor has been created by Thyrex, which can be downloaded from here.

KawaiiLocker Ransom Note

September 8th 2016

The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals

A new version of the Stampado ransomware called Philadelphia has started being sold for $400 USD by a malware developer named The Rainmaker,  According to Rainmaker, Philadelphia is being sold as a low cost ransomware solution that allows any wannabe criminal to get an advanced ransomware campaign up and running with little expense or complexity.

Philadelphia Headquarters Management Console

New Flyper Ransomware Campaign Underway

A new version of the Flyper Ransomware was discovered by MalwareHunterTeam that appends the .locked extension to encrypted files. It then demands a ransom of .5 bitcoins to get your file back. The associated email address for this ransomware is flyper01@sigaint.org.

Flyper Wallpaper

September 9th 2016

The CryPy Python Ransomware encrypts each file with its own Key

A new ransomware written in Python was discovered by Jakub Kroustek ‏that encrypts your data using AES encryption. In the README_FOR_DECRYPT.txt ransom note, it instructions the victim to email m4n14k@sigaint.org or blackone@sigaint.org for payment instructions.

When files are encrypted, the name of the file is sent to the Command & Control server. The C2 server will then reply with a new name for the file and key that should be used to encrypt it. An example of an encrypted filename is CRYJHL59FH8A289HO2S0LHT69FKFD2A282HFHD5VI9IAKIHJES22IT82KG4P88ULW0GT4H.cry

 

CryPy Ransom Note

September 10th 2016

Decryptor for the Philadelphia Ransomware Released

A decryptor for the Philadelphia Ransomware was released by Emsisoft security researcher Fabian Wosar

To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. Due to the file name encryption this can be a bit tricky. The best way is to simply compare file sizes. Encrypted files will have the size of the original file rounded up to the next 16 byte boundary. So if a the original file was 1020 bytes large, the encrypted file will be 1024. Select both the encrypted and non-encrypted file and drag and drop both of them onto the decrypter file in your download directory.

Ransomware devs sink to new lows by pretending to help the Homeless

Michael Gillespie found a new ransom note where the ransomware developers pretend to be helping homeless people. Looks to be a Crysis variant and files will be renamed to a name like test.jpg.id-5492B6BC.(helphomeless@india.com).crypt.

Helphomeless Ransomware