This week we have 6 new ransomware, 1 distasteful ransom note, 2 decryptors, and an update to Locky. Of particular note is the CryLocker Ransomware, which uses Imgur.com to store information about its victims. We also have a new ransomware being sold, an update to Locky, and security researchers fighting back!
Contributors and those who provided new ransomware info this week include: @struppigel, @JakubKroustek, @0xtadavie, @fwosar, @malwrhunterteam, @PolarToffee, @DanielGallagher, @demonslay335, @JAMESWT_MHT, @Seifreed, @nyxbone, and @BleepinComputer. If you are interested in ransomware or security, I suggest you follow all of them on Twitter.
A new infection called the CryLocker Ransomware, which pretends to be from a fake organization called the Central Security Treatment Organization, has been discovered by security researcher MalwareHunterTeam. When the Central Security Treatment Organization, or Cry, ransomware infects a computer it will encrypt a victim's files and then append the .cry extension to the encrypted files. It will then demand approximately 1.1 bitcoins, or $625 USD, in order to get the decryption key.
According to security researcher Timothy Davies, a new version of the Locky Ransomware, aka Zepto, has been circulating since around September 5th 2016 that includes an embedded RSA key and no longer communicates with C2 servers.
A new ransomware called RarVault targeting Russian victims was discovered by BleepingComputer.com helper B-boy/StyLe/ when helping a user at Kaldata.com. This ransomware will move all of a victim's data files into a password protected Rar archive located at C:\RarVault\Arh_
It may be possible to decrypt these files, so if anyone is infected with RarVault they should post for help in our Ransomware Help & Tech Support forum.
A new ransomware called KawaiiLocker was discovered by Thyrex and with a writeup by Amigo-A. This ransomware appears to be targeting Russian victims. It will create a ransom note called How Decrypt Files.txt. A decryptor has been created by Thyrex, which can be downloaded from here.
A new version of the Stampado ransomware called Philadelphia has started being sold for $400 USD by a malware developer named The Rainmaker. According to Rainmaker, Philadelphia is being sold as a low cost ransomware solution that allows any wannabe criminal to get an advanced ransomware campaign up and running with little expense or complexity.
A new version of the Flyper Ransomware was discovered by MalwareHunterTeam that appends the .locked extension to encrypted files. It then demands a ransom of 0.5 bitcoins to get your files back. The associated email address for this ransomware is email@example.com.
A new ransomware written in Python was discovered by Jakub Kroustek that encrypts your data using AES encryption. In the README_FOR_DECRYPT.txt ransom note, it instructs the victim to email firstname.lastname@example.org or email@example.com for payment instructions.
When files are encrypted, the name of the file is sent to the Command & Control server. The C2 server will then reply with a new name for the file and key that should be used to encrypt it. An example of an encrypted filename is CRYJHL59FH8A289HO2S0LHT69FKFD2A282HFHD5VI9IAKIHJES22IT82KG4P88ULW0GT4H.cry
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. Due to the file name encryption this can be a bit tricky. The best way is to simply compare file sizes. Encrypted files will have the size of the original file rounded up to the next 16 byte boundary. So if the original file was 1020 bytes large, the encrypted file will be 1024 bytes. Select both the encrypted and non-encrypted file and drag and drop both of them onto the decrypter file in your download directory.
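The size comparison described above, as an added example that is not from the post or from the decrypter's author: given the sizes of backup originals and of the renamed encrypted files (the file names and sizes below are constructed), it rounds each original up to the next 16 byte boundary, reports the pairs that match exactly one original, and flags sizes that several originals share so the victim knows which pairs still need a manual check.

```python
import os
from collections import defaultdict

BLOCK = 16  # AES block size in bytes; encrypted size is the original rounded up to this


def padded_size(size: int) -> int:
    """Original size rounded up to the next 16 byte boundary (1020 -> 1024, 1024 -> 1024)."""
    return (size + BLOCK - 1) // BLOCK * BLOCK


def match_pairs(originals, encrypted):
    """originals / encrypted: dict of file name -> size in bytes.
    Returns (pairs, ambiguous): pairs holds (original, encrypted) tuples where
    exactly one original rounds to the encrypted size; ambiguous holds
    (encrypted, [candidate originals]) where several originals round to it."""
    by_padded = defaultdict(list)
    for name, size in originals.items():
        by_padded[padded_size(size)].append(name)
    pairs, ambiguous = [], []
    for enc_name, enc_size in encrypted.items():
        if enc_size % BLOCK:
            continue  # not a whole number of blocks, so not an output of this scheme
        candidates = by_padded.get(enc_size, [])
        if len(candidates) == 1:
            pairs.append((candidates[0], enc_name))
        elif len(candidates) > 1:
            ambiguous.append((enc_name, sorted(candidates)))
    return pairs, ambiguous


def sizes_in(directory):
    """For real use: map each regular file in a directory to its size in bytes."""
    return {f: os.path.getsize(os.path.join(directory, f))
            for f in os.listdir(directory)
            if os.path.isfile(os.path.join(directory, f))}


# Constructed sample: sizes of backed-up originals and of renamed .cry files
SAMPLE_ORIGINALS = {"report.docx": 1020, "photo.jpg": 52113, "notes.txt": 300, "todo.txt": 290}
SAMPLE_ENCRYPTED = {"enc_1.cry": 1024, "enc_2.cry": 52128, "enc_3.cry": 304, "enc_4.cry": 1001}

if __name__ == "__main__":
    found, unclear = match_pairs(SAMPLE_ORIGINALS, SAMPLE_ENCRYPTED)
    for orig, enc in found:
        print(f"pair: {orig} <-> {enc}")
    for enc, cands in unclear:
        print(f"ambiguous: {enc} could be any of {cands}")
```

Pass the two dicts returned by `sizes_in()` on a backup folder and on the folder of encrypted files to run it against real data.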
Michael Gillespie found a new ransom note where the ransomware developers pretend to be helping homeless people. Looks to be a Crysis variant and files will be renamed to a name like test.jpg.id-5492B6BC.(firstname.lastname@example.org).crypt.