Wow... lots of crap, I mean small ransomware infections, released this week. Of particular note is Kaspersky's update of their RannohDecryptor to be able to decrypt the .crypt, .cryp1, and .crypz variants of the CryptXXX ransomware.
If you are a CryptXXX Ransomware victim who didn't pay the ransom and instead decided to store your encrypted files and ransom notes for future fixes, then you are in luck. Today, Kaspersky announced that they updated their RannohDecryptor program to decrypt CryptXXX encrypted files that have the .crypt, .cryp1 and .crypz extensions.
Last week, TrendMicro blogged about a new ransomware family called CrypMIC that was impersonating CryptXXX. At first glance, CrypMIC looks so much like CryptXXX that I thought it was just a new CryptXXX variant. In this article I have provided a side-by-side comparison of screens a victim may see so they can tell the difference.
This week we have 3 new ransomware variants, 2 new ransomware infections, and 4 new ransomware decryptors. Stampado finally popped its head out of its hole, but was quickly squashed and a slew of new decryptors were released. Overall, a good week for the good guys.
A new variant of the CryptXXX ransomware has been released that is not only modifying the extension of encrypted files, but is now renaming the entire file. When installed, my files' names were completely scrambled to a seemingly random filename and extension.
The ransomware devs are taking a break during the summer as new ransomware has slowed down. This week we have 2 new variants of existing ransomware, the discovery of a new ransomware being sold on the dark web, increased distribution of WildFire Locker, and the release of free decryption keys for certain variants of CryptXXX.
Free keys are only being offered for certain versions of CryptXXX, namely the variants that add the .Crypz and .Cryp1 extensions to encrypted files. All other versions are not receiving the decryption key for free. If you are infected with these variants of CryptXXX, you should log in and get your free key before they fix it.
This was a slow ransomware week in the beginning, but it picked up steam towards the end. This week we had 1 new decryptor, 4 new ransomware infections, a new variant of CryptXXX, and the reemergence of PadCrypt.
A new version of the CryptXXX Ransomware was discovered by Brad Duncan that includes changes to encrypted file names, uses modified ransom note names, a new template, and a new TOR payment site description. With this release, the ransom notes are now named README.html, README.bmp, and README.txt.
This was a big week for ransomware news primarily because the Necurs Botnet returned with a new campaign for the Locky ransomware. This week we also have 5 new ransomware infections, a change in the CryptXXX extension, and to end on a good note, a couple of decryptors.
A new version of the CryptXXX/UltraCrypter ransomware was released today that switched from the .crypz extension to a random one consisting of 5 characters. This new version now encrypts files on a computer using a random 5 hexadecimal character extension.
CryptXXX, or now UltraCrypter, has had a buggy history since it launched. In the latest of a long list of issues, victims are reporting that they are not receiving the decryptor after making a ransom payment. Possibly to resolve these types of issues, the developers have launched a Helpdesk system on their payment site.
This week in ransomware brings 3 new ransomware infections (BadBlock, Black Shades, and JuicyLemon), 3 new variants of previously released ransomware infections, and a decryptor by Emsisoft.
A new update to the CryptXXX Ransomware has made significant design changes to both the ransom notes and the TOR payment site. Previously, CryptXXX just copied the layout and design of CryptoWall. With this recent update, they have now created their own design and template and renamed the decryptor to UltraDeCrypter.
We had 3 new ransomware infections called BadBlock, Zcrypt, and ODCOC, updates for Zyklon and CryptXXX, and one TeslaCrypt news item this week, but for the most part there was nothing that interesting released.
CryptXXX has been updated to version 3.0 and Kaspersky's decryptor no longer works. Unfortunately, this upgrade also appears to have broken the malware developers' own decryptor, based on multiple reports from paid victims.
This week ProofPoint announced that the CryptXXX ransomware was updated to version 2.0 and that Kaspersky's decryptor no longer worked. Today Kaspersky announced that they have released an updated decryptor that can now decrypt version 2.0 encrypted files as well.
A new ransomware called CryptXXX was discovered by Kafeine last week. Based on his analysis it was determined that CryptXXX is affiliated with the developers of the Angler Exploit Kit as well as the Reveton ransomware family. Thankfully Kaspersky was able to release a free decryptor so victims can get their files back.