The WildFire Locker ransomware has risen from the dead and rebranded itself using the name Hades Locker. Its previous incarnation was shut down after authorities seized the command & control servers. Unfortunately, the ransomware developers were not apprehended and have been biding their time before releasing a new ransomware.
Late last week, a new version of Cerber Ransomware was released that included some new features. The most notable changes are the switch from the static .Cerber3 extension for encrypted files to a random 4-character extension, the use of a HTA file as the ransom note, and the termination of various database processes before encryption.
This week really picked up when it comes to ransomware news. Lots of new variants, new decryptors, and new ransomware. Of particular interest this week is Locky switching to the ODIN extension and security companies releasing a lot of decryptors.
Kaspersky posted a great article about their TeamXrat Ransomware analysis and how they were able to create a decryptor for its victims. Although it was reported in our forums back in mid-September, I and other security researchers were never able to find an actual sample of the malware.
Today we bring you Princess Locker; the ransomware only royalty could love. First discovered by Michael Gillespie, Princess Locker encrypts a victim's data and then demands a hefty ransom amount of 3 bitcoins, or approximately $1,800 USD, to purchase a decryptor.
Today a new Locky Ransomware variant was discovered by @dvk01uk that now uses the .ODIN extension for encrypted files. It is important to note that if you are infected with this ransomware, you are not infected with the Odin Ransomware. You are instead infected by Locky, which is using the .ODIN extension. There is a difference.
With all the buzz around tonight's Presidential Debate between Hillary Clinton and Donald Trump, I decided to see if I could find any malware based around these polarizing candidates. Though I did not find anything related to Hillary Clinton, I did stumble upon a development version of the Donald Trump Ransomware.
The Nagini Ransomware was discovered, taking its name from the pet snake belonging to the Harry Potter villain Voldemort. The use of pop culture themes in ransomware infections has become popular over the past month.
This has been the slowest ransomware week in a long time! Thank you, devs, for giving me some time to do other things! For this week we have some smaller ransomware releases as well as new updates to existing ransomware. We also have the continuing saga of Fabian smacking the Stampado and Apocalypse devs around with new decryptors.
A new variant of the Fantom Ransomware was discovered last week that added some new features. These features include network share encryption, random desktop wallpapers, and offline encryption. By far the most interesting feature is the ransomware's ability to set a ransom amount and a payment address based upon the name of the file.
Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor.
A new version of the Stampado ransomware has taken ransomware development to a new low by encrypting files already encrypted by other ransomware.
The Shark Ransomware Project that appeared in July 2016 has rebranded as the Atom Ransomware Affiliate Program, offering an improved service for crooks that want to start a life in cyber-crime. Just like Shark, the service is still available on the public Internet, which is strange because most of its rivals prefer anonymity.
It is a good day when a ransomware programmer channels their noobness and releases an insecure ransomware. This is the case with a new variant of the NoobCrypt Ransomware that was discovered by security researcher Jakub Kroustek. Living up to its name, the developer of NoobCrypt uses the same encryption key for every victim.
A new version of the Stampado ransomware called Philadelphia is being sold on underground criminal sites by a malware developer named The Rainmaker for $400 USD. According to Rainmaker, Philadelphia is being sold as a low cost ransomware solution that allows any wannabe criminal to get an advanced campaign up and running easily.
A new ransomware called CryLocker, which pretends to be from a fake organization called the Central Security Treatment Organization, has been discovered that communicates via UDP, tries to find your location via nearby wireless networks, and uses a popular image hosting service to store information about the victims.
This week we have 8 stories: new ransomware, scams, taunts, and decryptors. Of particular note is the Fairware Ransomware scam being installed via hacked Linux Redis servers. We also have malware developers taunting security researchers, a new Cerber version, and a new ransomware that uploads info about the computer.
A new DetoxCrypto Ransomware variant called the Nullbyte Ransomware has been discovered by Emsisoft security researcher xXToffeeXx that pretends to be the popular Pokemon Go bot application called NecroBot. When infected, the ransomware will encrypt a victim's files and then demand .1 bitcoins to decrypt the files.
An article was published today that details how insecure Redis instances on the Internet were being hacked to install a fake ransomware. After reading this article, I saw that there were striking similarities between the ransom notes that Duo Security described and the ones that were being created by the Fairware ransomware.
A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When testing the new sample, there were some minor differences between this version and the previous version.