Free keys are only being offered for certain versions of CryptXXX, namely the variants that add the .Crypz and .Cryp1 extensions to encrypted files. All other versions are not receiving the decryption key for free. If you are infected with these variants of CryptXXX, you should log in and get your free key before they fix it.
A new ransomware called CTB-Faker was discovered that pretends to be the CTB-Locker ransomware. It is a poor imitator, though, as instead of encrypting a victim's files, it moves them into a password-protected ZIP archive. CTB-Faker will then demand a ransom of $50 USD in bitcoins.
A new version of the CryptXXX Ransomware was discovered by Brad Duncan that includes changes to encrypted file names, uses modified ransom note names, a new template, and a new TOR payment site description. With this release, the ransom notes are now named README.html, README.bmp, and README.txt.
Security researcher BloodDolly recently discovered a new file encrypter called Alfa Ransomware, or Alpha Ransomware, which is from the developers of Cerber. At this time, not much is known about this ransomware. Preliminary reports, though, indicate that it is not possible to decrypt encrypted files for free.
Wow, it has been a busy week for ransomware. This week we have a new offline ransomware called Bart from the makers of Locky, 5 other new ransomware infections, a new version of Locky, and quite a few new decryptors.
Recently, researcher Mosh shared his analysis on a new ransomware called MicroCop that TrendMicro discovered. When installed, this ransomware will encrypt your data using DES encryption and then demand an outrageous 48.48 bitcoins!
A new ransomware called Satana was discovered by Malwarebytes security researcher S!Ri that packs a two-in-one punch. When installed, the Satana Ransomware will encrypt your files using a standard file crypter and then also install a bootlocker to prevent you from logging into Windows.
A new version of the Locky Ransomware was released yesterday that uses a new naming scheme that appends the .zepto extension to encrypted files. With this new version, Locky will rename files to a name similar to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto.
A new ransomware (eduware?) called EduCrypt was discovered by AVG security researcher Jakub Kroustek that tries to teach its victims a lesson about ransomware. Like other encrypting malware, EduCrypt will encrypt a victim's files, but instead of demanding a ransom, it gives the victim the password for free along with a reprimand.
The Bart Ransomware is an offline ransomware infection that turns all of your files into password protected zip files. This ransomware shares many similarities with Locky and may be distributed by the same developers.
This was a big week for ransomware news primarily because the Necurs Botnet returned with a new campaign for the Locky ransomware. This week we also have 5 new ransomware infections, a change in the CryptXXX extension, and to end on a good note, a couple of decryptors.
At the beginning of June, the Necurs botnet went offline, which caused its Dridex and Locky malware campaigns to disappear as well. On Monday, ProofPoint detected a multi-million email Locky spam campaign, which appears to be originating from the Necurs botnet, which is back online.
A new ransomware was discovered that is written in Python and targets the Zimbra enterprise collaboration software. Reported by one of our visitors, this ransomware targets the Zimbra email message store folder and encrypts all of the files located within it. It then creates a ransom note in /root/how.txt that demands 3 bitcoins.
A new version of the CryptXXX/UltraCrypter ransomware was released today that switched from the .crypz extension to a random one consisting of 5 characters. This new version now encrypts files on a computer using a random 5 hexadecimal character extension.
A new ransomware called CryptoRoger has been discovered today by MalwareBytes security researcher S!Ri. This ransomware will encrypt a victim's files using AES encryption and then append the .crptrgr extension to encrypted filenames.
A new variant of the Apocalypse Ransomware was released that utilizes the VMProtect software protection product. Fabian Wosar, of Emsisoft, was able to get past the VMProtect protection and create a new decryptor for this variant.
This week started slow, but finished with a lot of ransomware infections released towards the end of the week. This week we have 6 new Ransomware infections, 1 new Jigsaw variant, 1 screen locker, and an update to the CryptXXX infection.
A new EDA2 ransomware was discovered called Ded Cryptor. This ransomware has been around for quite a while and targets both Russian and English speaking victims. When installed, the victim's desktop will be changed to show an evil looking Santa having a good time while it encrypts your files.
A new ransomware called Apocalypse was released that encrypts your data and then appends the .encrypted extension to the encrypted files. It then requires you to email firstname.lastname@example.org in order to get instructions on how to pay the ransom. For those who have been affected, Fabian Wosar of Emsisoft has released a free decryptor.
Lots of ransomware news this week with 3 new infections, 7 new Jigsaw ransomware variants, 3 new decryptors, a new variant of Nemucod, and an interesting article about the Crysis ransomware. I would like to thank everyone who monitors and analyzes new ransomware infections on Twitter and through other sources.