CryptXXX has been updated to version 3.0 and Kaspersky's decryptor no longer works. Unfortunately, based on multiple reports from victims who paid, this upgrade also appears to have broken the malware developers' own decryptor.
Today, Mikko Hypponen discovered that the TeslaCrypt ransomware developers have changed the message on their last functioning TOR site. According to Mikko, as of a few hours ago a new message appeared on the TOR TeslaCrypt site that now recommends BloodDolly's TeslaDecoder application to decrypt your files.
The ransomware keeps on coming! Since the last article we have had 6 new ransomware infections released and, to balance it out, 6 decryptors. Included in the new ransomware is one that is targeting Drupal web sites. By far the biggest news, though, was the closing of TeslaCrypt and their release of the master decryption key.
In a surprise ending to the TeslaCrypt ransomware, the malware developers have released the master decryption key for their victims. This means that all victims of the TeslaCrypt ransomware can now decrypt their files for free!
Emsisoft has released two decryptors today for the Xorist family and 777 Ransomware infections. Both infections have been active for quite a while, but now victims can use these decryptors to recover their encrypted files for free.
A new dark web site called the Hall of Ransom states that they are selling ransomware infections, including a new one called Goliath. This site makes some pretty over-the-top claims and contains some text in their site's source code that makes me think they are linked to the Jigsaw ransomware.
Wow, this has been a crazy week when it comes to ransomware. Since Monday, we have had 6 new ransomware infections, 1 new Ransomware as a Service, and 1 update to an existing ransomware. It has been a busy week and I have not been able to write about everything, so I thought I would put together a roundup of all the ransomware news.
This week Proofpoint announced that the CryptXXX ransomware was updated to version 2.0 and that Kaspersky's decryptor no longer worked. Today Kaspersky announced that they have released an updated decryptor that can now decrypt version 2.0 encrypted files as well.
The developers behind the Petya and Mischa Ransomware infections have also released a Ransomware as a Service portal. This service allows malware distributors to earn a revenue share by distributing the Petya ransomware installers.
In order to stop leaving money on the table, the developers of Petya have bundled an extra ransomware called Mischa into the installer. Mischa is used as a backup ransomware infection in the event that Petya cannot be installed due to a lack of privileges.
The notorious Jigsaw Ransomware has rebranded itself as CryptoHitman and now uses the character from the popular Hitman video games and movies. In addition to adding the Hitman character to its locker screen, CryptoHitman also covers the lock screen with pornographic images that are definitely not safe for work.
A new ransomware called Enigma was discovered that targets Russian-speaking countries. Discovered in late April by Jakub Kroustek, a reverse engineer and malware analyst for AVG, the Enigma Ransomware encrypts your data using AES encryption and then demands 0.4291 BTC, or approximately $200 USD, to get your files back.
A new ransomware called Alpha Ransomware was discovered this week. This ransomware encrypts your data with AES-256 encryption and then demands $400 USD in Amazon Gift Cards in order to get your files back. Thankfully, a decryptor for this infection has been created.
Version 4.2 of TeslaCrypt has been released with quite a few modifications. The most notable change is that the ransom notes have been heavily modified to contain only the information necessary to connect to the Command & Control servers.
Yesterday, a new ransomware called TrueCrypter was discovered by AVG malware analyst Jakub Kroustek. This ransomware encrypts your data using AES-256 encryption and then demands either 0.2 bitcoins or $115 USD in Amazon gift cards.
A new ransomware called CryptXXX was discovered by Kafeine last week. Based on his analysis it was determined that CryptXXX is affiliated with the developers of the Angler Exploit Kit as well as the Reveton ransomware family. Thankfully Kaspersky was able to release a free decryptor so victims can get their files back.
A new ransomware named 7ev3n-HONE$T has been discovered that is a variant of the 7ev3n ransomware. This ransomware will encrypt your files and then require a $400 USD bitcoin payment to decrypt your files. At this time there is no way to decrypt your files for free.
A quick post that version 4.1b of the TeslaCrypt Ransomware has been released. I am unsure when this was released, but a victim submitted a sample today of this new variant. It is currently unknown what has changed internally to the program, but there have been additional payment gateways added.
A new ransomware was discovered that tries to impersonate the well-known Locky ransomware. This impersonator is written in the AutoIt scripting language and has a flaw in its implementation that allows encrypted files to be decrypted.
When the Jigsaw Ransomware threatens to delete your files, it's not kidding. This is the first ransomware that we have seen that carries out its threats and will delete increasingly greater amounts of files each hour until the payment has been made. Thankfully, a method has been discovered that can decrypt these files for free.