A new ransomware called CryLocker, which pretends to be from a fake organization called the Central Security Treatment Organization, has been discovered that communicates via UDP, tries to find your location via nearby wireless networks, and uses a popular image hosting service to store information about the victims.
This week we have 8 stories: new ransomware, scams, taunts, and decryptors. Of particular note is the Fairware Ransomware scam being installed via hacked Linux Redis servers. We also have malware developers taunting security researchers, a new Cerber version, and a new ransomware that uploads info about the computer.
A new DetoxCrypto Ransomware variant called the Nullbyte Ransomware has been discovered by Emsisoft security researcher xXToffeeXx that pretends to be the popular Pokemon Go bot application called NecroBot. When infected, the ransomware will encrypt a victim's files and then demand 0.1 bitcoins to decrypt the files.
An article was published today that details how insecure Redis instances on the Internet were being hacked to install a fake ransomware. After reading this article, I saw that there were striking similarities between the ransom notes that Duo Security described and the ones that were being created by the Fairware ransomware.
A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When testing the new sample, there were some minor differences between this version and the previous version.
A new attack called FairWare ransomware is targeting Linux users, where the attackers hack a Linux server, delete the web folder, and then leave a ransom note. The attackers then require the victim to pay 2 bitcoins in order to get their files back. It is unknown if the attackers still have a victim's files.
Over the past few days, the Locky / Zepto developers have switched to using a DLL to install the Locky Ransomware rather than an executable. This is probably being done for further obfuscation and to bypass executable blockers, as rundll32.exe is typically whitelisted.
The Domino Ransomware is a new infection discovered by Daniel Gallagher and Michael Gillespie that is based on the Hidden Tear open-source ransomware project. This ransomware is distributed as a KMSpico installer, encrypts your files with the .Domino extension, and contains a ransom note with a cow in it.
A new ransomware called Fantom was discovered by AVG malware researcher Jakub Kroustek that is based on the open-source EDA2 ransomware project. The Fantom Ransomware uses an interesting feature of displaying a fake Windows Update screen that pretends Windows is installing a new critical update while it is encrypting files.
As part of the NoMoreRansom.org initiative, the National High Tech Crime Unit of the Dutch Police was able to seize the Command & Control server for the WildFire Locker ransomware. This allowed them to recover approximately 5,800 decryption keys that were used by McAfee and Kaspersky to create free decryptors for WildFire victims.
A new ransomware called Alma Locker has been discovered by Proofpoint researcher Darien Huss that encrypts a victim's data and then demands a ransom of 1 bitcoin within five days.
Wow... it has been a really busy week for ransomware. The top stories this week are the rise of Pop Culture Ransomware, as seen by two Pokemon variants and a Mr. Robot variant, and Check Point's Cerber report and short-lived, but useful, decryption service.
A new ransomware called DetoxCrypto has been discovered that includes variants that take pictures of your active screen or try to take part in the PokemonGo craze.
Today Michael Gillespie discovered a new EDA2 variant that I have dubbed the FSociety Ransomware based on the image used on the infection's wallpaper. Fans of Mr. Robot will instantly recognize the image as the logo of the show's infamous hacking group called FSociety.
In just one day, the developers behind the Cerber Ransomware have made changes that blocked Check Point Software from decrypting Cerber victims' files for free. At the same time, Cerber has added a captcha to their payment system. Was a simple captcha used to block Check Point's decryption system?
Check Point Software, along with IntSights, has released a very detailed report on the Cerber Ransomware and its Ransomware as a Service affiliate system. The revenue generated by the Cerber affiliate system is staggering, with Cerber generating $195,000 in profits for July and the malware developer taking a 40% cut from this total.
For those who have been affected by the Cerber Ransomware and decided not to pay the ransom, we have good news for you! Today, Check Point released a free decryption service for files encrypted with the .CERBER and .CERBER2 extensions.
A new Ransomware as a Service, or RaaS, called the Shark Ransomware Project has been discovered. The Shark Ransomware Project offers would-be criminals the ability to create their own customized ransomware without needing any technical experience and by simply filling out a form and clicking a button.
A new variant of the TorrentLocker ransomware, otherwise known as Crypt0L0cker, has been discovered that pretends to be a bill from the Italian energy company Enel. When the ransomware is executed it will encrypt a victim's data and append the .ENC extension to encrypted files.
With the popularity of PokemonGo, it was inevitable that a malware developer would create a ransomware that impersonates it. This is the case with a new ransomware that impersonates a PokemonGo application for Windows and includes interesting new features such as a backdoor and spreading to removable drives.