  • Articles tagged with Ransomware
  • The Week in Ransomware - July 29 2016 - Petya, NoMoreRansom, Chimera, and More!

    This week we have leaked keys, analysis of a new family, 1 new ransomware variant, 3 new ransomware infections, and 1 new ransomware decryptor. It was a big week for the Petya and Mischa devs as they opened their Ransomware as a Service to the public and leaked 3,500 decryption keys for the Chimera Ransomware.

  • We Are Anonymous Jigsaw Ransomware Variant Discovered

    A new variant of the Jigsaw Ransomware has been discovered by Michael Gillespie that uses a new Anonymous-themed background for the ransom note. Though there has been a previous variant of Jigsaw that included a Guy Fawkes mask, this new one implies that Anonymous is involved with the ransomware. The ransom screen's background now s

  • Petya and Mischa Ransomware Affiliate System Publicly Released

    Today, the Petya and Mischa Ransomware devs have made their Ransomware as a Service, or RaaS, open to the public. For the past few months, the Petya & Mischa RaaS has been in testing with a limited number of supposed high-volume distributors. As of today, any would-be criminal can sign up and become an official distributor.

  • Chimera Ransomware Decryption Keys Released by Petya Devs

    The devs behind the Mischa and Petya ransomware have leaked approximately 3500 RSA decryption keys for the Chimera Ransomware. These keys are in hex format, but they can be converted back to their normal format and used within a decryptor by a security company or professional.

  • Side-by-side comparisons of the CrypMIC and CryptXXX Ransomware Infections

    Last week, TrendMicro blogged about a new ransomware family called CrypMIC that was impersonating CryptXXX. At first glance, CrypMIC looks so much like CryptXXX that I thought it was just a new CryptXXX variant. In this article I have provided a side-by-side comparison of screens a victim may see so they can tell the difference

  • The Week in Ransomware - July 22 2016 - Stampado, Bart, HolyCrypt, and More

    This week we have 3 new ransomware variants, 2 new ransomware infections, and 4 new ransomware decryptors. Stampado finally popped its head out of its hole, but was quickly squashed and a slew of new decryptors were released. Overall, a good week for the good guys.

  • Stampado Ransomware campaign decrypted before it Started

    For about a week after Stampado was discovered being sold on the dark web for the cheap price of $39 USD, no samples were available. That changed today when two samples of Stampado appeared on VirusTotal. It is currently unknown if these samples are from a live distribution campaign or were submitted by the distributor/developer to te

  • AVG releases Decryptor for Bart Ransomware

    AVG has released a decryptor for the Bart Ransomware infection, which stores your files in password-protected zip files. Created by the same actors behind Dridex and Locky, Bart Ransomware will password protect a victim's data without communicating with a command & control server.

  • ODCODC Ransomware Decryptor released by BloodDolly

    A decryptor has been released by ransomware expert BloodDolly that can decrypt files encrypted by the ODCODC Ransomware. Though the Command & Control servers are no longer active, many ransomware victims do not pay the ransom and hold on to their encrypted files in the hope that a decryptor can be created.

  • New Python ransomware called HolyCrypt Discovered

    A new ransomware called HolyCrypt has been discovered by AVG malware analyst @JakubKroustek. This ransomware is written in Python and compiled into a Windows executable using PyInstaller, which allows the developer to distribute all of the necessary Python files as a single executable.

  • CryptXXX Ransomware is now scrambling the filenames of Encrypted Files

    A new variant of the CryptXXX ransomware has been released that is not only modifying the extension of encrypted files, but is now renaming the entire file. When installed, my files' names were completely scrambled to a seemingly random filename and extension.

  • New version of Petya Released. Fixes bug in Encryption Algorithm

    A new version of the Petya disk-encrypting ransomware has been released that fixes a bug in its encryption algorithm. This bug had previously been exploited to recover files, but with the implementation fixed, that weakness may no longer be exploitable.

  • CryptXXX providing free keys for .Crypz and .Cryp1 Versions

    Free keys are only being offered for certain versions of CryptXXX, namely the variants that add the .Crypz and .Cryp1 extensions to encrypted files. All other versions are not receiving the decryption key for free. If you are infected with these variants of CryptXXX, you should log in and get your free key before they fix it.

  • CTB-Faker Ransomware does a poor job imitating CTB-Locker

    A new ransomware called CTB-Faker was discovered that pretends to be the CTB-Locker ransomware. It is a poor imitator, though, as instead of encrypting a victim's files, it moves them into a password-protected ZIP archive. CTB-Faker will then demand a ransom of $50 USD in bitcoins.

  • New CryptXXX changes name to Microsoft Decryptor

    A new version of the CryptXXX Ransomware was discovered by Brad Duncan that includes changes to encrypted file names, uses modified ransom note names, a new template, and a new TOR payment site description. With this release, the ransom notes are now named README.html, README.bmp, and README.txt.

  • New Alfa, or Alpha, Ransomware from the same devs as Cerber

    Security researcher BloodDolly recently discovered a new file encrypter called Alfa Ransomware, or Alpha Ransomware, which is from the developers of Cerber. At this time, not much is known about this ransomware. Preliminary reports, though, indicate that it is not possible to decrypt encrypted files for free.

  • The Week in Ransomware - July 1 2016 - Bart, WildFire, Locky, and More

    Wow, it has been a busy week for ransomware. This week we have a new offline ransomware called Bart from the makers of Locky, 5 other new ransomware infections, a new version of Locky, and quite a few new decryptors.

  • Decrypted: MicroCop Ransomware demands 48 Bitcoins to get your files back

    Recently, researcher Mosh shared his analysis on a new ransomware called MicroCop that TrendMicro discovered. When installed, this ransomware will encrypt your data using DES encryption and then demand an outrageous 48.48 bitcoins!

  • Satana Bootkit Encrypts your files and then locks you out of Windows

    A new ransomware called Satana was discovered by Malwarebytes security researcher S!Ri that packs a two-in-one punch. When installed, the Satana Ransomware will encrypt your files using a standard file crypter and then also install a bootlocker to prevent you from logging into Windows.

  • New Locky version adds the .Zepto Extension to Encrypted Files

    A new version of the Locky Ransomware was released yesterday that uses a new naming scheme that appends the .zepto extension to encrypted files. With this new version, Locky will rename files to a name similar to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto.
