This week we have leaked keys, analysis of a new family, 1 new ransomware variant, 3 new ransomware infections, and 1 new ransomware decryptor. It was a big week for the Petya and Mischa devs as they opened their Ransomware as a Service to the public and leaked 3,500 decryption keys for the Chimera Ransomware.
A new variant of the Jigsaw Ransomware has been discovered by Michael Gillespie that uses a new Anonymous themed background for the ransom note. Though there has been a previous variant of Jigsaw that included a Guy Fawkes mask, this new one implies that Anonymous is involved with the ransomware. The ransom screen's background now s
Today, the Petya and Mischa Ransomware devs have made their Ransomware as a Service, or RaaS, open to the public. For the past few months, the Petya & Mischa RaaS has been in testing with a limited amount of supposed high volume distributors. As of today, any would-be criminal can sign up and become an official distributor.
The devs behind the Mischa and Petya ransomware have leaked approximately 3500 RSA decryption keys for the Chimera Ransomware. These keys are in hex format, but can be converted back to their normal format and used within a decryptor by a security company or professional.
Last week, TrendMicro blogged about a new ransomware family called CrypMIC that was impersonating CryptXXX. At first glance, CrypMIC looks so much like CryptXXX that I thought it was just a new CryptXXX variant. In this article I have provided a side-by-side comparison of screens a victim may see so they can tell the difference
This week we have 3 new ransomware variants, 2 new ransomware infections, and 4 new ransomware decryptors. Stampado finally popped its head out of its hole, but was quickly squashed and a slew of new decryptors were released. Overall, a good week for the good guys.
For about a week since Stampado was discovered being sold on the darkweb for the cheap price of $39 USD, no samples were available. That changed today when two samples of Stampado appeared on VirusTotal. It is currently unknown if these samples are from a live distribution campaign or were submitted by the distributor/developer to te
AVG has released a decryptor for the Bart Ransomware infection, which stores your files in password-protected zip files. Created by the same actors behind Dridex and Locky, Bart Ransomware will password protect a victim's data without communicating with a command & control server.
A decryptor has been released by ransomware expert BloodDolly that can decrypt files encrypted by the ODCODC Ransomware. Though the Command & Control servers are no longer active, many ransomware victims do not pay the ransom and hold on to their encrypted files in the hope that a decryptor can be created.
A new ransomware has been discovered by AVG malware analyst @JakubKroustek called HolyCrypt. This ransomware is written in Python and compiled into a Windows executable using PyInstaller. This allows the developer to distribute all of the necessary Python files as a single executable.
A new variant of the CryptXXX ransomware has been released that is not only modifying the extension of encrypted files, but is now renaming the entire file. When installed, my files' names were completely scrambled to a seemingly random filename and extension.
A new version of the Petya disc-encrypting ransomware has been released that fixes a bug in its encryption algorithm. This bug had previously been exploited, but now that the implementation is fixed, the weakness may no longer be usable.
Free keys are only being offered for certain versions of CryptXXX, namely the variants that add the .Crypz and .Cryp1 extensions to encrypted files. All other versions are not receiving the decryption key for free. If you are infected with these variants of CryptXXX, you should log in and get your free key before they fix it.
A new ransomware called CTB-Faker was discovered that pretends to be the CTB-Locker ransomware. It is a poor imitator, though, as instead of encrypting a victim's files, it will move them instead into a password protected ZIP archive. CTB-Faker will then demand a ransom of $50 USD in bitcoins.
A new version of the CryptXXX Ransomware was discovered by Brad Duncan that includes changes to encrypted file names, uses modified ransom note names, a new template, and a new TOR payment site description. With this release, the ransom notes are now named README.html, README.bmp, and README.txt.
Security researcher BloodDolly recently discovered a new file encrypter called Alfa Ransomware, or Alpha Ransomware, which is from the developers of Cerber. At this time, not much is known about this ransomware. Preliminary reports, though, indicate that it is not possible to decrypt encrypted files for free.
Wow, it has been a busy week for ransomware. This week we have a new offline ransomware called Bart from the makers of Locky, 5 other new ransomware infections, a new version of Locky, and quite a few new decryptors.
Recently, researcher Mosh shared his analysis on a new ransomware called MicroCop that TrendMicro discovered. When installed, this ransomware will encrypt your data using DES encryption and then demand an outrageous 48.48 bitcoins!
A new ransomware called Satana was discovered by Malwarebytes' security researcher S!Ri that packs a two-in-one punch. When installed, the Satana Ransomware will encrypt your files using a standard file crypter and then also install a bootlocker to prevent you from logging into Windows.
A new version of the Locky Ransomware was released yesterday that uses a new naming scheme that appends the .zepto extension to encrypted files. With this new version, Locky will rename files to a name similar to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto.