
Ransomware Chronicle

This is a comprehensive report on ransomware-related events covering a time frame of May 2016 – July 2017. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources.

  • New ransomware released

  • Old ransomware updated

  • Ransomware decrypted

  • Other important ransomware related events

  • THE ENIGMA RANSOMWARE SURFACES

    Targets Russian-speaking victims. Appends the .enigma extension. Creates the enigma_encr.txt ransom note.

  • CRYPTXXX 2.0 EDITION

    Kaspersky’s free decryptor defeated. Concatenates the .crypt extension. Ransom notes named after victim ID.

  • SHUJIN RANSOMWARE SPREADING IN CHINA

    Zeroes in on Chinese victims only. Very complex decryption routine. Uses the 文件解密帮助.txt ransom note.

  • GNL LOCKER (GERMAN NETHERLANDS LOCKER)

    Targets German and Dutch users. Adds the .locked extension. UNLOCK_FILES_INSTRUCTIONS.txt manual.

  • CRYPTOHITMAN, A JIGSAW RANSOMWARE SPINOFF

    Hitman video game themed. Appends the .porno extension and uses X-rated images on warning screen.

  • CRYPREN RANSOMWARE DISTRIBUTION UPTICK

    Uses the .encrypted extension and drops READ_THIS_TO_DECRYPT.html help manual. Decryptable for free.

  • PETYA RANSOMWARE GOES WITH THE MISCHA BUNDLE

    If the MBR-overwriting Petya fails to get admin privileges, it installs Mischa, a typical file-encrypting Trojan.

  • PETYA AND MISCHA COMBO AS PART OF A RAAS

    Ransomware-as-a-Service platform launched allowing crooks to spread Petya and Mischa on an affiliate basis.

  • CRYPTXXX 2.0 CRACKED

    Kaspersky Lab updated their free decryptor for CryptXXX ransomware, version 2.0 now covered.

  • 8LOCK8 RANSOMWARE DISCOVERED

    New sample. Adds the .8lock8 extension and creates READ_IT.txt ransom notes. Interaction over email.

  • SHADE RANSOMWARE UPDATE

    New variant of the Shade aka Troldesh ransomware uses the .da_vinci_code extension to stain locked files.

  • FREE DECRYPTOR FOR GHOSTCRYPT AVAILABLE

    GhostCrypt ransomware (.Z81928819 extension, READ_THIS_FILE.txt ransom note) decrypted by researchers.

  • SNSLOCKER HITS THE HEADLINES

    New strain. Leverages AES cipher, appends the .RSNSlocked extension and demands $300 worth of Bitcoin.

  • XORIST RANSOMWARE LINEAGE DECRYPTED

    Decryptor for the Xorist family released by Emsisoft. Requires one encrypted file and its original copy.

  • 777 RANSOMWARE FAIL

    Appends the ._[timestamp]_$[email]$.777 extension. Decrypted by Emsisoft’s Fabian Wosar.

  • NEW ZYKLON LOCKER IN ROTATION

    A GNL Locker spinoff. Uses the .locked extension and drops UNLOCK_FILES_INSTRUCTIONS.html/txt manuals.

  • THE END OF TESLACRYPT: MASTER KEY RELEASED

    TeslaCrypt ransomware authors close the project and release the Master Decryption Key.

  • WEBSITE-ENCRYPTING RANSOMWARE

    New infection exploiting Drupal vulnerability. About 400 sites affected. Demands 1.4 BTC to decrypt content.

  • DMA LOCKER 4.0 DISCOVERED

    Doesn’t modify filenames. Creates Cryptinfo.txt ransom manual and extorts 1.5 BTC.

  • CRYPTXXX UPDATED TO VERSION 3.0

    Crypto flaw patched. Kaspersky’s decryptor no longer capable of restoring files.

  • TESLACRYPT DEVS RECOMMEND A RESEARCHER’S TOOL

    Crooks provide a link to expert-tailored decoder on Tor payment site for the defunct TeslaCrypt.

  • ODCODC: NEW RANSOMWARE ON THE TABLE

    File renaming format as follows: [attacker’s_email]-[original_filename].odcodc. Not decryptable for free.

  • ZCRYPT SPREADS VIA USB AND NETWORK SHARES

    New one. Appends the .zcrypt string. Propagates over autorun.inf files on memory sticks and network drives.

  • ZYKLON RANSOMWARE SWITCHES TO APROPOS EXTENSION

    New Zyklon edition switches from the .locked extension to .zyklon string. No more changes made.

  • BADBLOCK IS ON THE BLOCK

    New BadBlock ransomware doesn’t append any extension to files. Ransom size is 2 BTC.

  • INVISIBLE EMPIRE THEMED TROJAN

    Another Jigsaw ransomware version. Deletes files unless a victim pays up. Decryptable for free.

  • JOBCRYPTER UPDATE

    A modified variant of the JobCrypter ransomware discovered. Uses the .css extension.

  • JUICYLEMON RANSOMWARE DISCOVERED

    New sample telling victims to send email to support@juicylemon.biz for instructions. Demands 1000 Euros.

  • CRYPTXXX MORPHS INTO ULTRACRYPTER

    Multiple design tweaks of ransom notes and payment page. Decryptor now called UltraDeCrypter.

  • GOOD NEWS: BADBLOCK DECRYPTED

    The BadBlock strain, which cripples both data files and Windows EXEs, is decrypted courtesy of Emsisoft.

  • ANOTHER JIGSAW VARIANT EMERGES

    This descendant of the Jigsaw ransomware displays NSFW wallpaper and uses the .paybtc extension.

  • BLACK SHADES CRYPTER WANTS A SMALL RANSOM

    Targets English and Russian-speaking users, appends the .silent extension and demands $30.

  • HERBST RANSOMWARE TARGETING GERMAN USERS

    This sample uses symmetric AES cryptosystem, appends the .herbst extension to files and extorts $50.

  • RUSSIAN RANSOMWARE CALLED CRIPTOKOD

    Attacks Russian-speaking audience, adds the .criptokod extension to locked files. Decryptable for free.

  • MULTIPLE JIGSAW RANSOMWARE SPINOFFS DISCOVERED

    New Jigsaw variants use the .paymst, .payms, .pays, .paym, .paymrs, .payrms and .paymts extensions.

  • CRYSIS RANSOMWARE FAMILY EXPANDED

    Another Crysis ransomware offspring appends files with the .centurion_legion.aol.com.xtbl extension.

  • CRYSIS PLAGUE RUNS RAMPANT

    According to research by ESET, the Crysis ransomware is gaining momentum with cybercrooks.

  • NEMUCOD TROJAN SCRAMBLES FILES USING PHP

    Researchers defeat a new iteration of the Nemucod ransomware that uses the .crypted extension.

  • CISCO CREATES A UNIVERSAL TESLACRYPT DECODER

    Cisco’s Talos Group releases a tool that decrypts all known versions of the TeslaCrypt ransomware.

  • CRYPTXXX RANSOMWARE TWEAK

    New CryptXXX (UltraCrypter) version labels encrypted entries with the .cryptz extension.

  • APOCALYPSE RANSOMWARE DECRYPTED

    Emsisoft researcher tailors a decryptor for Apocalypse ransomware, which uses the .encrypted extension.

  • JAVASCRIPT-BASED RAA RANSOMWARE

    Built with JavaScript, the RAA ransomware (.locked extension) also installs the Pony password stealer.

  • FLOCKER ATTACKS ANDROID GADGETS

    The FLocker pest targets Android devices, including Smart TV, and extorts $200 worth of iTunes gift cards.

  • DED CRYPTOR BASED ON EDA2 PROOF-OF-CONCEPT

    Affixes the .ded extension to files, imposes email interaction with the attacker and demands 2 BTC.

  • JIGSAW OFFSPRING PAYS HOMAGE TO THE ANONYMOUS

    The Anonymous themed Jigsaw ransomware variant concatenates the .epic string to scrambled files.

  • DR.JIMBO@BK.RU RANSOMWARE SETS A DEADLINE

    Instructs victims to reach the devs via email within 48 hours otherwise threatens to erase files.

  • CRYPT38 RANSOMWARE WITH WEAK CRYPTO

    Targets Russian users, appends .crypt38 to files and asks for $15 in Rubles. Free decryptor released.

  • POTENTIALLY DECRYPTABLE CRYPTOSHOCKER

    New sample using AES algorithm and appending the .locked extension. Experts found a workaround.

  • LOCKY DISTRIBUTION BACKED BY NECURS BOTNET

    New Locky proliferation campaign discovered, leverages the Necurs botnet to generate harmful spam.

  • DECRYPTOR FOR APOCALYPSEVM RELEASED

    Researchers create a decryptor for ApocalypseVM ransomware that uses advanced anti-VM features.

  • RUSSIAN USERS TARGETED BY KOZY.JOZY PEST

    Uses asymmetric RSA crypto. Victims are instructed to email the attacker at kozy.jozy@yahoo.com.

  • CRYPTOROGER, A NEW SAMPLE OUT THERE

    Employs AES algo, uses the .crptrgr extension and creates !Where_are_my_files!.html ransom note.

  • CRYPTXXX ADDS RANDOMNESS TO THE MIX

    CryptXXX ransomware starts appending random 5-char extension to files instead of .crypz.

  • ZIMBRA RANSOMWARE ENCRYPTS EMAILS

    Python-based strain. Targets the Zimbra open-source email platform. Ransom amounts to 3 BTC.

  • NEW APOCALYPSE SPINOFF DISCOVERED AND DECRYPTED

    Appends the .SecureCrypted extension. Emsisoft Apocalypse Decryptor updated to restore files.

  • TOWERWEB@YANDEX.COM RANSOMWARE

    Tells victims to email the dev at towerweb@yandex.com for instructions. Demands $100 worth of Bitcoin.

  • KRATOSCRYPT, A HIDDEN TEAR SPINOFF

    Ransomware based on open-source educational code. Concatenates the .kratos extension to files.

  • BART RANSOMWARE DOESN’T ACTUALLY UTILIZE CRYPTO

    Stores files in password-protected ZIP folder rather than encrypt them. Demands 3 BTC.

  • SATANA BOOTKIT IS DOUBLE TROUBLE

    Encrypts files and wreaks havoc with Master Boot Record. Displays a lock screen asking for 0.5 BTC.

  • THE DIDACTIC EDUCRYPT RANSOMWARE

    Locks victims’ personal data but doesn’t request a ransom. Decrypt password available in a hidden .txt file.

  • ZEPTO EDITION OF LOCKY RANSOMWARE

    New Locky variant appends the .zepto extension and renames files to 32 hexadecimal chars.

  • MONEY-HUNGRY MICROCOP INFECTION

    Uses DES (Data Encryption Standard) and requests an astounding 48.48 BTC. Decrypted by analysts.

  • SHADE RANSOMWARE TWEAK

    New Shade iteration switches from using the .da_vinci_code to .Windows10 extension.

  • AVG DEVISES DECRYPTORS FOR SIX RANSOMWARE STRAINS

    The tools restore files scrambled by TeslaCrypt, Apocalypse, BadBlock, Crypt888, Legion, and SZFLocker.

  • UNLOCK92 RANSOMWARE

    Targets Russian-speaking audience. Email for interaction: unlock92@india.com. Decryptable for free.

  • EMERGENCE OF WILDFIRE LOCKER

    A likely Zyklon copycat. Circulates mostly in the Netherlands and Belgium. Appends the .wflx extension.

  • ALFA RANSOMWARE DISCOVERED

    Alfa, aka Alpha, ransomware uses the .bin extension and appears to be created by Cerber devs.

  • NEW APOCALYPSE VARIANT DECRYPTED

    Emsisoft’s decryptor now handles the .bleepYourFiles version of the Apocalypse ransomware.

  • ANOTHER CRYPTXXX RANSOMWARE UPDATE

    New edition creates README.html (.bmp, .txt) ransom notes and upsells a tool called “Microsoft Decryptor”.

  • THE BUGGY CRYPTOFINANCIAL SPECIMEN

    Requests 0.2 BTC to unlock files but irreversibly deletes the data instead.

  • BITSTAK RANSOMWARE WITH WEAK CRYPTO

    Appends the .bitstak extension to scrambled files. Researcher named Michael Gillespie created a decryptor.

  • PIZZACRYPTS PROPAGATING VIA NEUTRINO EXPLOIT KIT

    Uses the .id-[unique_victim_id]-maestro@pizzacrypts.info extension to brand all encoded files.

  • THE PADCRYPT CAMPAIGN REVIVES

    Having stayed dormant for several months, the PadCrypt ransomware (.padcrypt extension) re-emerges.

  • UNLOCK92 ENCRYPTION ENHANCEMENTS

    New variant uses RSA-2048 cryptosystem, cannot be decrypted. Appends the .CCCRRRPPP extension.

  • A LAME CTB-LOCKER COPYCAT APPEARS

    Sample dubbed CTB-Faker moves files to a password-protected ZIP archive. Potentially crackable.

  • ODCODC RANSOMWARE FINALLY DEFEATED

    Researcher going by the handle BloodDolly came up with a method to decrypt ODCODC-encoded files.

  • NEW XORIST VERSION POSES AS CERBER

    Although this sample uses the .cerber extension, it’s a mere copycat. Doesn’t link to Tor decryptor page.

  • WILDFIRE LOCKER ON THE RISE

    According to OpenDNS, there is an upswing in WildFire Locker distribution via the Kelihos botnet.

  • LOW-COST STAMPADO RANSOMWARE FOR SALE

    Appends the .locked extension. Criminals can buy a copy on the dark web for as little as $39.

  • DECRYPTION KEYS GIVEAWAY BY CRYPTXXX DEVS

    For whatever reason, CryptXXX Tor payment sites provide free keys to decrypt .cryp1 and .crypz files.

  • PETYA RANSOMWARE UPDATED

    Petya authors improved their Salsa20 algo implementation to encrypt Master File Table more reliably.

  • CRYPTXXX BADLY CRIPPLES FILENAMES

    A fresh edition of CryptXXX replaces filenames with 32 hex characters and appends random extensions.

  • PYTHON-BASED HOLYCRYPT RANSOMWARE

    Written in Python, the HolyCrypt sample installs all components as a single Windows executable.

  • AUTOMATIC ODCODC DECRYPTOR RELEASED

    ODCODC ransomware victims can now use an automatic free decryptor. The infection’s C&C server is dead.

  • AVG CRACKS THE BART RANSOMWARE

    Free recovery tool by AVG allows Bart ransomware victims to crack the ZIP archive password.

  • POWERWARE IS NOTHING BUT A LOCKY COPYCAT

    PowerWare ransomware masquerades as Locky. Decryptor available courtesy of Michael Gillespie.

  • STAMPADO RANSOMWARE DECRYPTED

    Emsisoft team member Fabian Wosar created a free decrypt tool for the relatively new Stampado pest.

  • CRYPMIC, A CRYPTXXX LOOKALIKE

    CrypMIC bears a strong resemblance to CryptXXX. Researchers provide a comparative review of the two.

  • SIMPLE_ENCODER APPENDS FILENAMES WITH A TILDE

    New sample. Uses the .~ file extension and creates _RECOVER_INSTRUCTIONS.ini ransom note.

  • THE NOMORERANSOM PROJECT GOES LIVE

    A true breakthrough in fighting ransomware. Created by law enforcement agencies and security companies.

  • CHIMERA RANSOMWARE DECRYPTION KEYS RELEASED

    Petya and Mischa ransomware authors publish about 3500 decryption keys for a strain called Chimera.

  • JANUS RAAS BECOMES OPEN TO WANNABE CRIMINALS

    Crooks behind Petya and Mischa make their Ransomware-as-a-Service platform available to the public.

  • THE SHORT-LIVED JAGER RANSOMWARE

    Incremental ransom size starting with $100 worth of Bitcoin. C&C server went down shortly after launch.

  • UYARI RANSOMWARE GOES AFTER TURKISH USERS

    Appends the .locked extension to scrambled items. Ransom notes in Turkish asking for 2 BTC.

  • JIGSAW FAMILY KEEPS EXPANDING

    “We Are Anonymous” Jigsaw ransomware variant with a new warning background. Decryptable.

  • KASPERSKY’S DECRYPT TOOL UPDATED

    RakhniDecryptor solution by Kaspersky Lab decrypts Chimera-locked files with the keys previously leaked.

  • THE RAZY RANSOMWARE PREDICAMENT

    New strain, uses AES crypto and concatenates the .razy extension. Even the devs cannot decrypt files.

  • LOCKY VARIANT USES BOOBY-TRAPPED WSF ATTACHMENTS

    The Zepto version of Locky ransomware circulates via malware-tainted WSF email attachments.

  • SHINOLOCKER, A NEW PROOF-OF-CONCEPT

    Japanese researcher creates educational ransomware called ShinoLocker. Another controversial initiative.

  • ASTONISHING SURVEY RESULTS

    50% of U.S. companies were targeted by ransomware in the past 12 months, Osterman Research reveals.

  • CERBER RANSOMWARE 2.0 RELEASED

    Switches to .cerber2 extension and uses a new desktop background. Ransom notes unaltered.

  • VENUS LOCKER, AN EDA2 SPINOFF

    The EDA2 PoC gave birth to a new real-world strain. Uses AES-256 standard and appends .venusf extension.

  • HITLER-RANSOMWARE DISCOVERED

    Buggy sample that deletes extensions rather than encrypt files. Demands a Vodafone card worth 25 Euros.

  • REKTLOCKER BASED ON EDUCATIONAL HIDDEN TEAR

    Uses open-source Hidden Tear code with some modifications. Appends files with the .rekt extension.

  • RANSOMWARE ON IOT DEVICES

    Researchers demonstrate a viable ransomware hitting thermostats at the DEFCON event.

  • SMRSS32 RANSOMWARE, A CRYPTOWALL COPYCAT

    Impostor pretending to be CryptoWall. Installs manually via RDP. Appends the .encrypted extension to files.

  • PIZZACRYPTS AND JUICYLEMON DECRYPTED

    Ransomware analyst nicknamed BloodDolly creates a free decryptor for PizzaCrypts and JuicyLemon strains.

  • POKEMONGO TROJAN DROPS ARABIC RANSOM NOTES

    Appends the .locked extension. Creates a backdoor Windows user account (Hack3r) for future PC access.

  • TORRENTLOCKER TARGETS ITALIAN VICTIMS

    Aka Crypt0L0cker. Uses the .enc file extension. Infects computers via rogue energy bills sent over email.

  • THE SHARK RANSOMWARE-AS-A-SERVICE

    New RaaS platform that allows for extensive ransomware customization. Devs get 20% revenue cut.

  • CERBER RANSOMWARE DECRYPTION INITIATIVE

    Check Point released a decrypt tool for .cerber and .cerber2 variants. Worked for only 1 day, though.

  • CERBER RAAS REVENUE UNCOVERED

    According to investigative research, Cerber devs’ annual revenue is on the order of $1 million.

  • NEW STRAIN TARGETING KOREAN VICTIMS

    Based on the educational Hidden Tear code. Apparent ties to the CrypMIC ransomware discovered.

  • APOCALYPSE RANSOMWARE AUTHORS GET UPSET

    The crooks keep insulting Fabian Wosar who cracks every new edition of the pest.

  • CERBER DEVS PATCH FLAWS

    Threat actors behind Cerber ransomware make Check Point’s automatic decryptor inefficient.

  • SMRSS32 RANSOMWARE DECRYPTED

    Researchers release a free decrypt tool for the Smrss32.exe ransomware.

  • FSOCIETY RANSOMWARE DISCOVERED

    An EDA2 spinoff. Sets a Mr. Robot TV series themed wallpaper with Fsociety hacking group logo.

  • BART RANSOMWARE SWITCHES TO REAL CRYPTO

    Starts to actually encrypt files and append the .bart extension rather than simply password-protect them.

  • DETOXCRYPTO MIMICKING POKEMONGO FOR WINDOWS

    Payload pretends to be the PokemonGO game. Takes a screenshot of the Windows screen for intimidation purposes.

  • ALMA LOCKER USES RANDOM 5-CHAR EXTENSION

    Distributed via RIG exploit kit. Uses Tor C&C server. Ransom of 1 BTC to be submitted within 5 days.

  • ANOTHER CTB-LOCKER LOOKALIKE SURFACES

    Another CTB-Locker copycat, uses a similar ransom note and color scheme. Demands 0.5 BTC.

  • THE PURGE MOVIE-THEMED GLOBE RANSOMWARE

    Desktop wallpaper styling pays homage to the Purge movies. Appends the .purge extension to files.

  • WILDFIRE LOCKER TAKEDOWN

    Dutch police and NHTCU agency seize WildFire Locker ransomware’s C&C server. Free decryptor released.

  • ALMA LOCKER DECRYPTION OPTIONS

    According to PhishLabs, Alma Locker’s private key can be obtained with network sniffer during the attack.

  • FANTOM RANSOMWARE RUNS A FAKE WINDOWS UPDATE

    New strain based on EDA2. Displays a bogus Windows update screen to obfuscate the encryption process.

  • DOMINO RANSOMWARE POSING AS KMSPICO

    Based on educational Hidden Tear code. Payload disguised as KMSPico Windows crack.

  • LOCKY SWITCHES TO DLL INSTALLER TO EVADE AV

    The Zepto alias of Locky ransomware begins leveraging a DLL installer rather than an executable to spread.

  • SMRSS32 RANSOMWARE USES U.S. ELECTION SPAM

    New Smrss32 spam campaign delivering files masqueraded as U.S. Election news.

  • THE SERPICO VERSION OF DETOXCRYPTO

    Targets users in Serbia and Croatia. Doesn’t modify filenames. Requests 50 EUR for decryption.

  • FAIRWARE RANSOMWARE, A THREAT TO LINUX USERS

    Adversaries compromise Linux servers, erase web folders and extort 2 BTC for recovery.

  • RAA RANSOMWARE APPEARS IN THE WILD

    Instructs victims to send email to raaconsult@mail2tor.com for decryption steps.

  • THE CURIOUS CASE OF FABIANSOMWARE

    Apocalypse ransomware devs name their new variant “Fabiansomware” to insult researcher Fabian Wosar.

  • CERBER SWITCHES TO USING A NEW EXTENSION

    New edition of the Cerber ransomware concatenates the .cerber3 extension to locked files.

  • REDIS SERVERS HACKED TO INSTALL RANSOMWARE

    Crooks reportedly used insecure Redis servers to infect Linux machines with the Fairware ransomware.

  • STAMPADO STARTS SCRAMBLING FILENAMES

    New Stampado variant replaces filenames with hexadecimal chars and uses the .locked extension.

  • THE NULLBYTE RANSOMWARE FAIL

    Pretends to be a PokemonGO bot app. Demands 0.1 BTC. Decrypted by Michael Gillespie.

  • NEW CRYLOCKER IMPERSONATES A FAKE ORGANIZATION

    Acts on behalf of the nonexistent Central Security Treatment Organization. Appends the .cry extension.

  • CRYLOCKER DETAILS REVEALED

    CryLocker propagates via Sundown exploit kit and sends victims’ details to its C2 server over UDP.

  • LOCKY SWITCHES TO AUTOPILOT MODE

    New Locky samples go with built-in RSA keys and don’t communicate with C&C servers.

  • NO ACTUAL CRYPTO BY THE RARVAULT RANSOMWARE

    Targets Russian users. Moves files to password-protected RAR archive, creates RarVault.htm ransom note.

  • KAWAIILOCKER GOES AFTER RUSSIAN-SPEAKING AUDIENCE

    Hits Russian victims. Creates “How Decrypt Files.txt” ransom manual. Free decryptor released.

  • PHILADELPHIA RANSOMWARE SPOTTED IN THE WILD

    New Stampado version sold on the darknet for $400. Features a Mercy button.

  • FLYPER RANSOMWARE POPS UP

    Appends the .locked extension and requests 0.5 BTC. Attacker’s email address is flyper01@sigaint.org.

  • PYTHON-BASED CRYPY THREAT

    Uses AES encryption, adds the .cry extension and drops README_FOR_DECRYPT.txt help file.

  • PHILADELPHIA RANSOMWARE DECRYPTED

    Emsisoft’s Fabian Wosar creates a free decryptor for the Philadelphia pest.

  • CROOKS FORGE SUPPORT FOR THE HOMELESS

    New Crysis ransomware rips users off under the guise of helping the homeless.

  • NOOBCRYPT TURNS OUT TO BE A LAME SAMPLE

    New ransomware, uses the same set of crypto keys for all victims. Decryption keys published by analysts.

  • LOCKLOCK, ANOTHER EDA2 SPINOFF

    Leverages AES-256 algo, appends the .locklock extension to files and creates READ_ME.txt ransom note.

  • NEW RAAS CALLED ATOM

    Shark RaaS rebranded as the Atom Ransomware Affiliate Program. Available on the public Internet.

  • STAMPADO DECRYPTOR UPDATED

    Fabian Wosar releases a decrypt tool handling new variants of the Stampado ransomware.

  • LOCKY PERSEVERES WITH OFFLINE ENCRYPTION

    Locky ransomware’s autopilot crypto gets improved to prevent AV detection.

  • STAMPADO ENCRYPTS WHAT’S ALREADY ENCRYPTED

    New version encrypts files that were locked by other ransomware strains, so it’s double trouble.

  • RAZY RANSOMWARE MIMICS JIGSAW WARNING STYLE

    Razy asks for a PaySafeCard worth 10 EUR to unlock files. Ransom screen resembles the one used by Jigsaw ransomware.

  • FANTOM RANSOMWARE UPDATE

    New edition can encrypt data offline, similarly to Locky. Now targets network shares.

  • FENIXLOCKER AUTHOR SPAWNS LOVE NOTES

    FenixLocker ransomware dev found to leave the “FenixIloveyou!!” message in each encrypted file.

  • HDDCRYPTOR REWRITES MASTER BOOT RECORD

    A highly dangerous sample that locks victims out of their computers by overwriting MBR.

  • FENIXLOCKER DECRYPTED

    Emsisoft releases a free decrypt tool for FenixLocker, which adds secret mash notes to encrypted files.

  • FANTOM RANSOMWARE TWEAKS

    New iteration sets desktop wallpapers randomly and derives ransom size from payload name.

  • STAMPADO AND APOCALYPSE UPDATED AND CRACKED

    Fabian Wosar stays busy upsetting ransomware makers with his updated free decryptors.

  • LOCKY OPTS OUT OF OFFLINE-ONLY MODE

    New Locky samples switch back to using C&C infrastructure for encryption, according to Avira.

  • CERBER CIRCULATION GROWTH

    A major increase in Cerber ransomware distribution: daily infections reach 80,000.

  • CYBER SPLITTER VBS RANSOMWARE DISCOVERED

    Spotted by GData, Cyber SpLiTTer Vbs asks for 1 BTC but fails to actually encrypt any files.

  • UNBLOCKUPC RANSOMWARE SURFACES

    New sample, drops “Files encrypted.txt” ransom manual and demands 0.18 BTC for decryption.

  • MARSJOKE, ONE MORE CTB-LOCKER COPYCAT

    Bears a strong resemblance to CTB-Locker. Mainly targets U.S. governmental and educational institutions.

  • NAGINI RANSOMWARE FOLLOWS POP CULTURE

    Warning screen contains an image of Lord Voldemort, an evil character from the Harry Potter films.

  • NEW HELP_DCFILE RANSOMWARE

    Named after ransom note help_dcfile.txt. Appends files with the .XXX extension.

  • THE DONALD TRUMP RANSOMWARE

    In-development sample with a photo of Donald Trump on the ransomware GUI.

  • LOCKY GIVES BIRTH TO A NEW .ODIN PERSONA

    New variant adds the .odin extension to files and creates _HOWDO_text.html/bmp ransom notes.

  • DXXD RANSOMWARE FINALLY CRACKED

    Michael Gillespie, aka @demonslay335, creates a decryptor for the DXXD ransom Trojan.

  • OPEN-SOURCE RANSOMWARE FOR LINUX

    New educational Linux ransomware called CryptoTrooper gets negative feedback from security community.

  • PRINCESS LOCKER WANTS TOO MUCH FOR DECRYPTION

    Decryptor page resembles Cerber’s. The ransom is 3 BTC (about $2200), doubles after deadline.

  • AL-NAMROOD RANSOMWARE DECRYPTED

    Appends the .unavailable extension. Emsisoft creates an automatic decrypt tool for this sample.

  • RAZY RANSOMWARE EXPANDS ITS GEOGRAPHY

    New version targets German users. Extorts ransom in PaySafeCard. Deadline for payment is 72 hours.

  • KASPERSKY DISSECTS BRAZILIAN CYBERCRIME

    A write-up by Kaspersky analyzes Brazilian TeamXRat ransomware that targets enterprises and hospitals.

  • NUKE RANSOMWARE SPOTTED

    New one. Uses the AES standard and creates !!_RECOVERY_instructions _!!.html/txt ransom notes.

  • RANSOMWARE MAKER JOINS SECURITY FORUM

    Apocalypse ransomware dev starts posting on BleepingComputer forums to insult researcher Fabian Wosar.

  • KASPERSKY DECRYPTS MARSJOKE RANSOMWARE

    Kaspersky updated their RannohDecryptor solution so that it can crack the MarsJoke ransomware.

  • TREND MICRO BEATS THE GLOBE RANSOMWARE

    The Trend Micro Ransomware File Decryptor tool is now capable of decoding the Globe ransomware.

  • EMSISOFT CREATES THEIR OWN DECRYPTOR FOR GLOBE

    The tool can crack the Blowfish cipher used by the Globe ransomware.

  • KILLERLOCKER USES A FRIGHTENING TACTIC

    The strain appends files with the .rip extension and displays an image of a spooky clown.

  • FSOCIETY LOCKER BETA VERSION DISCOVERED

    Concatenates the .realfsociety@sigaint.org.fsociety extension to files and drops fsociety.html ransom note.

  • CRYPTOLOCKER 5.1 BASED ON HIDDEN TEAR

    Another example of criminals abusing educational ransomware code. No in-the-wild propagation.

  • MAJOR CERBER RANSOMWARE UPDATE

    New variant adds a random 4-character extension and creates README.hta ransom note.

  • HADES LOCKER, A WILDFIRE LOCKER HEIR

    Hades Locker occupies the niche of WildFire Locker, which had been taken down by Dutch law enforcement.

  • THE GLOBE RANSOMWARE FAMILY REPLENISHED

    Globe devs release multiple new spinoffs appending the .encrypted, .raid10, and .globe extensions.

  • CZECH USERS ENDANGERED BY KOSTYA RANSOMWARE

    Appends the .kostya extension. The ransom of 2,000 CZK (about $78) doubles after 12 hours.

  • THE COMRADE CIRCLE RANSOMWARE

    Adds the .comrade extension to files and displays RESTORE-FILES![ID] ransom note.

  • ENIGMA RANSOMWARE UPDATE

    New edition appends the .1txt extension and leaves enigma_info.txt ransom manual.

  • DEADLY FOR A GOOD PURPOSE RANSOMWARE

    Uses AES-256 algo and requests a Bitcoin equivalent of $500. Configured to encrypt data in 2017.

  • VENISRANSOMWARE DISCOVERED

    Uses VenisRansom@protonmail.com for communication. Enables RDP and steals passwords.

  • FIRST RANSOMWARE WRITTEN IN THE GO LANGUAGE

    Detected as Trojan.Encoder.6491, it appends the .enc extension. Cracked by Doctor Web.

  • DXXD VERSION 2 DECRYPTED

    Researchers create a decryptor for the 2nd iteration of the DXXD Ransomware.

  • NUKE RANSOMWARE UPDATE

    New Nuke variant spotted in the wild. Concatenates the .nuclear55 extension to encoded files.

  • LOCKYDUMP TOOL RELEASED

    Cisco Talos creates LockyDump, a tool that aggregates the configuration parameters of all Locky versions.

  • EXOTIC RANSOMWARE ENCRYPTS EXECUTABLES

    Dev’s handle is EvilTwin. Encrypts all data on target computers, including executable files.

  • NEW DMALOCKER VERSION DECRYPTED

    Malwarebytes releases a tool that decrypts DMALocker’s latest !XPTLOCK5.0 version.

  • NOOBCRYPT RANSOMWARE TWEAK

    NoobCrypt 2.0 demands $50. Attackers decided to stick with the ransomware name given by a researcher.

  • ANUBIS RANSOMWARE EMERGES

    Based on EDA2 ransomware. Appends the .coded extension, attacker’s email is support.code@aol.com.

  • NEW SCREEN LOCKER SPOTTED

    Only locks one’s screen without encrypting anything. Demands 10 EUR PaySafeCard to unlock.

  • 7EV3N RANSOMWARE DECRYPTOR RELEASED

    Malwarebytes researcher nicknamed “hasherezade” contrives a free 7ev3n Ransomware decryptor.

  • RANSOM TROJAN POSING AS A CLICK ME GAME

    Obfuscates the encryption process with an amusing Click Me game.

  • JAPANLOCKER TARGETING WEBSITES

    PHP-based ransomware encrypts data on web servers. Appears to have Indonesian origin.

  • MBRFILTER COUNTERS DISK-ENCRYPTING THREATS

    MBRFilter tool by Cisco Talos blocks ransom Trojans that attempt to overwrite the Master Boot Record.

  • LOCK93 RANSOMWARE ASKS FOR RUSSIAN RUBLES

    Low-quality sample. Appends the .lock93 extension to files and requests 1000 RUR. Decryptable.

  • ANGRY DUCK RANSOMWARE IS HUNGRY FOR BTC

    Uses the .adk extension to brand affected files. Demands a huge ransom of 10 BTC.

  • N1N1N1 RANSOMWARE UPDATE

    The variant uses a different filemarker (999999) and leaves the “decrypt explanations.html” ransom note.

  • LOCKY DEVS USE SOME BAD LANGUAGE

    New version appends files with the .shit extension and creates _WHAT_is.html/bmp recovery manuals.

  • CHANGES IN THE BART RANSOMWARE

    Now adds the .perl extension. Ransom notes are called recover.bmp and recover.txt.

  • THE THOR VARIANT OF LOCKY

    Concatenates the .thor extension rather than the .shit string. Ransom notes unaltered.

  • A LOCKY COPYCAT WITH HUNGARIAN ROOTS

    Dubbed “Hucky” (Hungarian Locky), the sample mimics Locky’s wallpaper and ransom notes.

  • RANSOMWARE IMPOSING A SURVEY

    An odd strain that asks victims to complete a sponsored survey before unlocking the computer.

  • CROOK TRIES TO SELL DECRYPT KEYS TO A RESEARCHER

    Emsisoft’s Fabian Wosar declined “realfs0ciety” cyber gang’s offer to buy their decrypt keys on the cheap.

  • ANOTHER LAME SCREEN LOCKER

    GData experts discover and defeat a screen locker that uses cuzimvirus@yahoo.com email for interaction.

  • ISSUES WITH THE CRYPTOWIRE PROOF-OF-CONCEPT

    One more educational ransomware, CryptoWire, gave rise to a real-world sample.

  • ONYX RANSOMWARE TARGETS GEORGIAN USERS

    Ransom message is written in Georgian. Warning screen contains an image of No-Face anime character.

  • THE OFFBEAT IFN643 RANSOMWARE

    Leaves the IFN643_Malware_Readme ransom note. Requests $1000 worth of Bitcoin.

  • THE BUGGY JACK.POT RANSOMWARE

    No mechanism to reach the attackers. Demands 3 BTC but provides a Litecoin address instead of Bitcoin.

  • MASTERBUSTER RANSOMWARE

    Based on EDA2 open-source project. Drops ransom note called CreatesReadThisFileImportant.txt.

  • SCREEN LOCKER CALLED RANSOMWARE 2.0 SPOTTED

    Does not encode any data but locks the screen instead. Demands 1 BTC otherwise threatens to delete files.

  • NEW SAMPLE USING !LOCKED#2.0 FILEMARKER

    Discovered by Michael Gillespie, aka @demonslay335. Malwarebytes analysts create a decryptor.

  • ALCATRAZ LOCKER DISCOVERED

    Appends the .alcatraz extension and leaves ransomed.html ransom note. Ransom size is 0.5 BTC.

  • CERBER NOW DISPLAYS VERSION NUMBER

    Cerber ransomware devs start indicating the version number, beginning with v4.1.0.

  • SMASH RANSOMWARE ISN’T MUCH OF AN ISSUE

    Displays a “File Kill Timer” window with a funny image of Super Mushroom. Doesn’t delete any files for real.

  • DUMMYLOCKER WITH HYBRID PROPERTIES

    Encrypts data and locks a victim’s screen. Files are appended with the .dCrypt extension.

  • ZSCREENLOCKER VIRUS SUGGESTS BANNING ISLAM

    Having encrypted one’s files, the zScreenLocker ransomware displays a “Ban Islam” image.

  • NEW ENCRYPTOJJS RANSOMWARE

    Appends the .enc extension and creates “How to recover.enc.txt” ransom note.

  • PAYDOS RANSOMWARE, AN OLD SCHOOL STRAIN

    Displays a ransom note within command prompt. Requests 0.33 BTC for the passcode to decrypt.

  • GREMIT RANSOMWARE EMERGING

    New sample. Appends the .rnsmwr extension to encrypted files.

  • RSA PUBLISHES AN ARTICLE ON CERBER 4.1.x

    Titled “The Evolution of Cerber… v4.1.x”, the article dissects new versions of the ransomware.

  • CLOCK.WIN32.RANSOMWARE SPOTTED

    Doesn’t encrypt any data, simply displays a lock screen. Demands $20 through PayPal.

  • CERBER 4.1.4 APPEARS

    Spreads via phishing emails with fake Word invoice attached. Version number indicated in ransom notes.

  • NOOBCRYPT RANSOMWARE UPDATE

    New version is built with an expired trial of a C# obfuscator. Accepts any unlock key, including a blank one.

  • CERBERTEAR, A CERBER COPYCAT

    A variant of Hidden Tear proof-of-concept pretending to be the Cerber ransomware.

  • JIGSAW RANSOMWARE EDITION WITH FRENCH ROOTS

    Decryptable sample that affixes the .encrypted extension to files and leaves a ransom note in French.

  • FSOCIETY RANSOMWARE APPENDING .DLL EXTENSION

    Based on RemindMe ransomware. Uses .dll extension and drops DECRYPT_YOUR_FILES.html ransom note.

  • RANSOMWARE DISGUISED AS PAYSAFECARD GENERATOR

    Uses a fake PaySafeCard generator window to obfuscate file encryption. Prepends “.cry_” to extensions.

  • AIRACROP RANSOMWARE BY TEAMXRAT RING

    Appends the ._AiraCropEncrypted extension to files. Distributed by the TeamXRat cybercrime gang.

  • IRANSOM INFECTION KIT SOLD ONLINE

    The sample is sold on underground resources. Adds the .Locked extension to encrypted files.

  • THE HEIMDALL PHP RANSOMWARE

    A proof-of-concept written in PHP that targets web servers. Created by a Brazilian researcher.

  • TELECRYPT RANSOMWARE DISCOVERED

    The sample leverages the Telegram communication protocol to interact with its C2 infrastructure.

  • FAIRYTALE-ISH SAMPLE TARGETING RUSSIAN USERS

    A new specimen using a popular Russian “Kolobok” fairytale theme for the desktop background.

  • FAKE OPM BANK NOTIFICATIONS SPREADING LOCKY

    Spam emails disguised as alerts from U.S. Office of Personnel Management deliver Locky payloads.

  • CRYSIS RANSOMWARE DEVS RELEASE DECRYPT KEYS

    CrySiS ransomware authors set up a Pastebin page with Master Decryption Keys for their infection.

  • KARMA RANSOMWARE MIMICKING PC OPTIMIZATION

    New ransomware disguised as “Windows-TuneUp” app. Propagates over pay-per-install network.

  • PADCRYPT 3.0 AFFILIATE PLATFORM LAUNCHED

    The updated PadCrypt version 3.0 can now be distributed on a Ransomware-as-a-Service basis.

  • THE ANGELA MERKEL RANSOMWARE

    Displays a photo of Angela Merkel in the ransom notes. Asks for a BTC equivalent of 1200 EUR.

  • RANSOC SCREEN LOCKER’S PENALTY NOTICE

    Locks the desktop rather than encrypting files. Blackmails users with sensitive content found on their PCs.

  • CRYPTOLUCK SPREADING VIA AN EXPLOIT KIT

    CryptoLuck mimics the warning screen of CryptoLocker. Proliferates via RIG-E exploit kit.

  • RANSOMWARE TARGETING JPG FILES ONLY

    Dubbed the “Demo” ransomware, this one only encrypts JPG files and appends the .encrypted extension.

  • CROOK SEEKING RESEARCHER’S ASSISTANCE

    One of Apocalypse ransomware devs contacts Emsisoft’s Fabian Wosar, asking for help with a code bug.

  • PCLOCK IN ROTATION AGAIN

    A CryptoLocker copycat. Returns after almost 2 years of inactivity. Demands 1 Bitcoin for decryption.

  • PRINCESS LOCKER DECRYPTOR IN DEVELOPMENT

    Researcher nicknamed ‘hasherezade’ gets close to cracking the Princess Locker ransomware.

  • GLOBE RANSOMWARE DECRYPTOR UPDATE

    Fabian Wosar releases a decryptor for Globe2 (.zendr4, .raid10, .blt, .globe, and .encrypted extensions).

  • LOCKY ARRIVES WITH PHONY FLASH PLAYER UPDATE

    A variant of the Locky ransomware found to be propagating via rogue Flash Player update sites.

  • .NET-BASED CRYPTON RANSOMWARE

    Uses a mix of RSA and AES algorithms to lock files and demands 0.2-2 Bitcoins for decryption.

  • NEW SHELLLOCKER RANSOM TROJAN

    One more sample written in .NET. Adds the .L0cked file extension.

  • THE DHARMA REINCARNATION OF CRYSIS

    Dharma ransomware is a new variant of the defunct CrySiS. Uses the .[email_address].dharma extension.

  • THE HELPFUL “ID RANSOMWARE” PROJECT

    The ID Ransomware service by MalwareHunterTeam now includes 238 ransomware strains.

  • CHIP RANSOMWARE SPREADING VIA RIG-E EK

    New sample called the CHIP ransomware relies on the RIG-E exploit kit for proliferation.

  • NEW DEADLY RANSOMWARE VARIANT APPEARS

    Corrupts victims’ data and leaves no way to restore it because of a buggy key-saving routine.

  • TRICKY OBFUSCATION BY PADCRYPT 3.0

    Uses a rogue Visa Credit Card generator to camouflage payload execution.

  • LOCKY SPREADING VIA FACEBOOK SPAM

    Malicious .svg images sent via Facebook’s instant messaging system install Nemucod Trojan and Locky.

  • CRYPT888 SETS A DEADLINE FOR PAYMENT

    New variant claims to delete the AES-256 key unless a ransom is sent within 36 hours. Decrypted by Avast.

  • AESIR VERSION OF THE LOCKY RANSOMWARE

    Appends the .aesir extension and leaves _[random_number]-INSTRUCTION.html/bmp ransom notes.

  • VINDOWS LOCKER IS NOT A MISSPELLING

    New ransomware telling victims to call a “Microsoft Support technician”. Appends the .vindows extension.

  • PRINCESS LOCKER DECRYPTED

    Security analyst @hasherezade defeats Princess Locker’s crypto and releases a decryption tool.

  • DECRYPTOR AVAILABLE FOR TELECRYPT

    Malwarebytes releases a free decryptor for Telecrypt ransomware, which uses Telegram’s API.

  • MHT FILES DELIVERING LOCKY

    Cisco Talos spots a Locky spam wave delivering booby-trapped MHT email attachments.

  • THANKSGIVING RANSOMWARE

    New ransomware appears that displays an image of a turkey on its warning screen.

  • OZOZALOCKER IS NO BIG DEAL

    Uses the .Locked extension and Santa_helper@protonmail.com email for communication. Decryptor available.

  • LOCKY’S NEW ZZZZZ VARIANT

    Another edition of the Locky ransomware appending the .zzzzz extension to encrypted files.

  • CERBER RANSOMWARE 5.0 EMERGES

    Proliferates via RIG-V exploit kit and spam. Still appends a random 4-character extension.

  • ONE MORE HIDDEN TEAR SPINOFF IN ROTATION

    Based on the open-source Hidden Tear proof-of-concept. Uses a Jigsaw movie-themed background.

  • LOMIX RANSOMWARE USING CRYPTOWIRE’S CODE

    A byproduct of educational ransomware project called CryptoWire. Asks for a Bitcoin equivalent of $500.

  • COCKBLOCKER AKA RANSOMWAREDISPLAY

    Appears to be an in-development ransomware sample. Appends the .hannah extension to locked files.

  • CERBER’S RANSOM NOTE TWEAK

    New variant of the Cerber ransomware creates _README_.hta ransom notes.

  • NEW SCREEN LOCKER BEING DISTRIBUTED

    Claims to have found viruses and displays “Your computer is locked!” warning. Unlock password released.

  • CRYPTER RANSOMWARE TARGETING BRAZILIAN USERS

    Attacks are isolated to Brazil. Renames files rather than encrypting them. Demands 1 Bitcoin for recovery.

  • A PRIMITIVE SCREEN LOCKER DISCOVERED

    Displays “Your Windows Has Been Banned” message. The unlock password is 123456.

  • THE UNUSUAL KANGAROO RANSOMWARE

    An Apocalypse ransomware spinoff. Encrypts files and displays a warning screen before Windows boots up.

  • VINDOWS LOCKER DECRYPTED

    Security researchers create a decryptor for Vindows Locker, which uses a tech-support-scam tactic.

  • SAN FRANCISCO MUNI HIT BY RANSOMWARE

    HDDCryptor ransomware paralyzes San Francisco Municipal Transit Agency’s IT infrastructure.

  • NEW RANSOMWARE BASED ON POWERSHELL

    This PowerShell-based sample uses the ps2exe script and overwrites the original files.

  • HTCRYPTOR HARNESSING HIDDEN TEAR CODE

    HTCryptor’s code is based on open-source Hidden Tear ransomware. Tries to disable Windows firewall.

  • SFMTA DENIES DATA THEFT

    San Francisco Muni’s officials deny allegations about corporate data being stolen by ransomware devs.

  • NMOREIRA RANSOMWARE CRACKED

    Emsisoft analyst Fabian Wosar creates a free decryptor for NMoreira/XPan ransomware.

  • RANSOMWARE ATTACKS A CANADIAN UNIVERSITY

    An unidentified ransomware sample compromises Carleton University in Canada, demanding 39 BTC.

  • JIGSAW RANSOMWARE’S NEW CAMOUFLAGE

    A new Jigsaw variant uses a phony Electrum Coin Adder app’s GUI to mask the ransomware installation.

  • ZETA RANSOMWARE STAINING FILES WITH NEW EXTENSION

    New edition of the Zeta ransomware uses .rmd extension and # HELP_DECRYPT_YOUR_FILES #.txt ransom note.

  • TORRENTLOCKER UPDATE

    The latest version of TorrentLocker, aka Crypt0L0cker, appends files with 6 random characters.

  • PRINCESS LOCKER CHANGES TAKING EFFECT

    New iteration uses random extensions of 4-6 chars and !_HOW_TO_RESTORE_[random].txt ransom note.

  • MATRIX RANSOMWARE USING GNUPG

    This sample locks data using the free GnuPG implementation of OpenPGP cryptographic standard.

  • MORE FREE DECRYPTORS BY AVAST

    Avast releases 4 free decrypt tools for CrySiS, Globe, NoobCrypt and Alcatraz Locker ransomware strains.

  • ALPHA LOCKER FOR SALE ON DARKNET RESOURCES

    Wannabe crooks can purchase the new C# based Alpha Locker ransomware on underground forums for $65.

  • HIDDEN MESSAGE IN NMOREIRA/XPAN CODE

    Code of the updated ransomware contains a message to Fabian Wosar who cracked the previous version.

  • THE IN-DEV PHOENIX RANSOMWARE

    Based on the Hidden Tear POC. Appends the .R.i.P extension to files and drops Important!.txt ransom note.

  • PADCRYPT 3.1.2 GOES LIVE

    Version 3.1.2 of the PadCrypt ransomware is out. This build doesn’t feature any noteworthy changes.

  • RANSOMWARE DEV ARRESTED IN RUSSIA

    The man nicknamed “Pornopoker” is accused of creating and distributing Ransomlock.P police ransomware.

  • NEWEST NEMUCOD VARIANT CRACKED

    Emsisoft’s Fabian Wosar creates a decrypt tool for the latest variant of the Nemucod ransomware.

  • NEW ITERATION OF THE APOCALYPSE RANSOMWARE

    The updated Apocalypse Trojan leaves *md5*.txt ransom note and a new extension with country code in it.

  • ANOTHER GLOBE RANSOMWARE VERSION IS OUT

  • SHADE/TROLDESH RANSOMWARE DISTRIBUTION TWEAK

    New Shade, aka Troldesh, ransomware variant (.no_more_ransom extension) uses the Kelihos botnet to spread.

  • NEW SCREEN LOCKER THAT DOESN’T FUNCTION RIGHT

    It’s supposed to lock the screen and encrypt files (.encrypted extension), but the crypto part doesn’t work.

  • LOCKY STARTS USING THE .OSIRIS EXTENSION

    New Locky ransomware variant appends the .osiris extension and drops OSIRIS-[4_chars].htm ransom notes.

  • GOLDENEYE RANSOMWARE, A PETYA HEIR

    Affects master boot record (MBR) and encrypts master file table (MFT), thus completely blocking PCs.

  • NASTY MARKETING OF POPCORN TIME RANSOMWARE

    Victims are offered a free decryption key if they infect two other users.

  • JIGSAW VARIANT CALLED THE “HACKED” RANSOMWARE

    New Jigsaw ransomware build featuring “HACKED” logo. The ransom size starts at 0.25 BTC.

  • NEW SAMSAM RANSOMWARE SPOTTED

    Appends the .VforVendetta file extension and leaves 000-PLEASE-READ-WE-HELP.html ransom note.

  • EDA2/HIDDEN TEAR VARIANT FOR SALE

    A cybercrime ring made tweaks to open-source EDA2/Hidden Tear code, now selling it on the dark web.

  • CRYPTOWIRE POC GIVES BIRTH TO REAL THREATS

    Crooks use new proof-of-concept ransomware called CryptoWire to create Lomix and Ultralocker strains.

  • ULTRALOCKER, A CRYPTOWIRE SPINOFF

    Arrives via malicious Microsoft Word documents. Demands a BTC equivalent of $1000 for decryption.

  • CYBER SPLITTER 2.0 DISCOVERED

    Cyber SpLiTTer Vbs ransomware version 2.0 is out. Based on the Hidden Tear POC. Demands 0.5 BTC.

  • THE LOCKED-IN RANSOMWARE APPEARS

    Ransom notes are called RESTORE_CORUPTED_FILES.html. The payment deadline is set to 15 days.

  • CHIP RANSOMWARE UPDATE

    Now uses the .dale extension and leaves DALE_FILES.txt ransom note.

  • DEADLY_60 SCREEN LOCKER SPOTTED

    Uses an animated Matrix-style lock screen. Demands a Bitcoin equivalent of $400.

  • PADCRYPT UPDATED TO VERSION 3.1.5

    Other than the new version number, no significant differences from the previous edition.

  • M4N1F3STO VIRUS WITH LOW IMPACT

    Locks the screen and asks for 0.3 BTC. The unlock code is “suckmydicknigga”.

  • SAMAS RANSOMWARE GROUP EARNINGS REVEALED

    According to Palo Alto Networks, the Samas ring’s profits in 2016 amounted to more than $450,000.

  • THE PORTUGUESE PAYDAY RANSOMWARE

    A Hidden Tear spinoff. Uses the .sexy extension and drops !!!!!ATENÇÃO!!!!!.html ransom notes in Portuguese.

  • “YOU HAVE BEEN HACKED!!!” RANSOMWARE

    Appends the .Locked extension to encrypted files and demands 0.25 BTC. Steals passwords along the way.

  • NEW KRAKEN RANSOMWARE

    Renames files to base64 strings, adds the .kraken extension and creates _HELP_YOUR_FILES.html ransom notes.

  • “YOUR WINDOWS HAS BEEN BANNED” SCREEN LOCKER

    Claims to have banned a victim’s PC for terms of use violations. The unlock code is “nvidiagpuareshit”.

  • CRYPTOMIX RANSOMWARE UPDATE

    Uses the .lesli extension. Ransom notes are called INSTRUCTION RESTORE FILE.txt.

  • LOCKED-IN RANSOMWARE DECRYPTED

    Michael Gillespie (@demonslay335) releases a free decryptor for the Locked-In ransomware.

  • NEW CERBER DISTRIBUTION TACTIC

    Cerber ransomware payload arrives with rogue credit card reports that dupe users into opening a Word attachment.

  • ANOTHER XORIST VARIANT DISCOVERED

    New edition of the Xorist ransomware appends the .antihacker2017 string to files. Decryptable for free.

  • GLOBE RANSOMWARE UPDATE

    The only tweak is the new .unlockvt@india.com extension for encrypted files. Demands 1.5 Bitcoin.

  • CIA SPECIAL AGENT 767 TROJAN

    Clone of the M4N1F3STO screen locker using a new background. The unlock code is the same (see above).

  • NEW FENIXLOCKER VARIANT RELEASED

    Drops “Help to decrypt.txt” ransom manual and provides thedon78@mail.com email address for payment directions.

  • KOOLOVA RANSOMWARE TARGETS ITALIAN USERS

    This sample is currently in development. Only encrypts files in a Test folder on the targeted computer’s desktop.

  • “NO MORE RANSOM” PROJECT ENGAGES NEW PARTNERS

    Bitdefender, Emsisoft, Trend Micro and Check Point are now on the team. 32 new decryptors added, too.

  • AD-SUPPORTED BANDACHOR TROJAN DISTRIBUTION

    New BandaChor ransomware spreads via malvertising on X-rated sites and an e-commerce web page.

  • CHRIS’ EXPERIMENTS OVER HIDDEN TEAR

    Researchers spot a Hidden Tear variant tweaked by a wannabe crook named Chris.

  • THE BUGGY CRYPTORIUM RANSOMWARE

    New sample using the .ENC extension. Simply renames files rather than encrypting them.

  • A GLOBE RANSOMWARE REPLICA

    Analysts discovered a Globe clone that appends the .crypt extension and leaves HOW_OPEN_FILES.hta note.

  • CERBER RANSOMWARE’S IP RANGE CHANGED

    According to MalwareHunterTeam, Cerber starts using several new IP ranges for UDP statistics.

  • GLOBE RANSOMWARE TWEAK

    The updated infection switches to using the rescuers@india.com email address for interaction with victims.

  • DHARMA RANSOMWARE UPDATE

    New Dharma edition instructs victims to reach the attacker via amagnus@india.com email address.

  • CRYPTOBLOCK RANSOMWARE IN DEVELOPMENT

    Researchers discover CryptoBlock strain whose ransom notes resemble Cerber’s. No actual encryption yet.

  • ANDROID BANKING TROJANS EVOLVE

    New variants of Android banking malware turn out to incorporate ransomware features.

  • RANSOMFREE TOOL COMBATS RANSOMWARE

    The RansomFree app by Cybereason detects and blocks over 40 widespread ransom Trojans.

  • APOCALYPSE RANSOMWARE TWEAK

    Creates *MD5*.txt ransom note and uses cryptcorp@inbox.ru for interacting with victims.

  • M4N1F3STO SCREEN LOCKER STARTS USING CRYPTO

    New edition of M4N1F3STO screen locker encrypts data along the way. Decryption routine is buggy.

  • MNS CRYPTOLOCKER SURFACES

    Leaves RESTORE_YOUR_FILES.txt ransom manual and uses alex.vas@dr.com email address for communication.

  • KASPERSKY’S RANNOHDECRYPTOR TOOL UPDATED

    RannohDecryptor now handles CryptXXX ransomware variants using the .crypt, .crypz and .cryp1 extensions.

  • NEW VARIANT OF SAMAS RANSOMWARE GOES LIVE

    Appends .theworldisyours extension and creates CHECK-IT-HELP-FILES.html ransom note.

  • NEW GO-BASED RANSOMWARE SAMPLE

    Written in Go, the strain uses .braincrypt extension and !!! HOW TO DECRYPT FILES !!!.txt ransom manual.

  • ENKRIPSIPC RANSOMWARE SPOTTED IN THE WILD

    Aka IDRANSOMv3, targets Indonesian users. Decrypted by Michael Gillespie (@demonslay335).

  • MANIFESTUS RANSOMWARE APPEARS

    Mimics a Windows update while encrypting data. Demands 0.2 BTC for decryption.

  • PROPOSALCRYPT IS UNDERWAY

    New sample. Appends the .crypted extension to files and asks for 1 BTC. Decrypted by Michael Gillespie.

  • PADLOCK SCREENLOCKER IS EASY TO GET AROUND

    Researchers found a way to defeat the PadLock screen locker. The unlock code is “ajVr/G\RJzoR”.

  • FREE-FREEDOM RANSOMWARE MADE BY A TEENAGER

    The alert by Free-freedom ransomware says it was coded by a 13-year-old boy. The unlock code is ‘adam’.

  • BLEEPINGCOMPUTER RELEASES A USEFUL TUTORIAL

    Researchers at BleepingComputer publish a comprehensive guide on ransomware protection.

  • CERBER RANSOMWARE CHANGES ITS TACTIC

    New Cerber edition doesn’t delete Volume Shadow Copies and primarily targets Microsoft Office documents.

  • WINNIX CRYPTOR TEAM CAMPAIGN DISSECTED

    The Winnix Cryptor Team ransomware is executed on servers via a BAT file and uses GPG crypto.

  • CERBER OPTS FOR NEW IP RANGES FOR STATS

    Cerber starts using 115.22.15.0/27, 114.23.16.0/27, and 91.239.24.0/23 IP ranges for UDP statistics.
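
An added example, not code from the chronicle or from any vendor it cites: the Python below checks constructed flow records against the three ranges quoted above, so that internal hosts emitting UDP to them can be pulled for triage. The record format and the UDP-only filter are assumptions; the chronicle describes the traffic only as UDP statistics.

```python
"""Flag UDP flows whose destination falls in the Cerber statistics ranges.

Added example, not from the chronicle. The three CIDR ranges are the ones
the entry above quotes; the flow records are constructed sample data, and
the record layout (ts proto src dst:port bytes) is an assumption.
"""
import ipaddress
from typing import Iterable, List, NamedTuple

# Ranges the chronicle entry above attributes to Cerber's UDP statistics traffic.
CERBER_STATS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("115.22.15.0/27", "114.23.16.0/27", "91.239.24.0/23")
]

# Constructed sample flow log. 115.22.15.40 is deliberately just outside the /27.
SAMPLE_FLOWS = """\
2016-12-21T10:02:11Z UDP 10.0.4.17 115.22.15.9:6892 44
2016-12-21T10:02:11Z UDP 10.0.4.17 115.22.15.31:6892 44
2016-12-21T10:02:12Z TCP 10.0.4.17 91.239.24.200:443 1320
2016-12-21T10:02:13Z UDP 10.0.4.22 8.8.8.8:53 76
2016-12-21T10:02:14Z UDP 10.0.4.17 91.239.25.254:6893 44
2016-12-21T10:02:15Z UDP 10.0.4.30 114.23.16.12:6892 44
2016-12-21T10:02:16Z UDP 10.0.4.40 115.22.15.40:6892 44
"""


class Flow(NamedTuple):
    ts: str
    proto: str
    src: str
    dst: str
    dport: int
    size: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst_port, size = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows.append(Flow(ts, proto.upper(), src, dst, int(port), int(size)))
    return flows


def in_cerber_ranges(ip: str) -> bool:
    """True if the address lies in any of the listed statistics ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CERBER_STATS_RANGES)


def cerber_udp_hits(flows: Iterable[Flow]) -> List[Flow]:
    """UDP flows destined for a Cerber statistics range.

    The chronicle calls this traffic UDP statistics, so TCP flows to the same
    ranges are ignored here; drop the protocol test to widen the net.
    """
    return [f for f in flows if f.proto == "UDP" and in_cerber_ranges(f.dst)]


def hosts_to_investigate(flows: Iterable[Flow]) -> List[str]:
    """Distinct internal sources of matching flows, sorted for reporting."""
    return sorted({f.src for f in cerber_udp_hits(flows)})


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for hit in cerber_udp_hits(parsed):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport}")
    print("hosts to investigate:", hosts_to_investigate(parsed))
```

Because the ranges are /27 and /23, string-prefix matching on the first three octets would both miss and over-match; the `ipaddress` containment test is the point of the example.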

  • THE OBNOXIOUS GUSTER RANSOMWARE

    New sample. Alerts victims with an irritating warning screen and audio. Appends the .locked extension.

  • FREE-FREEDOM MORPHS INTO ROGA RANSOMWARE

    Coded by the already familiar Adam kid. Appends the .madebyadam extension. Decrypt password is ‘adamdude9’.

  • KOOLOVA RANSOMWARE WANTS TO TEACH YOU A LESSON

    New in-dev version of Koolova decrypts files for free if a victim reads a few articles about ransomware.

  • ONE MORE CRYPTOLOCKER COPYCAT

    Another sample calling itself CryptoLocker concatenates the .cryptolocker string to encrypted entries.

  • CERBER DEVS ARE IN HOLIDAY MOOD

    The bad guys are getting ready to celebrate. Several C2 domains used by Cerber have ‘christmaas’ in their URLs.

  • VENUS LOCKER UPDATE

    New variant of the Venus Locker ransomware demands 1 BTC and sets a deadline of 72 hours.

  • ALPHABET RANSOMWARE IS ON ITS WAY

    The sample is still a debug version, hence not fully functional. Provides the decrypt key for free at this point.

  • GLOBEIMPOSTER RANSOMWARE DEFEATED

    A Globe ransomware copycat using the .crypt extension and HOW_OPEN_FILES.hta ransom notes. Decrypted by Emsisoft.

  • DERIALOCK SCREEN LOCKER DISCOVERED

    Demands $30. Victims must contact “Arizonacode” Skype user for payment steps. The code contains an “unlock all” command.

  • CERBER RANSOMWARE TWEAK

    The update has brought about new IP ranges for statistical purposes, as well as _[random]_README.hta/jpg ransom notes.

  • BADENCRIPT RANSOMWARE APPEARS

    Appends the .bript extension to encrypted files and leaves a recovery walkthrough called More.html.

  • NEW JIGSAW RANSOMWARE VERSION RELEASED

    The new .hush extension being added to files is the only change made to Jigsaw in the course of this update.

  • NMOREIRA RANSOMWARE DECRYPTOR UPDATED

    Emsisoft’s Fabian Wosar makes changes to his NMoreira decryptor, which can now handle the .maktub extension variant.

  • ODCODC RANSOMWARE RE-EMERGES

    Creates HOW_TO_RESTORE_FILES.txt ransom note and uses the C-email-[attacker_email_address]-[filename].odcodc extension.

  • LG SMART TV TARGETED BY A SCREEN LOCKER

    Android ransomware attacks LG Smart TVs, generating an FBI-themed lock screen and asking for $500 to unlock.

  • ANOTHER COMMONPLACE SAMPLE GOES LIVE

    A new strain spotted that appends the -opentoyou@india.com extension to files and drops !!!.txt ransom note.

  • KILLDISK MALWARE GETS NASTIER

    The disk-wiping KillDisk malware can now encrypt data. The ransom amounts to hundreds of Bitcoins.

  • ROGUE ANTIVIRUS INSTALLER SPREADS RANSOMWARE

    A sample of the GoldenEye ransomware was found to proliferate via a bogus ESET AV installer.

  • DHARMA RANSOMWARE GOES WITH NEW RANSOM NOTES

    The mkgoro@india.com version of the Dharma ransomware uses HTA format for its ransom notes (Info.hta).

  • SAMAS INFECTION UNDERGOES A CHANGE

    New Samas ransomware iteration uses the .whereisyourfiles extension and WHERE-YOUR-FILES.html help file.

  • PROOF-OF-CONCEPT RANSOMWARE CRITICIZED

    An article posted on MalwareTech blog explains why open source ransomware is a bad idea.

  • EDGELOCKER, NEW RANSOMWARE ON THE TABLE

    Appends the .edgel extension to encrypted files. The ransom amounts to 0.1 BTC.

  • SAMAS RANSOMWARE UPDATED

    The extension being appended is .helpmeencedfiles. Now creates the HELP-ME-ENCED-FILES.html ransom manual.

  • GLOBE RANSOMWARE MIGRATED TO C/C++

    While the same on the outside, Globe is now coded in C/C++. Uses the .locked extension.

  • NEW SAMPLE CALLED FIRSTRANSOMWARE

    The executable is firstransomware.exe. Appends the .locked extension and leaves READ_IT.txt ransom note.

  • RED ALERT RANSOMWARE SPOTTED

    A derivative of the open source Hidden Tear Offline ransomware. Displays the “Your Files Has [sic] Been Blocked” alert.

  • N-SPLITTER USING RUSSIAN FILE EXTENSION

    Another Hidden Tear spinoff. Appends the “.кибер разветвитель” extension to encrypted entries.

  • NEW EDA2 POC SPINOFF EXPOSED

    Brand-new sample based on EDA2 proof of concept ransomware. Uses the .L0CKED extension and DecryptFile.txt ransom note.

  • ANOTHER KOOLOVA VARIANT APPEARS

    An N-SpLiTTer replica called “кибер разветвитель” (Russian for “cyber splitter”). The extension and the name match.

  • RANSOMWARE TARGETING MONGODB DATABASES

    The strain zeroes in on MongoDB servers. Threat actor nicknamed “Harak1r1” demands 0.2 BTC to return hostage databases.

  • MR. ROBOT SERIES THEMED INFECTIONS ON THE RISE

    A group of crooks calling themselves FSociety have been busy coining multiple screen lockers and crypto ransomware samples.

  • MERRY X-MAS RANSOMWARE DISCOVERED

    Uses the .MRCR1, .PEGS1 or .RARE1 file extension and creates YOUR_FILES_ARE_DEAD.hta ransom manual.

  • TIES BETWEEN PSEUDO-DARKLEECH AND RANSOMWARE

    The pseudo-Darkleech cybercrime network was found to be responsible for multiple ransomware campaigns in 2016.

  • GLOBE V3 DECRYPTED

    Emsisoft’s Fabian Wosar cracks Globe ransomware version 3, which uses the .decrypt2017 or .hnumkhotep extensions.

  • FIRECRYPT THREAT EQUIPPED WITH DDOS FEATURE

    Appends the .firecrypt extension and drops [random]-READ_ME.html ransom note. Also fills the hard drive with junk files.

  • CRYPTOMIX/CRYPTFILE2 DISSECTED

    The CERT Polska team publishes a detailed analysis of the CryptoMix/CryptFile2 ransomware campaign.

  • NEW LEGISLATION ON RANSOMWARE TAKES EFFECT

    A law passed in California defines ransomware distribution as a standalone felony rather than part of money laundering schemes.

  • KILLDISK RANSOMWARE ENHANCED

    Now attacks Linux machines along with ones running Windows. The whopping size of the ransom is 222 BTC (more than $200,000).

  • ILOCK RANSOMWARE UPDATED

    Leaves the “WARNING OPEN-ME.txt” ransom note (a Russian version is available too). Separate files for the encryptor, live chat and Tor.

  • SKYNAME RANSOMWARE IS UNDERWAY

    In-development Hidden Tear POC spinoff. Zeroes in on Czech victims and demands 1000 Czech Koruna (about $40) for decryption.

  • DEPSEX THREAT DISCOVERED IN THE WILD

    Also known as MafiaWare, the Depsex ransomware uses the .Locked-by-Mafia extension and READ_ME.txt decryption manual.

  • NEW VIRUS PUSHING RANSOMWARE INTRICATELY

    Researchers discovered malicious code adding multiple desktop shortcuts that, once clicked, execute ransomware.

  • YET ANOTHER HIDDEN TEAR DERIVATIVE SPOTTED

    Concatenates the .locked suffix to files and creates README.txt ransom note. Goes equipped with a remote shell.

  • THE ENLIGHTENING OCELOT RANSOMWARE

    The sample called Ocelot Locker is instructive because it doesn’t do crypto and instead demonstrates how bad a real attack can be.

  • MONGODB APOCALYPSE STATS REVEALED

    The number of online-accessible MongoDB databases hit by the MongoDB Apocalypse ransomware reaches a whopping 10,000.

  • UK SCHOOL STAFF SOCIAL-ENGINEERED

    Malefactors pretending to be government officials cold-call schools in the United Kingdom, duping staff into installing ransomware.

  • “CRYPTORANSOMEWARE” MADE BY BULLIES

    The warning screen displayed by the new “CryptoRansomeware” sample is filled with profanity.

  • VBRANSOM 7 RANSOMWARE DISCOVERED

    Written in Visual Basic .NET, this strain uses the .VBRANSOM file extension. It’s in-dev and doesn’t do actual crypto at this point.

  • MONGODB APOCALYPSE CAMPAIGN GETS WORSE

    After the Kraken cybercrime ring joined in, the number of ransomed MongoDB databases rose to 28,000.

  • RANSOMEER STRAIN IS UNDERWAY

    New Ransomeer sample is being developed. Configured to demand 0.3169 BTC and provide a 48-hour payment deadline.

  • MERRY X-MAS RANSOMWARE UPDATED

    The latest edition of Merry X-Mas crypto ransomware also installs DiamondFox, a virus that harvests victims’ sensitive information.

  • JAVASCRIPT-BASED “EVIL RANSOMWARE”

    Appends the .file0locked extension to encrypted files and instructs victims to send email to r6789986@mail.kz for recovery steps.

  • CERBER RANSOMWARE TWEAK

    The only change is that Cerber now leaves ransom notes called _HELP_DECRYPT_[A-Z0-9]{4-8}_.hta/jpg.

  • LA COLLEGE GIVES IN TO CYBERCROOKS

    Los Angeles Valley College opts for the ransom route to recover from a crypto ransomware attack, coughing up $28,000.

  • SPORA RANSOMWARE DISCOVERED

    New Spora ransomware can operate offline, uses encryption with no known flaws, and comes with a professionally tailored payment service.

  • MONGODB RANSOMWARE SOURCE CODE SOLD OUT

    The Kraken cybercrime syndicate sells their MongoDB ransomware script for $200. The message was posted on GitHub.

  • MERRY X-MAS STRAIN DECRYPTED

    Emsisoft releases a decryptor for the Merry X-Mas ransomware, which appends .MRCR1, .PEGS1, .RARE1, or .RMCM1 extension.

  • NEW MARLBORO RANSOMWARE SURFACES

    Arrives with spam, concatenates the .oops extension to files and creates _HELP_Recover_Files_.html ransom manual.

  • MARLBORO RANSOMWARE DEFEATED

    Having looked into the code of the Marlboro ransomware, Emsisoft’s Fabian Wosar creates a decrypt tool in less than a day.

  • MONGODB ATTACKERS SWITCH TO ELASTICSEARCH

    The group behind the MongoDB database attacks shifts its focus to infecting Elasticsearch servers with ransomware.

  • ODCODC RANSOMWARE DECRYPTOR UPDATED

    Researcher nicknamed ‘BloodDolly’ updates his ODCODCDecoder that restores files locked by new ODCODC ransomware variant.

  • THE BUGGY “KAANDSONA” RANSOMWARE

    Currently in development. Appends the .kencf extension to files. Fails to encrypt data due to a flaw in its crypto implementation.

  • CERBER CAMPAIGN DETAILS LEAKED

    Avast researchers accessed a server containing a fragment of Cerber ransomware’s global infection statistics.

  • SAMSAM RANSOMWARE UPDATE

    Appends the .powerfulldecrypt extension to encrypted files and drops a ransom note called WE-MUST-DEC-FILES.html.

  • CRYPTOSEARCH TOOL HELPS DEAL WITH RANSOMWARE

    The new CryptoSearch utility locates encrypted files and allows copying or moving them to a backup drive for future decryption.

  • A DECLINE IN LOCKY RANSOMWARE INFECTIONS

    According to security analysts, the distribution of Locky via spam campaigns decreased by around 80% between December 2016 and January 2017.

  • CERBER RANSOMWARE TWEAK TAKES EFFECT

    A new edition of Cerber leaves ransom notes called _HELP_HELP_HELP_[random].hta/jpg and uses new IP ranges for UDP stats.

  • CERBER AND SPORA SHARE DISTRIBUTION INFRASTRUCTURE

    Threat actors in charge of the Spora ransomware campaign were found to use the same proliferation sites as Cerber.

  • CANCER SERVICES ORGANIZATION HIT BY RANSOMWARE

    A cancer services agency in Indiana, U.S., suffers a ransomware attack, where crooks demand a ransom of 50 BTC (about $46,000).

  • ANOTHER SAMSAM RANSOMWARE VERSION SURFACES

    New SamSam/Samas variant uses the .noproblemwedecfiles extension and 000-No-PROBLEM-WE-DEC-FILES.html ransom manual.

  • CRIMINALS CAPITALIZE ON DATABASE VULNERABILITIES

    Unidentified cybercrime rings hijack Hadoop and CouchDB databases, erasing data or demanding ransoms for recovery.

  • SPORA TURNS OUT TO HAVE WORM-LIKE PROPERTIES

    The sophisticated Spora ransomware leverages an infection vector relying on .LNK files, so it may act as a shortcut worm.

  • MERRY X-MAS RANSOMWARE DECRYPTOR UPDATE

    Emsisoft’s Fabian Wosar adjusts his decryptor for the Merry X-Mas ransomware, which can now decode .MERRY extension files.

  • LOCKY ENFEEBLED WHILE NECURS BOTNET IS OFFLINE

    Analysts see a drastic decrease in spam spreading the Locky ransomware during temporary inactivity of the Necurs botnet.

  • NEW SAMPLE TARGETING BRAZILIAN USERS

    Uses the .id-[victim_ID]_garryweber@protonmail.ch file extension and HOW_OPEN_FILES.html ransom manual.

  • CERBER’S RANSOM NOTES CHANGED AGAIN

    As part of another tweak, Cerber ransomware has started to drop _HOW_TO_DECRYPT_[random_chars][4-8]_.hta/jpg ransom notes.
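
Ransom-note names and appended extensions are the first thing a responder sees, and the entries in this chronicle show how often they change within one family. As an added triage example (not code from the chronicle or from any of the vendors it cites), the Python below scores a directory listing against the note names and extensions recorded in entries above for Cerber, Locky, Merry X-Mas, Samas/SamSam, Globe/GlobeImposter, Dharma, Kraken, CryptoMix, Jigsaw and Crypren. The listings are constructed, and the scoring weights and the handling of shared extensions (.encrypted is used by several unrelated families in this chronicle) are assumptions; for a real case, submit the note and a sample file to ID Ransomware.

```python
"""Score a directory listing against ransom-note and extension indicators.

Added example, not part of the chronicle. The indicator table is transcribed
from chronicle entries; the listings and the weights are constructed
assumptions. A ransom note is a far more specific indicator than an
extension, so a note match outweighs any number of extension matches.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

NOTE_WEIGHT, EXT_WEIGHT = 3, 1  # assumed weights

# (family, ransom-note filename regex or None, encrypted-file extensions)
INDICATORS: List[Tuple[str, Optional[str], Tuple[str, ...]]] = [
    ("Cerber",
     r"^_(?:README_|[^_]+_README|HELP_DECRYPT_[A-Z0-9]{4,8}_|HELP_HELP_HELP_[^_]+"
     r"|HOW_TO_DECRYPT_[A-Z0-9]{4,8}_)\.(?:hta|jpg)$",
     ()),  # Cerber's random 4-character extension is too generic to list
    ("Locky", r"^(?:OSIRIS-[A-Za-z0-9]{4}\.htm|_\d+-INSTRUCTION\.(?:html|bmp))$",
     (".osiris", ".aesir", ".zzzzz")),
    ("Merry X-Mas", r"^YOUR_FILES_ARE_DEAD\.hta$",
     (".mrcr1", ".pegs1", ".rare1", ".rmcm1", ".merry")),
    ("Samas/SamSam",
     r"^(?:000-PLEASE-READ-WE-HELP|CHECK-IT-HELP-FILES|WHERE-YOUR-FILES|HELP-ME-ENCED-FILES"
     r"|WE-MUST-DEC-FILES|000-No-PROBLEM-WE-DEC-FILES|TRY-READ-ME-TO-DEC|000-IF-YOU-WANT-DEC-FILES)\.html$",
     (".vforvendetta", ".theworldisyours", ".whereisyourfiles", ".helpmeencedfiles",
      ".powerfulldecrypt", ".noproblemwedecfiles", ".weareyourfriends", ".otherinformation")),
    ("Globe", None, (".zendr4", ".raid10", ".blt", ".globe", ".encrypted", ".decrypt2017", ".hnumkhotep")),
    ("GlobeImposter", r"^HOW_OPEN_FILES\.hta$", (".crypt",)),
    ("Dharma", r"^Info\.hta$", (".dharma",)),
    ("Kraken", r"^_HELP_YOUR_FILES\.html$", (".kraken",)),
    ("CryptoMix", r"^INSTRUCTION RESTORE FILE\.txt$", (".lesli", ".rdmk")),
    ("Jigsaw", None, (".encrypted", ".hush", ".paytounlock")),
    ("Crypren", None, (".encrypted",)),
]

# Windows file names are case-insensitive, so compile the note patterns that way.
COMPILED = [(fam, re.compile(pat, re.IGNORECASE) if pat else None, exts)
            for fam, pat, exts in INDICATORS]

# Constructed listings: a clear Locky .osiris case, a clear Cerber case, and an
# extension-only case that several families share.
LISTING_LOCKY = ["Q3_budget.xlsx.osiris", "OSIRIS-a9f3.htm", "holiday.jpg.osiris", "desktop.ini"]
LISTING_CERBER = ["_HELP_DECRYPT_K7Q2M_.hta", "_HELP_DECRYPT_K7Q2M_.jpg", "budget.xlsx.a1f3", "thesis.docx.a1f3"]
LISTING_SHARED_EXT = ["report.pdf.encrypted", "scan.jpg.encrypted"]


def triage(names: Iterable[str]) -> List[Tuple[str, int, List[str]]]:
    """Return (family, score, evidence) sorted by descending score, then name."""
    scores: Dict[str, int] = defaultdict(int)
    evidence: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        lower = base.lower()
        for fam, note_re, exts in COMPILED:
            if note_re and note_re.match(base):
                scores[fam] += NOTE_WEIGHT
                evidence[fam].append(f"note:{base}")
            elif any(lower.endswith(ext) for ext in exts):
                scores[fam] += EXT_WEIGHT
                evidence[fam].append(f"ext:{base}")
    return sorted(((fam, scores[fam], evidence[fam]) for fam in scores),
                  key=lambda r: (-r[1], r[0]))


def verdict(results: List[Tuple[str, int, List[str]]]) -> Optional[Tuple[str, str]]:
    """Top family with a confidence label, or None when the top score is tied."""
    if not results:
        return None
    fam, score, evidence = results[0]
    if len(results) > 1 and results[1][1] == score:
        return None  # tie, typically a shared extension such as .encrypted
    confidence = "high" if any(e.startswith("note:") for e in evidence) else "low"
    return fam, confidence


if __name__ == "__main__":
    for listing in (LISTING_LOCKY, LISTING_CERBER, LISTING_SHARED_EXT):
        results = triage(listing)
        print(verdict(results), results)
```

The tie handling is the caveat worth keeping: an extension such as .encrypted or .locked appears under half a dozen unrelated entries in this chronicle, so an extension-only match should never pick a decryptor on its own.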

  • NEW ANDROID TROJAN HITTING RUSSIAN USERS

    The Russian language Android ransomware locks a device’s screen and instructs the user to hand over their credit card details.

  • SATAN RANSOMWARE AS A SERVICE GOES LIVE

    The RaaS allows crooks to build their custom version of Satan, which uses .stn extension and HELP_DECRYPT_FILES.html ransom note.

  • NEW TURKISH RANSOM TROJAN BEING CREATED

    The in-dev ransomware is supposed to target Turkish victims and append encrypted files with the .sifreli extension.

  • CRYPTOSHADOW STRAIN IS UNDERWAY

    Based on the Hidden Tear POC. Adds the .doomed extension to files and leaves LEER_INMEDIATAMENTE.txt ransom manual.

  • PUBLIC LIBRARIES IN SAINT LOUIS COMPROMISED

    More than 700 machines across 16 Saint Louis Public Library branches get hit by ransomware that demands about $35,000.

  • GLOBEIMPOSTER DECRYPTOR UPDATED

    Emsisoft updates the decryptor to support the variant that uses .crypt extension and HOW_OPEN_FILES.hta ransom note.

  • DNRANSOMWARE ISN’T THAT BAD

    New strain called DNRansomware uses the .fucked file extension. The decrypt code is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.

  • “JHON WODDY” RANSOMWARE TWEAK

    Uses the same source code as DNRansomware. Appends the .killedXXX extension. Decryption routine is buggy.

  • CLOUDSWORD RANSOMWARE BEING CREATED

    Researchers discover in-dev CloudSword sample, which drops Warning??.html ransom note and sets a 5-day payment deadline.

  • MINOR UPDATE OF THE APOCALYPSE RANSOMWARE

    Uses crypt32@mail.ru email address for interacting with victims, while ransom note and filename format is unaltered.

  • SAGE 2.0 STRAIN IS UNDERWAY

    Created by the same crooks as those behind Cerber, Locky and Spora. Uses the .sage extension and !Recovery_EMf.html ransom note.

  • NEW SAMAS RANSOMWARE VERSION RELEASED

    Appends the .weareyourfriends extension to encrypted files and leaves TRY-READ-ME-TO-DEC.html ransom manual.

  • JIGSAW RANSOMWARE UPDATED

    Concatenates the .paytounlock file extension. Expert-made free decryptor already supports this variant.

  • NEW CRYPTOMIX VARIANT SPOTTED

    Uses the [original_filename].email[email_address]_id[victim_ID].rdmk file format and “INSTRUCTION RESTORE FILE.txt” ransom note.

  • SPORA RANSOMWARE DISTRIBUTION EXPANDS

    While the Spora ransomware originally proliferated in Eastern Europe only, it starts targeting victims around the globe.

  • RUSSIANROULETTE RANSOMWARE SURFACES

    A spinoff of the Philadelphia strain. Demands a ransom of 0.3 BTC (about $270) for data decryption.

  • VXLOCK RANSOMWARE LINEAGE APPEARS

    The name of this new crypto ransomware family stems from the .vxLock extension being appended to scrambled files.

  • CHARGER RANSOMWARE TARGETING ANDROID

    A Charger ransomware variant, EnergyRescue, was distributed for a while via Google Play Store as a battery optimizer. Now removed.

  • GMAIL TO BLOCK .JS ATTACHMENTS SINCE FEBRUARY 13

    A change to Gmail will take effect as of February 13, 2017 – the service will block .js attachments to thwart ransomware attacks.

  • ANOTHER SAMAS EDITION SPOTTED

    New Samas/SamSam iteration adds the .otherinformation extension and drops 000-IF-YOU-WANT-DEC-FILES.html ransom note.

  • NEW POTATO RANSOMWARE RELEASED

    Concatenates the .potato extension to encoded data and leaves README.png/html ransom payment instructions.

  • ONE MORE POLICE DEPARTMENT HIT BY RANSOMWARE

    The Cockrell Hill Police Department in Texas admits to having been attacked by ransomware. Crooks demand $4,000 worth of Bitcoin.

  • SPECIFICITY OF THE CRYPTCONSOLE RANSOMWARE

    Scrambles filenames rather than encrypting the files themselves. Leaves the “How decrypt files.hta” ransom note.

  • THE COMEBACK OF VIRLOCKER

    Impersonates law enforcement agencies while blocking computers. Researchers discovered that the unlock code is 64 zeros.

  • UPSWING OF MERRY X-MAS RANSOMWARE CAMPAIGN

    Analysts note that the propagation of MRCR, aka Merry X-Mas, ransomware is starting to skyrocket.

  • CRYPTCONSOLE RANSOMWARE DECRYPTED

    Researcher Michael Gillespie creates a free decryptor for CryptConsole ransom Trojan (“unCrypte@outlook.com_[random]” filenames).

  • MERRY X-MAS RANSOMWARE DECRYPTOR UPDATED

    Emsisoft’s decryptor for MRCR now supports the latest variant, which leaves MERRY_I_LOVE_YOU_BRUCE.hta ransom note.

  • ANOTHER UPDATE OF THE JIGSAW RANSOMWARE

    New variant concatenates the .uk-dealer@sigaint.org extension to encoded files. Decryptable for free.

  • HITLER RANSOMWARE TWEAK

    Crooks label it as “FINAL version of Hitler Ransomware”. Distributed via booby-trapped YOUR-BILL.pdf email attachment.

  • RANSOMPLUS, NEW SAMPLE ON THE TABLE

    Adds the .encrypted extension to locked files. Instructs victims to reach attackers at andresaha82@gmail.com.

  • AUSTRIAN HOTEL HIT BY RANSOMWARE

    Ransomware wreaks havoc with electronic door locking system at Austrian “Romantic Seehotel Jagerwirt” hotel. Demands 2 BTC.

  • XCRYPT RANSOMWARE SPOTTED

    This new strain creates ransom note called Xhelp.jpg containing Cyrillic text. Victims are told to use ICQ to reach the criminals.

  • EMSISOFT SITE DDOSED OVER RANSOMWARE

    Emsisoft’s official website suffers a DDoS attack after the vendor updates their free decryptor for Merry X-Mas ransomware.

  • SAGE 2.0 RANSOMWARE DETAILS UNCOVERED

    Swiss Government CERT publishes a comprehensive report on the Sage 2.0 ransomware dissecting its main characteristics.

  • NEW RANSOMWARE CALLED ZYKA

    Zyka ransomware appends the .locked extension to files and demands a Bitcoin equivalent of $170.

  • TRICKY DISTRIBUTION OF THE NETIX RANSOMWARE

    The new Netix ransom Trojan proliferates as a rogue app called “Netflix Login Generator v1.1”. Demands $100 payable in Bitcoin.

  • NEW INFECTION VECTOR OF THE SPORA PEST

    Researchers discovered a Spora ransomware distribution campaign involving bogus Chrome Font Pack update.

  • CRYPTOSHIELD 1.0 RANSOMWARE DISCOVERED

    A replica of the CryptoMix strain. CryptoShield 1.0 is deposited onto computers via the RIG EK (exploit kit).

  • JIGSAW RANSOMWARE UPDATED AGAIN

    The only noteworthy change is the .gefickt extension being affixed to scrambled files.

  • CHANGES MADE TO EVIL-JS RANSOMWARE

    The latest version of Evil-JS appends the .evillock string to files and provides gena1983@mbx.kz email address to contact the dev.

  • LOCKY BART CAMPAIGN VIEWED FROM THE INSIDE

    Malwarebytes researchers publish Locky Bart ransomware details based on statistics from the crooks’ breached backend server.

  • SAMAS STRAIN UPDATE

    New Samas, or SamSam, ransomware edition uses the .letmetrydecfiles extension and LET-ME-TRY-DEC-FILES.html ransom note.

  • ANOTHER DECRYPTION BREAKTHROUGH

    Avast analysts release automatic free decrypt tools for Hidden Tear, Jigsaw and Stampado ransomware families.

  • RANSOMWARE ATTACKS ONE MORE ORGANIZATION

    A number of IT systems of Ohio’s Licking County government services are affected by unidentified ransomware.

  • TWO RANSOMWARE DISTRIBUTORS APPREHENDED

    London police arrest a man and a woman who infected Washington’s closed-circuit television network with ransomware in mid-January.

  • RANION RAAS DISCOVERED

    Security researchers stumble upon a new low-cost Ransomware-as-a-Service platform called Ranion.

  • YOURRANSOM VIRUS IS QUITE INSTRUCTIVE

    Appends files with .yourransom extension and uses README.txt ransom note. Author (i@bobiji.com) promises free decryption.

  • NEW PYTHON-BASED LAMBDALOCKER SPOTTED

    LambdaLocker uses .lambda_l0cked file extension and READ_IT.html decryption how-to. The size of the ransom is 0.5 BTC.

  • PADCRYPT DISTRIBUTION BACKED BY A RAAS

    It turns out that there is a Ransomware-as-a-Service platform behind the PadCrypt strain, so it’s a whole affiliate network.

  • YOURRANSOM POC GETS A NEW FAN

    Someone borrows the code of YourRansom proof of concept to infect users for real, still offering free decryption though.

  • SPORA STRAIN FEATURES RESPONSIVE TECH SUPPORT

    As bizarre as it sounds, operators behind the Spora ransomware deliver quality customer care as they respond to victims’ queries.

  • ANDROID RANSOMWARE GETS SMARTER

    The Android.Lockdroid.E virus was found to use a dropper that scrutinizes an infected device before deploying the right payload.

  • CRYPTOSHIELD UPGRADED TO VERSION 1.1

    CryptoShield 1.1 engages new email addresses, namely res_reserve@india.com, res_sup@india.com, and res_sup@computer4u.com.

  • UNIQUENESS OF THE EREBUS RANSOMWARE

    New sample. Circumvents UAC prompt while getting admin privileges. The size of the ransom is fairly small, amounting to $90.

  • JOBCRYPTER STILL ALIVE AND KICKING

    JobCrypter ransomware returns after a period of inactivity. No particular changes have been made to its code.

  • AW3S0M3SC0T7 RANSOMWARE SPOTTED IN THE WILD

    Researchers discover Aw3s0m3Sc0t7 ransom Trojan created by someone named Scott. Uses the .enc file extension.

  • NEW SAMPLE TARGETING HIGHLY SENSITIVE FILES ONLY

    Unnamed strain is discovered that pilfers .ie5, .key, .pem and .ppk files (private keys and certificates) and demands a ransom of 1 BTC.

  • ANOTHER PORTUGUESE RANSOM TROJAN SPOTTED

    Uses the .id-[random]_steaveiwalker@india.com_ file extension and COMO_ABRIR_ARQUIVOS.txt ransom note.

  • ID RANSOMWARE PROJECT KEEPS EXPANDING

    The ID Ransomware initiative by MalwareHunterTeam now identifies 300 different strains of file-encrypting threats.

  • SERPENT RANSOMWARE CAMPAIGN IS UNDERWAY

    Presumably a Hades Locker spinoff. Uses the .serpent extension and HOW_TO_DECRYPT_YOUR_FILES_[random].html/txt notes.

  • DYNA-CRYPT IS MORE THAN JUST RANSOMWARE

    The new DynA-Crypt infection encodes victims’ data and steals various personally identifiable information. Requests $50 in BTC.

  • DIGISOM, ONE MORE HIDDEN TEAR DERIVATIVE

    Based on open-source Hidden Tear. Adds the .[A-Za-z0-9]{3}.x extension to files and drops “Digisom Readme[0-9].txt” ransom note.

  • FADESOFT PEST PAYS HOMAGE TO A MOVIE

    Ransom warning contains a logo of Umbrella Corporation from Resident Evil series. Demands 0.33 BTC for data decryption.

  • SERBRANSOM 2017, A NEW ONE ON THE TABLE

    Concatenates the .velikasrbija extension to files and deletes a random file every 3 minutes. Asks for $500 worth of Bitcoins.

  • WCRY SPECIMEN IS RUN-OF-THE-MILL

    Appends the .wcry suffix to enciphered files and demands 0.1 BTC for decryption.

  • RDP-BASED RANSOMWARE ATTACKS ARE ON THE RISE

    TrendMicro found that the number of RDP brute-force attacks spreading CrySiS ransomware has grown dramatically in 2017.

  • SERBRANSOM 2017 AUTHOR DETAILS REVEALED

    Experts discover that SerbRansom 2017 dev advocates ideas of ultranationalism with his hatred toward Kosovo and Croatia.

  • NEW RANSOMWARE THAT ARCHIVES FILES

    A strain is spotted that moves a victim’s files to a password-protected RAR archive and requests 0.35 BTC for the unlock password.

  • SAMAS FAMILY KEEPS EXPANDING

    Another Samas/SamSam spinoff uses the .encryptedyourfiles extension and 001-READ-FOR-DECRYPT-FILES.html ransom note.

  • NEW CYBERSPLITTER VARIANT GOES LIVE

    Displays an FBI themed warning that says, “Your Computer Has Been Locked!”. The ransom amounts to 0.5 BTC.

  • POC RANSOMWARE FOR INDUSTRIAL CONTROL SYSTEMS

    Researchers from Georgia Institute of Technology present POC ransomware targeting ICS/SCADA systems at RSA Conference.

  • MOST RANSOMWARE DEVS SPEAK RUSSIAN

    According to Kaspersky Lab, 75% of all ransomware strains circulating in 2016 were created by Russian-speaking crooks.

  • MORE CYBERSPLITTER EDITIONS SPOTTED

    Two new CyberSplitterVBS versions appear, one of which impersonates “Saher Blue Eagle” remote administration tool.

  • NEW JOBCRYPTER VARIANT RELEASED

    The fresh JobCrypter edition uses a new set of email addresses: frthnfdsgalknbvfkj@outlook.fr (…@yahoo.com, …@gmail.com).

  • CERBER SKIPS AV-RELATED FILES

    When scouring infected computers for data, a new variant of the Cerber ransomware ignores files associated with security suites.

  • SMALL TWEAK OF THE N1N1N1 STRAIN

    The changes include a new filemarker (333333333333) and a different Tor address of the decryption service.

  • RESEARCHER DEMONSTRATES RANSOMWARE REVERSING

    Fabian Wosar of Emsisoft sets up a streaming session where he reverses new Hermes ransomware and finds its weaknesses.

  • PRINCESS LOCKER UPDATE

    The latest build of the Princess Locker ransomware drops a new ransom manual called @_USE_TO_FIX_JJnY.txt.

  • KASISKI RANSOM TROJAN APPEARS IN THE WILD

    This new Spanish sample uses the [KASISKI] prefix to label encrypted files and leaves INSTRUCCIONES.txt ransom note.

  • XYZWARE, NEW BADDIE ON CYBERCRIME STAGE

    New XYZWare is a Hidden Tear POC derivative most likely hailing from Indonesia. Drops README.txt ransom note.

  • MINOR TWEAK OF CRYPTCONSOLE RANSOMWARE

    The only change as compared to the previous edition is a new email address being used: something_ne@india.com.

  • MRCR RANSOMWARE DECRYPTOR UPDATED

    Emsisoft’s Fabian Wosar updates his decryptor for the Merry X-Mas ransomware so that it can handle new versions of the plague.

  • ANDROID RANSOMWARE TRENDS DISSECTED

    ESET publishes a whitepaper on how Android ransomware has mutated and grown in volume since 2014.

  • SAGE RANSOMWARE UPDATED TO VERSION 2.2

    Aside from the new version name, Sage 2.2 ransomware creates !HELP_SOS ransom notes on the desktop and inside folders.

  • NEW VARIANT OF THE SAMAS RANSOM TROJAN

    Concatenates the .weencedufiles extension to encrypted files and leaves READ_READ_READ.html recovery how-to.

  • CRYPTOMIX VARIANT DECRYPTED BY AVAST

    Avast, in cooperation with CERT.PL, releases a free decryptor for the offline edition of CryptoMix ransomware.

  • TRUMP LOCKER, A VENUSLOCKER REMAKE

    Uses two different extensions (.TheTrumpLockerf and .TheTrumpLockerp) and drops “What happen to my files.txt” ransom note.

  • CRYPT888 RANSOMWARE MODIFIED

    New Crypt888 variant displays a beach view instead of ransom notes and puts the “Lock.” prefix before original filenames.

  • NEW SAMPLE CODED IN PYTHON

    Avast researchers spot a new Python-based strain that appends the .d4nk string to encrypted files.

  • PATCHER RANSOMWARE TARGETING MAC OS X

    Payloads are disguised as patchers for various Mac OS apps. Drops README!.txt ransom note. Files cannot be decrypted for free.

  • THE UNUSUAL UNLOCK26 RANSOMWARE

    Provides no contact details. Before submitting the ransom to unlock files, a victim is instructed to solve a math problem.

  • ANDROID RANSOMWARE THAT CAN LISTEN

    New Lockdroid ransomware spinoff unlocks a device after the victim pronounces the unlock code obtained after payment.

  • PICKLES RANSOMWARE EMERGES

    Written in Python. Appends files with .[random].EnCrYpTeD extension and creates READ_ME_TO_DECRYPT.txt ransom notes.

  • GO-BASED VANGUARD RANSOMWARE

    New Vanguard ransomware is written in Google’s Go programming language. Not very active at this point.

  • ANOTHER CRYPTOMIX UPDATE

    The latest iteration of CryptoMix stains the names of encoded files with the .CRYPTOSHIEL extension.

  • MYSQL SERVERS UNDER ATTACK

    Extortionists hijack numerous MySQL databases around the world, erase their content and demand a ransom of 0.2 BTC.

  • DAMAGE RANSOMWARE SPOTTED

    New sample that concatenates the .damage string to encrypted files, hence the name of the ransomware.

  • WEIRDNESS OF THE BARRAX RANSOMWARE

    This is a Hidden Tear spinoff that appends files with the .BarRax suffix. The strange thing is that it has a regular support forum.

  • RAAS BEHIND UNLOCK26 INFECTION

    Unlock26 trojan is now distributed on a Ransomware-as-a-Service basis. The operators get 50% of ransoms submitted by victims.

  • SARDONINIR RANSOMWARE IN DEVELOPMENT

    An in-dev ransomware that uses the .enc extension and sends encryption password to sardoninir@gmail.com.

  • CRYPT0L0CKER SPAM CAMPAIGN DISSECTED

    Italian security experts discover that Crypt0L0cker devs sign their spam emails with legit “posta elettronica certificata” (PEC).

  • CRYPTOGRAPHER ON THE FUTURE OF RANSOMWARE

    Matthew Green, cryptographer and professor at Johns Hopkins University, writes an article on ransomware evolution crypto-wise.

  • FILELOCKER GOING AFTER CZECH USERS

    New FileLocker ransomware displays ransom notes in Czech, uses the .ENCR file extension and asks for 0.8 BTC.

  • DEALING WITH FINDZIP ATTACK AFTERMATH

    Malwarebytes team devises a method to restore files encrypted by Mac OS X ransomware called Findzip.

  • DETAILS OF CRYPT0L0CKER RE-EMERGENCE

    Crypt0L0cker, aka TorrentLocker, is active again after almost a year of standstill. The updated infection mostly targets Europe.

  • LOCKY RANSOMWARE USES A GENUINE CERT

    It turns out that the .osiris variant of Locky is signed by a digital certificate issued by Comodo CA.

  • DHARMA RANSOMWARE MASTER KEYS LEAKED

    Someone nicknamed ‘gektar’ provided a Pastebin link on BleepingComputer forums leading to master decryption keys for Dharma.

  • THE ONSET OF KRIDER RANSOMWARE

    A new sample called KRider is underway. It concatenates the .kr3 extension to ciphered files.

  • RANSOMWARE IDENTIFICATION IS GETTING TOUGHER

    Two emails in the “.SN-[random_numbers]-info@kraken.cc_worldcza@email.cz” extension added by a new strain are confusing.

  • PODCAST FEATURING THE AUTHOR OF “ID RANSOMWARE”

    Michael Gillespie, the architect of ID Ransomware service, provides useful security tips in the FightRansomware podcast.

  • TIES BETWEEN RIG EK AND ASN1 RANSOMWARE

    The ASN1 ransom trojan is deposited on computers via RIG exploit kit. This sample drops “!!!!!readme!!!!!.htm” ransom note.

  • DHARMA RANSOMWARE DECRYPTED

    Kaspersky, followed by ESET and Avast, release free decryptors for the Dharma ransomware based on leaked master keys.

  • CERBER PRESUMABLY STEPPING INTO ANDROID OS

    Analysts discovered Cerber ransom note README.hta being embedded in the code of several official Android apps.

  • CREATION OF MAFIAWARE SPINOFF IN PROGRESS

    Somebody is reportedly working on a new ransomware sample based on the source code of MafiaWare threat.

  • FABSYSCRYPTO, A NEW LOCKY COPYCAT

    A strain called FabSysCrypto is spotted that drops ransom notes identical to Locky’s and uses the code of Hidden Tear POC.

  • JIGSAW RANSOMWARE VERSION 4.6 SPOTTED

    The newcomer features an updated warning screen, demands $150 worth of Bitcoin, and provides a 24-hour deadline.

  • RANSOMWARE ATTACKS PA. SENATE DEMOCRATS

    Computer network of the Pennsylvania Senate Democratic Caucus gets shut down due to a ransomware incident.

  • NEW FADESOFT VARIANT EMERGES

    The updated FadeSoft ransomware uses a warning screen that’s no longer Resident Evil movie themed. No more tweaks made.

  • CRYPTOJACKY TARGETING SPANISH-SPEAKING USERS

    Ransom notes by the new CryptoJacky ransomware are in Spanish. The pest uses Aescrypt.exe application to scramble files.

  • ENHANCEMENT MADE TO SHAMOON DISK WIPER

    The notorious Shamoon disk-wiping worm originally discovered in 2012 now goes equipped with a ransomware component.

  • THE ONSET OF ENJEY CRYPTER

    New Enjey Crypter ransomware bears a resemblance to the RemindMe strain. It uses ‘contact_here_me@india.com’ email address.

  • UNLOCK92 TROJAN GETS FINE-TUNED

    The only apparent change in comparison with the previous edition is the new name of the ransom note – READ_ME_!.txt.

  • NHTNWCUF RANSOMWARE IS AN ODD ONE

    Leaves ransom notes called !_RECOVERY_HELP_!.txt or HELP_ME_PLEASE.txt. Ends up scrambling files beyond recovery.

  • MEET PAUL, A WANNABE EXTORTIONIST

    Researchers discovered a crude Hidden Tear POC-based sample being developed by a person from France named Paul.

  • CRYPTON, AKA NEMESIS RANSOMWARE CRACKED

    Emsisoft creates a free decryptor for the CryptON ransom trojan, which otherwise demands 0.5 BTC ($620) for file recovery.

  • NEW CRYPT0L0CKER CAMPAIGN DISSECTED

    Cisco’s Talos Intelligence Group publishes a comprehensive write-up on the new variant of Crypt0L0cker / TorrentLocker.

  • CRYPTOLOCKER 1.0.0 IS JUST AN IMPOSTOR

    CryptoLocker 1.0.0 uses RSA crypto algo and displays ransom how-to’s in Turkish. Name borrowed from the infamous prototype.

  • RANRAN RANSOMWARE ISN’T RUN-OF-THE-MILL

    Spreads within a country in the Middle East and has clear political implications. Uses encryption tiers and adds the .zZz extension.

  • CERBER NOW KEEPS FILENAMES INTACT

    New variant of the Cerber ransomware doesn’t modify original filenames. Still appends a PC-specific 4-char extension, though.

  • VORTEX RANSOMWARE TARGETING POLISH USERS

    Concatenates the .aes extension to encrypted files and drops ODSZYFRUJ-DANE.txt (“DECRYPT-DATA”) ransom manual.

  • VAPELAUNCHER, A CRYPTOWIRE SPINOFF

    New VapeLauncher ransomware is based on the code of CryptoWire POC. Demands $200 worth of Bitcoin.

  • SPORA’S INFECTION VECTOR SCRUTINIZED

    Kevin Douglas from RSA Security publishes an article with in-depth analysis of the HTA contamination vector used by Spora devs.

  • PADCRYPT 3.4.0 DISCOVERED

    Researchers found a sample of new PadCrypt ransomware v3.4.0. It uses the same build and campaign ID as the predecessor.

  • UNIQUENESS OF SAMAS RANSOMWARE EXPLAINED

    Samas ransomware uses a worm-like tactic to affect all connected servers and backups. Its devs made $450,000 in one year.

  • EXHAUSTIVE ANALYSIS OF THE SPORA RANSOMWARE

    Malwarebytes Labs aggregates the totality of the top-notch Spora ransomware’s technical details into a single post.

  • TIES BETWEEN SAGE 2.2 AND AN INFO STEALER

    Analysts discover a connection between the Sage ransomware campaign and the distribution of August Stealer malware.

  • NEW ANDROID DEVICES WITH RANSOMWARE ON BOARD

    Pre-installed ransomware and adware were found on 38 Android smartphones shipped to two big technology companies.

  • ID RANSOMWARE SERVICE ENHANCED

    The ID Ransomware resource by MalwareHunterTeam is now capable of identifying files scrambled by Spora ransomware.

  • SAMSAM STRAIN UPDATE

    New SamSam variant uses the .iaufkakfhsaraf file extension and IF_YOU_WANT_FILES_BACK_PLS_READ.html ransom note.

  • DAMAGE RANSOMWARE DECRYPTED

    Emsisoft CTO Fabian Wosar defeats the crypto of the Damage Ransomware in another live streaming session.

  • NEW ROZALOCKER SPECIMEN

    RozaLocker appends the .ENC extension to files, drops ransom notes in Russian and requests 10,000 Rubles ($173) for recovery.

  • FRESH SAMPLE AFFECTING FRENCH AUDIENCE

    A new ransom Trojan is discovered that displays its recovery how-to called “Verrouille” in French.

  • ENJEY TROJAN DEV’S REVENGE

    Operator of the Enjey ransomware fires a series of DDoS attacks at ID Ransomware site following the release of ad hoc decryptor.

  • Ŧl๏tєгค гคภร๏๓ฬคгє IS VORTEX IN DISGUISE

    Researchers discover a sample called the Ŧl๏tєгค гคภร๏๓ฬคгє, which appears to be a spinoff of the Vortex strain.

  • PADCRYPT UPDATED AGAIN

    Although the PadCrypt ransomware isn’t in active rotation, its authors keep launching new versions; it is now at 3.4.1.

  • PROJECT34 RANSOMWARE HUNT STARTS

    Analysts declare an initiative against the Project34 ransomware, which prepends “project34@india.com” to locked files.

  • PETRWRAP, A PETYA RANSOMWARE DERIVATIVE

    New PetrWrap ransomware leverages Windows PsExec tool to infect enterprise networks and completely deny access to machines.

  • NEW RAAS COMPROMISED BY WHITE HAT HACKERS

    Malwarebytes researchers hack FileCrypter Shop, a Ransomware-as-a-Service resource that’s about to go live.

  • SPORA RANSOMWARE CAMPAIGN TWEAK

    The Spora crew registers a new C2 domain torifyme[dot]com and starts using it for victim interaction purposes.

  • JIGSAW RANSOMWARE UPDATE

    The latest edition of the Jigsaw ransomware concatenates the .nemo-hacks.at.sigaint.org extension to encoded files.

  • NEW ITERATION OF THE HERMES RANSOMWARE

    Hermes, a strain previously cracked by Emsisoft’s Fabian Wosar in a live video, is now at version 2.0.

  • HERMES ENCRYPTION DEFEATED

    Researcher Michael Gillespie, in cooperation with Fabian Wosar, releases a free decryptor for the Hermes ransomware.

  • AN INSTRUCTIVE SCREEN LOCKER DISCOVERED

    A Russian screen locker is spotted that allows for easy recovery as long as the victim reads how dangerous ransomware is.

  • KARMEN RAAS BEING DEVELOPED

    Malware watchers discover a new Ransomware-as-a-Service portal called Karmen, which is currently in development.

  • REVENGE TROJAN, A CRYPTOMIX SPINOFF

    The Revenge ransomware spreads via RIG exploit kit, uses the .REVENGE file extension and # !!!HELP_FILE!!! #.txt ransom note.

  • SAMPLE PRETENDING TO BE CTB-LOCKER

    New CTB-Locker copycat displays Beni Oku.txt ransom manual in Turkish and appends the .encrypted extension to files.

  • A VANITY-DRIVEN HIDDEN TEAR VERSION

    A Hidden Tear POC offspring appears that asks victims to post a specific message on Facebook to get the fix.

  • NSIS INSTALLERS ABUSED BY RANSOMWARE DEPLOYERS

    Microsoft discovered a trend of threat actors distributing ransomware by manipulating the Nullsoft Scriptable Install System (NSIS).

  • THE ECCENTRIC KIRK RANSOMWARE

    Uses Star Trek themed warnings and Monero payment system. Appends .Kirked extension and leaves RANSOM_NOTE.txt manual.

  • LICK RANSOMWARE BASED ON KIRK STRAIN

    The Lick ransomware acts similarly to Kirk, uses the same decryption how-to (RANSOM_NOTE.txt) and the .Licked file extension.

  • SCREEN LOCKER CALLED CRYPTODEVIL

    Reverse engineering of CryptoDevil revealed that its author’s nickname is “Mutr0l”. The “kjkszpg” code unlocks the screen.

  • ROSHALOCK 2.0 USES RAR TO LOCK FILES

    Moves data to a password-protected RAR archive and creates a ransom note called “All Your Files in Archive!.txt”.

  • DECRYPT TOOL FOR CRYPTON GETS FINE-TUNED

    Emsisoft CTO Fabian Wosar releases an updated decryptor for CryptON that supports the newest edition of the infection.

  • ZINOCRYPT RANSOMWARE – 2017 EDITION

    Concatenates the .ZINO extension to ciphered files and creates ZINO_NOTE.txt ransom manual.

  • CRPTXXX IS NOTHING OUT OF THE ORDINARY

    Affixes the .crptxxx string to scrambled files and drops the HOW_TO_FIX_!.txt document to instruct victims regarding recovery.

  • JIGSAW RANSOMWARE GETS A NEW LOOK AND FEEL

    New edition of the Jigsaw crypto infection uses a new background for its warning window and appends the .fun file extension.

  • DH_FILE_LOCKER RANSOMWARE BUILDER EXPOSED

    Analysts spot a tool called DH_File_Locker, by Doddy Hackman 2016, which can be used to build custom ransomware.

  • BUILDER FOR TRIDENT FILE LOCKER DISCOVERED

    Another ransomware builder is spotted. Called the Trident Builder, it allows crooks to easily generate a payload of their own.

  • MACANDCHESS DEV CARES ABOUT MARKETING

    Hidden Tear based MacAndChess ransomware tells victims to post “I’ve been hacked by anony” phrase on their Facebook wall.

  • THE DECRYPTABLE BRAINCRYPT RANSOMWARE

    Appends one’s locked files with the .[braincrypt@india.com].braincrypt extension. A free decryptor is available.

  • MOTD RANSOMWARE SPOTTED

    Concatenates the .enc extension to encrypted files and drops a ransom note called motd.txt.

  • CRYPTODEVIL SAMPLE IN DEVELOPMENT

    Currently scrambles data only in sub-directories of a folder hosting its executable. Appends the .devil extension to files.

  • VIETNAMESE EDITION OF JIGSAW RANSOMWARE

    This variant of the notorious Jigsaw strain leaves a decryption how-to in Vietnamese. Still an in-dev sample at this point.

  • LOCKY CAMPAIGN STEADILY GOING DOWN

    Since the Necurs botnet stopped generating spam with Locky ransomware payloads, the campaign has been declining big time.

  • RANSOMWARE-RELATED BILL INTRODUCED

    The gist of a recent Indiana bill is to make ransomware distribution a standalone felony leading to 1-6 years in jail.

  • PADCRYPT WON’T STOP UPDATING

    Analysts discover a new variant of the PadCrypt ransomware, which now reaches v3.4.4. No noteworthy functional changes made.

  • SAMAS RANSOMWARE UPDATED ONCE AGAIN

    New edition uses the .cifgksaffsfyghd file extension and READ_READ_DEC_FILES.html ransom manual.

  • LLTP LOCKER TARGETING SPANISH-SPEAKING USERS

    Aka LLTP Ransomware. Researchers found that its code is based off of the VenusLocker strain.

  • SAP PRODUCTS EXPLOITABLE TO SERVE RANSOMWARE

    Security experts discover a vulnerability in SAP Windows client that may allow crooks to deploy ransomware remotely.

  • USER-FRIENDLY RANSOM TROJANS ARE ALREADY HERE

    An article is posted on Barkly blog, predicting that ransomware with quality customer service will be a future trend.

  • NEW ZORRO RANSOMWARE SURFACES

    Appends files with the .zorro suffix and creates a ransom note called Take_Seriously (Your saving grace).txt.

  • ANGLEWARE, ANOTHER HIDDEN TEAR OFFSPRING

    AngleWare appears to be a new derivative of the Hidden Tear proof of concept. Uses the .AngleWare file extension.

  • THE “MONUMENT” EDITION OF JIGSAW RANSOMWARE

    The payload is hidden in an installer for the Imminent Monitor RAT. Provides recovery steps right in the extension added to files.

  • METEORITAN STRAIN SPREADING IN POLAND

    Leaves ransom notes called where_are_your_files.txt or readme_your_files_have_been_encrypted.txt.

  • GLOBE3 DECRYPTOR UPDATED

    Emsisoft updates their free decryptor for the Globe3 ransomware so that it restores files locked by the newest edition.

  • “MONUMENT” SAMPLE HAS NOW GOT COMPANY

    Jigsaw version called the “Monument” ransomware now propagates along with an adult-themed screen locker.

  • SOME SPORA RANSOMWARE STATS UNCOVERED

    MalwareHunterTeam provides details on the number of ransomed files (48466020) belonging to 646 Spora victims.

  • LK ENCRYPTER, ONE MORE HIDDEN TEAR SPINOFF

    The array of Hidden Tear POC derivatives gets replenished with new LK Encrypter, which uses the .locked file extension.

  • BTCWARE, NEW ONE ON THE RANSOMWARE ARENA

    Has common traits with the CrptXXX sample. Demands 0.5 BTC (about $500) for data decryption.

  • SADSTORY RANSOMWARE CAMPAIGN TAKES ROOT

    SADStory instructs victims to send email to tuyuljahat@hotmail.com for recovery steps and deletes one random file every 6 hours.

  • USEFUL CRYPTOSEARCH TOOL UPDATED

    The CryptoSearch utility by Michael Gillespie now identifies files affected by the Spora ransomware.

  • NEW VARIANT OF WCRY RANSOMWARE GOES LIVE

    The updated WCry, aka WANNACRY, ransomware drops “!WannaCryptor!.bmp” and “!Please Read Me!.txt” ransom notes.

  • SPANISH CRYPTO THREAT USING INTERESTING DISGUISE

    The strain targets Spanish-speaking audience, uses Smart Install Maker solution and displays a rogue Windows Update screen.

  • MEMELOCKER CAMPAIGN IS ABOUT TO BREAK OUT

    Researchers spot a new ransom Trojan called MemeLocker, which is still in development. Displays a bright-red warning window.

  • UNDERGROUND RANSOMWARE WORKSHOP UNCOVERED

    Cybercrime group dubbed “Mafia Malware Indonesia” is responsible for creating CryPy, MafiaWare, SADStory and a few more strains.

  • iOS UPDATE FEATURING IMPORTANT SECURITY PATCH

    The latest iOS 10.3 update contains a fix for a Safari security issue, which will address a growing police ransomware campaign.

  • PYCL RANSOMWARE, A CTB-LOCKER COPYCAT

    New Python-based PyCL ransomware propagates via RIG exploit kit and displays ransom notes similar to CTB-Locker’s.

  • R RANSOMWARE, ANOTHER ONE ON THE TABLE

    Named simply “R”, this ransom Trojan leaves a self-explanatory Ransomware.txt how-to and demands 2 BTC for decryption.

  • STRAIN USING THE .ANDROID EXTENSION

    Fresh sample called AnDROid appends the .android extension to files and displays an animated image of a skull in its ransom note.

  • ANOTHER RANSOMWARE HUNT BEGINS

    Michael Gillespie, aka @demonslay335, declares a hunt for the .pr0tect file (READ ME ABOUT DECRYPTION.txt) ransomware.

  • GREAT WRITE-UP ON SAGE RANSOMWARE

    Malwarebytes Labs publishes an article dissecting multiple facets of the Sage ransomware, which is currently at version 2.2.

  • HAPPYDAYZZ RANSOMWARE DISCOVERED

    HappyDayzz strain can switch between different encryption algos. Uses the blackjockercrypter@gmail.com contact email.

  • DONOTCHANGE RANSOMWARE SPOTTED

    Requests $250 for decryption and warns victims that changing the names of encrypted files will make recovery impossible.

  • FILE FROZR RAAS LAUNCHED

    New Ransomware-as-a-Service portal called FILE FROZR starts functioning. Asks for $100 monthly, with a $50 discount for the first month.

  • DONOTCHANGE RANSOMWARE DECRYPTED

    Another win for the good guys – Michael Gillespie creates a free decryptor for the recently released DoNotChange strain.

  • GOOGLE STATES ANDROID RANSOMWARE ISN’T COMMON

    According to Google, ransomware infecting Android devices is extremely rare and the issue is blown out of proportion.

  • CRYPTOSEARCH APP FINE-TUNED

    FadeSoft ransomware victims can now use the CryptoSearch tool to detect encrypted files and move them to a new location.

  • ID RANSOMWARE SERVICE NOW IDENTIFIES FADESOFT

    The ID Ransomware online resource has been updated to identify the FadeSoft ransom Trojan by files and/or ransom notes.

  • ANDROID RANSOMWARE UNDETECTED BY AV TOOLS

    A new sample of Android ransomware is spotted that leverages an obfuscation mechanism to evade AV detection.

  • LANRAN RANSOMWARE EMERGES

    The new LanRan infection displays a tasteless-looking warning screen that requests 0.5 BTC for a purported recovery service.

  • FANTOM RANSOMWARE UPDATED AGAIN

    The latest edition of Fantom replaces filenames with base64 encoded strings and uses RESTORE-FILES.[random].hta ransom note.

  • NEW CRYPVAULT VARIANT IS OUT

    Spreads via spam delivering a phony CV and uses the helplovx@excite.co.jp email address to interact with victims.

  • ONE MORE RANSOMWARE HUNT LAUNCHED

    This time, researchers will try to hunt the Cradle ransomware down (.cradle extension and _HOW_TO_UNLOCK_FILES_.html note).

  • THE WITTY “SANCTIONS RANSOMWARE”

    The Sanctions ransomware takes root. It appends the .wallet extension to files and caricatures US sanctions against Russia.

  • UEFI FIRMWARE VULNERABILITY UNCOVERED

    Researchers from Cylance discover a firmware security loophole that may expose Gigabyte Brix devices to ransomware attacks.

  • GX40 RANSOMWARE MAY SPAWN LOTS OF SPINOFFS

    GX40 ransomware (.encrypted extension) employs a codebase that researchers predict will be reused to spawn malicious derivatives.

  • GX40 CODEBASE STARTS MAKING TROUBLE

    New sample is discovered that’s based on GX40 ransomware code. The fresh one uses geekhax@gmail.com contact address.

  • ANGRYKITE STRAIN SPOTTED

    AngryKite scrambles filenames and appends them with the .NumberDot string. Also instructs victims to dial a phone number.

  • DEATHNOTE HACKERS RANSOMWARE POPS UP

    Operated by DeathNote Hackers group, this one concatenates the .f*cked extension to encrypted files. Decryptable for free.

  • FLUFFY-TAR RANSOMWARE UNDERWAY

    Appends the .lock75 file extension, demands 0.039 BTC (about $50) for decryption, and uses a Tor gateway for communication.

  • NEW CERBER VERSION IS OUT

    Uses a new ransom note name (_READ_THI$_FILE_[random].hta/jpeg/txt or _READ_THIS_FILE_[random].hta/jpeg/txt).

  • AMADEOUS RANSOMWARE IS ALMOST HERE

    Security experts stay on top of the work of a crook named “Paul”, who came up with the “Amadeous” name for his ransomware.

  • FAIZAL, A HIDDEN TEAR OFFSPRING

    The new Faizal ransomware is based on Hidden Tear POC. It affixes the .gembok string to encoded files.

  • PADCRYPT DEVS REQUEST NICE REVIEWS

    Tor site used in the PadCrypt ransomware campaign suggests that victims give it good feedback to get a partial ransom refund.

  • NEW DECRYPTOR FOR BART RANSOMWARE RELEASED

    Bitdefender crafts a decryption tool supporting all variants of Bart ransomware, which uses the .bart.zip, .bart or .perl extension.

  • GX40 PROJECT KEEPS PRODUCING SPINOFFS

    The fresh one requests 0.02 BTC and instructs victims to contact the crooks via ransomwareinc@yopmail.com.

  • A TWEAK MADE TO THE JIGSAW PEST

    Concatenates the “.I’WANT MONEY” extension to filenames and uses ewsc77@mail2tor.com email address.

  • VORTEX RANSOMWARE CRACKED

    Michael Gillespie, ID Ransomware author, claims he can decrypt files locked by Vortex strain. Victims should contact him directly.

  • SAMAS RANSOMWARE UPDATE

    New edition uses the .skjdthghh extension and 009-READ-FOR-DECCCC-FILESSS.html ransom how-to.

  • PADCRYPT 3.5.0 GOES LIVE

    MalwareHunterTeam discovers a brand new version of PadCrypt that’s now at v3.5.0.

  • A LIKELY RAAS FOR THE FANTOM BADDIE

    Code of the latest Fantom ransomware edition contains a ‘partnerid’ attribute, so an associated RaaS may be on its way.

  • NEW CRYPTOWIRE SPINOFF SPOTTED

    The latest CryptoWire version is denominated “realfs0ciety@sigaint.org.fs0ciety”. The payload arrives as AA_V3.exe file.

  • ANOTHER PYTHON-BASED SAMPLE FOUND

    This one puts a lot of pressure on victims as it instructs them to pay 0.3 BTC within 3 hours.

  • HT SPINOFF DUBBED KRIPTO

    Security researchers come across a new Hidden Tear derivative called Dikkat (Eng. “Attention”). The ransom note is in Turkish.

  • LMAOXUS RANSOMWARE DISCOVERED

    LMAOxUS ransomware is based on open-source EDA2 POC. Its maker, however, eliminated a backdoor in the original code.

  • MAN FROM AUSTRIA ARRESTED OVER RANSOMWARE

    A 19-year-old Austrian citizen is apprehended for infecting a Linz based organization with the Philadelphia ransomware.

  • RENSENWARE FEATURES OFFBEAT TACTICS

    A sample called Rensenware tells the victim to score more than 0.2 billion points in the TH12 game, which is the only way to restore files.

  • $100,000+ MADE BY EXTORTION GROUP

    A single cybercrime ring reportedly made more than $100,000 by taking advantage of a zero-day vulnerability in Apache Struts.

  • CRY9 RANSOMWARE DECRYPTED

    Emsisoft creates a decryptor for the Cry9 ransom Trojan, a CryptON spinoff that employs the AES, RSA and SHA-512 algorithms.

  • CRITICISM OVER SCADA RANSOMWARE CLAIMS

    Experts criticize Security Affairs for publishing a far-fetched analysis on SCADA ransomware called Clear Energy.

  • MATRIX CAMPAIGN ON THE RISE

    Matrix ransomware is being reportedly distributed via RIG exploit kit, so it is shaping up to be a serious problem.

  • CERBEROS RANSOMWARE ISN’T CERBER AT ALL

    The new crypto-troublemaker called Cerberos is an offspring of the CyberSplitterVBS strain and has nothing to do with Cerber.

  • KILIT RANSOMWARE CREATION IN PROGRESS

    MalwareHunterTeam spots an in-dev sample configured to append the .kilit extension to files. No ransom note so far.

  • SERPENT STRAIN STILL ALIVE AND KICKING

    New Serpent edition uses the .serp file extension and README_TO_RESTORE_FILES.txt ransom how-to.

  • CRY9 DECRYPTOR ENHANCED

    Emsisoft updates their Cry9 decryptor to improve its performance and broaden ransomware version coverage.

  • NEW HIDDEN TEAR BASED RANSOMWARE SPOTTED

    Goes with a GUI, displays warning messages in Portuguese and concatenates the .locked string to hostage files.

  • BTCWARE INFECTION TWEAK

    The new variant of BTCWare strain instructs victims to contact the attackers via new email address lineasupport@protonmail.com.

  • ANOTHER INSTRUCTIVE RANSOMWARE SURFACES

    Called the “Kindest Ransomware ever”, this one locks files and decrypts them after the victim watches a security video online.

  • MOLE RANSOMWARE, NEW ONE ON THE TABLE

    Uses the .MOLE file extension and INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt decryption how-to.

  • REKT RANSOMWARE BEING CREATED

    According to researchers’ analysis, someone named (or nicknamed) Anthony is working on .rekt file ransomware.

  • NEW JIGSAW EDITION

    The latest Jigsaw ransomware variant displays ransom notes in French and concatenates the .crypte string to locked files.

  • IN-DEV EL-DIABLO RANSOMWARE FOUND

    MHT discovered an in-development sample dubbed El-Diablo. Its code contains references to the author’s name – SteveJenner.

  • DHARMA COPYCAT APPEARS

    New Globe v3 ransomware edition impersonates the Dharma strain. The file extension is .[no.torp3da@protonmail.ch].wallet.

  • FRESH JIGSAW RANSOMWARE SPINOFF IS UNDERWAY

    New Jigsaw variant uses the .lcked string to label scrambled files and displays a new desktop background to alert victims.

  • NEW RANSOMWARE BUILDER DISCOVERED

    Although this utility is quite primitive, it still provides wannabe crooks with source code to create viable ransomware.

  • CRADLE RANSOMWARE SOURCE CODE PUT UP FOR SALE

    Perpetrators behind the Cradle Ransomware start selling the source code they dubbed CradleCore. The price starts at 0.35 BTC.

  • CERBER AT THE TOP OF RANSOMWARE FOOD CHAIN

    According to Malwarebytes, the Cerber ransomware is today’s top crypto threat, with its current market share at 86.98%.

  • ONE MORE WANNABE CROOK ON THE RADAR

    A ne’er-do-well from Thailand is reportedly working on a Hidden Tear variant that uses the READ_IT_FOR_GET_YOUR_FILE.txt note.

  • HT VARIANT USING A SET OF EXTENSIONS

    New Hidden Tear offspring randomly chooses file extension out of .ranranranran, .okokokokok, .loveyouisreal, and .whatthefuck.

  • DISTRIBUTION CHANGE OF PYCL RANSOMWARE

    pyCL operators now use malign Word documents to spread the Trojan. The extension of locked files is .crypted.

  • DHARMA SWITCHES TO A NEW EXTENSION

    The latest edition of the Dharma ransomware concatenates the .onion string to encrypted files.

  • JIGSAW-STYLE SCREEN LOCKER

    New German screen locker displays an image of the Jigsaw movie character in its ransom note. Unlock code is HaltStopp! or 12344321.

  • SCHWERER RANSOMWARE SPOTTED

    Schwerer being the German for “harder”, this new ransomware is written in AutoIt. According to ESET, it’s potentially decryptable.

  • TROLDESH STRAIN UPDATED

    A new Troldesh family member affixes the .dexter extension to enciphered files. The ransom note is still README[random_number].txt.

  • RANSOMWARE WHOSE MAKERS ARE CONFICKER FANS

    Researchers spot a sample called C_o_N_F_i_c_k_e_r. It appends files with the .conficker suffix and uses Decrypt.txt ransom note.

  • MALABU RANSOM TROJAN

    The Malabu ransomware demands $500 in Bitcoin for file recovery. The amount doubles after 48 hours.

  • SNAKEEYE RANSOMWARE IN DEVELOPMENT

    Security analysts come across a sample called the SnakeEye ransomware. Its development is attributed to SNAKE EYE SQUAD.

  • VERY BUGGY TURKISH RANSOMWARE

    MHT discovers a strain made by someone from Turkey, which completely erases files rather than encrypting them.

  • KARMEN RAAS LAUNCHED

    Ransomware-as-a-Service portal called Karmen is made available to would-be cybercrooks. The code is based on Hidden Tear.

  • ATLAS RANSOMWARE APPEARS

    Concatenates the .ATLAS extension to cipher-affected files and leaves a decryption how-to called ATLAS_FILES.txt.

  • LOLI STRAIN RELEASED

    The name of this one is spelled “LOLI RanSomeWare”. It uses the .LOLI string to blemish scrambled files.

  • EXTERNAL TWEAK OF JIGSAW RANSOMWARE

    This Jigsaw version displays a ransom note with images of Joker and Batman in it. The file extension is .fun.

  • KARMEN MORPHS INTO MORDOR

    Karmen ransomware, which has been distributed on a RaaS basis since April 18, gets renamed to Mordor.

  • ANOTHER HT DERIVATIVE POPS UP

    New Hidden Tear version is discovered that stains files with the .locked extension. It’s buggy, so encryption doesn’t go all the way.

  • HIGH-PROFILE DISTRIBUTION OF AES-NI RANSOMWARE

    Operators of the new AES-NI ransomware reportedly use NSA exploit called ETERNALBLUE to contaminate Windows servers.

  • LOCKY MAKES QUITE A REAPPEARANCE

    Locky ransomware devs resume their extortion campaign with a big spam wave featuring fake payment receipts.

  • LOCKY STILL OPTS FOR THE NECURS BOTNET

    Just like last year, the massive malspam wave spreading Locky is reportedly generated by the Necurs botnet.

  • ACTIVE LOCKY VARIANT IS THE SAME AS BEFORE

    Perpetrators behind Locky are still distributing the OSIRIS edition of their ransomware, the one that was in rotation last December.

  • JEEPERSCRYPT TRYING TO BE SCARY

    New JeepersCrypt ransomware with Brazilian origin stains files with the .jeepers string and demands 0.02 BTC for decryption.

  • ID RANSOMWARE BECOMES MORE INTELLIGENT

    The ID Ransomware service by MHT now allows identifying strains by the email address, Bitcoin address or URL found in a ransom note.
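    The two ID Ransomware entries above (matching by encrypted-file extension and ransom-note name, and now by contact indicators pulled out of the note) describe a lookup that is easy to reproduce offline for triage. The following script is an added example written for this chronicle, not code from ID Ransomware or MHT. The indicator table is an assumption assembled from extensions and note names listed elsewhere on this page (real families rotate these markers constantly); the sample infection it builds in a temporary directory is constructed, and the Bitcoin address and .onion host in it are made-up values in the right format.

```python
"""Offline ID Ransomware-style triage: score families by encrypted-file
extensions and ransom-note names found under a directory, and pull contact
IOCs (e-mail, .onion host, Bitcoin address) out of the notes so an unknown
family can still be searched for."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicator table assembled from entries in this chronicle (assumption: these
# are the only markers each family uses; extend it from fresh samples).
FAMILY_INDICATORS = {
    "Serpent":  {"ext": {".serp"},    "note": {"README_TO_RESTORE_FILES.txt"}},
    "Mole":     {"ext": {".mole"},    "note": {"INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt"}},
    "Cradle":   {"ext": {".cradle"},  "note": {"_HOW_TO_UNLOCK_FILES_.html"}},
    "Atlas":    {"ext": {".atlas"},   "note": {"ATLAS_FILES.txt"}},
    "Uiwix":    {"ext": {".uiwix"},   "note": {"_DECODE_FILES.txt"}},
    "XData":    {"ext": {".~xdata~"}, "note": {"HOW_CAN_I_DECRYPT_MY_FILES.txt"}},
    "WannaCry": {"ext": {".wncry"},   "note": set()},
    "BTCWare":  {"ext": {".btcware", ".cryptobyte", ".cryptowin", ".onyon"},
                 "note": {"!#_DECRYPT_#!.inf"},
                 "email": {"lineasupport@protonmail.com"}},
    # Note names with a [random] part need a pattern instead of an exact name.
    "Cerber":   {"ext": set(),
                 "note_re": re.compile(r"^_READ_THI[S$]_FILE_.+\.(hta|jpeg|txt)$", re.I)},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)
# Legacy Base58 P2PKH/P2SH addresses (start with 1 or 3, no 0/O/I/l).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def extract_contact_iocs(text):
    """Return the e-mails, onion hosts and Bitcoin addresses found in a note."""
    return {
        "email": sorted(set(EMAIL_RE.findall(text))),
        "onion": sorted(set(ONION_RE.findall(text))),
        "btc": sorted(set(BTC_RE.findall(text))),
    }


def identify(root):
    """Rank families by indicator hits under root; also return contact IOCs."""
    root = Path(root)
    ext_counts = Counter()
    notes = {}  # note filename -> note text
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext_counts[p.suffix.lower()] += 1
        if p.suffix.lower() in {".txt", ".html", ".hta", ".inf"}:
            notes[p.name] = p.read_text(errors="replace")

    contacts = {k: set() for k in ("email", "onion", "btc")}
    for text in notes.values():
        for kind, found in extract_contact_iocs(text).items():
            contacts[kind].update(found)

    scores = Counter()
    for family, ind in FAMILY_INDICATORS.items():
        # One point per encrypted file, ten per note or contact-address match:
        # an exact note name is far more specific than a reused extension.
        scores[family] += sum(ext_counts[e] for e in ind.get("ext", ()))
        scores[family] += 10 * sum(1 for n in notes if n in ind.get("note", ()))
        if "note_re" in ind:
            scores[family] += 10 * sum(1 for n in notes if ind["note_re"].match(n))
        scores[family] += 10 * len(contacts["email"] & ind.get("email", set()))
    ranked = [(f, s) for f, s in scores.most_common() if s > 0]
    return ranked, {k: sorted(v) for k, v in contacts.items()}


def build_sample(root):
    """Write a constructed BTCWare-style infection: three .onyon files and a note."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("budget.xlsx.onyon", "thesis.docx.onyon", "photo.jpg.onyon"):
        (docs / name).write_bytes(b"\x00ciphertext-placeholder\x00")
    (Path(root) / "!#_DECRYPT_#!.inf").write_text(
        "Your files are encrypted.\n"
        "Contact lineasupport@protonmail.com for the decryptor.\n"
        "Pay to 1AbCdEfGhJkMnPqRsTuVwXyZabcdefgh (constructed address)\n"
        "Tor portal: http://abcdefghijklmnop.onion/pay (constructed host)\n")


def demo():
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return identify(tmp)


if __name__ == "__main__":
    print(demo())
```

    Run it against a mounted image or a copied user profile by calling `identify(path)` directly; the ranked list tells you which family's decryptor to try first, and the contact IOCs are what to feed into ID Ransomware or a search engine when nothing in the table matches.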

  • AES-NI RANSOMWARE APPEARS

    This one appends the .aes_ni_0day extension to locked files and drops !!! READ THIS – IMPORTANT !!!.txt ransom note.

  • “HOPELESS” RANSOMWARE POPS UP

    Uses the .encrypted extension. The warning screen is titled “Sem Solução”, which is the Portuguese for “Hopeless”. Password is 123.

  • BREAKTHROUGH IN XPAN DECRYPTION

    Kaspersky Lab contrives a workaround to restore files with the .one extension encrypted by XPan ransomware variant.

  • GETREKT SPINOFF OF JIGSAW SPOTTED AND CRACKED

    Michael Gillespie, aka Demonslay335, discovers a Jigsaw ransomware variant using the .getrekt extension. His decryptor handles it.

  • PSHCRYPT IS NO BIG DEAL

    New sample concatenating the .psh string to encrypted files is easy to decrypt. Just entering the HBGP serial code works wonders.

  • FAILEDACCESS TROJAN CRACKED WHILE STILL IN-DEV

    Michael Gillespie’s StupidDecryptor can defeat the crypto of in-development strain using the .FailedAccess extension.

  • CTF RANSOMWARE SURFACES

    Affixes the .CTF suffix to filenames and displays a fantasy-style background that says, “Hello… It’s me…”

  • PYTEHOLE RANSOMWARE UPDATE

    New spinoff of the pyteHole ransomware is discovered that concatenates the .adr extension to scrambled data entries.

  • MOLE RANSOMWARE DISTRIBUTION ON THE RISE

    This strain appends the .MOLE extension to files and propagates via phony Microsoft Word sites that host a rogue MS Office plugin.

  • NMOREIRA 4 VARIANT ON THE LOOSE

    The sample in question uses the .NM4 string to blemish encoded files and leaves “Recovers your files.html” recovery how-to.

  • TWEAK OF THE CERBER RANSOMWARE

    Cerber now harnesses CVE-2017-0199 vulnerability to spread and drops “_!!!_README_!!!_[random]_.hta/txt” ransom notes.

  • “INTERNATIONAL POLICE ASSOCIATION” RANSOMWARE

    Impersonates the IPA, moves files to a password-protected ZIP archive, and uses the “.locked” extension. The password is ddd123456.

  • FRESH UPDATE OF THE JIGSAW RANSOMWARE

    The latest Jigsaw variant appends scrambled files with the .Contact_TarineOZA@Gmail.com suffix. Still decryptable.

  • DETAILS OF CERBER’S NEW TACTIC UNVEILED

    The detailed write-up describes new malspam wave distributing Cerber ransomware and CVE-2017-0199 vulnerability use.

  • MORDOR RANSOMWARE CAMPAIGN KICKS OFF

    New Hidden Tear based Mordor (aka Milene) ransomware uses the .mordor file extension and READ_ME.html ransom manual.

  • INDONESIAN HT SPINOFF IN DEVELOPMENT

    A Hidden Tear variant is spotted that uses the .maya file extension and READ ME.txt ransom note with text in Indonesian.

  • DELPHI-BASED RSAUTIL RANSOMWARE RELEASED

    New RSAUtil sample stains files with the .helppme@india.com.ID[8_chars] suffix and drops How_return_files.txt help document.

  • DEADSEC-CRYPTO V2.1 IS ABOUT TO GO LIVE

    Brazilian in-dev strain called DeadSec-Crypto v2.1 is discovered. It uses thecracker0day@gmail.com email token.

  • CRYPTOMIX UPDATE

    The newest iteration of the CryptoMix ransom Trojan uses the .wallet extension and #_RESTORING_FILES_#.txt ransom note.

  • MIKOYAN ENCRYPTOR DISCOVERED

    Concatenates the .MIKOYAN extension to every ransomed file and uses mikoyan.ironsight@outlook.com email token.

  • EXTRACTOR RANSOMWARE

    Indicators of compromise for new Extractor ransomware include the .xxx extension and ReadMe_XXX.txt decryption help file.

  • RUBY RANSOMWARE IS NOTHING SPECIAL

    In-development Ruby pest appends files with an apropos .ruby string and drops a recovery how-to named rubyLeza.html.

  • ANOTHER TROLDESH OFFSPRING POPS UP

    Fresh variant from the Troldesh family blemishes locked files with the .crypted000007 extension and uses README.txt note.

  • MAYKOLIN RANSOMWARE SPOTTED

    Uses the .[maykolin1234@aol.com] string to label encoded data and leaves a help file named README.maykolin1234@aol.com.txt.

  • AMNESIA STRAIN’S NAME IS SELF-EXPLANATORY

    Denies access to personal files, appends the .amnesia extension to each one and drops a TXT ransom note.

  • FILEFROZR SHAPING UP TO BE A BIG PROBLEM

    The brand-new FileFrozr ransomware includes data-wiping capabilities. Drops a recovery how-to named READ_ME.txt.

  • ONE MORE BREAKTHROUGH BY EMSISOFT

    Emsisoft’s Fabian Wosar creates a free decryption tool for the Cry128 edition of CryptON ransomware.

  • CRYPTOBOSS SAMPLE APPEARS

    Amnesia ransomware spinoff jumbles filenames and stains them with the .cryptoboss extension.

  • GLOBEIMPOSTER EDITION WITH SOME FRESH MAKE-UP

    A GlobeImposter ransomware variant is spotted that uses the .keepcalm file extension and keepcalmpls@india.com email address.

  • F**KTHESYSTEM RANSOMWARE

    This one is quite primitive in terms of the design and crypto. Concatenates the .anon extension to locked files.

  • VCRYPT SAMPLE WITH GEO-RESTRICTIONS

    The vCrypt ransom Trojan zeroes in on Russian-speaking users. It appends the .vCrypt1 extension to every hostage data object.

  • RANSOMWARE CALLED PEC 2017

    Italian PEC 2017 strain affixes the .pec string to filenames and drops a help file called AIUTO_COME_DECIFRARE_FILE.html.

  • LOW-LEVEL HATERS RANSOMWARE

    Concatenates the .haters extension to ciphered entries. Has encryption flaws that allow for successful decryption free of charge.

  • XNCRYPT STRAIN SURFACES

    Locks the screen and blemishes files with the .xncrypt extension. The unlock code is 20faf12b60854f462c8725b18614deac.

  • SAMPLE SPOTTED THAT’S MORE THAN JUST RANSOMWARE

    Researchers from G Data came across a new in-dev ransom Trojan that combines regular extortion with spyware features.

  • CERBER VERSION 6 IS OUT

    The latest Cerber ransomware edition boasts improved encryption, AV evasion, anti-sandboxing and a few more new capabilities.

  • BTCWARE MALADY UPDATED

    The only conspicuous change made to BTCWare as part of this update is the .cryptowin string added to filenames.

  • ANOTHER SCREEN LOCKER IS ON ITS WAY

    Security analysts discover a new unnamed in-development screen locking Trojan. The unlock password is KUrdS12@!#.

  • FIRST UPDATE OF SHELLLOCKER

    ShellLocker ransomware, which appeared in November 2016, spawns its first new variant since then, called X0LZS3C.

  • BTCWARE RANSOMWARE CRACKED

    Researchers create a decryptor for BTCWare. The tool can restore .cryptowin, .cryptobyte and .btcware extension files for free.

  • CLOUDED RANSOMWARE, A BUGGY ONE

    Generates a separate crypto key for each file and doesn’t store these keys anywhere. Concatenates the .cloud extension.

  • GLOBEIMPOSTER PROPPED BY NEW SPAM WAVE

    The so-called “Blank Slate” malspam campaign begins spreading the newest edition of the GlobeImposter ransomware.

  • RANS0MLOCKED SAMPLE

    The Rans0mLocked infection appends files with the .owned extension and demands 0.1 BTC for decryption.

  • PORTUGUESE ANTI-DDOS RANSOMWARE

    This open-source ransomware based sample is a combo of screen locker and file encoder. Arrives as Anti-DDos.exe file.

  • FATBOY RAAS LAUNCHED

    Russian crooks start an underground marketing campaign supporting new Ransomware-as-a-Service platform called Fatboy.

  • CCGEN 2017 VARIANT OF JIGSAW RANSOMWARE

    The payload for this new Jigsaw spinoff is disguised as a credit card generator. This pest adds the .fun extension to filenames.

  • INDICATORS OF COMPROMISE FOR NEWHT RANSOMWARE

    NewHT, which might stand for “New Hidden Tear”, uses the .htrs file extension and readme.txt help file.

  • NON-STANDARD TACTIC OF ZIPLOCKER SPECIMEN

    ZipLocker moves files to a password-protected ZIP archive (password is “Destroy”) and adds UnlockMe.txt ransom note.

  • ENJEY RANSOMWARE UPDATE

    New Enjey variant switches to using the .encrypted.decrypter_here@freemail.hu.enjey extension for hostage files.

  • DECRYPTOR AVAILABLE FOR AMNESIA RANSOMWARE

    Emsisoft security vendor creates a free decryption tool for the Amnesia ransom Trojan.

  • NEW JIGSAW VARIANT IS OUT

    The latest edition of Jigsaw ransomware uses the .PAY extension to label encrypted files. Still decryptable.

  • FILE FROZR RAAS DETAILS

    Crooks market the Ransomware-as-a-Service called File Frozr as a “great security tool”. The usage cost is $220.

  • CRYPTO-BLOCKER CAMPAIGN FAILS

    Crude ransom Trojan called Crypto-Blocker appears, asks for 10 USD or EUR. Researchers retrieve the unlock code, which is 01001.

  • THUNDERCRYPT SPREADS VIA ONLINE FORUM

    IT analysts discover that the ThunderCrypt ransomware is using a Taiwan forum as a springboard for propagation.

  • RANSOMWARE-RELATED LAWSUIT

    Law firm from Rhode Island tries to get $700,000 compensation from insurance company over ransomware losses.

  • BITKANGOROO RANSOMWARE ERASES DATA

    Unless paid, the BitKangoroo ransomware, which appends the .bitkangoroo extension to files, will be deleting one file every hour.

  • GRUXER RANSOMWARE IS OFF THE BEATEN TRACK

    New sample called Gruxer arrives with a loader composed of a Hidden Tear based code, screen locker, and image-scrambling module.

  • BTCWARE STRAIN REFRESHED

    Another variant of BTCWare crypto pest concatenates the .[sql772@aol.com].theva string to every ransomed file.

  • NEMES1S RANSOMWARE-AS-A-SERVICE

    It turns out that the newly discovered NemeS1S RaaS underpins a recent wave of PadCrypt ransomware attacks.

  • RSAUTIL SAMPLE PLANTED ON COMPUTERS MANUALLY

    RSAUtil ransomware, which uses the .helppme@india.com extension, arrives at PCs via RDP services cracked by extortionists.

  • RUSSIAN VCRYPT RANSOMWARE

    Targets Russian users, adds the .vCrypt1 suffix to files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.

  • SCREEN LOCKER FEATURING A BIT OF POLITICS

    A ransomware is spotted that displays images of South Korean election candidates on its warning screen.

  • A LIKELY NEW LOCKY VARIANT SURFACES

    Following the Osiris edition of the Locky ransomware, another possible spinoff appears that uses the .loptr file extension.

  • AMNESIA DECRYPTOR UPDATED

    Emsisoft’s CTO Fabian Wosar publishes an update for his Amnesia ransomware decryptor that supports all variants.

  • JAFF RANSOMWARE GOES LIVE

    A Locky lookalike is discovered that appends files with the .jaff extension and demands a whopping 2 BTC, or about $3500.

  • IN-DEPTH ANALYSIS OF JAFF PUBLISHED

    Emsisoft does a write-up on the new Jaff ransomware, analyzing its ostensible ties with the Locky plague.

  • SLOCKER TROJAN RE-EMERGES

    A cybercrime group behind Android ransomware called SLocker spawns 400 new spinoffs making the rounds after a long hiatus.

  • EXTERNAL CHANGE OF GRUXER

    Updated Gruxer strain displays a Matrix movie-style warning screen but fails to complete the encryption routine.

  • ACRYPT SAMPLE BECOMES BCRYPT

    This lineage started with vCrypt, then changed to aCrypt followed by bCrypt. The crooks must have run out of creativity, obviously.

  • WANA DECRYPT0R 2.0 IS ON A POWERFUL RISE

    Aka WannaCry, it labels locked files with the .WNCRY extension. Hits Spain’s telco provider Telefonica, disrupting its operations.

  • HIGH-PROFILE PROPAGATION OF WNCRY STRAIN

    The .WNCRY file ransomware (Wana Decrypt0r) uses previously leaked NSA exploits to infect numerous PCs around the globe.

  • WANA DECRYPT0R KEEPS IMPRESSING

    The specimen continues to affect home users and large companies, most of which are in the UK, Spain, Russia, Ukraine, and Taiwan.

  • USAGE OF NSA EXPLOITS BY WNCRY EXPLAINED

    Most infection instances involve the ETERNALBLUE exploit dumped by the Shadow Brokers hacker ring recently.

  • RESEARCHERS CREATE WANNACRY HEAT MAP

    The New York Times aggregates information on reported WannaCry infection instances and creates a live global heat map.

  • INTERESTING WRITE-UP ON WNCRY VIRUS

    Malwarebytes security firm publishes a comprehensive technical report on the newsmaking Wana Decrypt0r 2.0 threat.

  • WANNACRY CAMPAIGN INTERRUPTED BY CHANCE

    Researcher going by the alias MalwareTech registers a domain involved in WannaCry outbreak, thus disrupting the wave for a while.

  • MICROSOFT TRYING TO THWART WNCRY EPIDEMIC

    The corporation rolls out a patch for Windows XP/8/Server 2003, having previously done the same for newer OS editions.

  • IN-DEV TDELF SAMPLE

    Security experts come across a new in-development strain that’s configured to concatenate the .tdelf string to hostage files.

  • SECRETSYSTEM RANSOM TROJAN

    Uses the .slvpawned extension to mark encrypted data. Crackable with StupidDecryptor tool made by Michael Gillespie.

  • MINOR CHANGE OF VCRYPT

    Similarly to a few previous tweaks, the only change made to vCrypt ransomware is a different first letter, so it’s now xCrypt.

  • ZELTA RANSOMWARE REPRESENTS A KNOWN LINEAGE

    A new variant of the Stampado strain called Zelta surfaces. It subjoins the .locked suffix to enciphered files.

  • PROOF OF IMMENSE WANNACRY ACTIVITY

    A security analyst from France deliberately sets up a honeypot server, and it gets hit by WannaCry 6 times in an hour and a half.

  • MICROSOFT ON WANNACRY OUTBREAK

    Microsoft’s Chief Legal Officer publishes a write-up accusing the NSA of failing to properly protect the exploits it discovered.

  • FAKE JIGSAW RANSOMWARE

    This Jigsaw strain lookalike uses the .fun extension for locked files. The password to decrypt is FAKEJIGSAWRansomware.

  • GLOBEIMPOSTER UPDATE

    New GlobeImposter edition takes after Dharma in that it uses the .wallet extension. The ransom note is how_to_back_files.html.

  • GRUXER EVOLUTION MOVES ON

    Another version of the relatively new GruXer ransomware appears. Just like its predecessor, it has crypto imperfections.

  • WANNACRY COPYCATS POP UP

    Several replicas of WannaCry are spotted in the wild, including one called DarkoderCrypt0r and a customizable ransomware builder.

  • WANNACRY VERSION WITH NEW KILL SWITCH

    WannaCry strain starts using a new domain as a kill switch. Researchers promptly register this domain and thus interrupt the wave.

  • EDITION OF WANNACRY WITH NO KILL SWITCH

    Someone reportedly tried to launch a WannaCry variant that doesn’t use a kill switch. Fortunately, the attempt failed.

  • PHILADELPHIA RANSOMWARE SPREADING WITH COMPANY

    New variant of the Philadelphia strain is deposited on computers via RIG exploit kit, along with the Pony info-stealing virus.

  • FRESH BTCWARE VARIANT IS OUT

    BTCWare edition dubbed Onyonlock appends the .onyon suffix to encrypted files and drops !#_DECRYPT_#!.inf ransom how-to.

  • MAY RANSOMWARE APPEARS

    The sample called May Ransomware uses the .locked or .maysomware extension and Restore_your_files.txt help file.

  • FOUL PLAY BY KEE RANSOMWARE

    This one displays a warning window titled @kee and does not provide any chance to restore data, not even through payment.

  • FARTPLZ SAMPLE IS NO JOKE

    The strain in question stains files with the .FartPlz extension and creates a ransom note named ReadME_Decrypt_Help_.html.

  • MONERO MINER TURNS OUT A VACCINE FOR WANNACRY

    A Monero cryptocurrency miner dubbed Adylkuzz blocks SMB ports, so it effectively prevents WannaCry from infecting a computer.

  • USERS MOCKING WANNACRY UBIQUITY

    People make Internet memes about WannaCry Trojan, posting self-made pictures with the ransom screen on various devices.

  • HAPPY ENDING FOR BTCWARE VICTIMS

    Someone posted Master Decryption Key for BTCWare infection. Researchers quickly came up with a free decryptor.

  • WANNA SUBSCRIBE 1.0

    This Java-based WannaCry copycat doesn’t do any crypto but instead instructs victims to subscribe to a specified YouTube channel.

  • NEW XORIST EDITION RELEASED

    Brand-new offspring of the Xorist family is spotted. It affixes the .SaMsUnG string to encoded data entries.

  • A PARTICULARLY HOSTILE JIGSAW VARIANT

    An iteration of the Jigsaw ransomware goes live that blemishes victims’ files with the .die extension.

  • LOCKOUT SAMPLE STARTS PROPAGATING

    Appends the .Lockout extension to files, drops Payment-Instructions.txt ransom note and displays a warning message before startup.

  • SPORA WON’T STOP SPREADING

    Although the Spora ransomware campaign slowed down lately, it is regaining momentum, according to ID Ransomware service.

  • POSSIBLE TIES BETWEEN LAZARUS GROUP AND WANNACRY

    Some researchers claim WannaCry code resembles that of malware used by Lazarus Group, a North Korean cybercrime ring.

  • GLOBEIMPOSTER SPAWNS MORE VARIANTS

    Two new editions of GlobeImposter ransomware surface. They use the .hNcrypt and .nCrypt extensions for encrypted files.

  • UIWIX TAKES AFTER WANNACRY IN A WAY

    The new Uiwix ransomware (.UIWIX extension, _DECODE_FILES.txt how-to) is reportedly proliferating via EternalBlue exploit.

  • WALLET RANSOMWARE IS NOW DECRYPTABLE

    An anonymous person posts Master Decryption Keys for Wallet ransomware on BleepingComputer forums. Avast releases a free fix.

  • HATERS STRAIN DISGUISED AS WANNACRY

    Authors of the Haters ransomware release an Indonesian variant that pretends to be WannaCry. Includes a PayPal ransom option.

  • SOME EXPERT DISCUSSION ABOUT WANNACRY OUTBREAK

    An entry is posted on Emsisoft blog, where researchers shed light on nuances of the WannaCry ransomware campaign.

  • ONE MORE REPLICA OF WANNACRY

    Called WannaCry Decryptor v0.2, this one goes ahead and erases victims’ files with no recovery option.

  • RAY OF HOPE FOR WANNACRY VICTIMS

    Security analyst Benjamin Delpy creates a tool called WanaKiwi that decrypts WannaCry ransomware under certain conditions.

  • MEDICAL EQUIPMENT EXPOSED TO WANNACRY ATTACKS

    The WannaCry ransomware reportedly infected a Windows-based medical radiology device in a U.S. hospital.

  • XDATA SAMPLE WREAKING HAVOC IN UKRAINE

    This one uses the .~xdata~ file extension and HOW_CAN_I_DECRYPT_MY_FILES.txt ransom note. Mostly spreads in Ukraine.

  • BTCWARE DECRYPTOR ENHANCED

    Free decryption tool for BTCWare now supports the .onyon and .theva file extension variants of this strain.

  • YURIZ MA SCREEN LOCKER FAILS TO CAUSE DAMAGE

    This new screen locker displays a warning message saying, “Hacked by Yuriz MA”. Fortunately, it can be closed via Alt+F4.

  • YET ANOTHER WANNACRY REPLICA

    One more WannaCry lookalike called Wana Decrypt0r 3.0 is spotted in the wild. It fails to encrypt any files.

  • VISIONCRYPT 2.0 RANSOMWARE POPS UP

    This specimen uses the .VisionCrypt extension and doesn’t change original filenames. Attackers’ email is VisionDep@sigaint.org.

  • RANSOMWARE PILFERING IMAGES

    MHT spots a sample that transmits a victim’s image files to the attacker’s email address and then deletes them from the PC.

  • ONE MORE WANNACRY KNOCKOFF

    Unlike the other copycats, this one’s warning screen is titled after the original ransomware (Wana Decryptor 2.0). No crypto so far.

  • DECRYPTION ASSISTANT RANSOMWARE

    The development of this sample is still in progress. It is set to concatenate the .pwned string to enciphered entries.

  • IN-DEV D2+D RANSOMWARE

    Another unfinished extortion program. While it does no crypto so far, the hard-coded password is 215249148.

  • “UNIDENTIFIED” SCREEN LOCKER

    Although this screen locker hasn’t gone live yet, researchers were able to get hold of the would-be unlock password.

  • BTCWARE DECRYPTOR TWEAK

    The latest edition can decrypt .onyon extension files up to 1270896 bytes even if it fails to retrieve the decryption key.

  • NORTH KOREA’S STATEMENT ON WANNACRY EPIDEMIC

    In response to security experts’ verdicts, North Korean representative at the UN claims his state has nothing to do with WannaCry.

  • WANNACRY SPINOFFS FRENZY CONTINUES

    One more replica of WannaCry called Wana DecryptOr 2.0 pops up. The warning screen is identical to the original’s.

  • VMOLA RANSOMWARE HUNT KICKS OFF

    Researchers declare a ransomware hunt for the sample that uses the (Encrypted_By_VMola.com) file extension token.

  • JAFF RANSOMWARE UPDATE

    The new edition switched to appending the .WLU string to encoded files. It still uses spam to propagate.

  • CVLOCKER, A NEW CRUDE SAMPLE

    This one is currently in development. It is configured to delete a victim’s files unless a payment is sent within a specified deadline.

  • ROMANIAN SCREEN LOCKER CALLED WIDIA

    Widia’s warning states it has encrypted data, but it’s in fact just a primitive screen locker that can be bypassed via Alt+F4.

  • LAME FBI LOCKER IS OUT

    Dubbed MemeWare, this screen locker pretends to be from the FBI. Accepts ransoms over MoneyPak. Unlock code is 290134884.

  • ELMER’S GLUE LOCKER V1.0

    The lock screen says, “Your computer has been locked with very sticky Elmers Glue,” whatever that means. Removable in Safe Mode.

  • NEW HT SPINOFF SPOTTED

    Another Hidden Tear PoC derivative dubbed Deos demands 0.1 BTC for decryption. It has critical flaws and doesn’t encrypt properly.

  • .WTDI FILE BADDIE ON THE TABLE

    This sample is a .NET edition of CryptoWall ransom Trojan. It uses the .wtdi file extension and displays a warning message in Russian.

  • FRAUDSTERS CASHING IN ON WANNACRY EPIDEMIC

    A scam alert is issued regarding growing tech support frauds that use the fuss around WannaCry to rip off gullible users.

  • MOWARE H.F.D PEST SURFACES

    Said malware is an umpteenth offspring of Hidden Tear POC in the wild. Appends files with the .H_F_D_locked extension.

  • ONE MORE DECRYPTOR FOR BTCWARE CREATED

    Avast devises a free decryption tool for BTCWare that supports all variants of this strain.

  • XDATA LOOKALIKE FROM A KNOWN FAMILY

    A version of the Xorist ransomware is out that mimics the recent XData infection. Similarly to its prototype, it uses the .xdata file suffix.

  • ADONIS RANSOMWARE IS ALL ABOUT BLUFF

    Coded in AutoIT, the Adonis ransomware claims to encrypt data but it actually doesn’t. And yet, it leaves DE.html and EN.html notes.

  • NEW THOR RANSOMWARE, NOTHING TO DO WITH LOCKY

    This in-development sample doesn’t use any extension to flag ransomed files. Replaces desktop background and demands 0.5 BTC.

  • EXTREMELY DESTRUCTIVE STRAIN SPREADING

    Ransomware that runs as the ‘mother of all viruses.exe’ process wipes all HDD volumes rather than encrypting data.

  • TIES BETWEEN 4RW5W PEST AND WANNACRY

    The 4rw5w crypto virus also uses a kill switch mechanism and similar names for auxiliary files. The extension is .4rwcry4w.

  • MASTER DECRYPTION KEYS FOR AES-NI AVAILABLE

    The author of the AES-NI ransomware releases decryption keys so that victims can restore their files for free.

  • WANNACRY DEV MOST LIKELY SPEAKS CHINESE

    Having scrutinized WannaCry ransom how-to files, linguists concluded that the maker’s native language is most likely Chinese.

  • LIGHTNING CRYPT RANSOMWARE APPEARS

    This new strain has moderate demands, asking for 0.17 BTC. Affixes the .lightning extension to ransomed data entries.

  • CRYSTALCRYPT RANSOM TROJAN

    CrystalCrypt is a Lightning Crypt remake. It appends victims’ files with the .blocked extension.

  • MANCROS+AI4939 RANSOMWARE

    The sample called Mancros+AI4939 is in fact a screen locker that doesn’t actually do crypto. It requests $50 worth of Bitcoin.

  • BTCWARE TWEAK

    BTCWare ransom Trojan has switched to using the .xfile suffix to label hostage files. The existing decryptor already supports it.

  • DMA LOCKER 3, NEW VARIANT OF OLD RANSOMWARE

    This fresh spinoff of the DMA Locker ransomware uses the !Encrypt! filemarker, data0001@tuta.io email address, and asks for 1 BTC.

  • AUTOMATIC TOOL NOW DECRYPTS AES-NI RANSOMWARE

    Security vendor Avast uses the previously released master decryption keys for AES-NI to create a free decryptor.

  • LOW-LEVEL WANADIE RANSOMWARE

    It’s based on buggy open-source ransomware code. Appends the .WINDIE string to encrypted files. Crackable with StupidDecryptor.

  • ENHANCEMENTS MADE TO STUPIDDECRYPTOR

    The StupidDecryptor solution by Michael Gillespie (@demonslay335) is updated to support .fucking and .WINDIE extension strains.

  • CRYING RANSOMWARE CODING IN PROGRESS

    Analysts stumble upon an in-dev sample that uses the .crying file extension and READ_IT.txt ransom instructions.

  • ROBLOCKER X INFECTION BEING CREATED

    In-dev Roblocker X claims to encrypt Roblox game files but only locks the screen instead. The unlock password is currently ‘PooPoo’.

  • GLOBEIMPOSTER REMAKE

    The newest variant of GlobeImposter ransomware concatenates the .write_us_on_email string to each enciphered file.

  • DVIIDE, ANOTHER RUN-OF-THE-MILL RANSOMWARE

    The sample with bizarre name “Dviide” appends encrypted files with the .dviide extension. Uses a primitive warning window.

  • NEW CHINESE SCREEN LOCKER

    The lock screen is in Chinese. This low-impact Trojan also displays a QR code to streamline the ransom payment routine.

  • LOCKEDBYTE RANSOMWARE

    This one employs XOR encryption and stains hostage files with random extensions. The ransom note is hard to read due to its font color.
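    The entry above says only that LockedByte “employs XOR encryption”. The following added example (written for this chronicle, not LockedByte’s own code, and making no claim about how that strain generates or stores its key) shows why repeating-key XOR tends to be decryptable without the attacker’s help: most file formats start with fixed magic bytes, so the first bytes of every encrypted file are known plaintext, and XORing them against the ciphertext hands the key back. The victim file contents below are constructed.

```python
"""Known-plaintext recovery of a repeating XOR key from file headers.

Added example for the chronicle, not LockedByte's code. Sample file bytes
are constructed; the magic-byte table holds real format headers."""
from itertools import cycle
from typing import Dict, Optional

# Known leading bytes of common formats. A valid PNG always starts with the
# signature followed by a 13-byte IHDR chunk header, so 16 bytes are fixed;
# PDF and ZIP give fewer bytes of known plaintext.
KNOWN_HEADERS: Dict[str, bytes] = {
    ".png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
    ".pdf": b"%PDF-1.",
    ".zip": b"PK\x03\x04",
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Return the shortest repeating key (1..max_key_len bytes) that reproduces the
    known plaintext prefix, requiring at least one wrapped-around byte to confirm
    the period. Returns None when the known prefix is too short to confirm any
    key; longer keys need more known plaintext, e.g. a backup copy of one file."""
    usable = min(len(known_prefix), len(ciphertext))
    for key_len in range(1, min(max_key_len, usable - 1) + 1):
        candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))
        # Check the candidate against the whole prefix so the wrap-around bytes must match too.
        if xor_with_key(ciphertext[:usable], candidate) == known_prefix[:usable]:
            return candidate
    return None


def recover_file(ciphertext: bytes, original_ext: str) -> Optional[bytes]:
    """Decrypt one file whose original extension (and therefore header) is known."""
    header = KNOWN_HEADERS.get(original_ext.lower())
    if header is None:
        return None
    key = recover_key(ciphertext, header)
    return None if key is None else xor_with_key(ciphertext, key)


if __name__ == "__main__":
    # Constructed victim file: a minimal PNG-like blob "encrypted" with a 12-byte key.
    plaintext = KNOWN_HEADERS[".png"] + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06constructed pixel data"
    ciphertext = xor_with_key(plaintext, b"LockedByte!1")
    print(recover_key(ciphertext, KNOWN_HEADERS[".png"]))  # b'LockedByte!1'
    print(recover_file(ciphertext, ".png") == plaintext)    # True
```

    The limitation is visible in the code: a 7-byte PDF header cannot confirm a 12-byte key, so `recover_key` returns None rather than a truncated wrong key. In practice the analyst then pairs one encrypted file with its unencrypted copy from a backup or email attachment, which yields as much known plaintext as the file is long, and the recovered key decrypts every other file the same key was used on.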

  • EXTORTIONIST LEVERAGING REMOTE ACCESS TROJAN

    An individual nicknamed “vicswors baghdad” is trying his hand at deploying the Houdini RAT and MoWare H.F.D. ransom Trojan.

  • BLACKSHEEP INFECTION DOESN’T LIVE UP TO ITS NAME

    The ransomware called BlackSheep concatenates the .666 extension to files and demands $500 worth of BTC. Nothing special about it.

  • 1337LOCKER RANSOMWARE

    This new strain jumbles filenames and affixes the .adr string to them. Uses the AES-256 cryptosystem.

  • DOLPHINTEAR, AN UMPTEENTH HT OFFSPRING

    Unidentified crooks used open-source code of Hidden Tear PoC to create yet another derivative called DolphinTear (.dolphin extension).

  • RANSOM TROJAN USING WINRAR

    Rather than encrypting files itself, the new sample moves the victim’s data into encrypted WinRAR archives. It’s currently in development.

  • SINTALOCKER STRAIN REPRESENTING A KNOWN FAMILY

    Researchers from GData come across a CryPy spinoff called SintaLocker. It uses the README_FOR_DECRYPT.txt ransom note.

  • NEW RANSOMWARE WITH NO NAME

    A sample is spotted that displays a window reading, “Your files have been blocked”. Demands $50 worth of Bitcoin.

  • JIGSAW VERSION WITH NEW BACKGROUND

    The makers of Jigsaw ransomware switch to a new theme for their warning screen, which now depicts a scary clown.

  • IM SORRY RANSOMWARE FROM POLITE CROOK

    Concatenates the .imsorry string to encrypted files and adds a ransom note called “Read me for help thanks.txt”.

  • ID RANSOMWARE ENHANCEMENTS ARE UNDERWAY

    The ID Ransomware service by MalwareHunterTeam is now capable of recognizing 400 ransomware strains. Thumbs up to MHT.

  • SEVERAL MORE DECRYPTORS CREATED

    Avast and CERT Polska cook up free decryption tools for the AES-NI, BTCWare and Mole ransomware.

  • R3STORE RANSOMWARE

    The specimen in question uses the .r3store file extension and READ_IT.txt ransom note. Demands $450 worth of Bitcoin.

  • DMA LOCKER KNOCKOFF DISCOVERED

    A replica of the DMA Locker ransomware pops up. Uses a slightly modified binary and the same GUI except for the name attribute.

  • WANNACRY STATS CORRECTION

    According to new research, Chinese users – not Russian – suffered the heaviest blow from the WannaCry ransomware.

  • UNEXPECTED TURN OF EVENTS WITH XDATA

    XData ransomware dev releases Master Decryption Keys. Security vendors, including Avast, ESET and Kaspersky, create decryptors.

  • BLOOPERS ENCRYPTER 1.0

    This one claims to encode data but actually fails to. It is easy to remove with commonplace AV tools, which fixes the problem.

  • ANDONIO RANSOMWARE IS NO BIG DEAL

    Only encrypts data on the desktop, uses the .andonio extension and a help file named READ ME.txt. It is a Hidden Tear variant.

  • GRODEXCRYPT IS CRYPT888 IN DISGUISE

    New GrodexCrypt Trojan is based on Crypt888 ransomware but additionally uses a GUI. Demands $50 worth of BTC. Decryptable.

  • OOPS RAMENWARE SAMPLE SPOTTED

    Instead of applying crypto, the strain called OoPS Ramenware moves files to password-protected ZIP archive with .ramen extension.

  • AMNESIA RANSOMWARE UPDATE

    The latest Amnesia edition uses the .TRMT file extension and HOW TO RECOVER ENCRYPTED FILES.txt ransom how-to.

  • BRICKR STRAIN SURFACES

    Concatenates the .brickr suffix to scrambled files and drops a recovery manual named READ_DECRYPT_FILES.txt.

  • THE UNUSUAL RESURRECTION-RANSOMWARE

    Affixes the .resurrection extension to files and uses README.html ransom note. Also plays a music box-ish melody.

  • KILLSWITCH RANSOMWARE IS ALMOST HERE

    The in-dev sample called KillSwitch appends the .switch extension to ransomed files. Quite crude at this point.

  • LUXNUT, ONE MORE POC SPINOFF

    Crooks used the code of EDA2 proof-of-concept to create Luxnut ransomware, which concatenates the .locked extension to files.

  • CRYPTO HOAX POSING AS MS SECURITY ESSENTIALS

    The ransom note of this new sample is titled “Microsoft Security Essentials”. It requests $400 worth of Bitcoin for decryption.

  • SCREEN LOCKER CALLED BLUEHOWL

    Provides a 72-hour payment deadline, demands 0.2 BTC and displays a QR code to facilitate submitting the ransom.

  • AMNESIA V2 DECRYPTED

    Thanks to Emsisoft, victims of the Amnesia2 variant can now decrypt their data with a free decryption tool.

  • LOTS OF HADOOP SERVERS STILL HELD FOR RANSOM

    About 200 Hadoop servers around the globe reportedly remain hijacked, either from the infamous January campaign or from a current one.

  • GERMAN CAINXPII SCREEN LOCKER

    The strain dubbed CainXPii most likely represents the same lineage as the older Hitler ransomware. Demands €20 via PaySafeCard.

  • THE SIMPLISTIC JOKSY RANSOMWARE

    Joksy locks the screen with a warning message in Lithuanian. The ransom is payable via PayPal, which means bad OPSEC on the crooks’ part.

  • LOCKCRYPT STRAIN POPS UP

    This infection appends files with victim ID followed by the .lock string and drops a ransom how-to called ReadMe.txt.

  • TURKISH JIGSAW VARIANT RELEASED

    Called the Ramsey Ransomware, this Jigsaw offspring displays a warning message in Turkish and uses the .ram file extension.

  • EXECUTIONER RANSOMWARE

    This new Hidden Tear derivative blemishes encrypted files with random extensions and drops Sifre_Coz_Talimat.html ransom note.

  • HT-BASED MORA PROJECT RANSOMWARE

    Another infection based on Hidden Tear PoC. Uses the .encrypted file extension and ReadMe_Important.txt recovery how-to.

  • STRUTTERGEAR, A FRESH JIGSAW VERSION

    The Jigsaw ransomware edition dubbed StrutterGear displays a ransom note with lots of swear words and demands $500 worth of BTC.

  • TIES BETWEEN JAFF STRAIN AND CYBERCRIME WEB STORE

    The Jaff ransomware turns out to use server space provided by the PaySell cybercrime marketplace based in St. Petersburg, Russia.

  • JIGSAW FAMILY KEEPS SPAWNING CLONES

    A Jigsaw variant surfaces that concatenates the .lost extension to ransomed files.

  • THE DECEPTIVE MRLOCKER SAMPLE

    The malware called Mr.Locker is quite an impostor. It claims to delete one’s files unless paid, but doesn’t pose any real risk in fact.

  • MORE JIGSAW EDITIONS ARE NOW DECRYPTABLE

    ID Ransomware maker Michael Gillespie updates his Jigsaw decryption tool so that it supports .lost, .ram and .tax extension versions.

  • THE DARK ENCRYPTOR, A JIGSAW LOOKALIKE

    This one stains hostage files with the .tdelf extension and generates a desktop background reminiscent of Jigsaw’s.

  • PRIMITIVE-LOOKING OGRE RANSOMWARE

    The Ogre sample appears crude at this point. It requests a BTC equivalent of €20 and uses the .ogre file extension.

  • SCREEN LOCKER IMPERSONATING YOUTUBE

    This low-level ransom Trojan states that the victim has “violated the YouTube law”. The code to unlock it is “law725”.

  • $UCYLOCKER BASED ON HIDDEN TEAR

    New baddie called $ucyLocker subjoins the .windows string to filenames and leaves a help file named READ_IT.txt.

  • BTCWARE UPDATE

    The latest iteration of BTCWare appends files with the .[3bitcoins@protonmail.com].blocking suffix.

  • CRYMORE RANSOMWARE

    Uses the .encrypt extension to label hostage entries and threatens to make the ransom 1.5 times larger every 12 hours.

  • ENHANCEMENT OF CRYPTOSEARCH TOOL

    Michael Gillespie’s CryptoSearch utility now identifies data locked by Amnesia, Amnesia2, Cry9, Cry128 and Cry36 strains.

  • ID RANSOMWARE SERVICE SPORTS USEFUL ADDITION

    The ID Ransomware service by MalwareHunterTeam can now detect the Cry36 ransomware sample.

  • SIMPLISTIC ZILLA RANSOMWARE

    This Turkish crypto threat concatenates the .zilla string to files and provides a decryption manual named OkuBeni.txt.

  • BEETHOVEN PEST IN DEVELOPMENT

    This one is configured to append the .BeethoveN extension to scrambled files and provides a list thereof in FILELIST.txt document.

  • SCREEN-LOCKING VARIANT OF MRLOCKER

    An edition of the relatively new MrLocker malware surfaces that locks one’s screen. The 6269521 code does the unlock trick.

  • JIGSAW MAKERS COIN ANOTHER VERSION

    The most recent Jigsaw spinoff uses the .R3K7M9 extension to label encrypted files. Decryptable with Michael Gillespie’s tool.

  • WINDOWS 10 S ALLEGEDLY IMMUNE TO RANSOMWARE

    According to Microsoft, the upcoming Windows 10 S edition is going to be bulletproof against ransomware attacks.

  • XXLECXX RANSOM TROJAN IS A FAIL

    The sample called xXLecXx locks one’s screen and claims to encrypt data, while in fact it doesn’t.

  • NEW RUSSIAN RANSOMWARE APPEARS

    Appends files with the .cr020801 extension and instructs victims to send email to unlckr@protonomail.com for recovery steps.

  • CRYPTOGOD STRAIN BASED ON MOWARE H.F.D. CODE

    Displays a warning screen titled “Information Security” and concatenates the .payforunlock extension to affected files.

  • BLURRED ORIGINAL GOALS OF WANNACRY

    WannaCry ransomware distributors may be unable to decrypt victim data individually, so it may have been created for other purposes.

  • IN-DEV SPECTRE RANSOMWARE SPOTTED

    The Spectre strain appears to be professionally tailored. It scrambles filenames and affixes the .spectre extension to each one.

  • JAFF RANSOMWARE TWEAK

    The latest variant of the quite successful Jaff ransomware concatenates the .sVn extension to locked data entries.

  • MACRANSOM RAAS DISCOVERED ON THE DARK WEB

    Security experts spot a Ransomware-as-a-Service platform called MacRansom that supports a new extortion campaign targeting Macs.

  • BEETHOVEN RANSOMWARE UPDATE

    New variant of the BeethoveN ransom Trojan uses hard-coded encryption keys rather than requesting them from a C2 server.

  • INITIATIVE COUNTERING WANNACRY CAMPAIGN

    French law enforcement seized a server hosting two Tor relays purportedly associated with the WannaCry ransomware wave.

  • SVPPS.XYZ VIRUS THAT LOCKS SCREENS

    Screen locker called svpps.xyz claims to encrypt files but actually doesn’t. It demands $50 worth of BTC to unlock.

  • RANSOMWARE USING .FACEBOOK EXTENSION

    The process name is Facebook.exe and the appended extension is .Facebook. This sample is a Hidden Tear offspring.

  • RANSOMWARE HITTING DUTCH USERS

    New Hidden Tear based Dutch strain appends files with the .R4bb0l0ck extension and drops LEES_MIJ.txt ransom note.

  • ANOTHER EXTENSION TWEAK OF JIGSAW

    The latest Jigsaw ransomware edition stains encrypted files with the .Ghost extension.

  • CHILDISH-LOOKING “VIRUS RANSOMWARE”

    Called the “Virus Ransomware”, the sample displays an image of a toy from My Little Pony line. Doesn’t do any real harm.

  • THE BUGGY CA$HOUT RANSOMWARE

    In-dev crypto threat called CA$HOUT asks for $100 but fails to affect a victim’s data in any way.

  • NEW MAC MALWARE SERVICES FOR HIRE

    Security analysts stumble upon the MacSpy and MacRansom sites, the former offering Mac spyware and the latter Mac ransomware.

  • GPAA RANSOMWARE EMPLOYS A REVOLTING TACTIC

    Impersonating a rogue organization called “Global Poverty Aid Agency”, this strain claims to collect money for children in need.

  • NEW SAMPLE WITH UNWISE PAYMENT CHANNEL

    Appends the .rnsmwre string to filenames, drops @decrypt_your_files.txt ransom note and demands payment in PaySafeCard.

  • JAFF RANSOMWARE UPDATED AGAIN

    The latest edition of Jaff drops the following ransom notes: !!!SAVE YOUR FILES!.bmp and !!!!!SAVE YOUR FILES!!!!.txt.

  • JUNK STRAIN CALLED WHY-CRY

    Based on low-quality open source code, this one concatenates the .whycry extension to hostage files and requests $300 worth of BTC.

  • EREBUS RANSOMWARE INFECTS A HIGH-PROFILE TARGET

    The sample called Erebus hits over 100 Linux servers belonging to South Korean web hosting provider Nayana.

  • KASPERSKY LAB CRACKS JAFF RANSOMWARE

    Researchers at Kaspersky update their RakhniDecryptor tool to support all known variants (.jaff, .wlu, and .sVn) of the Jaff ransomware.

  • BTCWARE UPDATE FEATURES NEW EXTENSION

    Fresh variant called BTCWare MasterLock uses the .[teroda@bigmir.net].master extension to stain enciphered files.

  • AVAST DEFEATS CRYPTO OF ENCRYPTILE RANSOMWARE

    Avast replenishes their collection of free decryptors with a tool that restores data locked by multilingual EncrypTile ransom Trojan.

  • SAGE DEVS DROP NUMBERED VERSION NAMING

    As opposed to predecessors, the latest edition of the Sage ransomware does not indicate version number in the decryption how-to.

  • CRYFORME RANSOMWARE

    Someone is reportedly in the process of creating a Hidden Tear PoC spinoff called CryForMe, which will demand €250 worth of BTC.

  • RANSOMWARE ATTACKS UK COLLEGE

    University College London (UCL) fell victim to unidentified ransomware that circumvented the institution’s AV defenses.

  • CRYPTOSPIDER RANSOMWARE SPOTTED

    MHT comes across an in-dev Hidden Tear variant called CryptoSpider, which concatenates the .Cspider string to filenames.

  • WINUPDATESDISABLER, A NEW SAMPLE OUT THERE

    One more Hidden Tear derivative called WinUpdatesDisabler appends the .zbt suffix to locked files.

  • WINBAN RANSOMWARE IS NO BIG DEAL

    New screen locker appears that displays “Your Windows has been banned” alert. Victims can use code “4N2nfY5nn2991” to unlock.

  • EXECUTIONER STRAIN IS POTENTIALLY DECRYPTABLE

    Turkish ransomware called Executioner has flaws in its crypto implementation, which makes it possible for analysts to decrypt the data.

  • SANDWICH RANSOMWARE IS EASY TO GET AROUND

    Researchers spot a new screen locker displaying a picture of a sandwich on its lock screen. Codes to unlock are available.

  • SCREEN LOCKER IMPERSONATING CERBER

    This fairly persistent Cerber-style infection doesn’t actually apply any crypto, although it claims to. Demands 0.1 BTC to unlock.

  • NEW JIGSAW EDITION, NEW EXTENSION

    A spinoff of the Jigsaw ransomware surfaces that stains enciphered files with the .sux string and mainly targets Italian users.

  • HT-BASED WANNACRY KNOCKOFF

    Built using the Hidden Tear PoC code, this WannaCry replica appends the “.Wana Decrypt0r Trojan-Syria Editi0n” extension to files.

  • WINBAMBOOZLE BADDIE IS ON ITS WAY

    In-dev sample called WinBamboozle drops _README.txt note and appends files with random 4-character extensions.

  • SKULLLOCKER IS RIDICULOUSLY EASY TO BYPASS

    New screen locking virus called SkullLocker can be closed down via Alt+F4 combo. Nothing special about it except scary warning.

  • RANSOMWARE TARGETING POLISH USERS

    A Polish spinoff of the Dumb ransomware PoC is spotted. Demands 1880 zł worth of Bitcoin (0.2 BTC) for decryption.

  • RETURN OF SAMAS/SAMSAM RANSOMWARE

    Fresh samples from the thought-extinct SamSam family appear that use the .breeding123, .mention9823 and .suppose666 extensions.

  • DECRPTOR 3.2 STRAIN POPS UP

    Currently in development and does no damage; it simply displays a warning screen. Configured to demand $100 worth of BTC.

  • NSMF RANSOMWARE

    Hidden Tear offspring. Uses the .nsmf file extension and readme.txt ransom note. Demands 5 BTC “or pizza”.

  • WHOPPING RANSOMWARE PAYOUT

    South Korean hosting provider called Nayana agrees to pay a huge ransom of $1 million to recover from a ransomware attack.

  • KUNTZWARE, A BUGGY SAMPLE IN THE WILD

    Concatenates the .kuntzware extension to encrypted files. Doesn’t work as intended, so no real encryption at this point.

  • TURKISH STRAIN CALLED ZILLA

    Targets Turkish users and utilizes the .zilla string to label hostage files. The ransom note is named @@BurayaBak.txt (Eng. “Look here”).

  • GANSTA RANSOMWARE

    Affixes the .enc extension to encrypted data entries. Claims to decrypt files for free as long as a victim contacts the devs via email.

  • ANOTHER SCREEN LOCKER SURFACES

    What makes this new screen locker stand out from the rest is that it requests a victim’s credit card details.

  • CRYPT888 UPDATE

    Fresh version of the old Crypt888 ransomware switches to a new desktop background and prepends the Lock. string to filenames.

  • WANNACRY IS STILL UP AND RUNNING

    WannaCry ransomware compromised part of the IT infrastructure of a Honda car factory in Japan, temporarily halting the plant.

  • TESLAWARE KIT FOR SALE

    New customizable sample called TeslaWare can be purchased on the dark web for €35-70. Fortunately, it’s decryptable.

  • AZAZEL RANSOMWARE HUNT

    MHT invites researchers to join a hunt for the aZaZeL ransomware, which uses the .Encrypted extension and File_Encryption_Notice.txt note.

  • NEW STRAIN WRITTEN IN RUBY

    The Ruby ransomware leverages a DGA (domain generation algorithm) and Command & Control server to streamline the extortion.

  • ONECRYPT IS TOO CRUDE TO WORK RIGHT

    This one is in the process of development thus far. Ransom note !!!.txt has a bunch of blanks to be filled out by the author.

  • ANOTHER HIGH-PROFILE TARGET OF WANNACRY

    WannaCry infects 55 road safety cameras in Victoria state, Australia, forcing officials to suspend thousands of infringement tickets.

  • ANOTHER COMEBACK OF LOCKY

    Once again, Locky ransomware architects resume their campaign. However, the pest only targets Windows XP and Vista.

  • CRYPTODARK RANSOMWARE

    Said sample is pretty much harmless as it doesn’t perform real encryption. And yet, it demands $300 worth of BTC.

  • CERBER COPYCAT SPOTTED

    Researchers bump into a specimen that imitates Cerber ransomware and concatenates the .encrypted suffix to files.

  • RANSOMWARE PILFERING GROWTOPIA CREDENTIALS

    AlixSpy malware captures sensitive login info for Growtopia game and generates a “System locked” screen asking for $20 worth of BTC.

  • QUAKEWAY ISN’T THAT BAD

    This ransomware appends the .org extension to locked files and drops the ___iWasHere.txt ransom how-to. Decryptable, according to MHT.

  • RANSOMWARE INCIDENTS ARE SCARCELY REPORTED

    According to FBI’s 2016 Internet Crime Report, few ransomware victims notify law enforcement of these attacks.

  • WINDOWS 10 S ISN’T THAT BULLETPROOF

    Despite Microsoft’s claims of Windows 10 S edition being invulnerable to ransomware, white hat hackers proved the opposite.

  • UNIQUENESS OF THE REETNER RANSOMWARE

    The sample called Reetner splits its attack into separate executables for different stages, a modular approach to deployment.

  • NEW SCREEN LOCKER THAT DOESN’T WANT MONEY

    Researchers discover a screen locker that acts like the average strain in this niche, except that it doesn’t demand a ransom to unlock.

  • EYLAMO RANSOMWARE IS RUN-OF-THE-MILL

    Hidden Tear derivative. Concatenates the .lamo extension to filenames and provides instructions in READ_IT.txt document.

  • KRYPTONITE HAS INTERESTING CAMOUFLAGE

    The payload of Kryptonite hoax is masqueraded as a Snake game. Crashes upon execution but demands $500 regardless.

  • JIGSAW UPDATED, ONCE AGAIN

    New offspring of the Jigsaw ransomware family uses the .rat extension to flag encrypted data.

  • HT VARIANT INVOLVED IN TARGETED ATTACKS

    Appends the .locked extension to filenames, drops READ_ME.txt note and specifically zeroes in on the Eurogate company.

  • ANDROID RANSOMWARE WITH ADULT FLAVOR

    Dubbed Koler, this ransom Trojan spreads as a rogue PornHub app. Displays an FBI-themed lock screen on the infected Android device.

  • HIDDEN TEAR DERIVATIVE IN NEW DISGUISE

    Another HT spinoff is discovered that mimics the Battlefield game to infect PCs. Uses the .locked file extension.

  • MMM RANSOMWARE

    Said infection concatenates the .0x004867 string to encoded data and drops numerous .info files containing encryption keys.

  • SAMAS LINEAGE PRODUCES ANOTHER VARIANT

    Brand-new edition of Samas/SamSam ransomware affixes the .moments2900 extension to locked files.

  • NAYANA CASE GOES TOXIC

    After web host Nayana paid a $1 million ransom, crooks started hitting other South Korean companies with DDoS-for-ransom attacks.

  • KARO TROJAN WITH NOTHING SPECIAL UNDER THE HOOD

    New ransomware called Karo concatenates the .ipygh string to filenames and creates ReadMe.html ransom manual.

  • VIACRYPT, A GARDEN-VARIETY SAMPLE

    The main hallmark of this strain is the .via extension added to files. Displays a ransom note with Latvian text.

  • SHIFR RANSOMWARE-AS-A-SERVICE

    This RaaS network lets cybercriminals create custom ransomware builds for a fee that’s much lower than the average.

  • PETYA RETURNS WITH LARGE-SCALE CAMPAIGN

    A sample resembling the ill-famed Petya MFT encryptor infects numerous organizations in Ukraine and other European countries.

  • PETYA INBOX SUSPENDED

    Email provider Posteo blocks account wowsmith123456@posteo.net, which is used in the new Petya ransomware wave.

  • POSSIBLE SOURCE OF PETYA EPIDEMIC DISCOVERED

    Petya, or NotPetya as some researchers dubbed it, reportedly spreads as a malicious update for M.E.Doc accounting software.

  • METHOD FOUND TO AVOID PETYA

    Turns out that creating a read-only file named ‘perfc.dat’ inside the Windows folder stops the Petya attack in its tracks. This is a per-machine vaccine rather than a kill switch: it only keeps the sample from running on the host that has the file.
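    The vaccine described above, as an added example for this chronicle (not code from the page or from any vendor): the sample looked for a file with its own name in the Windows directory and bailed out if it found one, so the script creates that marker read-only and verifies it. The page names only perfc.dat; the extra names perfc and perfc.dll follow other vaccination guidance circulated at the time and are an assumption here. The audit function is the part worth keeping for fleet checks, since a marker that exists but is writable is easy to miss.

```python
"""Petya/NotPetya vaccine: create read-only marker files in %SystemRoot%.

Added example, not the page's or a vendor's code. Assumption: besides
perfc.dat (named on the page), perfc and perfc.dll are created as well,
following other vaccination guidance from June 2017."""
import os
import stat
from pathlib import Path
from typing import Dict, Iterable

VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def windows_dir() -> Path:
    """Directory the sample checks: %SystemRoot%, normally C:\\Windows."""
    return Path(os.environ.get("SystemRoot", r"C:\Windows"))


def is_vaccinated(path: Path) -> bool:
    """True if the marker exists as a regular file with the owner write bit
    cleared (on Windows that bit mirrors the read-only attribute)."""
    if not path.is_file():
        return False
    return not (path.stat().st_mode & stat.S_IWUSR)


def create_vaccine(directory: Path, names: Iterable[str] = VACCINE_NAMES) -> Dict[str, bool]:
    """Create each marker as an empty read-only file and report its state.
    Idempotent: existing markers are kept, only their mode is corrected."""
    status: Dict[str, bool] = {}
    for name in names:
        path = directory / name
        if not path.exists():
            path.touch()
        # Clear every write bit; on Windows this sets the read-only attribute.
        mode = path.stat().st_mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
        path.chmod(mode)
        status[name] = is_vaccinated(path)
    return status


def audit_vaccine(directory: Path, names: Iterable[str] = VACCINE_NAMES) -> Dict[str, bool]:
    """Non-modifying check for fleet audits: which markers are missing or writable."""
    return {name: is_vaccinated(directory / name) for name in names}


if __name__ == "__main__":
    # Writing into C:\Windows needs an elevated prompt.
    target = windows_dir()
    for name, ok in create_vaccine(target).items():
        print(f"{target / name}: {'vaccinated' if ok else 'FAILED'}")
```

    Run it from an elevated prompt on each Windows host, or call `audit_vaccine(windows_dir())` from an inventory script to list hosts where a marker is missing or has lost its read-only bit. The marker only stops this one sample from executing its payload locally; it does nothing against the M.E.Doc delivery channel or lateral movement toward unvaccinated machines, so it complements patching rather than replacing it.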

  • CRYPTOBUBBLE RANSOMWARE

    Someone calling himself “Bob” starts spreading CryptoBubble, a sample that uses the .bubble file extension. This one is decryptable.

  • EXECUTIONER RANSOMWARE CHANGE

    Turkish crypto malady called Executioner starts staining hostage files with a random 6-character extension.

  • PETYA IS NOT AN EXTORTION INSTRUMENT

    Kaspersky researchers affirm that the new Petya has no working MFT decryption routine, so paying the ransom has no effect.

  • CROOKS ARE TARGETING UKRAINE ALL THE TIME

    Ransomware called PSCrypt had reportedly begun propagating in Ukraine several days before the Petya outbreak occurred.

  • PETYA MAY NOT BE RANSOMWARE AT ALL

    Since classic ransomware is all about extortion, the Petya remake doesn’t fall into this category as it simply destroys systems.

  • MUSICGUY SAMPLE

    The only thing worth mentioning about the new MusicGuy ransomware is that it appends files with the .locked string.

  • STRAIN DUBBED RANDOM6

    Analysts call it this way because it uses extensions consisting of random 6 chars. The ransom note is RESTORE-.[random]-FILES.txt.

  • GANK RANSOM

    Uses the .gankLocked file extension and READ_ME_ASAP.txt ransom how-to, demands “one million bitcoins”, which is obviously a prank.

  • PIRATEWARE WITH NO CRYPTO MODULE THUS FAR

    Warning screen of the new Pirateware asks for 0.1 BTC (about $250). The code is incomplete and doesn’t do crypto.

  • ANTI-RANSOMWARE WINDOWS FEATURE ANNOUNCED

    Microsoft is planning to equip Windows Defender with “Controlled Folder Access” feature to prevent malicious encryption.

  • CRBR ENCRYPTOR, A CERBER HEIR

    Cerber ransomware is renamed to CRBR ENCRYPTOR. Still scrambles filenames, adds 4-char extension and drops HTA ransom note.

  • UKRAINE KEEPS SUFFERING FROM RANSOMWARE ATTACKS

    New strain specifically targeting Ukraine is a WannaCry copycat written in .NET and possibly circulating via M.E.Doc software.

  • ABCSCREENLOCKER IS TOO IMMATURE YET

    As the name hints, in-dev ABCScreenLocker is supposed to lock the screen and demand money. Only does the locking part at this point.

  • NEMUCOD UPDATED

    Brand new edition of the old Nemucod ransomware displays a revamped red warning background. Does not use any file extension.

  • PETYA WON’T DECRYPT SYSTEMS NO MATTER WHAT

    Reputable security experts confirm that Petya (NotPetya or ExPetr) ships no decryption mechanism, so it’s meant for sabotage.

  • TIES BETWEEN PETYA AND PAST ATTACKS AGAINST UKRAINE

    Several security companies attribute the (Not)Petya campaign to the group that targeted the Ukrainian power grid back in 2015.

  • LALABITCH RANSOMWARE

    This one uses the .lalabitch extension for locked files, base64-encodes filenames and leaves a recovery how-to called lalabitch.php.

  • TAKEOM SAMPLE BEING CREATED

    Analysts discover in-dev Takeom ransomware that demands $300 worth of BTC and provides a 24-hour deadline to pay up.

  • RANSRANS IS TOO IMMATURE TO PROSPER

    This is a new Hidden Tear PoC offshoot. Subjoins the .ransrans string to encrypted files and keeps crashing all the time.

  • HELL, AKA RADIATION, RANSOMWARE

    Another crude infection “made by KingCobra” that destroys data beyond recovery. Leaves decrypt.txt ransom note on desktop.

  • BTCWARE UPDATE

    The latest iteration of BTCWare ransom Trojan concatenates the .aleta extension to hostage files.

  • HT VARIANT CALLED UNIKEY

    Not much to say about this sample except that it’s a derivative of the academic Hidden Tear ransomware. Dev’s nickname is Nhan.

  • CRY36 FAMILY PRODUCES A NEW SPINOFF

    Fresh edition of the Cry36 ransomware uses the .63vc4 file extension and ### DECRYPT MY FILES ###.txt decryption manual.

  • UKRAINIAN POLICE RAID AS PART OF PETYA INVESTIGATION

    Ukrainian law enforcement seize servers belonging to the vendor whose backdoored software (M.E.Doc) was used in the Petya outbreak.

  • SHELLLOCKER RANSOMWARE UPDATE

    New version appends files with the .L0cked string, jumbles filenames, displays ransom note in Russian and uses 5quish@mail.ru email.

  • ZERORANSOM SAMPLE SPOTTED

    Concatenates the .z3r0 suffix to ransomed files and displays decryption how-to named EncryptNote_README.txt.

  • J-RANSOMWARE, A ZERORANSOM OFFSHOOT

    Strain called J-Ransomware is based on the above ZeroRansom. Uses the .LoveYou extension to mark encoded files.

  • ZSCREENLOCKER VARIANT DISCOVERED

    zScreenlocker was originally discovered in November 2016. Fresh iteration uses the following unlock password: Kate8Zlord.

  • NEW EXTENSION USED BY CRYPTOMIX

    The most recent edition of CryptoMix, or Mole ransomware, affixes the .MOLE00 extension to locked files.

  • CRYPTER 1.0 IS A MESS

    Sample called Crypter 1.0 fails to encrypt anything and generates messages with weird contents demanding 10 BTC.

  • CROOKS BEHIND PETYA GET OUT IN THE OPEN

    Individuals responsible for the recent Petya outbreak start transferring obtained cryptocurrency to other Bitcoin wallets.

  • UNEXPECTED FINDINGS OF AV-TEST

    According to Security Report 2016/17 by AV-TEST, the share of ransomware in the global malware volume is only about 1%.

  • CRYPTOMIX VARIANT CRACKED

    Thanks to combined efforts of security vendors and enthusiasts, free decryptor for the MOLE02 edition of CryptoMix is released.

  • ANDROID RANSOMWARE AUTHORS ARRESTED

    Chinese police apprehend two individuals for spreading SLocker Android ransomware version that resembles WannaCry.

  • NEW CRYPTOMIX SPINOFF DISCOVERED

    The latest incarnation of CryptoMix uses the .Azer file extension and drops _INTERESTING_INFORMATION_FOR_DECRYPT.txt note.

  • MASTER EDITION OF BTCWARE NOW DECRYPTABLE

    MHT’s Michael Gillespie updates his BTCWareDecrypter that now supports the .master file extension variant of this ransomware.

  • EXECUTIONER RANSOMWARE – STILL NO BIG DEAL

    In spite of Executioner ransomware makers’ efforts to make the pest uncrackable, newer iterations are still decryptable.

  • COUNTLOCKER SHAPING UP TO BE A SERIOUS ISSUE

    In-dev ransomware called CountLocker claims to delete all data on C drive unless the victim pays 0.3 BTC in 72 hours.

  • FENRIR TROJAN IS UNUSUAL IN A WAY

    This sample derives the file extension from the infected host’s Hardware ID (HWID), so the extension differs per victim. The ransom note is Ransom.rtf.

  • ELMERSGLUE_3 RANSOMWARE

    Screen locker called ElmersGlue_3 is a derivative of ElmersGlue Locker v1.0, which was spotted in May 2017. Easy to get around.

  • ORIGINAL PETYA IS NOW OFFICIALLY DECRYPTABLE

    A member of the Janus cybercrime group releases the master decryption keys for the original Petya, Mischa and GoldenEye ransomware.

  • RANSOMWARE TELLING VICTIMS TO DO SURVEYS

    Dubbed SurveyLocker, the new Trojan drags victims into a loop of surveys so that their screen can be unlocked.

  • RANDOM6 IS PART OF A KNOWN LINEAGE

    According to in-depth analysis, the recently spotted Random6 pest appears to be a derivative of the Fantom ransomware.

  • LEAKERLOCKER ANDROID RANSOMWARE

    Spreading via two booby-trapped apps on Google Play, this one threatens to send the victim’s sensitive data to all of their contacts. Demands $50.

  • PETYA COPYCAT DISCOVERED

    Dubbed Petya+, this ransomware is written in .NET. Its ransom screen is almost a replica of the original’s, but it performs no actual encryption so far.

  • SCORPIO RANSOMWARE USES APROPOS EXTENSION

    Also referred to as Scarab, this sample scrambles filenames and appends them with the .[Help-Mails@Ya.Ru].Scorpio extension.

  • OXAR RANSOMWARE BASED ON HIDDEN TEAR

    HT based strain called Oxar, or Locked In, concatenates the .OXR suffix to encoded files. Demands $100 worth of Bitcoin.

  • BIT PAYMER SPECIMEN APPEARS

    Uses the .locked file extension and creates a separate .readme_txt recovery how-to for every hostage file.

  • NEWSMAKING ARREST OVER RANSOMWARE

    Australian authorities apprehend a 75-year-old man for setting up rogue tech support companies involved in ransomware schemes.

  • NEMUCODAES STRAIN DECRYPTED

    Emsisoft makes another breakthrough in fighting ransomware, releasing a free decryptor for the NemucodAES strain.

  • ASLAHORA TROJAN – HIDDEN TEAR MISUSED AGAIN

    A brand-new HT offshoot called AslaHora appends the .Malki extension to ransomed files. The unlock password is MALKIMALKIMALKI.

  • DCRY RANSOMWARE DECRYPTED

    Researchers release a free decryption tool for the Dcry ransomware, which appends the .dcry extension to encrypted files.

  • BLACKOUT RANSOMWARE SURFACES

    New sample called BLACKOUT drops a README_[random numbers].txt ransom note and Base64-encodes filenames.

  • KEEP CALM RANSOMWARE

    This one is based on the EDA2 proof-of-concept. Appends the .locked string to hostage files and leaves a “Read Instructions.rtf” ransom note.

  • PURGE STRAIN TURNS OUT SHODDY

    Blemishes files with the .purge extension. Keeps crashing during encryption process. The unlock password is “TotallyNotStupid”.

  • “YOUR ALL DATA IS ENCRYPT” SCREEN LOCKER

    The name is the phrase this sample displays on its lock screen. Demands 1 BTC but is ridiculously easy to get around (Alt+F4).

  • BRAINLAG SPECIMEN SPOTTED

    Still in development, so no encryption yet. Displays a black lock screen with a smiley in the middle.

  • RANSED RANSOMWARE

    Stamps files with the apropos .Ransed extension. Connects to a remote MySQL server, which means the database access credentials are hard-coded in the sample.

  • JIGSAW STRAIN PRODUCES ANOTHER VARIANT

    The newest iteration of the Jigsaw ransomware switches to using the .kill string to label hostage files.

  • SAMSAM RANSOMWARE UPDATED

    A brand-new edition of the SamSam/Samas ransomware appends the .country82000 extension to encrypted files.

  • ENDCRYPT0R SAMPLE IS NO BIG DEAL

    Screen locker called ENDcrypt0r displays an alert saying that files have been encrypted, while they aren’t. Unlock code is A01B.

  • FUACKED RANSOMWARE IS A DULL ONE

    Nothing special about the new specimen called Fuacked. Leaves a ransom note named dummy_file.txt.

  • an ongoing list…
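The entries above amount to a list of file-name indicators: fixed extensions, ransom-note names, the Scarab/Scorpio contact-address suffix, BLACKOUT’s Base64-encoded filenames and Bit Paymer’s per-file .readme_txt note. As an added example, not code from this article or from any vendor named in it, here is a Python triage script that sweeps a directory listing against those indicators. The extension and note names are those stated in the entries; the compound-suffix regex, the Base64 filename recovery (standard alphabet assumed), the rule that a sibling .readme_txt resolves the shared .locked extension to Bit Paymer, and the sample listing are this example’s own assumptions.

```python
import base64
import re
import string

# Extension -> family, as stated in the timeline entries above. Not exhaustive.
EXTENSION_FAMILY = {
    ".aleta": "BTCWare", ".63vc4": "Cry36", ".L0cked": "ShellLocker",
    ".z3r0": "ZeroRansom", ".LoveYou": "J-Ransomware", ".MOLE00": "CryptoMix (Mole)",
    ".Azer": "CryptoMix", ".master": "BTCWare", ".OXR": "Oxar", ".Malki": "AslaHora",
    ".dcry": "Dcry", ".purge": "Purge", ".Ransed": "Ransed", ".kill": "Jigsaw",
    ".country82000": "SamSam",
}
# Ransom-note filenames named in the entries above.
NOTE_FAMILY = {
    "### DECRYPT MY FILES ###.txt": "Cry36",
    "EncryptNote_README.txt": "ZeroRansom",
    "_INTERESTING_INFORMATION_FOR_DECRYPT.txt": "CryptoMix",
    "Ransom.rtf": "Fenrir",
    "Read Instructions.rtf": "Keep Calm",
    "dummy_file.txt": "Fuacked",
}
# Scarab/Scorpio-style compound suffix ".[contact@mail].Ext": os.path.splitext
# would return only ".Scorpio" and lose the contact address.
EMAIL_BRACKET_EXT = re.compile(r"\.\[([^\]\s]+@[^\]\s]+)\]\.([A-Za-z0-9]+)$")
BLACKOUT_NOTE = re.compile(r"^README_\d+\.txt$")  # README_[random numbers].txt
# Standard base64 alphabet is assumed here for BLACKOUT-style encoded filenames.
BASE64_NAME = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_base64_filename(name):
    """Return the original filename if `name` is base64 text decoding to a dotted name, else None."""
    # The printable-with-a-dot requirement filters ordinary names that merely
    # look base64-shaped (e.g. "data" decodes, but to non-ASCII bytes).
    if len(name) % 4 or not BASE64_NAME.match(name):
        return None
    try:
        decoded = base64.b64decode(name, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if "." not in decoded or not set(decoded) <= PRINTABLE:
        return None
    return decoded


def classify(name, listing=()):
    """Classify one filename; `listing` (sibling names) resolves shared extensions."""
    if name in NOTE_FAMILY:
        return {"name": name, "kind": "note", "family": NOTE_FAMILY[name]}
    if BLACKOUT_NOTE.match(name):
        return {"name": name, "kind": "note", "family": "BLACKOUT"}
    if name.endswith(".readme_txt"):  # Bit Paymer drops one per encrypted file
        return {"name": name, "kind": "note", "family": "Bit Paymer"}
    m = EMAIL_BRACKET_EXT.search(name)
    if m:
        contact, ext = m.groups()
        family = "Scarab/Scorpio" if ext == "Scorpio" else "unknown (contact-address style)"
        return {"name": name, "kind": "encrypted", "family": family,
                "contact": contact, "extension": "." + ext}
    for ext, family in EXTENSION_FAMILY.items():
        if name.endswith(ext):
            return {"name": name, "kind": "encrypted", "family": family,
                    "extension": ext, "original_name": name[: -len(ext)]}
    if name.endswith(".locked"):
        # .locked is shared by Keep Calm and Bit Paymer above; a sibling
        # .readme_txt note is the Bit Paymer tell, otherwise stay ambiguous.
        bit_paymer = any(s.endswith(".readme_txt") for s in listing)
        return {"name": name, "kind": "encrypted",
                "family": "Bit Paymer" if bit_paymer else "Keep Calm or Bit Paymer",
                "extension": ".locked", "original_name": name[: -len(".locked")]}
    original = decode_base64_filename(name)
    if original is not None:
        return {"name": name, "kind": "encrypted", "family": "BLACKOUT (base64 name)",
                "original_name": original}
    return {"name": name, "kind": "clean", "family": None}


def triage(listing):
    """Classify every name in a directory listing and return the suspicious hits."""
    return [r for r in (classify(n, listing) for n in listing) if r["kind"] != "clean"]


# Constructed sample listing, not captured from a real infection.
SAMPLE_LISTING = [
    "budget.xlsx",
    "report.docx.aleta",
    "Q3.pdf.[Help-Mails@Ya.Ru].Scorpio",
    "README_48213.txt",
    base64.b64encode(b"photos.zip").decode(),  # "cGhvdG9zLnppcA=="
    "invoice.pdf.locked",
    "invoice.pdf.readme_txt",
    "notes",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print(hit)
```

Two points worth noting when adapting this to a real sweep: a suffix check has to run on the full name, because `os.path.splitext` truncates a compound suffix such as `.[Help-Mails@Ya.Ru].Scorpio` to `.Scorpio` and discards the contact address; and an extension shared by several families (here `.locked`) should be reported as ambiguous unless something else in the same directory, such as the per-file note, settles it.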


7 comments

  1. Lima Tango says:

    This is a great timeline – thx

  2. Shree says:

    Awesome Dude! I see you spent tons of time here.

  3. Vipin Pandey says:

    I got infected with Locky Ransomware last year. I had to lose my files. This timeline is awesome; it can make people aware of ransomware.

  4. Greg Edwards says:

    Great timeline! The average person is so unaware how rampant and dangerous ransomware is. Thanks for putting this together and keeping it top of mind.

  5. Austin Taylor says:

    Thank you for creating this! I have consolidated your table into a visualization at austintaylor.io/ransomware/visualization/2017/01/07/ransomware-year-in-review-timeline/

  6. RoctumX says:

    I got infected last Saturday with this new PCLOCK cryptolocker ransomware. Any news about it and its decryption?

    • admin says:

      Unfortunately, the new PcLock isn’t decryptable; the Emsisoft decrypter only handles the early 2015 versions.
