This timeline covers the ransomware ecosystem over the period of May – December 2016. For convenience, the entries are split into four categories: new ransomware released; existing ransomware updated; free decryptors created; and other important news from the e-extortion domain. The chronicle aims to include every ransomware event and incident that occurred in that timeframe.
Read ransomware chronicle for 2017
Read ransomware chronicle for 2018
New ransomware released
Old ransomware updated
Ransomware decrypted
Other important ransomware-related events
Targets Russian-speaking victims. Appends the .enigma extension. Creates the enigma_encr.txt ransom note.
Kaspersky’s free decryptor defeated. Concatenates the .crypt extension. Ransom notes named after victim ID.
Zeroes in on Chinese victims only. Very complex decryption routine. Uses the 文件解密帮助.txt ransom note.
Targets German and Dutch users. Adds the .locked extension. UNLOCK_FILES_INSTRUCTIONS.txt manual.
Hitman video game themed. Appends the .porno extension and uses X-rated images on warning screen.
Uses the .encrypted extension and drops READ_THIS_TO_DECRYPT.html help manual. Decryptable for free.
If the MBR-overwriting Petya fails to get admin privileges, it installs Mischa, a typical file-encrypting Trojan.
Ransomware-as-a-Service platform launched allowing crooks to spread Petya and Mischa on an affiliate basis.
Kaspersky Lab updated their free decryptor for CryptXXX ransomware, version 2.0 now covered.
New sample. Adds the .8lock8 extension and creates READ_IT.txt ransom notes. Interaction over email.
New variant of the Shade aka Troldesh ransomware uses the .da_vinci_code extension to stain locked files.
GhostCrypt ransomware (.Z81928819 extension, READ_THIS_FILE.txt ransom note) decrypted by researchers.
New strain. Leverages AES cipher, appends the .RSNSlocked extension and demands $300 worth of Bitcoin.
Decryptor for the Xorist family released by Emsisoft. Requires one encrypted file and its original copy.
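Why a decryptor can ask for one encrypted file plus its untouched original: with a weak symmetric cipher, a known plaintext/ciphertext pair gives away the keystream, and that key then opens every other file on the machine. The following is an added example, not Emsisoft's or Xorist's code. The repeating-key XOR cipher, the 16-byte key and the two "victim files" are assumptions constructed for the demo; real Xorist builds use their own (also weak) cipher settings, which are not reproduced here.

```python
"""Known-plaintext key recovery against a repeating-key XOR cipher.

Added example, not Emsisoft's or Xorist's code. The toy cipher below is an
assumption standing in for a weak symmetric scheme. With one known
(original, encrypted) pair the keystream falls out directly and, once its
period is known, unlocks every other file encrypted with the same key."""

from itertools import cycle

DEMO_KEY = b"Xorist-demo-key!"  # 16 bytes, constructed for the demo; unknown to the victim


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy 'ransomware' cipher: repeating-key XOR. Decryption is the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """P XOR C gives back the keystream bytes covering the known pair."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def find_period(keystream: bytes, max_period: int = 64) -> int:
    """Smallest p with keystream[i] == keystream[i % p] for all i.

    A period is only accepted if the pair is long enough to see it repeat at
    least once (len >= 2*p); a shorter 'original copy' cannot prove the key length."""
    usable = min(max_period, len(keystream) // 2)
    for p in range(1, usable + 1):
        if all(keystream[i] == keystream[i % p] for i in range(len(keystream))):
            return p
    raise ValueError("known-plaintext pair too short to establish the key period")


def recover_key(plaintext: bytes, ciphertext: bytes, max_period: int = 64) -> bytes:
    """Derive the repeating key from one known pair."""
    ks = recover_keystream(plaintext, ciphertext)
    return ks[: find_period(ks, max_period)]


def decrypt_with_known_pair(known_plain: bytes, known_cipher: bytes, other_cipher: bytes) -> bytes:
    """Recover the key from one (original, encrypted) pair and decrypt a different file."""
    return xor_encrypt(other_cipher, recover_key(known_plain, known_cipher))


# Constructed victim data: one file the victim still has a clean copy of, one they do not.
SAMPLE_PLAIN = b"Invoice #2016-0512 for ACME GmbH: total due EUR 4,380.00 by 31 May 2016."
SAMPLE_CIPHER = xor_encrypt(SAMPLE_PLAIN, DEMO_KEY)
OTHER_PLAIN = b"Quarterly payroll export 2016-Q1\nEmployee,Amount\nA. Smith,3200\nB. Jones,2950\n"
OTHER_CIPHER = xor_encrypt(OTHER_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_PLAIN, SAMPLE_CIPHER)
    print("recovered key:", key)
    print("other file   :", decrypt_with_known_pair(SAMPLE_PLAIN, SAMPLE_CIPHER, OTHER_CIPHER).decode())
```

The period check is the caveat a practitioner needs: a known pair shorter than twice the key length cannot confirm the key, so the script refuses it rather than returning a key that only decrypts the file you already had. A strain that uses a proper block cipher with a fresh per-file key does not fall to this approach at all, which is why most other entries in this chronicle are marked as not decryptable for free.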
Appends the ._[timestamp]_$[email]$.777 extension. Decrypted by Emsisoft’s Fabian Wosar.
A GNL Locker spinoff. Uses the .locked extension and drops UNLOCK_FILES_INSTRUCTIONS.html/txt manuals.
TeslaCrypt ransomware authors close the project and release the Master Decryption Key.
New infection exploiting Drupal vulnerability. About 400 sites affected. Demands 1.4 BTC to decrypt content.
Doesn’t modify filenames. Creates Cryptinfo.txt ransom manual and extorts 1.5 BTC.
Crypto flaw patched. Kaspersky’s decryptor no longer capable of restoring files.
Crooks provide a link to expert-tailored decoder on Tor payment site for the defunct TeslaCrypt.
File renaming format is as follows: [attacker’s_email]-[original_filename].odcodc. Not decryptable for free.
New one. Appends the .zcrypt string. Propagates via autorun.inf files on memory sticks and network drives.
New Zyklon edition switches from the .locked extension to .zyklon string. No more changes made.
New BadBlock ransomware doesn’t append any extension to files. Ransom size is 2 BTC.
Another Jigsaw ransomware version. Deletes files unless a victim pays up. Decryptable for free.
A modified variant of the JobCrypter ransomware discovered. Uses the .css extension.
New sample telling victims to send email to support@juicylemon.biz for instructions. Demands 1000 Euros.
Multiple design tweaks of ransom notes and payment page. Decryptor now called UltraDeCrypter.
The BadBlock strain, which cripples both data files and Windows EXEs, is decrypted courtesy of Emsisoft.
This descendant of the Jigsaw ransomware displays NSFW wallpaper and uses the .paybtc extension.
Targets English and Russian-speaking users, appends the .silent extension and demands $30.
This sample uses symmetric AES cryptosystem, appends the .herbst extension to files and extorts $50.
Attacks Russian-speaking audience, adds the .criptokod extension to locked files. Decryptable for free.
New Jigsaw variants use the .paymst, .payms, .pays, .paym, .paymrs, .payrms and .paymts extensions.
Another Crysis ransomware offspring appends files with the .centurion_legion.aol.com.xtbl extension.
According to research by ESET, the Crysis ransomware is gaining momentum with cybercrooks.
Researchers defeat a new iteration of the Nemucod ransomware that uses the .crypted extension.
Cisco’s Talos Group releases a tool that decrypts all known versions of the TeslaCrypt ransomware.
New CryptXXX (UltraCrypter) version labels encrypted entries with the .cryptz extension.
Emsisoft researcher tailors a decryptor for Apocalypse ransomware, which uses the .encrypted extension.
Built with JavaScript, the RAA ransomware (.locked extension) also installs the Pony password stealer.
The FLocker pest targets Android devices, including smart TVs, and extorts $200 worth of iTunes gift cards.
Affixes the .ded extension to files, imposes email interaction with the attacker and demands 2 BTC.
The Anonymous themed Jigsaw ransomware variant concatenates the .epic string to scrambled files.
Instructs victims to reach the devs via email within 48 hours otherwise threatens to erase files.
Targets Russian users, appends .crypt38 to files and asks for $15 in Rubles. Free decryptor released.
New sample using AES algorithm and appending the .locked extension. Experts found a workaround.
New Locky proliferation campaign discovered, leverages the Necurs botnet to generate harmful spam.
Researchers create a decryptor for ApocalypseVM ransomware that uses advanced anti-VM features.
Uses asymmetric RSA crypto. Victims are instructed to email the attacker at kozy.jozy@yahoo.com.
Employs AES algo, uses the .crptrgr extension and creates !Where_are_my_files!.html ransom note.
CryptXXX ransomware starts appending random 5-char extension to files instead of .crypz.
Python-based strain. Targets the Zimbra open-source email platform. Ransom amounts to 3 BTC.
Appends the .SecureCrypted extension. Emsisoft Apocalypse Decryptor updated to restore files.
Tells victims to email the dev at towerweb@yandex.com for instructions. Demands $100 worth of Bitcoin.
Ransomware based on open-source educational code. Concatenates the .kratos extension to files.
Stores files in password-protected ZIP folder rather than encrypt them. Demands 3 BTC.
Encrypts files and wreaks havoc with Master Boot Record. Displays a lock screen asking for 0.5 BTC.
Locks victims’ personal data but doesn’t request a ransom. Decrypt password available in a hidden .txt file.
New Locky variant appends the .zepto extension and renames files to 32 hexadecimal chars.
Uses DES (Data Encryption Standard) and requests an astounding 48.48 BTC. Decrypted by analysts.
New Shade iteration switches from using the .da_vinci_code to .Windows10 extension.
The tools restore files scrambled by TeslaCrypt, Apocalypse, BadBlock, Crypt888, Legion, and SZFLocker.
Targets Russian-speaking audience. Email for interaction: unlock92@india.com. Decryptable for free.
A likely Zyklon copycat. Circulates mostly in the Netherlands and Belgium. Appends the .wflx extension.
Alfa, aka Alpha, ransomware uses the .bin extension and appears to be created by Cerber devs.
Emsisoft’s decryptor now handles the .bleepYourFiles version of the Apocalypse ransomware.
New edition creates README.html (.bmp, .txt) ransom notes and upsells a tool called “Microsoft Decryptor”.
Requests 0.2 BTC to unlock files but irreversibly deletes the data instead.
Appends the .bitstak extension to scrambled files. Researcher named Michael Gillespie created a decryptor.
Uses the .id-[unique_victim_id]-maestro@pizzacrypts.info extension to brand all encoded files.
Having stayed dormant for several months, the PadCrypt ransomware (.padcrypt extension) re-emerges.
New variant uses RSA-2048 cryptosystem, cannot be decrypted. Appends the .CCCRRRPPP extension.
Sample dubbed CTB-Faker moves files to a password-protected ZIP archive. Potentially crackable.
Researcher going by the handle BloodDolly came up with a method to decrypt ODCODC-encoded files.
Although this sample uses the .cerber extension, it’s a mere copycat. Doesn’t link to Tor decryptor page.
According to OpenDNS, there is an upswing in WildFire Locker distribution via the Kelihos botnet.
Appends the .locked extension. Criminals can buy a copy on the dark web for as little as $39.
For whatever reason, CryptXXX Tor payment sites provide free keys to decrypt .cryp1 and .crypz files.
Petya authors improved their Salsa20 algo implementation to encrypt Master File Table more reliably.
A fresh edition of CryptXXX replaces filenames with 32 hex characters and appends random extensions.
Written in Python, the HolyCrypt sample installs all components as a single Windows executable.
ODCODC ransomware victims can now use an automatic free decryptor. The infection’s C&C server is dead.
Free recovery tool by AVG allows Bart ransomware victims to crack the ZIP archive password.
PowerWare ransomware masquerades as Locky. Decryptor available courtesy of Michael Gillespie.
Emsisoft team member Fabian Wosar created a free decrypt tool for the relatively new Stampado pest.
CrypMIC bears a strong resemblance to CryptXXX. Researchers provide a comparative review of the two.
New sample. Uses the .~ file extension and creates _RECOVER_INSTRUCTIONS.ini ransom note.
A true breakthrough in fighting ransomware. Created by law enforcement agencies and security companies.
Petya and Mischa ransomware authors publish about 3500 decryption keys for a strain called Chimera.
Crooks behind Petya and Mischa make their Ransomware-as-a-Service platform available to the public.
Incremental ransom size starting with $100 worth of Bitcoin. C&C server went down shortly after launch.
Appends the .locked extension to scrambled items. Ransom notes in Turkish asking for 2 BTC.
“We Are Anonymous” Jigsaw ransomware variant with a new warning background. Decryptable.
RakhniDecryptor solution by Kaspersky Lab decrypts Chimera-locked files with the keys previously leaked.
New strain, uses AES crypto and concatenates the .razy extension. Even the devs cannot decrypt files.
The Zepto version of Locky ransomware circulates via malware-tainted WSF email attachments.
Japanese researcher creates educational ransomware called ShinoLocker. Another controversial initiative.
50% of U.S. companies were targeted by ransomware in the past 12 months, Osterman Research reveals.
Switches to .cerber2 extension and uses a new desktop background. Ransom notes unaltered.
The EDA2 PoC gave birth to a new real-world strain. Uses AES-256 standard and appends .venusf extension.
Buggy sample that deletes extensions rather than encrypt files. Demands a Vodafone card worth 25 euros.
Uses open-source Hidden Tear code with some modifications. Appends files with the .rekt extension.
Researchers demonstrate viable ransomware hitting thermostats at the DEF CON event.
Impostor pretending to be CryptoWall. Installs manually via RDP. Appends the .encrypted extension to files.
Ransomware analyst nicknamed BloodDolly creates a free decryptor for PizzaCrypts and JuicyLemon strains.
Appends the .locked extension. Creates a backdoor Windows user account (Hack3r) for future PC access.
Aka Crypt0L0cker. Uses the .enc file extension. Infects computers via rogue energy bills sent over email.
New RaaS platform that allows for extensive ransomware customization. Devs get 20% revenue cut.
Check Point released a decrypt tool for .cerber and .cerber2 variants. Worked for only 1 day, though.
According to investigative research, Cerber devs’ annual revenue is on the order of $1 million.
Based on the educational Hidden Tear code. Apparent ties to the CrypMIC ransomware discovered.
The crooks keep insulting Fabian Wosar who cracks every new edition of the pest.
Threat actors behind Cerber ransomware make Check Point’s automatic decryptor inefficient.
Researchers release a free decrypt tool for the Smrss32.exe ransomware.
An EDA2 spinoff. Sets a Mr. Robot TV series themed wallpaper with Fsociety hacking group logo.
Starts to actually encrypt files and append the .bart extension rather than simply password-protect them.
Payload pretends to be PokemonGO game. Takes a screenshot of Windows screen for intimidation purpose.
Distributed via RIG exploit kit. Uses Tor C&C server. Ransom of 1 BTC to be submitted within 5 days.
Another CTB-Locker copycat, uses a similar ransom note and color scheme. Demands 0.5 BTC.
Desktop wallpaper styling pays homage to the Purge movies. Appends the .purge extension to files.
Dutch police and NHTCU agency seize WildFire Locker ransomware’s C&C server. Free decryptor released.
According to PhishLabs, Alma Locker’s private key can be obtained with network sniffer during the attack.
New strain based on EDA2. Displays a bogus Windows update screen to obfuscate the encryption process.
Based on educational Hidden Tear code. Payload disguised as KMSPico Windows crack.
The Zepto alias of Locky ransomware begins leveraging a DLL installer rather than an executable to spread.
New Smrss32 spam campaign delivering files masqueraded as U.S. Election news.
Targets users in Serbia and Croatia. Doesn’t modify filenames. Requests 50 EUR for decryption.
Adversaries compromise Linux servers, erase web folders and extort 2 BTC for recovery.
Instructs victims to send email to raaconsult@mail2tor.com for decryption steps.
Apocalypse ransomware devs name their new variant “Fabiansomware” to insult researcher Fabian Wosar.
New edition of the Cerber ransomware concatenates the .cerber3 extension to locked files.
Crooks reportedly used insecure Redis servers to infect Linux machines with the Fairware ransomware.
New Stampado variant replaces filenames with hexadecimal chars and uses the .locked extension.
Pretends to be a PokemonGO bot app. Demands 0.1 BTC. Decrypted by Michael Gillespie.
Acts on behalf of the nonexistent Central Security Treatment Organization. Appends the .cry extension.
CryLocker propagates via Sundown exploit kit and sends victims’ details to its C2 server over UDP.
New Locky samples go with built-in RSA keys and don’t communicate with C&C servers.
Targets Russian users. Moves files to password-protected RAR archive, creates RarVault.htm ransom note.
Hits Russian victims. Creates “How Decrypt Files.txt” ransom manual. Free decryptor released.
New Stampado version sold on the darknet for $400. Features a Mercy button.
Appends the .locked extension and requests 0.5 BTC. Attacker’s email address is flyper01@sigaint.org.
Uses AES encryption, adds the .cry extension and drops README_FOR_DECRYPT.txt help file.
Emsisoft’s Fabian Wosar creates a free decryptor for the Philadelphia pest.
New Crysis ransomware rips users off under the guise of helping the homeless.
New ransomware, uses the same set of crypto keys for all victims. Decryption keys published by analysts.
Leverages AES-256 algo, appends the .locklock extension to files and creates READ_ME.txt ransom note.
Shark RaaS rebranded as the Atom Ransomware Affiliate Program. Available on the public Internet.
Fabian Wosar releases a decrypt tool handling new variants of the Stampado ransomware.
Locky ransomware’s autopilot crypto gets improved to prevent AV detection.
New version encrypts files that were locked by other ransomware strains, so it’s double trouble.
Razy asks for a PaySafeCard worth 10 EUR to unlock files. Ransom screen resembles the one used by Jigsaw ransomware.
New edition can encrypt data offline, similarly to Locky. Now targets network shares.
FenixLocker ransomware dev found to leave the “FenixIloveyou!!” message in each encrypted file.
A highly dangerous sample that locks victims out of their computers by overwriting MBR.
Emsisoft releases a free decrypt tool for FenixLocker, which adds secret mash notes to encrypted files.
New iteration sets desktop wallpapers randomly and derives ransom size from payload name.
Fabian Wosar stays busy upsetting ransomware makers with his updated free decryptors.
New Locky samples switch back to using C&C infrastructure for encryption, according to Avira.
A major increase in Cerber ransomware distribution: daily infections reach 80,000.
Spotted by GData, Cyber SpLiTTer Vbs asks for 1 BTC but fails to actually encrypt any files.
New sample, drops “Files encrypted.txt” ransom manual and demands 0.18 BTC for decryption.
Bears a strong resemblance to CTB-Locker. Mainly targets U.S. governmental and educational institutions.
Warning screen contains an image of Lord Voldemort, an evil character from the Harry Potter films.
Named after ransom note help_dcfile.txt. Appends files with the .XXX extension.
In-development sample with a photo of Donald Trump on the ransomware GUI.
New variant adds the .odin extension to files and creates _HOWDO_text.html/bmp ransom notes.
Michael Gillespie, aka @demonslay335, creates a decryptor for the DXXD ransom Trojan.
New educational Linux ransomware called CryptoTrooper gets negative feedback from security community.
Decryptor page resembles Cerber’s. The ransom is 3 BTC (about $2200), doubles after deadline.
Appends the .unavailable extension. Emsisoft creates an automatic decrypt tool for this sample.
New version targets German users. Extorts ransom in PaySafeCard. Deadline for payment is 72 hours.
A write-up by Kaspersky analyzes Brazilian TeamXRat ransomware that targets enterprises and hospitals.
New one. Uses the AES standard and creates !!_RECOVERY_instructions _!!.html/txt ransom notes.
Apocalypse ransomware dev starts posting on BleepingComputer forums to insult researcher Fabian Wosar.
Kaspersky updated their RannohDecryptor solution so that it can crack the MarsJoke ransomware.
The Trend Micro Ransomware File Decryptor tool is now capable of decoding the Globe ransomware.
The tool handles the Blowfish-based encryption used by the Globe ransomware; Blowfish itself is not broken, the key is recoverable.
The strain appends files with the .rip extension and displays an image of a spooky clown.
Concatenates the .realfsociety@sigaint.org.fsociety extension to files and drops fsociety.html ransom note.
Another example of criminals abusing educational ransomware code. No in-the-wild propagation.
New variant adds a random 4-character extension and creates README.hta ransom note.
Hades Locker occupies the niche of WildFire Locker, which had been taken down by Dutch law enforcement.
Globe devs release multiple new spinoffs appending the .encrypted, .raid10, and .globe extensions.
Appends the .kostya extension. The ransom of 2,000 CZK (about $78) doubles after 12 hours.
Adds the .comrade extension to files and displays RESTORE-FILES![ID] ransom note.
New edition appends the .1txt extension and leaves enigma_info.txt ransom manual.
Uses AES-256 algo and requests a Bitcoin equivalent of $500. Configured to encrypt data in 2017.
Uses VenisRansom@protonmail.com for communication. Enables RDP and steals passwords.
Detected as Trojan.Encoder.6491, it appends the .enc extension. Cracked by Doctor Web.
Researchers create a decryptor for the 2nd iteration of the DXXD Ransomware.
New Nuke variant spotted in the wild. Concatenates the .nuclear55 extension to encoded files.
Cisco Talos releases LockyDump, a tool that extracts the configuration parameters of all known Locky versions.
Dev’s handle is EvilTwin. Encrypts all data on target computers, including executable files.
Malwarebytes releases a tool that decrypts DMALocker’s latest !XPTLOCK5.0 version.
NoobCrypt 2.0 demands $50. Attackers decided to stick with the ransomware name given by a researcher.
Based on EDA2 ransomware. Appends the .coded extension, attacker’s email is support.code@aol.com.
Only locks one’s screen without encrypting anything. Demands 10 EUR PaySafeCard to unlock.
Malwarebytes researcher nicknamed “hasherezade” creates a free 7ev3n Ransomware decryptor.
Obfuscates the encryption process with an amusing Click Me game.
PHP-based ransomware encrypts data on web servers. Appears to have Indonesian origin.
MBRFilter tool by Cisco Talos blocks ransom Trojans that attempt to overwrite the Master Boot Record.
Low-quality sample. Appends the .lock93 extension to files and requests 1000 RUB. Decryptable.
Uses the .adk extension to brand affected files. Demands a huge ransom of 10 BTC.
The variant uses a different filemarker (999999) and leaves the “decrypt explanations.html” ransom note.
New version appends files with the .shit extension and creates _WHAT_is.html/bmp recovery manuals.
Now adds the .perl extension. Ransom notes are called recover.bmp and recover.txt.
Concatenates the .thor extension rather than the .shit string. Ransom notes unaltered.
Dubbed “Hucky” (Hungarian Locky), the sample mimics Locky’s wallpaper and ransom notes.
An odd strain that asks victims to complete a sponsored survey before unlocking the computer.
Emsisoft’s Fabian Wosar declined “realfs0ciety” cyber gang’s offer to buy their decrypt keys on the cheap.
GData experts discover and defeat a screen locker that uses cuzimvirus@yahoo.com email for interaction.
One more educational ransomware, CryptoWire, gave rise to a real-world sample.
Ransom message is written in Georgian. Warning screen contains an image of No-Face anime character.
Leaves the IFN643_Malware_Readme ransom note. Requests $1000 worth of Bitcoin.
No mechanism to reach the attackers. Demands 3 BTC but provides a Litecoin address instead of Bitcoin.
Based on EDA2 open-source project. Drops ransom note called CreatesReadThisFileImportant.txt.
Does not encode any data but locks the screen instead. Demands 1 BTC otherwise threatens to delete files.
Discovered by Michael Gillespie, aka @demonslay335. Malwarebytes analysts create a decryptor.
Appends the .alcatraz extension and leaves ransomed.html ransom note. Ransom size is 0.5 BTC.
Cerber Ransomware devs start indicating version number in v4.1.0 and onward.
Displays a “File Kill Timer” window with a funny image of Super Mushroom. Doesn’t delete any files for real.
Encrypts data and locks a victim’s screen. Files are appended with the .dCrypt extension.
Having encrypted one’s files, the zScreenLocker ransomware displays a “Ban Islam” image.
Appends the .enc extension and creates “How to recover.enc.txt” ransom note.
Displays a ransom note within command prompt. Requests 0.33 BTC for the passcode to decrypt.
New one. Concatenates the .rnsmwr extension to encoded files.
Titled “The Evolution of Cerber… v4.1.x”, the article dissects new versions of the ransomware.
Doesn’t encrypt any data, simply displays a lock screen. Demands $20 through PayPal.
Spreads via phishing emails with fake Word invoice attached. Version number indicated in ransom notes.
New version uses an expired build of C# obfuscator. Accepts random, including blank, unlock key input.
A variant of Hidden Tear proof-of-concept pretending to be the Cerber ransomware.
Decryptable sample that affixes the .encrypted extension to files and leaves a ransom note in French.
Based on RemindMe ransomware. Uses .dll extension and drops DECRYPT_YOUR_FILES.html ransom note.
Uses a fake PaySafeCard generator window to obfuscate file encryption. Prepends “.cry_” to extensions.
Appends the ._AiraCropEncrypted extension to files. Distributed by the TeamXRat cybercrime gang.
The sample can be purchased on underground resources. Adds the .Locked extension to data entries.
A proof-of-concept written in PHP that targets web servers. Created by Brazilian researcher.
The sample leverages Telegram’s bot API to interact with its C2 infrastructure.
A new specimen using a popular Russian “Kolobok” fairytale theme for the desktop background.
Spam emails disguised as alerts from U.S. Office of Personnel Management deliver Locky payloads.
CrySiS ransomware authors set up a Pastebin page with Master Decryption Keys for their infection.
New ransomware disguised as “Windows-TuneUp” app. Propagates over pay-per-install network.
The updated PadCrypt version 3.0 can now be distributed on a Ransomware-as-a-Service basis.
Displays a photo of Angela Merkel in the ransom notes. Asks for a BTC equivalent of 1200 EUR.
Locks the desktop rather than encrypt files. Blackmails users with sensitive content found on their PCs.
CryptoLuck mimics the warning screen of CryptoLocker. Proliferates via RIG-E exploit kit.
Dubbed the “Demo” ransomware, this one only encodes JPGs and appends the .encrypted extension.
One of Apocalypse ransomware devs contacts Emsisoft’s Fabian Wosar, asking for help with a code bug.
A CryptoLocker copycat. Returns after almost 2 years of inactivity. Demands 1 Bitcoin for decryption.
Researcher nicknamed ‘hasherezade’ gets close to cracking the Princess Locker ransomware.
Fabian Wosar releases a decryptor for Globe2 (.zendr4, .raid10, .blt, .globe, and .encrypted extensions).
A variant of the Locky ransomware found to be propagating via rogue Flash Player update sites.
Uses a mix of RSA and AES algorithms to lock files and demands 0.2-2 Bitcoins for decryption.
One more sample coded with .NET programming language. Adds the .L0cked file extension.
Dharma ransomware is a new variant of the defunct CrySiS. Uses the .[email_address].dharma extension.
The ID Ransomware service by MalwareHunterTeam now includes 238 ransomware strains.
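Most entries in this chronicle pair a family with the extension it appends, the ransom note it drops, or a marker it leaves inside encrypted files (the FenixLocker “FenixIloveyou!!” string above). That is exactly the lookup a service like ID Ransomware performs. The following is an added example, not code from ID Ransomware or any vendor tool. Its signature table is limited to pairings recorded in this chronicle (Locky, Cerber, Shade, CryptXXX, Dharma, Xorist, 8lock8, Alcatraz Locker, Globe, 777, ODCODC, Zyklon, PadCrypt, FenixLocker); the sample directory it scans is constructed for the demo.

```python
"""Ransomware family triage from filenames, ransom-note names and in-file markers.

Added example, not code from ID Ransomware or any vendor tool; it shows the kind
of lookup such a service performs. Signatures are limited to extension/note
pairings recorded in this chronicle; the FenixLocker "FenixIloveyou!!" string is
the one content-based rule. The sample directory below is constructed for the demo."""

import os
import re
import tempfile
from collections import Counter

# (family, regex applied to the bare filename of an encrypted file or ransom note)
NAME_RULES = [
    ("Locky", re.compile(r"\.(zepto|zzzzz|osiris)$|^OSIRIS-[0-9a-f]{4}\.htm$", re.I)),
    ("Cerber", re.compile(r"\.cerber[23]?$|^_README_\.hta$", re.I)),  # a copycat also used .cerber
    ("Shade/Troldesh", re.compile(r"\.(da_vinci_code|Windows10|no_more_ransom)$")),
    ("CryptXXX", re.compile(r"\.(crypt|crypz|cryp1|cryptz)$", re.I)),
    ("Dharma", re.compile(r"\.\[[^\]\s]+@[^\]\s]+\]\.dharma$")),
    ("Xorist", re.compile(r"\.antihacker2017$", re.I)),
    ("8lock8", re.compile(r"\.8lock8$|^READ_IT\.txt$", re.I)),
    ("Alcatraz Locker", re.compile(r"\.alcatraz$|^ransomed\.html$", re.I)),
    ("Globe", re.compile(r"\.(globe|raid10|zendr4|blt)$", re.I)),
    ("777", re.compile(r"\._\d+_\$[^$]+\$\.777$")),
    ("ODCODC", re.compile(r"^[^@\s]+@[^@\s]+-.+\.odcodc$", re.I)),
    ("Zyklon", re.compile(r"\.zyklon$", re.I)),
    ("PadCrypt", re.compile(r"\.padcrypt$", re.I)),
]

# (family, byte string the malware writes into every file it encrypts)
CONTENT_MARKERS = [
    ("FenixLocker", b"FenixIloveyou!!"),
]


def identify_file(filename: str, sample: bytes = b"") -> set:
    """Return every family whose signature matches this name or content sample."""
    hits = {fam for fam, rx in NAME_RULES if rx.search(filename)}
    hits |= {fam for fam, marker in CONTENT_MARKERS if marker in sample}
    return hits


def scan_directory(root: str, sample_bytes: int = 4096) -> Counter:
    """Count signature hits per family across a tree. Head and tail of each file
    are sampled because markers are typically prepended or appended."""
    votes = Counter()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
                fh.seek(0, os.SEEK_END)
                fh.seek(max(0, fh.tell() - sample_bytes))
                tail = fh.read(sample_bytes)
            for fam in identify_file(fn, head + tail):
                votes[fam] += 1
    return votes


def most_likely(votes: Counter):
    """Family with the most hits, or None when nothing matched."""
    return votes.most_common(1)[0][0] if votes else None


def build_demo_dir() -> str:
    """Constructed sample: Locky, Dharma and FenixLocker artefacts plus one clean file."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    filler = bytes(range(256))  # deterministic stand-in for encrypted content
    files = {
        "report.docx.zepto": filler,
        "budget.xlsx.osiris": filler,
        "OSIRIS-1a2b.htm": b"<html>constructed ransom note</html>",
        "scan.pdf.[amagnus@india.com].dharma": filler,
        "photo.jpg": filler * 2 + b"FenixIloveyou!!",
        "notes.txt": b"plain, untouched file",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    tally = scan_directory(demo)
    for family, n in tally.most_common():
        print(f"{family:16s} {n} hit(s)")
    print("most likely:", most_likely(tally))
```

Two caveats apply when using something like this in an incident. Generic extensions such as .locked, .encrypted or .crypted are shared by many families on this page and are deliberately left out, because they identify nothing on their own. And a filename match says which family, not which version; as the Cerber and Locky entries show, the note name and extension change between builds, so pair the result with the ransom note contents before choosing a decryptor.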
New sample called the CHIP ransomware relies on the RIG-E exploit kit for proliferation.
Corrupts victims’ data and provides no way to restore them due to a buggy key saving routine.
Uses a rogue Visa Credit Card generator to camouflage payload execution.
Malicious .svg images sent via Facebook’s instant messaging system install Nemucod Trojan and Locky.
New variant claims to delete the AES-256 key unless a ransom is sent within 36 hours. Decrypted by Avast.
Appends the .aesir extension and leaves _[random_number]-INSTRUCTION.html/bmp ransom notes.
New ransomware telling victims to call a “Microsoft Support technician”. Appends the .vindows extension.
Security analyst @hasherezade defeats Princess Locker’s crypto and releases a decryption tool.
Malwarebytes releases a free decryptor for Telecrypt ransomware, which uses Telegram’s API.
Cisco Talos spot a Locky spam wave delivering booby-trapped MHT email attachments.
New ransomware appears that displays an image of a turkey on its warning screen.
Uses the .Locked extension and Santa_helper@protonmail.com email for communication. Decryptor available.
Another edition of the Locky ransomware appending the .zzzzz extension to encrypted files.
Proliferates via RIG-V exploit kit and spam. Still appends a random 4-character extension.
Based off of open-source Hidden Tear proof-of-concept. Uses a Jigsaw movie-themed background.
A byproduct of educational ransomware project called CryptoWire. Asks for a Bitcoin equivalent of $500.
Appears to be an in-development ransomware sample. Appends the .hannah extension to locked files.
New variant of the Cerber ransomware creates _README_.hta ransom notes.
Claims to have found viruses and displays “Your computer is locked!” warning. Unlock password released.
Attacks are isolated to Brazil. Renames files rather than encrypt them. Demands 1 Bitcoin for recovery.
Displays “Your Windows Has Been Banned” message. The unlock password is 123456.
An Apocalypse ransomware spinoff. Encrypts files and displays a warning screen before Windows boots up.
Security researchers create a decryptor for Vindows Locker, which uses tech support scam tactic.
HDDCryptor ransomware paralyzes San Francisco Municipal Transit Agency’s IT infrastructure.
This PowerShell-based sample uses the ps2exe script and overwrites the original files.
HTCryptor’s code is based on open-source Hidden Tear ransomware. Tries to disable Windows firewall.
San Francisco Muni’s officials deny allegations about corporate data being stolen by ransomware devs.
Emsisoft analyst Fabian Wosar creates a free decryptor for NMoreira/XPan ransomware.
Unidentified ransomware sample compromises Carleton University in Canada, demanding 39 BTC.
A new Jigsaw variant uses a phony Electrum Coin Adder app’s GUI to mask the ransomware installation.
New edition of the Zeta ransomware uses .rmd extension and # HELP_DECRYPT_YOUR_FILES #.txt ransom note.
The latest version of TorrentLocker, aka Crypt0L0cker, appends files with 6 random characters.
New iteration uses random extensions of 4-6 chars and !_HOW_TO_RESTORE_[random].txt ransom note.
This sample locks data using the free GnuPG implementation of OpenPGP cryptographic standard.
Avast releases 4 free decrypt tools for CrySiS, Globe, NoobCrypt and Alcatraz Locker ransomware strains.
Wannabe crooks can purchase the new C# based Alpha Locker ransomware on underground forums for $65.
Code of the updated ransomware contains a message to Fabian Wosar who cracked the previous version.
Based on the Hidden Tear POC. Appends the .R.i.P extension to files and drops Important!.txt ransom note.
Version 3.1.2 of the PadCrypt ransomware is out. This build doesn’t feature any noteworthy changes.
The man nicknamed “Pornopoker” is accused of creating and distributing Ransomlock.P police ransomware.
Emsisoft’s Fabian Wosar creates a decrypt tool for the latest variant of the Nemucod ransomware.
The updated Apocalypse Trojan leaves *md5*.txt ransom note and a new extension with country code in it.
New Shade, aka Troldesh, ransomware variant (.no_more_ransom extension) uses the Kelihos botnet to spread.
It’s supposed to lock one’s screen and encode files (.encrypted extension), but the crypto part doesn’t work.
New Locky ransomware variant appends the .osiris extension and drops OSIRIS-[4_chars].htm ransom notes.
Affects master boot record (MBR) and encrypts master file table (MFT), thus completely blocking PCs.
Victims are suggested to infect two more users and thereby get their decryption key free of charge.
New Jigsaw ransomware build featuring “HACKED” logo. The ransom size starts at 0.25 BTC.
Appends the .VforVendetta file extension and leaves 000-PLEASE-READ-WE-HELP.html ransom note.
A cybercrime ring made tweaks to open-source EDA2/Hidden Tear code, now selling it on the dark web.
Crooks use new proof-of-concept ransomware called CryptoWire to create Lomix and Ultralocker strains.
Arrives at PCs with malicious Microsoft Word documents. Demands a BTC equivalent of $1000 for decryption.
Cyber SpLiTTer Vbs ransomware version 2.0 is out. Based off of the Hidden Tear POC. Demands 0.5 BTC.
Ransom notes are called RESTORE_CORUPTED_FILES.html. The payment deadline is set to 15 days.
Now uses the .dale extension and leaves DALE_FILES.txt ransom note.
Uses an animated Matrix-style lock screen. Demands a Bitcoin equivalent of $400.
Other than the new version number, no significant differences from the previous edition.
Locks the screen and asks for 0.3 BTC. The unlock code is “suckmydicknigga”.
According to Palo Alto Networks, the Samas ring’s profits in 2016 amounted to more than $450,000.
A Hidden Tear spinoff. Uses the .sexy extension and drops !!!!!ATENÇÃO!!!!!.html ransom notes in Portuguese.
Appends the .Locked extension to encrypted files and demands 0.25 BTC. Steals passwords along the way.
Renames files to base64 strings, adds the .kraken extension and creates _HELP_YOUR_FILES.html ransom notes.
Claims to have banned a victim’s PC for terms of use violations. The unlock code is “nvidiagpuareshit”.
Uses the .lesli extension. Ransom notes are called INSTRUCTION RESTORE FILE.txt.
Michael Gillespie (@demonslay335) releases a free decryptor for the Locked-In ransomware.
Cerber ransomware payload arrives with rogue credit card reports that dupe users into opening a Word attachment.
New edition of the Xorist ransomware appends the .antihacker2017 string to files. Decryptable for free.
The only tweak is the new unlockvt@india.com extension for mutilated files. Demands 1.5 Bitcoin.
Clone of the M4N1F3STO screen locker using a new background. The unlock code is the same (see above).
Drops “Help to decrypt.txt” ransom manual and provides thedon78@mail.com email address for payment directions.
This sample is currently in development. Only scrambles data in the Test path on a targeted computer’s desktop.
Bitdefender, Emsisoft, Trend Micro and Check Point join the No More Ransom project. 32 new decryptors added, too.
New BandaChor ransomware spreads via malvertising on X-rated sites and an e-commerce web page.
Researchers spotted an instance of tweaking the Hidden Tear code by a wannabe crook named Chris.
New sample using the .ENC extension. Simply renames files rather than encrypting them.
Analysts discovered a Globe clone that appends the .crypt extension and leaves HOW_OPEN_FILES.hta note.
According to MalwareHunterTeam, Cerber starts using several new IP ranges for UDP statistics.
The updated infection switches to using the rescuers@india.com email address for interaction with victims.
New Dharma edition instructs victims to reach the attacker via amagnus@india.com email address.
Researchers discover CryptoBlock strain whose ransom notes resemble Cerber’s. No actual encryption yet.
New variants of Android banking malware turn out to include ransomware capabilities as well.
The RansomFree app by Cybereason detects and blocks over 40 widespread ransom Trojans.
Creates *MD5*.txt ransom note and uses cryptcorp@inbox.ru for interacting with victims.
New edition of M4N1F3STO screen locker encrypts data along the way. Decryption routine is buggy.
Leaves RESTORE_YOUR_FILES.txt ransom manual and uses alex.vas@dr.com email address for communication.
RannohDecryptor now handles CryptXXX ransomware variants using the .crypt, .crypz and .cryp1 extensions.
Appends .theworldisyours extension and creates CHECK-IT-HELP-FILES.html ransom note.
Written in Go, the strain uses .braincrypt extension and !!! HOW TO DECRYPT FILES !!!.txt ransom manual.
Aka IDRANSOMv3, targets Indonesian users. Decrypted by Michael Gillespie (@demonslay335).
Mimics a Windows update while encrypting data. Demands 0.2 BTC for decryption.
New sample. Appends the .crypted extension to files and asks for 1 BTC. Decrypted by Michael Gillespie.
Researchers found a way to defeat the PadLock screen locker. The unlock code is ajVr/G\RJzoR
The alert by Free-freedom ransomware says it was coded by a 13-year-old boy. The unlock code is ‘adam’.
Researchers at BleepingComputer publish a comprehensive guide on ransomware protection.
New Cerber edition doesn’t delete Volume Shadow Copies and primarily targets Microsoft Office documents.
The Winnix Cryptor Team ransomware is executed on servers via a BAT file and uses GPG crypto.
Cerber starts using 115.22.15.0/27, 114.23.16.0/27, and 91.239.24.0/23 IP ranges for UDP statistics.
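The UDP statistics ranges above are a usable network indicator. As an added example (not part of the original chronicle), the script below checks firewall log lines for UDP traffic to those three CIDRs. The key=value log format and the sample lines are constructed for this example; the only facts taken from the page are the protocol and the IP ranges.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# IP ranges the chronicle reports Cerber using for UDP statistics traffic.
CERBER_UDP_RANGES = [
    ipaddress.ip_network("115.22.15.0/27"),
    ipaddress.ip_network("114.23.16.0/27"),
    ipaddress.ip_network("91.239.24.0/23"),
]

# Hypothetical key=value firewall log format (assumption for this example).
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'proto=udp src=... dst=... dport=...' into a dict."""
    return dict(KV_RE.findall(line))


def in_cerber_ranges(ip: str) -> bool:
    """True if ip falls inside one of the reported statistics ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Malformed address field: not a match rather than a crash.
        return False
    return any(addr in net for net in CERBER_UDP_RANGES)


def find_cerber_beacons(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, dport) for UDP flows whose destination is in the ranges."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("proto", "").lower() != "udp":
            continue  # the indicator is UDP-only; TCP to the same hosts is not covered
        dst = rec.get("dst")
        if dst and in_cerber_ranges(dst):
            hits.append((rec.get("src", ""), dst, rec.get("dport", "")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "proto=udp src=10.0.0.5 dst=115.22.15.31 dport=6000",   # inside 115.22.15.0/27
    "proto=udp src=10.0.0.5 dst=115.22.15.32 dport=6000",   # just outside the /27
    "proto=tcp src=10.0.0.7 dst=91.239.24.10 dport=443",    # in range, but TCP
    "proto=udp src=10.0.0.7 dst=91.239.25.200 dport=6001",  # inside 91.239.24.0/23
    "proto=udp src=10.0.0.9 dst=114.23.16.40 dport=53",     # outside 114.23.16.0/27
    "proto=udp src=10.0.0.9 dst=8.8.8.8 dport=53",          # unrelated
    "proto=udp src=10.0.0.9 dst=not-an-ip dport=53",        # malformed field
]

if __name__ == "__main__":
    for src, dst, dport in find_cerber_beacons(SAMPLE_LOG):
        print(f"possible Cerber statistics beacon: {src} -> {dst}:{dport}/udp")
```

Hosts flagged this way should be treated as candidates for triage, not as confirmed infections: the ranges are shared infrastructure indicators from a point in time, and the page itself records Cerber changing them more than once.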
New sample. Alerts victims with an irritating warning screen and audio. Appends the .locked extension.
Coded by the already familiar Adam kid. Appends the .madebyadam extension. Decrypt password is ‘adamdude9’.
New in-dev version of Koolova decrypts files for free if a victim reads a few articles about ransomware.
Another sample calling itself CryptoLocker concatenates the .cryptolocker string to encrypted entries.
The bad guys are getting ready to celebrate. Several C2 domains used by Cerber have ‘christmaas’ in their URLs.
New variant of the Venus Locker ransomware demands 1 BTC and sets a deadline of 72 hours.
The sample is still a debug version, hence not fully functional. Provides the decrypt key for free at this point.
A Globe ransomware copycat using the .crypt extension and HOW_OPEN_FILES.hta ransom notes. Decrypted by Emsisoft.
Demands $30. Victims must contact “Arizonacode” Skype user for payment steps. The code contains an “unlock all” command.
The update has brought about new IP ranges for statistical purposes, as well as _[random]_README.hta/jpg ransom notes.
Appends the .bript extension to mutilated files and leaves a recovery walkthrough called More.html.
The new .hush extension being added to files is the only change made to Jigsaw in the course of this update.
Emsisoft’s Fabian Wosar makes changes to his NMoreira decryptor, which can now handle the .maktub extension variant.
Creates HOW_TO_RESTORE_FILES.txt ransom note and uses the C-email-[attacker_email_address]-[filename].odcodc extension.
Android ransomware attacks LG Smart TVs, generating an FBI-themed lock screen and asking for $500 to unlock.
A new strain spotted that appends the -opentoyou@india.com extension to files and drops !!!.txt ransom note.
The file-deleting virus called KillDisk can now encode data. The ransom amounts to hundreds of Bitcoins.
A sample of the GoldenEye ransomware was found to proliferate via a bogus ESET AV installer.
The mkgoro@india.com version of the Dharma ransomware uses HTA format for its ransom notes (Info.hta).
New Samas ransomware iteration uses the .whereisyourfiles extension and WHERE-YOUR-FILES.html help file.
An article posted on MalwareTech blog explains why open source ransomware is a bad idea.
Concatenates the .edgel extension to mutilated files. The ransom amounts to 0.1 BTC.