Ransomware Chronicle

This is a comprehensive report on ransomware-related events covering a timeframe of January 2017 through June 2018. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources.

• New ransomware released

• Old ransomware updated

• Ransomware decrypted

• Other important ransomware related events

• HEROPOINT RANSOMWARE DISSECTED

  In-dev sample called HeroPoint appends random numbers to filenames and demands $20 worth of Bitcoin for recovery.

• FILE-LOCKER RANSOMWARE TWEAK

  This Korean ransomware switches from using the .locked file extension to .razy string for labeling hostage data items.

• TRIPLEM (MMM) RANSOMWARE

  Subjoins the .triple_m or .0x009d8a string to encrypted files and drops RESTORE_triple_m__FILES.html ransom notification.

• GOOGLE CRYPT SOUNDS MORE PROFESSIONAL THAN IT IS

  Currently in development, the Google Crypt strain claims to encrypt data but actually just locks the screen of an infected machine.

• A DECRYPTABLE EDITION OF XORIST DISCOVERED

  Researchers come across a Xorist ransomware variant that has been around for quite some time. Uses the .cryptedx file extension.

• ANOTHER DAY, ANOTHER CRYPTOMIX TWEAK

  The CryptoMix ransomware mutates again. Its newest version switches to using the .SERVER extension for ransomed data entries.

• ONE MORE GLOBE2 SPINOFF

  A fresh Turkish variant of the Globe2 ransomware is discovered. It concatenates the .vrmrkz string to ciphered files. Decryptable.

• LEON EDITION OF THE BLIND RANSOMWARE

  The Blind ransomware lineage produces another mod that blemishes data with the .leon extension prepended with attacker’s email.

• KOREANLOCKER RANSOMWARE SPOTTED

  New sample called KoreanLocker is a spinoff of the academic Hidden Tear project. Uses the .locked extension to label hostage files.

• JIGSAW RANSOMWARE GETS A MAKEOVER

  Fresh variant of the Jigsaw blackmail virus targets Polish users and displays an x-rated picture on its warning screen.

• KRYPTON RANSOMWARE, A NEW ONE

  Another Hidden Tear variant called the Krypton Ransomware uses the .kryptonite extension and KRYPTON_RANSOMWARE.txt note.

• REVOLUTIONARY HC7 VERSION

  New edition of the HC7 ransomware adds .PLANETARY string to filenames and accepts payments in Bitcoin, Monero and Ethereum.

• D.KOPORUSHKIN VIRUS DISCOVERED

  Named after a TXT file it creates, the D.Koporushkin culprit encrypts files adding the .aes extension and also acts as a data stealer.

• FROG RANSOMWARE HAILING FROM VIETNAM

  Unsurprisingly, one more derivative of Hidden Tear PoC. Appends the .frog extension to files and drops frog.txt ransom note.

• JIGSAW GETS ANOTHER UPDATE

  An umpteenth edition of the Jigsaw ransomware is spotted that concatenates the .CryptWalker suffix to encrypted files.

• LONGTERMMEMORYLOSS RANSOMWARE

  Currently in development, the LongTermMemoryLoss ransom Trojan uses an apropos .LTML extension to stain encoded data.

• DEATH N0TE RANSOMWARE SURFACES

  Rather than encrypt a victim’s files, the Death N0te infection moves them to a RAR archive protected by a password.

• CRYPTWALKER, ONE MORE BADDIE ON THE TABLE

  The sample called CryptWalker turns out to be a DUMB ransomware spinoff. Does not modify filenames. In-dev at this point.

• SHADY APPLICATION CALLED D4CK3R C0NTR01

  This one is a paid decrypt tool for the ransomware called D4CK3R. Interestingly, analysts haven’t spotted the ransomware itself yet.

• LAZAGNECRYPT CULPRIT IN THE WILD

  New blackmail virus called LazagneCrypt encrypts files while staining them with the .encr extension and steals victims’ passwords.

• NEW VARIANT OF KILLDISK

  A fresh edition of KillDisk, a destructive data wiper, wreaks havoc in Latin America, destroying data while posing as classic ransomware.

• U.S. HOSPITAL GIVES IN TO EXTORTIONISTS

  The Hancock Health hospital in Greenfield, IN, pays a ransom of $55,000 to restore data crippled by SamSam ransomware.

• KILLBOT VIRUS BEING DEVELOPED

  Researchers spot in-dev ransomware calling itself the Killbot Virus. It simply displays a warning screen so far, with no crypto in place.

• R3VO RANSOMWARE SPOTTED

  New sample called R3vo ransomware appends the .Lime string to hostage files and demands $100 worth of Bitcoin for decryption.

• NEW BACKUP FEATURE ANNOUNCED BY MICROSOFT

  Microsoft is reportedly planning to include “Files Restore” function to OneDrive for Business that will allow restoring lost data.

• SAMSAM STRAIN SPREADING LIKE WILDFIRE

  The gang behind SamSam/Samas ransomware was able to infect high-profile victims recently, including hospitals and a U.S. city council.

• JIGSAW RANSOMWARE GETS A SMALL TWEAK

  The latest Jigsaw edition called Mada stains encrypted files with the .LOCKED_BY_pabluklocker extension and uses a new background.

• TALK RANSOMWARE SURFACES

  This one is a Hidden Tear spinoff that targets Korean-speaking audience. Uses the .암호화됨 (means “.encrypted”) extension.

• RANSOMUSERLOCKER STRAIN OUT THERE

  Another Korean offshoot of Hidden Tear PoC from the creators of Talk Ransomware. Uses the .RansomUserLocker file extension.

• GHACK RANSOMWARE

  Currently in development, the GHack specimen turns out really buggy. Does not encrypt and simply generates a warning screen.

• SURERANSOM INFECTION BEING CREATED

  One more in-dev sample discovered by security analysts. No crypto at this point. Claims to use AES-256 and demands £50.

• ANOTHER CRUDE STRAIN CALLED RANCIDLOCKER

  Aka Rancidware Screen Locker, this pest purports to block access to the desktop and demands $150. Only displays a warning screen.

• QWERTY RANSOMARE RELEASED

  Hidden Tear based Qwerty ransomware targets Portuguese-speaking users. Uses the .qwerty file extension and demands 0.05 Bitcoin.

• DESUCRYPT SPINOFFS BEING DISTRIBUTED

  Two variants of open-source desuCrypt ransomware start making the rounds, appending the .insane and .deuscrypt extension to locked files.

• RAPID RANSOMWARE STANDS OUT FROM THE REST

  This sample (.rapid extension, How Recovery Files.txt note) encodes data spotted at attack point and any new files created on the computer.

• GLOBEIMPOSTER 2.0 UPDATED

  The latest GlobeImposter 2.0 version switches to the .crypted! suffix for encrypted data items and sticks with how_to_back_files.html note.

• THE INTRICATE MONEROPAY RANSOMWARE

  New file-encrypting threat called MoneroPay masquerades itself as a wallet application for rogue altcoin called SpriteCoin.

• NOTPETYA CAUSED LOTS OF TROUBLE TO MAERSK

  Maersk, Danish transportation company, claims to have reinstalled thousands of servers and PCs to recover from last year’s NotPetya incident.

• NEW ADULT SITES BORNE INFECTION SURFACES

  Dubbed PornBlackmailer, this culprit spreads via x-rated sites and threatens to notify law enforcement that the victim distributes child porn.

• FRESH RANSOMWARE STATISTICS RELEASED

  According to a report by Malwarebytes, ransomware attacks against end users and businesses grew by 93% and 90% in 2017, respectively.

• ROTORCRYPT UPDATED

  The most recent variant of the RotorCrypt ransomware appends files with an unusually long extension ending with .Black_OFFserve.

• VELSO RANSOMWARE IN THE WILD

  The baddie in question spreads via compromised remote desktop services and concatenates the .velso extension to scrambled files.

• TIES BETWEEN DRIDEX GANG AND BITPAYMER THREAT

  According to ESET, the BitPaymer/FriedEx ransomware was most likely created by the crooks behind the notorious Dridex banking Trojan.

• GANDCRAB RANSOMWARE RELEASED

  The GandCrab ransomware spreading via exploit kits is revolutionary as it accepts ransoms in DASH cryptocurrency rather than Bitcoin.

• TOR-TO-WEB PROXY OPERATOR PLAYS NAUGHTY

  The Onion.top Tor proxy service was found to replace Bitcoin addresses on some ransomware payment sites with its own wallet addresses.

• SCHOOL DISTRICT IN THE U.S. HIT BY RANSOMWARE

  Chester County School District, South Carolina, is trying to recover data after unidentified ransomware crippled it over the weekend.

• CRYSIS/DHARMA RANSOMWARE UPDATED

  The latest discovered variant of the CrySiS/Dharma ransomware lineage switches to using the .write extension for hostage files.

• SPRING HILL, TN, RECOVERING FROM CRYPTO ONSLAUGHT

  The city of Spring Hill, Tennessee, continues to rebuild its servers after last year’s ransomwrae attack, putting utility payments back online.

• PUBLIC LIBRARY FALLS VICTIM TO RANSOMWARE

  Unknown ransom Trojan infects the computer network of Spartanburg County Public Library in South Carolina. Staff refuses to pay the ransom.

• “RANSOMWARE” TERM ADDED TO POPULAR DICTIONARY

  The word “ransomware” has been added to the latest edition of Oxford English Dictionary. No wonder, it’s such a common term these days.

• MINDLOST RANSOMWARE HARVESTS SENSITIVE DATA

  The new strain called MindLost instructs victims to provide their credit card information and pay $200 ransom for data decryption.

• ANOTHER GLOBEIMPOSTER VERSION RELEASED

  Malware analysts come across a brand new variant of the GlobeImposter ransom Trojan that appends the .DREAM string to locked files.

• FAMOUS RANSOMWARE FIGHTER TO BE AWARDED

  The FBI is going to give the FBI Director’s Community Leadership Award to Michael Gillespie (@demonslay335) for his anti-ransomware work.

• GANDCRAB MARKETED AS A RAAS

  It turns out that the recently released GandCrab ransomware is backed by a Ransomware-as-a-Service model being pushed via shady forums.

• SCARABEY RANSOMWARE, OFFSHOOT OF THE SCARAB PEST

  Researchers discover the new Scarabey ransomware that’s a spinoff of the Scarab strain infecting companies via hacked RDP services.

• CRYPTOMIX UNDERGOES A TWEAK

  The most recent mod of the prolific CryptoMix blackmail virus switches to concatenating the .SYSTEM extension to encrypted files.

• TEAR DR0P V1 CULPRIT DISCOVERED AND DECRYPTED

  The sample called TEAR DR0P V1 employs SpeechSynthesizer tool to produce audio alerts. Analysts were able to crack it fairly fast.

• INFINITE TEAR BADDIE FINE-TUNED

  New iteration called InfiniteTear 3 uses the .Infinite extension for ransomed files and #How_Decrypt_Files.txt ransom note.

• COUCHDB SERVERS STILL EXPOSED TO EXTORTION

  Security researchers discover a new wave of CouchDB database hacks for ransom. The crooks demand 0.2 BTC for restoring the content.

• RARUCRYPT USES PASSWORD-PROTECTED ARCHIVES

  RaruCrypt is a Russian ransomware strain demanding 200 RUB for unlocking a RAR archive with data. Password is S?{DCO^C!{L@CR^+<7E}2.

• HERMES 2.1 STRAIN GETS FINE-TUNED

  The previously released Hermes 2.1 ransomware undergoes a tweak, switching to a new filemarker and appending no extension to filenames.

• MONEROPAY RANSOMWARE DECRYPTED

  Analysts from NioGuard Security Lab create a free decryption tool for the MoneroPay ransomware, which pretends to be a SpriteCoin wallet.

• ONE MORE SAMPLE IN THE JIGSAW LINEAGE

  The most recent mod of the Jigsaw ransomware concatenates the .# suffix to encoded files. Still decryptable courtesy of @demonslay335.

• CRYPT12 PEST UPDATED

  A fresh edition of the Crypt12 strain switches to using hernansec@protonmail.ch email address for interaction with victims.

• INTERESTING STATS REGARDING RANSOMWARE

  According to a survey by Sophos, 54% of organizations fell victim to ransomware in 2017. Most suffered such attacks twice during the year.

• WINDOWS’ CFA FEATURE SUSCEPTIBLE TO ABUSE

  Spanish researcher Yago Jesus was able to get around Controlled Folder Access feature that’s supposed to protect against ransomware.

• YET ANOTHER JIGSAW EDITION SPOTTED

  New Turkish version of the Jigsaw ransomware is discovered that concatenates the .justice string to encoded files. Decryptable.

• ADAMLOCKER RANSOMWARE UPDATED

  The latest iteration disables Task Manager, displays a ransom note in Korean and subjoins the .adam extension to encrypted files.

• GANDCRAB SPREADING VIA BOOBY-TRAPPED SPAM

  Operators of the GandCrab ransomware campaign switch to malicious spam for distribution. The emails contain rogue receipts.

• HONOR RANSOMWARE IN THE WILD

  This one replaces filenames with random hexadecimal characters and adds the .honor extension to each. Does not leave a ransom how-to.

• CALIFORNIA VOTER DATABASE HACKED ONCE AGAIN

  Threat actors were able to breach and steal data from MongoDB database of California voters, demanding ransom for reinstating the records.

• BLACK RUBY RANSOMWARE SPOTTED

  Prepends the ‘Encrypted_’ string and appends .BlackRuby extension to filenames. Additionally installs a Monero cryptocurrency miner.

• DEXCRYPT CRIPPLES MASTER BOOT RECORD

  DexCrypt is a Chinese blackmail virus affecting the MBR of target hosts, thus denying access to Windows. Demands 30 Yuan (about $5).

• DCRTR RANSOMWARE DISCOVERED

  Affixes the .[decryptor@cock.li].dcrtr string to encrypted files and provides recovery steps in ReadMe_Decryptor.txt document.

• ROTORCRYPT KEEPS ON CHANGING

  The latest edition of the RotorCrypt ransomware concatenates the !decrfile@tutanota.com.crypo extension to encoded files.

• THE NEW TBLOCKER RANSOMWARE

  TBlocker appends the “_” extension to encrypted files and demands $250 worth of Bitcoin. Decryptable beyond ransom.

• RAPID RANSOMWARE DISTRIBUTION DETAILS

  The Rapid ransomware strain is spreading via phishing emails disguised as urgent notifications from the U.S. Internal Revenue Service.

• DEFENDER RANSOMWARE SURFACES

  This one tries to mimic Windows Defender. Concatenates the .defender extension to locked files and has a flaw that thwarts decryption.

• BLANK RANSOMWARE IS SOMEBODY’S PRANK

  This sample appends the apropos .blank extension to filenames and provides the decryption key after a victim hits the right button.

• DESUCRYPT RANSOMWARE UPDATED

  The latest version of the desuCrypt strain stains hostage files with the .Tornado extension and drops a ransom note named key.txt.

• PENDOR RANSOMWARE CRACKED

  Well-known security researcher Michael Gillespie, aka demonslay335, releases a free decryptor for Pendor (.pnr files) ransomware.

• FRESH JIGSAW RANSOMWARE VERSION OUT THERE

  Brand-new Korean mod of the prolific Jigsaw ransom Trojan switches to using the .locked extension for crippled files.

• NOTPETYA ATTRIBUTION UNVEILED BY THE UK

  The United Kingdom officially accuses Russian government for the NotPetya ransomware outbreak that took place in June 2017.

• GLOBEIMPOSTER GOING AFTER HIGH-PROFILE VICTIMS

  New variant of the GlobeImposter ransomware adds the .suddentax extension to files and targets enterprise computer networks.

• UMARU RANSOMWARE RELEASED

  The Umaru ransomware is a Japanese strain that concatenates the .干物妹！suffix to encrypted files and doesn’t leave a ransom note.

• SATURN RANSOMWARE SPREADING ON A LARGE SCALE

  New sample called Saturn ransomware uses the .saturn extension for encoded files and drops #DECRYPT_MY_FILES#.txt/html ransom notes.

• RELEC RANSOMWARE TURNS OUT A PIECE OF JUNK

  Relec ransomware is a new in-development sample configured to demand 1 BTC for decryption, although it fails to encrypt anything.

• DEADRANSOMWARE DOESN’T DO MUCH DAMAGE

  While this one claims to encrypt data, it is actually a screen locker. The password to unlock is “DeadRansomwareDecryptMyFiles”.

• NEW ONE USING .RANSOMWARED EXTENSION

  A fresh strain is spotted that concatenates the .ransomwared string to encrypted items. Currently in development.

• WANNACRYPT DISCOVERED AND CRACKED

  The sample called WannaCrypt displays a warning screen with a barcode and demands 0.05 BTC. Decrypted by researchers.

• SATURN RAAS WAITING FOR AFFILIATES

  Analysts discover a new Ransomware-as-a-Service platform backing the distribution of the Saturn ransomware. No registration fee required.

• U.S. COUNTIES STAY VULNERABLE TO RANSOM ATTACKS

  The computer network of Davidson Country, North Carolina, suffers a ransomware attack. There are reportedly good backups in place.

• ANDROID RANSOMWARE’S DECLINE IN 2017

  According to the findings of researchers at ESET, the number of reported Android ransomware infections went down last year.

• BANANACRYPT RANSOMWARE SURFACES

  The brand-new BananaCrypt ransomware speckles encrypted files with the .bananaCrypt extension and demands $300 worth of Bitcoin.

• RUSSENGER RANSOMWARE SPOTTED

  This one zeroes in on Russian-speaking computer users. Appends the .messenger-[random] extension to encoded files.

• NEW LOCKCRYPT VARIANT SPREADING VIA RDP

  An edition of the LockCrypt ransomware is released that spreads over breached remote desktop services and uses the .1BTC file extension.

• SHIFR STRAIN UPDATED

  The latest version of the Shifr ransomware switches to using the .cypher extension and How_To_Decrypt_Files.html rescue note.

• INTERVIEW WITH PROMINENT RANSOMWARE ANALYST

  MonsterCloud Cyber Security publishes an interview with Michael Gillespie, a ransomware fighter who got the FBI’s special award.

• THE NASTY IMPACT OF ANNABELLE RANSOMWARE

  The Annabelle blackmail strain terminates numerous programs, encrypts a victim’s data and cripples the MBR (master boot record).

• NEW HIGH-PROFILE VICTIM MADE BY SAMSAM STRAIN

  The SamSam/Samas ransomware infects the Colorado Department of Transportation, forcing the shutdown of more than 2,000 computers.

• GLOBE2 RANSOMWARE UPDATED

  A new mod of the Globe2 ransom Trojan targets Turkish users and subjoins the .frmvrlr2017 suffix to locked files. Decryptable.

• BALILUWARE SAMPLE POPS UP

  Baliluware is a Hidden Tear PoC derivative that uses the .you-are-f*cked-by-baliluware-(coded-by-heropoint) extension for hostage files.

• DATA KEEPER RANSOMWARE GAINS TRACTION

  Having been launched on a RaaS basis a couple of days ago, the Data Keeper ransom Trojan starts contaminating PCs in the wild.

• THANATOS STRAIN DOESN’T WORK AS INTENDED

  The new Thanatos (“Death” in Greek) ransomware doesn’t save the crypto keys, so recovery is impossible. Accepts Bitcoin Cash for ransoms.

• RIG EK OPERATORS ABANDON RANSOMWARE BUSINESS

  According to researchers, one of the most common exploit kits called RIG has switched from spreading ransomware to delivering coin miners.

• NEW XIAOBA VARIANT RELEASED

  The latest persona of this blackmail virus uses the .Encrypted[BaYuCheng@yeah.net].XiaoBa extension and _XiaoBa_Info_.hta ransom note.

• GANDCRAB RANSOMWARE CRACKED

  Bitdefender finds a workaround for the crypto utlized by GandCrab ransomware, allowing those infected to recover their data for free.

• NEW DISTRIBUTION TACTIC BY GANDCRAB OPERATORS

  A recent wave of GandCrab ransomware propagation leverages the notorious “HoeflerText font wasn’t found” scam.

• KWAAK RANSOMWARE, A HIDDEN TEAR SPINOFF

  Yet another incarnation of the academic Hidden Tear ransomware dubbed Kwaak uses the .kwaaklocked suffix to label hostage data entries.

• JIGSAW LINEAGE PRODUCES ONE MORE SPINOFF

  Another variant of the Jigsaw ransomware appears that appends .contact-me-here-for-the-key-admin@adsoleware.com to locked files.

• NEW CRYPTCONSOLE VERSION DECRYPTABLE FOR FREE

  Having found the original decryptor for CryptConsole’s qar48@tutanota.com edition, Michael Gillespie adds support for it to his decrypt tool.

• DHARMA RANSOMWARE SHOOTING ‘ARROWS’

  A version of the Dharma ransomware is discovered in the wild that concatenates the .id-[victim ID].arrow extension to encrypted files.

• SAMPLE USING GNUPG FREE ENCRYPTION TOOL

  Security experts stumble upon a ransomware strain that leverages GnuPG, aka GPG, solution to encrypt. Uses the .[number].qwerty extension.

• PRINCESS LOCKER RESURFACES

  A new mod of the Princess Locker culprit is spotted after a long hiatus of this family. It drops “=_HOW_TO_FIX_RQZLIN.txt” recovery how-to.

• MAGNIBER ON THE RISE IN SOUTH KOREA

  According to analysts’ observations, there is an ongoing powerful wave of Magniber ransomware attacks zeroing in on South Korean users.

• GLOBEIMPOSTER STRAIN KEEPS MUTATING

  The latest build of the GlobeImposter ransomware uses the .encrypt extension for hostage files and instructions.html rescue note.

• JIGSAW STARTS USING AN OFFBEAT EXTORTION TACTIC

  New variant of the Jigsaw blackmail virus appends .Bitconnect to files and instructs victims to post photos of themselves on Instagram.

• ROTORCRYPT GETS A BIT OF FINE-TUNING

  Fresh version of RotorCrypt ransomware appends the “! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2” extension to files.

• GANDCRAB RANSOMWARE UPDATED

  GandCrab v2 is out. It switches to using the .CRAB extension for encrypted data items and a ransom note named CRAB-DECRYPT.txt.

• PLUS ONE MOD FOR THE CRYAKL FAMILY

  Cryakl, a ransomware old stager, is updated to version 1.5.1.0 and starts using email-dorispackman@tuta.io contact address.

• JIGSAW EDITION TARGETING SPANISH-SPEAKING USERS

  Yet another version of the Jigsaw culprit concatenates the .jes extension to files and features Cthulhu image on its warning screen.

• GLOBEIMPOSTER AND GANDCRAB CAMPAIGNS DISSECTED

  Security analysts provide in-depth information on the latest spam campaigns spreading the GlobeImposter and GandCrab strains.

• SILENTSPRING SAMPLE SPOTTED

  This is a new one that doesn’t appear to represent any known family. Affixes the .Sil3nt5pring extension to ransomed files.

• CRYPTO CRACKING MASTERCLASS FROM EXPERTS

  Researchers at Malwarebytes post a write-up regarding weak links in ransomware crypto that allow for data decryption beyond ransom.

• RESEARCH PROVES PAYING RANSOMS IS A SLIPPERY SLOPE

  International survey by CyberEdge Group shows that less than 50% of ransomware victims who paid up were able to decrypt their files.

• FRESH DETAILS RELEASED ON QWERTY RANSOMWARE

  The pest in question overwrites original files with encrypted copies and drops a ransom notification named README_DECRYPT.txt.

• FRS RANSOMWARE ON THE TABLE

  This brand-new strain blemishes encrypted files with the .FRS suffix and drops a combo of READ_ME_HELP.txt/png ransom notes.

• CROOKS MAKE ANOTHER HIGH-PROFILE VICTIM

  The computer network of Connecticut state judicial branch gets hit by ransomware infection that impacts protective order registry service.

• ULTIMO, A HIDDEN TEAR SPINOFF, GETS A MINOR UPDATE

  Originally spotted in September 2017, Ultimo ransomware speckles files with the .locked string and uses READ_IT.txt decryption how-to.

• THE ODDITY OF CRYPT888 RANSOMWARE

  G DATA analysts provide an insight into imperfections of the Crypt888 strain and the fact it demands YouTube subscriptions, not money.

• MOST SPAM IN 2017 CAME FROM TWO BOTNETS

  According to McAfee researchers’ findings, two botnets – Necurs and Gamut – produced 97% of all web spam volume last year.

• SIGMA RANSOMWARE DISTRIBUTION FINE-TUNED

  A new wave of malspam delivering the Sigma ransom Trojan revolves around booby-trapped emails disguised as messages from Craigslist.

• PARADISE RANSOMWARE UPDATED

  The latest variant uses the .[id-…].[support@all-ransomware.info].sell extension and #DECRYPT MY FILES# {random}.html ransom note.

• VBRANSOM SAMPLE IN DEVELOPMENT

  Fresh strain called VBRansom replaces desktop wallpaper with a warning message and drops Important.txt how-to. No crypto so far.

• L0CKED RANSOMWARE GETS A REFRESH

  Made by crooks calling themselves #TEAM-UINA, this edition replaces filenames with random strings and uses the .L0cked extension.

• JIGSAW CONTINUES TO UNDERGO TWEAKS

  Jigsaw ransomware family gets a new one targeting Korean users. The file extension is .email-[powerhacker03@hotmail.com].koreaGame.

• HERMES CULPRIT USES A NEW SPREADING TACTIC

  Another spin of the Hermes ransomware distribution campaign that broke out in South Korea involves a zero-day Flash exploit.

• ASIA WAS MOST TARGETED BY RANSOMWARE IN 2017

  As per a report by Microsoft, end users and companies in Asian countries suffered the bulk of all ransomware attacks recorded last year.

• MORE ANTI-RUSSIAN SANCTIONS BY THE U.S.

  Additional sanctions take effect over U.S. power grid attacks, NotPetya campaign, and 2016 presidential election interference attempts.

• ZENIS RANSOMWARE WAVE TAKES ROOT

  The new Zenis strain uses AES cipher to encrypt victims’ data, prepends ‘Zenis’ to scrambled filenames and erases data backups.

• U.S. ENTITY RE-INFECTED WITH SAMSAM RANSOMWARE

  Having been hit by SamSam/Samas strain in February, the Colorado Department of Transportation falls victim to the same pest again.

• INFAMOUS RANSOMWARE MAKER APPREHENDED

  Polish police arrest an individual nicknamed Tomasz ‘Armagedon’ T., the developer of Vortex, Flotera and Polski ransomware lineages.

• TOMASZ T. HACKER BACKGROUND REVEALED

  Virus Bulletin publishes an article dissecting the story of the above-mentioned ransomware dev, who might not be too tech-savvy in fact.

• STINGER RANSOMWARE SPOTTED IN THE WILD

  This one concatenates the .Stinger suffix to filenames and drops a ransom note named ‘About .Stinger unlocking instructions.txt.

• U.S. HEALTHCARE AGENCY HIT BY RANSOMWARE

  Finger Lakes Health, a New York based healthcare agency, falls victim to an unidentified ransomware infection. The FBI is investigating.

• R2D2 METHOD COMBATTING DATA-WIPING MALWARE

  R2D2 (Reactive Redundancy for Data Destruction) is a technique devised by Purdue University researchers to protect against data wipers.

• RANSOMWARE INFECTS IT NETWORK OF A U.S. CITY

  The computer infrastructure of the City of Atlanta, Georgia, suffers a cyber attack, the infection being the SamSam/Samas ransomware.

• NOTORIOUS BANKING TROJAN GETS A RANSOMWARE TRAIT

  The latest mod of the TrickBot banking malware now goes with a screen locking module, so victims who don’t use e-banking are still at risk.

• YET ANOTHER BUILD OF THE L0CKED RANSOMWARE

  The L0cked blackmail virus gets updated once again. The new edition subjoins the %s%s%s.lckd extension to encrypted files.

• NEW AVCRYPT USES BIZARRE TACTICS

  Brand-new sample called AVCrypt uninstalls AV software found on a computer and doesn’t provide any contact details. May be a data wiper.

• RAPID RANSOMWARE V2.0 IS OUT

  Rapid 2.0 affixes a random extension to files, drops DECRYPT.[random].txt ransom note and does no harm to Russian-speaking victims.

• DISKWRITER ISN’T CLASSIC RANSOMWARE

  New wiper-like strain called DiskWriter, aka UselessDisk, messes up MBR and demands $300 worth of BTC. No working recovery, though.

• PARADISE RANSOMWARE GETS A DOUBLE TWEAK

  One of the oldies called the Paradise ransomware has been updated with new variants using the .ransom and .logger file extensions.

• EGGLOCKER SAMPLE SPOTTED

  Malware analysts come across a fresh in-dev culprit called EggLocker that’s configured to append the .EGG string to encrypted files.

• WHITEROSE RANSOMWARE IN THE WILD

  New WhiteRose sample replaces filenames with [random]_ENCRYPTED_BY.WHITEROSE string and uses HOW-TO-RECOVERY-FILES.txt note.

• THE SARCASTIC SORRY RANSOMWARE

  A Hidden Tear PoC spinoff called Sorry Ransomware uses the .sorry extension and ‘How Recovery Files.txt’/hrf.txt rescue notes.

• JFRANSOMWARE IS NO BIG DEAL

  Blackmail virus called JFRansomware claims to encrypt data but actually just locks the screen. Victims can simply enter ‘Saus2018’ to unlock.

• HAXERBOI BADDIE IS A MALICIOUS COMBO

  Researchers spot an entity called Haxerboi that turns out to be a malware construction tool as well as a crypto ransomware infection.

• FINE-TUNING OF THE L0CKED RANSOMWARE

  Another iteration of the L0cked ransomware appears that concatenates the .lckd extension to encoded files. Not yet in active distribution.

• BANSOMQARE MANNA STRAIN

  The sample going by a weird name of BansomQare Manna mimics WannaCry and subjoins the .bitcoin extension to hostage files.

• BOEING CONFRONTED WITH WANNACRY ATTACK

  Boeing was reportedly hit by the WannaCry ransomware. Executives state the attack surface is minor and remediations were applied.

• FIRST CRYPTOMIX UPDATE IN A LONG TIME

  The CryptoMix ransomware undergoes an update after a two-month hiatus. New build appends the .MOLE66 string to locked data items.

• RANSOMWARETEST, NOT AN ISSUE SO FAR

  According to analysts who spotted RansomwareTest sample, its development is in progress. Configured to append the .crypt string to files.

• THE OFFBEAT H34RTBL33D RANSOMWARE

  New one called H34rtBl33d propagates via Limewire peer-to-peer file sharing client and leverages Balloon Tips to interact with victims.

• COMEBACK OF THE SATAN RANSOMWARE

  Although this strain was considered extinct, it re-emerged with a multilingual version blemishing encoded files with the .satan extension.

• NEW RANSOMWARE LAW TAKES EFFECT IN MICHIGAN

  Two bills passed and signed in Michigan make ransomware possession and distribution a prosecutable felony leading to 3-year sentence.

• SOME MAGNIBER VARIANTS ARE NOW DECRYPTABLE

  Analysts at AhnLab security firm have released decrypt tools supporting several widespread builds of the Magniber ransomware.

• VURTEN RANSOMWARE EMERGES

  New strain called Vurten zeroes in on enterprise computer networks, uses the .improved file extension and UNCRYPT.README.txt note.

• CRYPREN SAMPLE SPOTTED IN THE WILD

  Another fresh culprit called Crypren ransomware appends .ENCRYPTED to filenames and drops READ_THIS_TO_DECRYPT.html how-to.

• OXAR LINEAGE UPDATED

  The Oxar ransomware oldie gets an update introducing the .F*CK file extension and ‘1 What happens with my files.txt’ ransom note.

• BANSOMQARE MANNA DECRYPTED

  Security researchers were able to defeat the encryption of BansomQare Manna ransomware strain and released an ad hoc recovery tool.

• DOUBLE TWEAK OF THE MATRIX RANSOMWARE

  One more old-stager on the ransomware arena called Matrix spews out two new spinoffs using ‘What happened with your files’ ransom note.

• TURKHACKTEAM RANSOMWARE BUILDER

  Malware watchers come across ‘TurkHackTeam Ransomware Builder’ tool that’s claimed to automate ransomware creation process.

• WHITEROSE STRAIN TURNS OUT DECRYPTABLE

  MalwareHunterTeam experts have succeeded in finding a workaround for the crypto applied by the relatively new WhiteRose ransomware.

• HAXERBOI RANSOMWARE BUILDER IS NO LONGER AN ISSUE

  The details being unclear, the so-called Haxerboi ransomware builder utility isn’t accessible to the cybercrime underground anymore.

• A FLAW FOUND IN CRYPTO OF THE LOCKCRYPT BADDIE

  Malwarebytes employees have discovered an imperfection in the encryption routine utilized by LockCrypt, so data recovery may be possible.

• OFFICE 365 SUITE NOW RANSOMWARE-RESISTANT

  Microsoft has introduced new features to their Office 365 package that allow users to restore encrypted files to their previous state.

• UNSETTLING AFTERMATH OF A RANSOMWARE INCIDENT

  The Colorado Department of Transportation reportedly spent $1.5 million to partially recover its systems from SamSam ransomware attack.

• JIGSAW PEST UPDATED ONCE AGAIN

  According to MalwareHunterTeam, the latest discovered variant of the Jigsaw ransomware blemishes hostage files with the .LolSec string.

• SKYFILE RANSOMWARE DISCOVERED

  Brand-new SkyFile ransomware is spotted that concatenates the .sky extension to files and uses ‘HOW TO DECRYPT.txt’ ransom note.

• MATRIX RANSOMWARE OFFSHOOTS USING RDP

  Two more spinoffs of the Matrix ransomware are spotted. Both are deposited on target hosts via hacked remote desktop services.

• HORROS RANSOMWARE POPS UP

  The new Horros ransomware turns out to be a derivative of the Hidden Tear PoC code. Concatenates the .horros extension to encrypted files.

• DCRTR STRAIN GETS AN UPDATE

  Crooks release a new ‘kinaman@protonmail.ch’ variant of the Dcrtr ransomware that was discovered in early February 2018. No crypto so far.

• PUBG RANSOMWARE BY A GAMING FAN

  New sample called the PUBG Ransomware is offbeat as it decrypts hostage data if the victim plays the PlayerUnknown’s Battlegrounds game.

• BREAKTHROUGH IN FIGHTING WANNACRY

  Researchers from Kryptos Logic firm present a tool called Telltale that provides organizations with access to WannaCry sinkhole information.

• MOST RANSOMWARE VICTIMS WHO PAID WOULD PAY AGAIN

  According to Telstra Enterprise, 80% of ransomware victims who paid the ransom for data decryption would cough it up again if infected.

• CRYPTOWIRE STRAIN STILL ACTIVE

  A fresh edition of the CryptoWire ransomware is spotted that inserts the ‘.encrypted’ string in between the filename and original extension.

• COMMENTARY ON A U.S. COUNTY’S 911 CENTER ATTACK

  Independence County (Arkansas) judge issues an official statement regarding a purported ransomware attack against local 911 center.

• ERROR DISRUPTS NEW GANDCRAB CAMPAIGN

  A script compile flaw has reportedly rendered a new GandCrab ransomware malspam campaign inefficient, causing contamination to halt.

• MAGNIBER DECRYPTOR FINE-TUNED

  AhnLab, South Korean security software provider, releases an updated Magniber ransomware decryption tool that now goes with a GUI.

• MICROSOFT’S NEW ANTI-RANSOMWARE INITIATIVE

  Microsoft is reportedly planning to add a new Ransomware Protection feature as part of the upcoming Windows 10 Spring Creators update.

• MICROSOFT STAFFER IN CAHOOTS WITH REVETON CREW

  Network engineer at Microsoft is being charged for assisting the Reveton ransomware distributors to launder their ill-gotten money.

• IRON RANSOMWARE IS SUCH A COPYCAT

  New Iron ransomware is discovered that mimics the Maktub, DMA Locker, and Satan strains in several ways. Appends the .encry extension.

• TRON RANSOMWARE SPOTTED

  This one affixes the .tron file extension, doesn’t drop any ransom notes, and doesn’t do damage to computers with Russian locale.

• SPARTACUS STRAIN SURFACES

  The brand new Spartacus ransomware blemishes encrypted files with the .[MastersRecovery@protonmail.com].Spartacus extension.

• NM4 RANSOMWARE UPDATED

  NM4, a spinoff of the NMoreira infection, spews out a fresh variant that uses the .NMCRYPT extension and ‘Recovers your files.html’ note.

• GREETING FROM GANDCRAB TO A SECURITY ANALYST

  Researcher Marcelo Rivero, who has focused on GandCrab lately, spotted a variant that displays “Hello, Marcelo :)” popup message.

• VORTEX DECRYPTOR NOW AVAILABLE TO VICTIMS

  CERT Polska, the Polish security think tank, releases a free decryption tool for the Vortex/Polski ransomware, following arrest of the author.

• XIAOBA GOES THROUGH A BUGGY TRANSFORMATION

  The XiaoBa ransomware crew have remade their code for cryptojacking purposes, but it damages victims’ executables due to critical bugs.

• NHS HASN’T DONE ENOUGH TO TACKLE RANSOMWARE

  Having fallen victim to WannaCry ransomware almost a year ago, the UK’s NHS has barely improved the security of its services, experts say.

• MAGNITUDE EK REPURPOSED FOR GANDCRAB’S GOALS

  The Magnitude exploit kit, which has propped Magniber campaign exclusively, is now reportedly also pushing the GandCrab ransomware.

• GLOBEIMPOSTER ARE ON THE ‘PLUS’ WAVE

  The latest variants of the GlobeImposter ransomware have been appending new extensions followed by the ‘+’ sign (e.g. .ALCO2+, .LIN+).

• JIGSAW FAMILY GROWS FURTHER

  Another Jigsaw ransomware mod called Apophis goes live. Looks primitive and still demands $500 worth of Bitcoin for data decryption.

• TWO GAME-THEMED RANSOMWARE STRAINS RELEASED

  Analysts on the MalwareHunterTeam discover strains themed after Minecraft and CS:GO. The two don’t encrypt or do other damage so far.

• NEW PYTHON-BASED BLACKMAIL INFECTION APPEARS

  A sample called “Meine_ransomware_PGP_DANGEROUS” is discovered that might be a PoC. Uses the .enc extension for encrypted files.

• SATYR RANSOMWARE ON THE TABLE

  The new Satyr ransomware leverages a fusion of AES and RSA-2048 ciphers to lock data and stains encoded files with the .Satyr extension.

• RANSSIRIA PEST USES DESPICABLE TACTICS

  The RansSIRIA ransomware zeroes in on Brazilian users and tells victims that the ransoms they pay will be donated to Syrian refugees.

• GANDCRAB MIGHT BE USING PROMO CODES

  Security researchers notice that the GandCrab ransomware payment portal now includes a field for victims to enter promotion codes.

• KRAKATOWIS RANSOMWARE POPS UP

  A new screen locker called Krakatowis is spotted in the wild. Analysts figured out the unlock code: 1eb472049398e443d014d27c438ebff1.

• BLACKHEART RANSOMWARE ON THE TABLE

  This Star Wars themed ransomware uses the .BlackRouter or .pay2me extension for hostage files and drops ReadME-BLackHeart.txt note.

• KRAKEN RANSOMWARE TRIES TO ‘CATCHEM’

  The sample called Kraken runs as catchem.exe binary and leverages Discord freeware’s server for C&C purposes and to report infections.

• SATAN STRAIN TURNS OUT TO USE ETERNALBLUE EXPLOIT

  The notorious Satan ransomware adds the NSA exploit dubbed EternalBlue to its repertoir, thus propagating in a highly surreptitious fashion.

• GOV WEBSITE ATTACKED BY BLACKMAIL VIRUS

  The official website of the Prince Edwards Island government reportedly fell victim to the VevoLocker ransomware holding it for ransom.

• GANDCRAB V2.1 GOES LIVE

  GandCrab, one of the most widespread samples presently, gets updated to version 2.1 that utilizes code injection into svchost.exe.

• PUBG LINEAGE GROWS

  The game-themed PUBG ransomware spawns the ‘Special 999Hours’ / ‘TALK SHOP Edition’ variant. Demands 999 hours of playing to decrypt.

• WEIRD NEW VERSION OF THE XORIST RANSOMWARE

  The Xorist ransomware family spews out a variant appending files with an incredibly long extension that almost covers all ransom demands.

• OBLIVION RANSOMWARE DISCOVERED

  This new strain jumbles up filenames and adds the .OBLIVION string to each one. Drops OBLIVION DECRYPTION INFORMATION.txt note.

• UKRAINIAN GOV SITE HIT BY RANSOMWARE

  The website of Ukraine’s energy ministry gets knocked offline by the VevoLocker ransomware. The crooks demand 0.1 BTC ($937) ransom.

• EXTORTIONISTS ZERO IN ON HPE ILO 4 SERVERS

  Unidentified ransomware targets HPE iLO 4 remote management interfaces that are online-accessible. Uses RSA-2048 cryptosystem.

• LOCKCRYPT UPDATED, DECRYPTOR AVAILABLE

  The latest edition of the LockCrypt pest concatenates the .mich extension to encrypted files. Researcher Michael Gillespie cracks this one.

• OFFBEAT C# RANSOMWARE

  Security analysts spot C# based blackmail malware that stands out from the rest as it compiles itself at runtime and runs directly in memory.

• CRYPTCONSOLE STRAIN GETS A MINOR TWEAK

  New iteration of the CryptConsole ransomware switches to using xzet@tutanota.com contact email. Can still be decrypted for free.

• KCW RANSOMWARE GOING AFTER WEBSITES

  An India based hacking crew calling itself ‘Team Kerala Cyber Warriors’ starts infecting Pakistani websites with KCW crypto ransomware.

• RANDOMLOCKER STARTS MAKING THE ROUNDS

  Brand-new RandomLocker ransomware blemishes encrypted files with the .rand extension and is most likely distributed in a manual way.

• UK’S NHS STARTS USING WINDOWS 10 AS A SAFER OS

  The UK National Health Service officials decided to switch to Windows 10 for their computers in light of WannaCry incident.

• KRAKEN 2.0 WASN’T INTENDED FOR OFFENSIVE USE

  Researchers state the Kraken 2.0 ransomware was originally created as a PoC but the code ended up stolen and weaponized by crooks.

• A DECENT WRITE-UP ON BTCWARE RELEASED

  Sophos analysts publish in-depth analysis of the BTCWare ransomware strain that was active throughout 2017 and spawned 17 variants.

• BLACKHEART RANSOMWARE’S CROSS-PROMOTION TACTIC

  It turns out that a variant of the relatively new Blackheart ransomware is distributed along with a legit remote desktop tool called AnyDesk.

• USELESSFILES BLACKMAIL VIRUS SPOTTED

  A new ransomware strain called UselessFiles starts making the rounds. It uses the .UselessFiles extension and demands $300 worth of BTC.

• XIAOBA STRAIN UPDATED

  Malware watchers bump into a fresh edition of the XiaoBa ransomware that switches to using the .[BaYuCheng@yeah.net] file extension.

• GANDCRAB REACHES VERSION 3

  GandCrab v3 is released, featuring a number of conspicuous alterations. Now it replaces the desktop background with a warning screen.

• JIGSAW UNDERGOES YET ANOTHER UPDATE

  Jigsaw ransomware, one of the oldies in the extortion landscape, spawns a new edition that appends the .hac suffix to ransomed items.

• UNUSUAL DEMANDS BY THE NEW BKRANSOMWARE

  Analysts discover a Vietnamese ransom Trojan called BKRansomware, which runs via a command line and asks for phone number refill.

• MMM RANSOMWARE UPDATED

  The latest spinoff of the TripleM (MMM) ransomware uses the .MMM file extension and GET_YOUR_FILES_BACK.html ransom how-to.

• SCARAB RANSOMWARE PRODUCES A NEW MOD

  According to some scarce reports made by infected users, the Scarab ransomware has been updated to .horsia@airmail.cc extension variant.

• SYNACK STRAIN BECOMES MORE EVASIVE

  A fresh variant of the SynAck ransomware appears to be leveraging the so-called ‘Process Doppelgänging’ fileless code injection technique.

• MATRIX FAMILY GROWING

  Another iteration of the Matrix ransomware introduces #What_Wrong_With_Files#.rtf note and new contact emails to reach the crooks.

• THE COMEBACK OF PSCRYPT RANSOMWARE

  PSCrypt ransomware, which targeted Ukrainian users and companies in 2017, reemerges with a version using the .docs file extension.

• RANSOMWARE INCIDENTS COUNT DECREASED IN 2017

  According to the annual FBI Internet Crime Report, the number of officially reported ransomware attacks in the U.S. went down last year.

• RANSOMAES SAMPLE SURFACES

  Brand-new culprit called RansomAES concatenates the apropos .RansomAES extension to files and drops READ ME.txt ransom note.

• GANDCRAB V3.0.1 APPEARS

  GandCrab operators release version 3.0.1 that doesn’t go with the wallpaper replacement and autorun feature introduced in previous build.

• ANOTHER HASTY UPDATE OF THE MATRIX PEST

  Three days after previous Matrix variant went live, a new one pops up that switches to .[RestoreFiles@qq.com].MTXLOCK file extension.

• FACEBOOK RANSOMWARE DISCOVERED

  This baddie subjoins the .facebook extension to encrypted files and features a picture of Mark Zuckerberg shown on its warning screen.

• POLICE DEPT IN THE U.S. REPEATEDLY HIT BY RANSOMWARE

  Riverside Fire and Police department falls victim to ransomware for the second time during a month, with only 8 hours work lost this time.

• CRYPTON RANSOMWARE UPDATED

  The latest iteration of CryptON aka Nemesis uses the .[victim_ID].ransomed@india.com extension and HOWTODECRYPTFILES.html note.

• FRESH RSAUTIL MOD RELEASED

  New version of the RSAUtil ransomware is spotted that uses new contact emails, including tizer78224@gmx.de / india.com / protonmail.com.

• STALINLOCKER IS NOT A JOKE

  The sample called StalinLocker plays USSR anthem and tries to wipe the hard drive unless a correct code is entered during 10 minutes.

• RAPID RANSOMWARE V3 IS OUT

  The 3rd version of the Rapid Ransomware appends a random 5-character extension to encrypted files. Demands 0.07 BTC for decryption.

• RANSOMWARE ATTACKS AUSTRALIAN HEALTHCARE ORG

  Family Planning NSW (New South Wales) suffers a ransomware incursion that may expose sentitive records on more than 8,000 clients.

• SEPSIS RANSOMWARE EMERGES

  New sample called Sepsis ransomware affixes the .[Sepsis@protonmail.com].SEPSIS extension to files and drops Info.hta ransom manual.

• CRYSIS FAMILY PRODUCES ANOTHER SPINOFF

  The latest version of the CrySiS/Dharma ransomware concatenates the .bip string to hostage files and uses Beamsell@qq.com contact email.

• SCARAB RANSOMWARE TWEAK

  Brand-new variant of the Scarab strain called Walker uses the .JohnnieWalker extension and HOW TO DECRYPT WALKER INFO.txt note.

• HORSUKE EDITION OF SCARAB

  The Scarab lineage spawns one more culprit called Horsuke, which uses the .HORSE extension and horsuke@nuke.africa contact email.

• NEW JIGSAW SAMPLE RELEASED

  Analysts spot a variant of the Jigsaw ransomware that appends the .booknish string to files and uses some new wording for the ransom note.

• SIGRUN RANSOMWARE IN THE WILD

  This one subjoins the .sigrun extension to scrambled files and leaves a combo of rescue notes named RESTORE-SIGRUN.txt/html.

• MR. DEC RANSOMWARE

  New Mr. Dec ransomware concatenates the [ID]”random”[ID] suffix to encrypted data items and drops ‘Decoding help.hta’ ransom note.

• UNLOCK92 STRAIN GETS A MAKEOVER

  Updated version of the Unlock92 ransomware switches to using the .cdrpt file extension and unlckr@protonmail.com contact email.

• CRYPTCONSOLE2 UPDATED

  New build of the CryptConsole2 baddie is released. Uses szems@tutanota.com mailbox and leaves a ransom note named README.hta.

• FRESH ROTORCRYPT EDITION POPS UP

  The latest RotorCrypt verison appends ransomed files with the !________INKOGNITO8000@TUTAMAIL.COM_________.SPG extension.

• PGPSNIPPET RANSOMWARE DISCOVERED

  New ransom Trojan called PGPSnippet appends .decodeme666@tutanota_com file extension and drops !!!README_DECRYPT!!!.txt note.

• SMALL UPDATE OF AES-MATRIX PEST

  Researchers spot a fresh version of AES-Matrix ransomware that leaves a how-to file named ‘ACCUDATA_pay and get your data back.txt’.

• JOSEPCRYPT SAMPLE SPOTTED

  Another new ransomware called JosepCrypt appends an apropos .josep suffix to filenames and drops RECOVERY.txt rescue note.

• CRYPTON CHANGES SPREADING TACTIC

  The campaign delivering the ransomed@india.com variant of CryptON ransomware relies on compromising remote desktop services.

• RANSOMWARE TARGETING RUSSIAN-SPEAKING AUDIENCE

  A Russian blackmail malware sample is spotted that drops a ransom how-to named Dont_Worry.txt and appends .UPS-[random] to filenames.

• YET ANOTHER UPDATE OF CRYPTCONSOLE2

  One more edition of the CryptConsole2 family is released. Still drops README.hta note and uses szem@tutanota.com contact email address.

• ID RANSOMWARE ENHANCED WITH NEW FEATURE

  The ID Ransomware service by MalwareHunterTeam now allows victims to get notifications when their sample becomes decryptable.

• FLKR RANSOMWARE SPEWS OUT A SPINOFF

  The marginal FLKR ransomware undergoes an update. Uses the .__murzik@jabber.mipt.ru files extension and INSTRUCTIONS.txt ransom note.

• PLUS ONE VARIANT OF CRYPTCONSOLE

  The original CryptConsole culprit gets an overhaul featuring desparo@tuta.io contact email. It can still be decrypted beyond ransom.

• JIGSAW OPERATORS BREAK NEW GROUND

  A new version of the Jigsaw ransomware is discovered that uses a C&C server, unlike all previous builds that ran without such a feature.

• DHARMA RANSOMWARE UPDATED

  A tweak made to the Dharma ransom Trojan after a fairly long hiatus introduces the .id-{victim ID}.[java2018@tuta.io].arrow file extension.

• FRESH EDITION OF SCARAB POPS UP

  The latest iteration of the Scarab ransomware switches to the .osk file extension and ‘HOW TO RECOVER ENCRYPTED FILES.txt’ ransom note.

• CRYPTCONSOLE2 KEEPS GETTING TWEAKS

  Yet another spinoff of the CryptConsole2 ransomware uses ‘HOW DECRIPT FILES.hta’ rescue note and zeman@tutanota.de contact email.

• ADDING C2 SERVERS BECOMES A TREND WITH CROOKS

  Shortly after the recent Jigsaw virus update, the Aurora (aka OneKeyLocker) ransomware follows suit by starting to use a C2 server.

• CRYPTCONSOLE SPEWS OUT A NEW EDITION

  CryptConsole ransomware (not to be confused with CryptConsole2) undergoes an update with helps@tutanota.com contact email being used.

• NEW CRYPTOMIX VERSION MAKING THE ROUNDS

  Ransomware watchers spot a new build of the CryptoMix blackmail infection that blemishes encrypted data with the .BACKUP extension.

• SCARAB LINEAGE GROWS

  Another mod of the Scarab ransomware is discovered that uses the .REBUS file extension and ‘REBUS RECOVERY INFORMATION.txt’ how-to.

• INSTA RANSOMWARE HUNT

  MHT’s Michael Gillespie asks fellow-researchres to help spot samples of new ransomware that uses .insta extension and filesinfo.txt note.

• TIES BETWEEN JIGSAW STRAIN AND ETHICAL HACKING

  Security analysts stumble upon a case where a sample of the prolific Jigsaw ransomware is leveraged in an ethical hacking course.

• PAIN LOCKER RANSOMWARE ON THE TABLE

  MalwareHunterTeam discovers Pain Locker ransomware that uses the .[pain@cock.lu].pain extension and !=How_recovery_files=!.txt note./li>

• EVERBE RANSOMWARE UPDATED

  New version of the Everbe ransomware drops !=How_recovery_files=!.txt note and appends the .[embrace@airmail.cc].embrace extension.

• THE CRUDE LITTLEFINGER BADDIE

  A sample called LittleFinger is spotted. Doesn’t affix any extension to filenames and demands 0.01 BTC. Probably an in-dev specimen.

• CRYPTGH0ST BEGINS MAKING VICTIMS

  Fresh file-encrypting infection concatenates the .cryptgh0st string to files and leaves a rescue note named READ_TO_DECRYPT.html.

• LOCKCRYPT 2.0 ITERATION FOUND

  Researchers discover a build of LockCrypt 2.0 ransomware that uses the .id-{victim ID}.BI_D extension and ‘How To Restore Files.txt’ note.

• ONE MORE SCARAB MOD RELEASED

  The pest appends .infovip@airmail.cc extension and drops ‘HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT’ ransom note.

• STOP RANSOMWARE GETS A TWEAK

  The latest version of the Stop ransomware subjoins the .CONTACTUS suffix to files and leaves !!!!RESTORE_FILES!!!.txt how-to document.

• BITPAYMER RANSOMWARE UPDATED

  Fresh modification of the BitPaymer pest is spotted that switches to using a new ransom note and features a few other insignificant changes.

• SIGRUN MAKER WANTS NO RANSOMS FROM RUSSIANS

  The architect of the Sigrun ransomware campaign allows Russian-speaking victims to get their data back without paying the ransom.

• OPSVENEZUELA RANSOMWARE IN THE WILD

  The OpsVenezuela sample combines the code of the Hidden Tear PoC and that of the EDA2 academic ransomware. Uses a weak crypto key.

• CRYBRAZIL RANSOMWARE

  New one. Targets Brazilian users, concatenating the .crybrazil extension to encoded data items. Based on Hidden Tear and EDA2 PoCs.

• AMBA STRAIN RELEASED

  The new Amba ransomware zeroes in on Russian-speaking users. Uses the .UPS-[random] file extension and Dont_Worry.txt ransom note.

• MAGNIBER ON THE LOOSE IN SOUTH KOREA

  Analysts report a Fresh Magniber ransomware distribution wave localized in South Korea. The infection drops README.txt how-to file.

• OPEDCONT RANSOMWARE FEATURING HARSH IMPACT

  The PedCont sample displays a ransom warning accusing the victim of accessing prohibited adult content. Crashes the screen shortly.

• SCARAB FAMILY GIVES RISE TO NEW OFFSHOOT

  The latest variant of the Scarab ransomware appends the .DiskDoctor string to files and drops HOW TO RECOVER ENCRYPTED FILES.txt note.

• HITLER-THEMED XIAOBA RANSOMWARE TWEAK

  New mod of the XiaoBa lineage subjoins the .AdolfHitler suffix to hostage files and leaves a note named ‘# # DECRYPT MY FILE # #.bmp’.

• CRYPTCONSOLE UPDATED

  MalwareHunterTeam researchers discover a new CryptConsole version that uses the xser@tutanota.com contact email. Still decryptable.

• ATLANTA PD’S EVIDENCE LOST OVER RANSOMWARE

  Years’ worth of Dashcam videos from police cars in Atlanta have been lost in a ransomware incident that hit the city in March 2018.

• REDEYE RANSOMWARE SPOTTED

  The fresh ransomware specimen in question uses the .RedEye extension for ransomed files. It can wipe data and affect a host’s MBR.

• AURORA STRAIN UNDERGOES A CHANGE

  The most recent build of the Aurora blackmail malware switches to using the #RECOVERY-PC#.txt ransom note and new BTC address.

• SECOND UPDATE OF CRYPTCONSOLE IN A FEW DAYS

  Yet another variant of the CryptConsole ransomware is discovered that instructs victims to contact the attacker at redbul@tutanota.com.

• CRYPTCONSOLE MUTATES AS IF ON STEROIDS

  No other ransomware strain is being fine-tuned as often as CryptConsole lately. One more iteration features heineken@tuta.io contact email.

• GLOBEIMPOSTER MAKES A COMEBACK

  Having remained mostly idle for quite some time, the GlobeImposter campaign resurfaces with a variant using the .emilysupp file extension.

• PRINCESS RANSOMWARE RAAS BEING PROMOTED

  The authors of the once widespread Princess Ransomware encourage other crooks to spread it on a Ransomware-as-a-Service basis.

• PGPSNIPPET BADDIE UPDATED

  Brand-new edition of the PGPSnippet ransomware uses the .digiworldhack@tutanota.com extension and !!!README_DECRYPT!!!.txt note.

• NEW SPARTACUS RANSOMWARE MOD FOUND

  Security enthusiasts spot a variant of the Spartacus ransomware (probably a test one) that appends the .SF extension to hostage objects.

• ANOTHER UPDATE OF THE MAGNIBER STRAIN

  New Magniber edition starts making the rounds. Concatenates the .ndpyhss string to filenames and uses a number of new Tor addresses.
• an ongoing list…

• New ransomware released

• Old ransomware updated

• Ransomware decrypted

• Other important ransomware related events