Ransomware Chronicle

11
225

This is a comprehensive report on ransomware-related events covering a timeframe of January 2017 through June 2018. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources.

  • New ransomware released

  • Old ransomware updated

  • Ransomware decrypted

  • Other important ransomware related events

  • HEROPOINT RANSOMWARE DISSECTED

    In-dev sample called HeroPoint appends random numbers to filenames and demands $20 worth of Bitcoin for recovery.
  • FILE-LOCKER RANSOMWARE TWEAK

    This Korean ransomware switches from using the .locked file extension to .razy string for labeling hostage data items.
  • TRIPLEM (MMM) RANSOMWARE

    Subjoins the .triple_m or .0x009d8a string to encrypted files and drops RESTORE_triple_m__FILES.html ransom notification.
  • GOOGLE CRYPT SOUNDS MORE PROFESSIONAL THAN IT IS

    Currently in development, the Google Crypt strain claims to encrypt data but actually just locks the screen of an infected machine.
  • A DECRYPTABLE EDITION OF XORIST DISCOVERED

    Researchers come across a Xorist ransomware variant that has been around for quite some time. Uses the .cryptedx file extension.
  • ANOTHER DAY, ANOTHER CRYPTOMIX TWEAK

    The CryptoMix ransomware mutates again. Its newest version switches to using the .SERVER extension for ransomed data entries.
  • ONE MORE GLOBE2 SPINOFF

    A fresh Turkish variant of the Globe2 ransomware is discovered. It concatenates the .vrmrkz string to ciphered files. Decryptable.
  • LEON EDITION OF THE BLIND RANSOMWARE

    The Blind ransomware lineage produces another mod that blemishes data with the .leon extension prepended with attacker’s email.
  • KOREANLOCKER RANSOMWARE SPOTTED

    New sample called KoreanLocker is a spinoff of the academic Hidden Tear project. Uses the .locked extension to label hostage files.
  • JIGSAW RANSOMWARE GETS A MAKEOVER

    Fresh variant of the Jigsaw blackmail virus targets Polish users and displays an x-rated picture on its warning screen.
  • KRYPTON RANSOMWARE, A NEW ONE

    Another Hidden Tear variant called the Krypton Ransomware uses the .kryptonite extension and KRYPTON_RANSOMWARE.txt note.
  • REVOLUTIONARY HC7 VERSION

    New edition of the HC7 ransomware adds .PLANETARY string to filenames and accepts payments in Bitcoin, Monero and Ethereum.
  • D.KOPORUSHKIN VIRUS DISCOVERED

    Named after a TXT file it creates, the D.Koporushkin culprit encrypts files adding the .aes extension and also acts as a data stealer.
  • FROG RANSOMWARE HAILING FROM VIETNAM

    Unsurprisingly, one more derivative of Hidden Tear PoC. Appends the .frog extension to files and drops frog.txt ransom note.
  • JIGSAW GETS ANOTHER UPDATE

    An umpteenth edition of the Jigsaw ransomware is spotted that concatenates the .CryptWalker suffix to encrypted files.
  • LONGTERMMEMORYLOSS RANSOMWARE

    Currently in development, the LongTermMemoryLoss ransom Trojan uses an apropos .LTML extension to stain encoded data.
  • DEATH N0TE RANSOMWARE SURFACES

    Rather than encrypt a victim’s files, the Death N0te infection moves them to a RAR archive protected by a password.
  • CRYPTWALKER, ONE MORE BADDIE ON THE TABLE

    The sample called CryptWalker turns out to be a DUMB ransomware spinoff. Does not modify filenames. In-dev at this point.
  • SHADY APPLICATION CALLED D4CK3R C0NTR01

    This one is a paid decrypt tool for the ransomware called D4CK3R. Interestingly, analysts haven’t spotted the ransomware itself yet.
  • LAZAGNECRYPT CULPRIT IN THE WILD

    New blackmail virus called LazagneCrypt encrypts files while staining them with the .encr extension and steals victims’ passwords.
  • NEW VARIANT OF KILLDISK

    A fresh edition of KillDisk, a destructive data wiper, wreaks havoc in Latin America, destroying data while posing as classic ransomware.
  • U.S. HOSPITAL GIVES IN TO EXTORTIONISTS

    The Hancock Health hospital in Greenfield, IN, pays a ransom of $55,000 to restore data crippled by SamSam ransomware.
  • KILLBOT VIRUS BEING DEVELOPED

    Researchers spot in-dev ransomware calling itself the Killbot Virus. It simply displays a warning screen so far, with no crypto in place.
  • R3VO RANSOMWARE SPOTTED

    New sample called R3vo ransomware appends the .Lime string to hostage files and demands $100 worth of Bitcoin for decryption.
  • NEW BACKUP FEATURE ANNOUNCED BY MICROSOFT

    Microsoft is reportedly planning to include “Files Restore” function to OneDrive for Business that will allow restoring lost data.
  • SAMSAM STRAIN SPREADING LIKE WILDFIRE

    The gang behind SamSam/Samas ransomware was able to infect high-profile victims recently, including hospitals and a U.S. city council.
  • JIGSAW RANSOMWARE GETS A SMALL TWEAK

    The latest Jigsaw edition called Mada stains encrypted files with the .LOCKED_BY_pabluklocker extension and uses a new background.
  • TALK RANSOMWARE SURFACES

    This one is a Hidden Tear spinoff that targets Korean-speaking audience. Uses the .암호화됨 (means “.encrypted”) extension.
  • RANSOMUSERLOCKER STRAIN OUT THERE

    Another Korean offshoot of Hidden Tear PoC from the creators of Talk Ransomware. Uses the .RansomUserLocker file extension.
  • GHACK RANSOMWARE

    Currently in development, the GHack specimen turns out really buggy. Does not encrypt and simply generates a warning screen.
  • SURERANSOM INFECTION BEING CREATED

    One more in-dev sample discovered by security analysts. No crypto at this point. Claims to use AES-256 and demands £50.
  • ANOTHER CRUDE STRAIN CALLED RANCIDLOCKER

    Aka Rancidware Screen Locker, this pest purports to block access to the desktop and demands $150. Only displays a warning screen.
  • QWERTY RANSOMARE RELEASED

    Hidden Tear based Qwerty ransomware targets Portuguese-speaking users. Uses the .qwerty file extension and demands 0.05 Bitcoin.
  • DESUCRYPT SPINOFFS BEING DISTRIBUTED

    Two variants of open-source desuCrypt ransomware start making the rounds, appending the .insane and .deuscrypt extension to locked files.
  • RAPID RANSOMWARE STANDS OUT FROM THE REST

    This sample (.rapid extension, How Recovery Files.txt note) encodes data spotted at attack point and any new files created on the computer.
  • GLOBEIMPOSTER 2.0 UPDATED

    The latest GlobeImposter 2.0 version switches to the .crypted! suffix for encrypted data items and sticks with how_to_back_files.html note.
  • THE INTRICATE MONEROPAY RANSOMWARE

    New file-encrypting threat called MoneroPay masquerades itself as a wallet application for rogue altcoin called SpriteCoin.
  • NOTPETYA CAUSED LOTS OF TROUBLE TO MAERSK

    Maersk, Danish transportation company, claims to have reinstalled thousands of servers and PCs to recover from last year’s NotPetya incident.
  • NEW ADULT SITES BORNE INFECTION SURFACES

    Dubbed PornBlackmailer, this culprit spreads via x-rated sites and threatens to notify law enforcement that the victim distributes child porn.
  • FRESH RANSOMWARE STATISTICS RELEASED

    According to a report by Malwarebytes, ransomware attacks against end users and businesses grew by 93% and 90% in 2017, respectively.
  • ROTORCRYPT UPDATED

    The most recent variant of the RotorCrypt ransomware appends files with an unusually long extension ending with .Black_OFFserve.
  • VELSO RANSOMWARE IN THE WILD

    The baddie in question spreads via compromised remote desktop services and concatenates the .velso extension to scrambled files.
  • TIES BETWEEN DRIDEX GANG AND BITPAYMER THREAT

    According to ESET, the BitPaymer/FriedEx ransomware was most likely created by the crooks behind the notorious Dridex banking Trojan.
  • GANDCRAB RANSOMWARE RELEASED

    The GandCrab ransomware spreading via exploit kits is revolutionary as it accepts ransoms in DASH cryptocurrency rather than Bitcoin.
  • TOR-TO-WEB PROXY OPERATOR PLAYS NAUGHTY

    The Onion.top Tor proxy service was found to replace Bitcoin addresses on some ransomware payment sites with its own wallet addresses.
  • SCHOOL DISTRICT IN THE U.S. HIT BY RANSOMWARE

    Chester County School District, South Carolina, is trying to recover data after unidentified ransomware crippled it over the weekend.
  • CRYSIS/DHARMA RANSOMWARE UPDATED

    The latest discovered variant of the CrySiS/Dharma ransomware lineage switches to using the .write extension for hostage files.
  • SPRING HILL, TN, RECOVERING FROM CRYPTO ONSLAUGHT

    The city of Spring Hill, Tennessee, continues to rebuild its servers after last year’s ransomwrae attack, putting utility payments back online.
  • PUBLIC LIBRARY FALLS VICTIM TO RANSOMWARE

    Unknown ransom Trojan infects the computer network of Spartanburg County Public Library in South Carolina. Staff refuses to pay the ransom.
  • “RANSOMWARE” TERM ADDED TO POPULAR DICTIONARY

    The word “ransomware” has been added to the latest edition of Oxford English Dictionary. No wonder, it’s such a common term these days.
  • MINDLOST RANSOMWARE HARVESTS SENSITIVE DATA

    The new strain called MindLost instructs victims to provide their credit card information and pay $200 ransom for data decryption.
  • ANOTHER GLOBEIMPOSTER VERSION RELEASED

    Malware analysts come across a brand new variant of the GlobeImposter ransom Trojan that appends the .DREAM string to locked files.
  • FAMOUS RANSOMWARE FIGHTER TO BE AWARDED

    The FBI is going to give the FBI Director’s Community Leadership Award to Michael Gillespie (@demonslay335) for his anti-ransomware work.
  • GANDCRAB MARKETED AS A RAAS

    It turns out that the recently released GandCrab ransomware is backed by a Ransomware-as-a-Service model being pushed via shady forums.
  • SCARABEY RANSOMWARE, OFFSHOOT OF THE SCARAB PEST

    Researchers discover the new Scarabey ransomware that’s a spinoff of the Scarab strain infecting companies via hacked RDP services.
  • CRYPTOMIX UNDERGOES A TWEAK

    The most recent mod of the prolific CryptoMix blackmail virus switches to concatenating the .SYSTEM extension to encrypted files.
  • TEAR DR0P V1 CULPRIT DISCOVERED AND DECRYPTED

    The sample called TEAR DR0P V1 employs SpeechSynthesizer tool to produce audio alerts. Analysts were able to crack it fairly fast.
  • INFINITE TEAR BADDIE FINE-TUNED

    New iteration called InfiniteTear 3 uses the .Infinite extension for ransomed files and #How_Decrypt_Files.txt ransom note.
  • COUCHDB SERVERS STILL EXPOSED TO EXTORTION

    Security researchers discover a new wave of CouchDB database hacks for ransom. The crooks demand 0.2 BTC for restoring the content.
  • RARUCRYPT USES PASSWORD-PROTECTED ARCHIVES

    RaruCrypt is a Russian ransomware strain demanding 200 RUB for unlocking a RAR archive with data. Password is S?{DCO^C!{L@CR^+<7E}2.
  • HERMES 2.1 STRAIN GETS FINE-TUNED

    The previously released Hermes 2.1 ransomware undergoes a tweak, switching to a new filemarker and appending no extension to filenames.
  • MONEROPAY RANSOMWARE DECRYPTED

    Analysts from NioGuard Security Lab create a free decryption tool for the MoneroPay ransomware, which pretends to be a SpriteCoin wallet.
  • ONE MORE SAMPLE IN THE JIGSAW LINEAGE

    The most recent mod of the Jigsaw ransomware concatenates the .# suffix to encoded files. Still decryptable courtesy of @demonslay335.
  • CRYPT12 PEST UPDATED

    A fresh edition of the Crypt12 strain switches to using hernansec@protonmail.ch email address for interaction with victims.
  • INTERESTING STATS REGARDING RANSOMWARE

    According to a survey by Sophos, 54% of organizations fell victim to ransomware in 2017. Most suffered such attacks twice during the year.
  • WINDOWS’ CFA FEATURE SUSCEPTIBLE TO ABUSE

    Spanish researcher Yago Jesus was able to get around Controlled Folder Access feature that’s supposed to protect against ransomware.
  • YET ANOTHER JIGSAW EDITION SPOTTED

    New Turkish version of the Jigsaw ransomware is discovered that concatenates the .justice string to encoded files. Decryptable.
  • ADAMLOCKER RANSOMWARE UPDATED

    The latest iteration disables Task Manager, displays a ransom note in Korean and subjoins the .adam extension to encrypted files.
  • GANDCRAB SPREADING VIA BOOBY-TRAPPED SPAM

    Operators of the GandCrab ransomware campaign switch to malicious spam for distribution. The emails contain rogue receipts.
  • HONOR RANSOMWARE IN THE WILD

    This one replaces filenames with random hexadecimal characters and adds the .honor extension to each. Does not leave a ransom how-to.
  • CALIFORNIA VOTER DATABASE HACKED ONCE AGAIN

    Threat actors were able to breach and steal data from MongoDB database of California voters, demanding ransom for reinstating the records.
  • BLACK RUBY RANSOMWARE SPOTTED

    Prepends the ‘Encrypted_’ string and appends .BlackRuby extension to filenames. Additionally installs a Monero cryptocurrency miner.
  • DEXCRYPT CRIPPLES MASTER BOOT RECORD

    DexCrypt is a Chinese blackmail virus affecting the MBR of target hosts, thus denying access to Windows. Demands 30 Yuan (about $5).
  • DCRTR RANSOMWARE DISCOVERED

    Affixes the .[decryptor@cock.li].dcrtr string to encrypted files and provides recovery steps in ReadMe_Decryptor.txt document.
  • ROTORCRYPT KEEPS ON CHANGING

    The latest edition of the RotorCrypt ransomware concatenates the !decrfile@tutanota.com.crypo extension to encoded files.
  • THE NEW TBLOCKER RANSOMWARE

    TBlocker appends the “_” extension to encrypted files and demands $250 worth of Bitcoin. Decryptable beyond ransom.
  • RAPID RANSOMWARE DISTRIBUTION DETAILS

    The Rapid ransomware strain is spreading via phishing emails disguised as urgent notifications from the U.S. Internal Revenue Service.
  • DEFENDER RANSOMWARE SURFACES

    This one tries to mimic Windows Defender. Concatenates the .defender extension to locked files and has a flaw that thwarts decryption.
  • BLANK RANSOMWARE IS SOMEBODY’S PRANK

    This sample appends the apropos .blank extension to filenames and provides the decryption key after a victim hits the right button.
  • DESUCRYPT RANSOMWARE UPDATED

    The latest version of the desuCrypt strain stains hostage files with the .Tornado extension and drops a ransom note named key.txt.
  • PENDOR RANSOMWARE CRACKED

    Well-known security researcher Michael Gillespie, aka demonslay335, releases a free decryptor for Pendor (.pnr files) ransomware.
  • FRESH JIGSAW RANSOMWARE VERSION OUT THERE

    Brand-new Korean mod of the prolific Jigsaw ransom Trojan switches to using the .locked extension for crippled files.
  • NOTPETYA ATTRIBUTION UNVEILED BY THE UK

    The United Kingdom officially accuses Russian government for the NotPetya ransomware outbreak that took place in June 2017.
  • GLOBEIMPOSTER GOING AFTER HIGH-PROFILE VICTIMS

    New variant of the GlobeImposter ransomware adds the .suddentax extension to files and targets enterprise computer networks.
  • UMARU RANSOMWARE RELEASED

    The Umaru ransomware is a Japanese strain that concatenates the .干物妹!suffix to encrypted files and doesn’t leave a ransom note.
  • SATURN RANSOMWARE SPREADING ON A LARGE SCALE

    New sample called Saturn ransomware uses the .saturn extension for encoded files and drops #DECRYPT_MY_FILES#.txt/html ransom notes.
  • RELEC RANSOMWARE TURNS OUT A PIECE OF JUNK

    Relec ransomware is a new in-development sample configured to demand 1 BTC for decryption, although it fails to encrypt anything.
  • DEADRANSOMWARE DOESN’T DO MUCH DAMAGE

    While this one claims to encrypt data, it is actually a screen locker. The password to unlock is “DeadRansomwareDecryptMyFiles”.
  • NEW ONE USING .RANSOMWARED EXTENSION

    A fresh strain is spotted that concatenates the .ransomwared string to encrypted items. Currently in development.
  • WANNACRYPT DISCOVERED AND CRACKED

    The sample called WannaCrypt displays a warning screen with a barcode and demands 0.05 BTC. Decrypted by researchers.
  • SATURN RAAS WAITING FOR AFFILIATES

    Analysts discover a new Ransomware-as-a-Service platform backing the distribution of the Saturn ransomware. No registration fee required.
  • U.S. COUNTIES STAY VULNERABLE TO RANSOM ATTACKS

    The computer network of Davidson Country, North Carolina, suffers a ransomware attack. There are reportedly good backups in place.
  • ANDROID RANSOMWARE’S DECLINE IN 2017

    According to the findings of researchers at ESET, the number of reported Android ransomware infections went down last year.
  • BANANACRYPT RANSOMWARE SURFACES

    The brand-new BananaCrypt ransomware speckles encrypted files with the .bananaCrypt extension and demands $300 worth of Bitcoin.
  • RUSSENGER RANSOMWARE SPOTTED

    This one zeroes in on Russian-speaking computer users. Appends the .messenger-[random] extension to encoded files.
  • NEW LOCKCRYPT VARIANT SPREADING VIA RDP

    An edition of the LockCrypt ransomware is released that spreads over breached remote desktop services and uses the .1BTC file extension.
  • SHIFR STRAIN UPDATED

    The latest version of the Shifr ransomware switches to using the .cypher extension and How_To_Decrypt_Files.html rescue note.
  • INTERVIEW WITH PROMINENT RANSOMWARE ANALYST

    MonsterCloud Cyber Security publishes an interview with Michael Gillespie, a ransomware fighter who got the FBI’s special award.
  • THE NASTY IMPACT OF ANNABELLE RANSOMWARE

    The Annabelle blackmail strain terminates numerous programs, encrypts a victim’s data and cripples the MBR (master boot record).
  • NEW HIGH-PROFILE VICTIM MADE BY SAMSAM STRAIN

    The SamSam/Samas ransomware infects the Colorado Department of Transportation, forcing the shutdown of more than 2,000 computers.
  • GLOBE2 RANSOMWARE UPDATED

    A new mod of the Globe2 ransom Trojan targets Turkish users and subjoins the .frmvrlr2017 suffix to locked files. Decryptable.
  • BALILUWARE SAMPLE POPS UP

    Baliluware is a Hidden Tear PoC derivative that uses the .you-are-f*cked-by-baliluware-(coded-by-heropoint) extension for hostage files.
  • DATA KEEPER RANSOMWARE GAINS TRACTION

    Having been launched on a RaaS basis a couple of days ago, the Data Keeper ransom Trojan starts contaminating PCs in the wild.
  • THANATOS STRAIN DOESN’T WORK AS INTENDED

    The new Thanatos (“Death” in Greek) ransomware doesn’t save the crypto keys, so recovery is impossible. Accepts Bitcoin Cash for ransoms.
  • RIG EK OPERATORS ABANDON RANSOMWARE BUSINESS

    According to researchers, one of the most common exploit kits called RIG has switched from spreading ransomware to delivering coin miners.
  • NEW XIAOBA VARIANT RELEASED

    The latest persona of this blackmail virus uses the .Encrypted[BaYuCheng@yeah.net].XiaoBa extension and _XiaoBa_Info_.hta ransom note.
  • GANDCRAB RANSOMWARE CRACKED

    Bitdefender finds a workaround for the crypto utlized by GandCrab ransomware, allowing those infected to recover their data for free.
  • NEW DISTRIBUTION TACTIC BY GANDCRAB OPERATORS

    A recent wave of GandCrab ransomware propagation leverages the notorious “HoeflerText font wasn’t found” scam.
  • KWAAK RANSOMWARE, A HIDDEN TEAR SPINOFF

    Yet another incarnation of the academic Hidden Tear ransomware dubbed Kwaak uses the .kwaaklocked suffix to label hostage data entries.
  • JIGSAW LINEAGE PRODUCES ONE MORE SPINOFF

    Another variant of the Jigsaw ransomware appears that appends .contact-me-here-for-the-key-admin@adsoleware.com to locked files.
  • NEW CRYPTCONSOLE VERSION DECRYPTABLE FOR FREE

    Having found the original decryptor for CryptConsole’s qar48@tutanota.com edition, Michael Gillespie adds support for it to his decrypt tool.
  • DHARMA RANSOMWARE SHOOTING ‘ARROWS’

    A version of the Dharma ransomware is discovered in the wild that concatenates the .id-[victim ID].arrow extension to encrypted files.
  • SAMPLE USING GNUPG FREE ENCRYPTION TOOL

    Security experts stumble upon a ransomware strain that leverages GnuPG, aka GPG, solution to encrypt. Uses the .[number].qwerty extension.
  • PRINCESS LOCKER RESURFACES

    A new mod of the Princess Locker culprit is spotted after a long hiatus of this family. It drops “=_HOW_TO_FIX_RQZLIN.txt” recovery how-to.
  • MAGNIBER ON THE RISE IN SOUTH KOREA

    According to analysts’ observations, there is an ongoing powerful wave of Magniber ransomware attacks zeroing in on South Korean users.
  • GLOBEIMPOSTER STRAIN KEEPS MUTATING

    The latest build of the GlobeImposter ransomware uses the .encrypt extension for hostage files and instructions.html rescue note.
  • JIGSAW STARTS USING AN OFFBEAT EXTORTION TACTIC

    New variant of the Jigsaw blackmail virus appends .Bitconnect to files and instructs victims to post photos of themselves on Instagram.
  • ROTORCRYPT GETS A BIT OF FINE-TUNING

    Fresh version of RotorCrypt ransomware appends the “! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2” extension to files.
  • GANDCRAB RANSOMWARE UPDATED

    GandCrab v2 is out. It switches to using the .CRAB extension for encrypted data items and a ransom note named CRAB-DECRYPT.txt.
  • PLUS ONE MOD FOR THE CRYAKL FAMILY

    Cryakl, a ransomware old stager, is updated to version 1.5.1.0 and starts using email-dorispackman@tuta.io contact address.
  • JIGSAW EDITION TARGETING SPANISH-SPEAKING USERS

    Yet another version of the Jigsaw culprit concatenates the .jes extension to files and features Cthulhu image on its warning screen.
  • GLOBEIMPOSTER AND GANDCRAB CAMPAIGNS DISSECTED

    Security analysts provide in-depth information on the latest spam campaigns spreading the GlobeImposter and GandCrab strains.
  • SILENTSPRING SAMPLE SPOTTED

    This is a new one that doesn’t appear to represent any known family. Affixes the .Sil3nt5pring extension to ransomed files.
  • CRYPTO CRACKING MASTERCLASS FROM EXPERTS

    Researchers at Malwarebytes post a write-up regarding weak links in ransomware crypto that allow for data decryption beyond ransom.
  • RESEARCH PROVES PAYING RANSOMS IS A SLIPPERY SLOPE

    International survey by CyberEdge Group shows that less than 50% of ransomware victims who paid up were able to decrypt their files.
  • FRESH DETAILS RELEASED ON QWERTY RANSOMWARE

    The pest in question overwrites original files with encrypted copies and drops a ransom notification named README_DECRYPT.txt.
  • FRS RANSOMWARE ON THE TABLE

    This brand-new strain blemishes encrypted files with the .FRS suffix and drops a combo of READ_ME_HELP.txt/png ransom notes.
  • CROOKS MAKE ANOTHER HIGH-PROFILE VICTIM

    The computer network of Connecticut state judicial branch gets hit by ransomware infection that impacts protective order registry service.
  • ULTIMO, A HIDDEN TEAR SPINOFF, GETS A MINOR UPDATE

    Originally spotted in September 2017, Ultimo ransomware speckles files with the .locked string and uses READ_IT.txt decryption how-to.
  • THE ODDITY OF CRYPT888 RANSOMWARE

    G DATA analysts provide an insight into imperfections of the Crypt888 strain and the fact it demands YouTube subscriptions, not money.
  • MOST SPAM IN 2017 CAME FROM TWO BOTNETS

    According to McAfee researchers’ findings, two botnets – Necurs and Gamut – produced 97% of all web spam volume last year.
  • SIGMA RANSOMWARE DISTRIBUTION FINE-TUNED

    A new wave of malspam delivering the Sigma ransom Trojan revolves around booby-trapped emails disguised as messages from Craigslist.
  • PARADISE RANSOMWARE UPDATED

    The latest variant uses the .[id-…].[support@all-ransomware.info].sell extension and #DECRYPT MY FILES# {random}.html ransom note.
  • VBRANSOM SAMPLE IN DEVELOPMENT

    Fresh strain called VBRansom replaces desktop wallpaper with a warning message and drops Important.txt how-to. No crypto so far.
  • L0CKED RANSOMWARE GETS A REFRESH

    Made by crooks calling themselves #TEAM-UINA, this edition replaces filenames with random strings and uses the .L0cked extension.
  • JIGSAW CONTINUES TO UNDERGO TWEAKS

    Jigsaw ransomware family gets a new one targeting Korean users. The file extension is .email-[powerhacker03@hotmail.com].koreaGame.
  • HERMES CULPRIT USES A NEW SPREADING TACTIC

    Another spin of the Hermes ransomware distribution campaign that broke out in South Korea involves a zero-day Flash exploit.
  • ASIA WAS MOST TARGETED BY RANSOMWARE IN 2017

    As per a report by Microsoft, end users and companies in Asian countries suffered the bulk of all ransomware attacks recorded last year.
  • MORE ANTI-RUSSIAN SANCTIONS BY THE U.S.

    Additional sanctions take effect over U.S. power grid attacks, NotPetya campaign, and 2016 presidential election interference attempts.
  • ZENIS RANSOMWARE WAVE TAKES ROOT

    The new Zenis strain uses AES cipher to encrypt victims’ data, prepends ‘Zenis’ to scrambled filenames and erases data backups.
  • U.S. ENTITY RE-INFECTED WITH SAMSAM RANSOMWARE

    Having been hit by SamSam/Samas strain in February, the Colorado Department of Transportation falls victim to the same pest again.
  • INFAMOUS RANSOMWARE MAKER APPREHENDED

    Polish police arrest an individual nicknamed Tomasz ‘Armagedon’ T., the developer of Vortex, Flotera and Polski ransomware lineages.
  • TOMASZ T. HACKER BACKGROUND REVEALED

    Virus Bulletin publishes an article dissecting the story of the above-mentioned ransomware dev, who might not be too tech-savvy in fact.
  • STINGER RANSOMWARE SPOTTED IN THE WILD

    This one concatenates the .Stinger suffix to filenames and drops a ransom note named ‘About .Stinger unlocking instructions.txt.
  • U.S. HEALTHCARE AGENCY HIT BY RANSOMWARE

    Finger Lakes Health, a New York based healthcare agency, falls victim to an unidentified ransomware infection. The FBI is investigating.
  • R2D2 METHOD COMBATTING DATA-WIPING MALWARE

    R2D2 (Reactive Redundancy for Data Destruction) is a technique devised by Purdue University researchers to protect against data wipers.
  • RANSOMWARE INFECTS IT NETWORK OF A U.S. CITY

    The computer infrastructure of the City of Atlanta, Georgia, suffers a cyber attack, the infection being the SamSam/Samas ransomware.
  • NOTORIOUS BANKING TROJAN GETS A RANSOMWARE TRAIT

    The latest mod of the TrickBot banking malware now goes with a screen locking module, so victims who don’t use e-banking are still at risk.
  • YET ANOTHER BUILD OF THE L0CKED RANSOMWARE

    The L0cked blackmail virus gets updated once again. The new edition subjoins the %s%s%s.lckd extension to encrypted files.
  • NEW AVCRYPT USES BIZARRE TACTICS

    Brand-new sample called AVCrypt uninstalls AV software found on a computer and doesn’t provide any contact details. May be a data wiper.
  • RAPID RANSOMWARE V2.0 IS OUT

    Rapid 2.0 affixes a random extension to files, drops DECRYPT.[random].txt ransom note and does no harm to Russian-speaking victims.
  • DISKWRITER ISN’T CLASSIC RANSOMWARE

    New wiper-like strain called DiskWriter, aka UselessDisk, messes up MBR and demands $300 worth of BTC. No working recovery, though.
  • PARADISE RANSOMWARE GETS A DOUBLE TWEAK

    One of the oldies called the Paradise ransomware has been updated with new variants using the .ransom and .logger file extensions.
  • EGGLOCKER SAMPLE SPOTTED

    Malware analysts come across a fresh in-dev culprit called EggLocker that’s configured to append the .EGG string to encrypted files.
  • WHITEROSE RANSOMWARE IN THE WILD

    New WhiteRose sample replaces filenames with [random]_ENCRYPTED_BY.WHITEROSE string and uses HOW-TO-RECOVERY-FILES.txt note.
  • THE SARCASTIC SORRY RANSOMWARE

    A Hidden Tear PoC spinoff called Sorry Ransomware uses the .sorry extension and ‘How Recovery Files.txt’/hrf.txt rescue notes.
  • JFRANSOMWARE IS NO BIG DEAL

    Blackmail virus called JFRansomware claims to encrypt data but actually just locks the screen. Victims can simply enter ‘Saus2018’ to unlock.
  • HAXERBOI BADDIE IS A MALICIOUS COMBO

    Researchers spot an entity called Haxerboi that turns out to be a malware construction tool as well as a crypto ransomware infection.
  • FINE-TUNING OF THE L0CKED RANSOMWARE

    Another iteration of the L0cked ransomware appears that concatenates the .lckd extension to encoded files. Not yet in active distribution.
  • BANSOMQARE MANNA STRAIN

    The sample going by a weird name of BansomQare Manna mimics WannaCry and subjoins the .bitcoin extension to hostage files.
  • BOEING CONFRONTED WITH WANNACRY ATTACK

    Boeing was reportedly hit by the WannaCry ransomware. Executives state the attack surface is minor and remediations were applied.
  • FIRST CRYPTOMIX UPDATE IN A LONG TIME

    The CryptoMix ransomware undergoes an update after a two-month hiatus. New build appends the .MOLE66 string to locked data items.
  • RANSOMWARETEST, NOT AN ISSUE SO FAR

    According to analysts who spotted RansomwareTest sample, its development is in progress. Configured to append the .crypt string to files.
  • THE OFFBEAT H34RTBL33D RANSOMWARE

    New one called H34rtBl33d propagates via Limewire peer-to-peer file sharing client and leverages Balloon Tips to interact with victims.
  • COMEBACK OF THE SATAN RANSOMWARE

    Although this strain was considered extinct, it re-emerged with a multilingual version blemishing encoded files with the .satan extension.
  • NEW RANSOMWARE LAW TAKES EFFECT IN MICHIGAN

    Two bills passed and signed in Michigan make ransomware possession and distribution a prosecutable felony leading to 3-year sentence.
  • SOME MAGNIBER VARIANTS ARE NOW DECRYPTABLE

    Analysts at AhnLab security firm have released decrypt tools supporting several widespread builds of the Magniber ransomware.
  • VURTEN RANSOMWARE EMERGES

    New strain called Vurten zeroes in on enterprise computer networks, uses the .improved file extension and UNCRYPT.README.txt note.
  • CRYPREN SAMPLE SPOTTED IN THE WILD

    Another fresh culprit called Crypren ransomware appends .ENCRYPTED to filenames and drops READ_THIS_TO_DECRYPT.html how-to.
  • OXAR LINEAGE UPDATED

    The Oxar ransomware oldie gets an update introducing the .F*CK file extension and ‘1 What happens with my files.txt’ ransom note.
  • BANSOMQARE MANNA DECRYPTED

    Security researchers were able to defeat the encryption of BansomQare Manna ransomware strain and released an ad hoc recovery tool.
  • DOUBLE TWEAK OF THE MATRIX RANSOMWARE

    One more old-stager on the ransomware arena called Matrix spews out two new spinoffs using ‘What happened with your files’ ransom note.
  • TURKHACKTEAM RANSOMWARE BUILDER

    Malware watchers come across ‘TurkHackTeam Ransomware Builder’ tool that’s claimed to automate ransomware creation process.
  • WHITEROSE STRAIN TURNS OUT DECRYPTABLE

    MalwareHunterTeam experts have succeeded in finding a workaround for the crypto applied by the relatively new WhiteRose ransomware.
  • HAXERBOI RANSOMWARE BUILDER IS NO LONGER AN ISSUE

    The details being unclear, the so-called Haxerboi ransomware builder utility isn’t accessible to the cybercrime underground anymore.
  • A FLAW FOUND IN CRYPTO OF THE LOCKCRYPT BADDIE

    Malwarebytes employees have discovered an imperfection in the encryption routine utilized by LockCrypt, so data recovery may be possible.
  • OFFICE 365 SUITE NOW RANSOMWARE-RESISTANT

    Microsoft has introduced new features to their Office 365 package that allow users to restore encrypted files to their previous state.
  • UNSETTLING AFTERMATH OF A RANSOMWARE INCIDENT

    The Colorado Department of Transportation reportedly spent $1.5 million to partially recover its systems from SamSam ransomware attack.
  • JIGSAW PEST UPDATED ONCE AGAIN

    According to MalwareHunterTeam, the latest discovered variant of the Jigsaw ransomware blemishes hostage files with the .LolSec string.
  • SKYFILE RANSOMWARE DISCOVERED

    Brand-new SkyFile ransomware is spotted that concatenates the .sky extension to files and uses ‘HOW TO DECRYPT.txt’ ransom note.
  • MATRIX RANSOMWARE OFFSHOOTS USING RDP

    Two more spinoffs of the Matrix ransomware are spotted. Both are deposited on target hosts via hacked remote desktop services.
  • HORROS RANSOMWARE POPS UP

    The new Horros ransomware turns out to be a derivative of the Hidden Tear PoC code. Concatenates the .horros extension to encrypted files.
  • DCRTR STRAIN GETS AN UPDATE

    Crooks release a new ‘kinaman@protonmail.ch’ variant of the Dcrtr ransomware that was discovered in early February 2018. No crypto so far.
  • PUBG RANSOMWARE BY A GAMING FAN

    New sample called the PUBG Ransomware is offbeat as it decrypts hostage data if the victim plays the PlayerUnknown’s Battlegrounds game.
  • BREAKTHROUGH IN FIGHTING WANNACRY

    Researchers from Kryptos Logic firm present a tool called Telltale that provides organizations with access to WannaCry sinkhole information.
  • MOST RANSOMWARE VICTIMS WHO PAID WOULD PAY AGAIN

    According to Telstra Enterprise, 80% of ransomware victims who paid the ransom for data decryption would cough it up again if infected.
  • CRYPTOWIRE STRAIN STILL ACTIVE

    A fresh edition of the CryptoWire ransomware is spotted that inserts the ‘.encrypted’ string in between the filename and original extension.
  • COMMENTARY ON A U.S. COUNTY’S 911 CENTER ATTACK

    Independence County (Arkansas) judge issues an official statement regarding a purported ransomware attack against local 911 center.
  • ERROR DISRUPTS NEW GANDCRAB CAMPAIGN

    A script compile flaw has reportedly rendered a new GandCrab ransomware malspam campaign inefficient, causing contamination to halt.
  • MAGNIBER DECRYPTOR FINE-TUNED

    AhnLab, South Korean security software provider, releases an updated Magniber ransomware decryption tool that now goes with a GUI.
  • MICROSOFT’S NEW ANTI-RANSOMWARE INITIATIVE

    Microsoft is reportedly planning to add a new Ransomware Protection feature as part of the upcoming Windows 10 Spring Creators update.
  • MICROSOFT STAFFER IN CAHOOTS WITH REVETON CREW

    Network engineer at Microsoft is being charged for assisting the Reveton ransomware distributors to launder their ill-gotten money.
  • IRON RANSOMWARE IS SUCH A COPYCAT

    New Iron ransomware is discovered that mimics the Maktub, DMA Locker, and Satan strains in several ways. Appends the .encry extension.
  • TRON RANSOMWARE SPOTTED

    This one affixes the .tron file extension, doesn’t drop any ransom notes, and doesn’t do damage to computers with Russian locale.
  • SPARTACUS STRAIN SURFACES

    The brand new Spartacus ransomware blemishes encrypted files with the .[MastersRecovery@protonmail.com].Spartacus extension.
  • NM4 RANSOMWARE UPDATED

    NM4, a spinoff of the NMoreira infection, spews out a fresh variant that uses the .NMCRYPT extension and ‘Recovers your files.html’ note.
  • GREETING FROM GANDCRAB TO A SECURITY ANALYST

    Researcher Marcelo Rivero, who has focused on GandCrab lately, spotted a variant that displays “Hello, Marcelo :)” popup message.
  • VORTEX DECRYPTOR NOW AVAILABLE TO VICTIMS

    CERT Polska, the Polish security think tank, releases a free decryption tool for the Vortex/Polski ransomware, following arrest of the author.
  • XIAOBA GOES THROUGH A BUGGY TRANSFORMATION

    The XiaoBa ransomware crew have remade their code for cryptojacking purposes, but it damages victims’ executables due to critical bugs.
  • NHS HASN’T DONE ENOUGH TO TACKLE RANSOMWARE

    Having fallen victim to WannaCry ransomware almost a year ago, the UK’s NHS has barely improved the security of its services, experts say.
  • MAGNITUDE EK REPURPOSED FOR GANDCRAB’S GOALS

    The Magnitude exploit kit, which has propped Magniber campaign exclusively, is now reportedly also pushing the GandCrab ransomware.
  • GLOBEIMPOSTER ARE ON THE ‘PLUS’ WAVE

    The latest variants of the GlobeImposter ransomware have been appending new extensions followed by the ‘+’ sign (e.g. .ALCO2+, .LIN+).
  • JIGSAW FAMILY GROWS FURTHER

    Another Jigsaw ransomware mod called Apophis goes live. Looks primitive and still demands $500 worth of Bitcoin for data decryption.
  • TWO GAME-THEMED RANSOMWARE STRAINS RELEASED

    Analysts on the MalwareHunterTeam discover strains themed after Minecraft and CS:GO. The two don’t encrypt or do other damage so far.
  • NEW PYTHON-BASED BLACKMAIL INFECTION APPEARS

    A sample called “Meine_ransomware_PGP_DANGEROUS” is discovered that might be a PoC. Uses the .enc extension for encrypted files.
  • SATYR RANSOMWARE ON THE TABLE

    The new Satyr ransomware leverages a fusion of AES and RSA-2048 ciphers to lock data and stains encoded files with the .Satyr extension.
  • RANSSIRIA PEST USES DESPICABLE TACTICS

    The RansSIRIA ransomware zeroes in on Brazilian users and tells victims that the ransoms they pay will be donated to Syrian refugees.
  • GANDCRAB MIGHT BE USING PROMO CODES

    Security researchers notice that the GandCrab ransomware payment portal now includes a field for victims to enter promotion codes.
  • KRAKATOWIS RANSOMWARE POPS UP

    A new screen locker called Krakatowis is spotted in the wild. Analysts figured out the unlock code: 1eb472049398e443d014d27c438ebff1.
  • BLACKHEART RANSOMWARE ON THE TABLE

    This Star Wars themed ransomware uses the .BlackRouter or .pay2me extension for hostage files and drops ReadME-BLackHeart.txt note.
  • KRAKEN RANSOMWARE TRIES TO ‘CATCHEM’

    The sample called Kraken runs as catchem.exe binary and leverages Discord freeware’s server for C&C purposes and to report infections.
  • SATAN STRAIN TURNS OUT TO USE ETERNALBLUE EXPLOIT

    The notorious Satan ransomware adds the NSA exploit dubbed EternalBlue to its repertoir, thus propagating in a highly surreptitious fashion.
  • GOV WEBSITE ATTACKED BY BLACKMAIL VIRUS

    The official website of the Prince Edwards Island government reportedly fell victim to the VevoLocker ransomware holding it for ransom.
  • GANDCRAB V2.1 GOES LIVE

    GandCrab, one of the most widespread samples presently, gets updated to version 2.1 that utilizes code injection into svchost.exe.
  • PUBG LINEAGE GROWS

    The game-themed PUBG ransomware spawns the ‘Special 999Hours’ / ‘TALK SHOP Edition’ variant. Demands 999 hours of playing to decrypt.
  • WEIRD NEW VERSION OF THE XORIST RANSOMWARE

    The Xorist ransomware family spews out a variant appending files with an incredibly long extension that almost covers all ransom demands.
  • OBLIVION RANSOMWARE DISCOVERED

    This new strain jumbles up filenames and adds the .OBLIVION string to each one. Drops OBLIVION DECRYPTION INFORMATION.txt note.
  • UKRAINIAN GOV SITE HIT BY RANSOMWARE

    The website of Ukraine’s energy ministry gets knocked offline by the VevoLocker ransomware. The crooks demand 0.1 BTC ($937) ransom.
  • EXTORTIONISTS ZERO IN ON HPE ILO 4 SERVERS

    Unidentified ransomware targets HPE iLO 4 remote management interfaces that are online-accessible. Uses RSA-2048 cryptosystem.
  • LOCKCRYPT UPDATED, DECRYPTOR AVAILABLE

    The latest edition of the LockCrypt pest concatenates the .mich extension to encrypted files. Researcher Michael Gillespie cracks this one.
  • OFFBEAT C# RANSOMWARE

    Security analysts spot C# based blackmail malware that stands out from the rest as it compiles itself at runtime and runs directly in memory.
  • CRYPTCONSOLE STRAIN GETS A MINOR TWEAK

    New iteration of the CryptConsole ransomware switches to using xzet@tutanota.com contact email. Can still be decrypted for free.
  • KCW RANSOMWARE GOING AFTER WEBSITES

    An India based hacking crew calling itself ‘Team Kerala Cyber Warriors’ starts infecting Pakistani websites with KCW crypto ransomware.
  • RANDOMLOCKER STARTS MAKING THE ROUNDS

    Brand-new RandomLocker ransomware blemishes encrypted files with the .rand extension and is most likely distributed in a manual way.
  • UK’S NHS STARTS USING WINDOWS 10 AS A SAFER OS

    The UK National Health Service officials decided to switch to Windows 10 for their computers in light of WannaCry incident.
  • KRAKEN 2.0 WASN’T INTENDED FOR OFFENSIVE USE

    Researchers state the Kraken 2.0 ransomware was originally created as a PoC but the code ended up stolen and weaponized by crooks.
  • A DECENT WRITE-UP ON BTCWARE RELEASED

    Sophos analysts publish in-depth analysis of the BTCWare ransomware strain that was active throughout 2017 and spawned 17 variants.
  • BLACKHEART RANSOMWARE’S CROSS-PROMOTION TACTIC

    It turns out that a variant of the relatively new Blackheart ransomware is distributed along with a legit remote desktop tool called AnyDesk.
  • USELESSFILES BLACKMAIL VIRUS SPOTTED

    A new ransomware strain called UselessFiles starts making the rounds. It uses the .UselessFiles extension and demands $300 worth of BTC.
  • XIAOBA STRAIN UPDATED

    Malware watchers bump into a fresh edition of the XiaoBa ransomware that switches to using the .[BaYuCheng@yeah.net] file extension.
  • GANDCRAB REACHES VERSION 3

    GandCrab v3 is released, featuring a number of conspicuous alterations. Now it replaces the desktop background with a warning screen.
  • JIGSAW UNDERGOES YET ANOTHER UPDATE

    Jigsaw ransomware, one of the oldies in the extortion landscape, spawns a new edition that appends the .hac suffix to ransomed items.
  • UNUSUAL DEMANDS BY THE NEW BKRANSOMWARE

    Analysts discover a Vietnamese ransom Trojan called BKRansomware, which runs via a command line and asks for phone number refill.
  • MMM RANSOMWARE UPDATED

    The latest spinoff of the TripleM (MMM) ransomware uses the .MMM file extension and GET_YOUR_FILES_BACK.html ransom how-to.
  • SCARAB RANSOMWARE PRODUCES A NEW MOD

    According to some scarce reports made by infected users, the Scarab ransomware has been updated to .horsia@airmail.cc extension variant.
  • SYNACK STRAIN BECOMES MORE EVASIVE

    A fresh variant of the SynAck ransomware appears to be leveraging the so-called ‘Process Doppelgänging’ fileless code injection technique.
  • MATRIX FAMILY GROWING

    Another iteration of the Matrix ransomware introduces #What_Wrong_With_Files#.rtf note and new contact emails to reach the crooks.
  • THE COMEBACK OF PSCRYPT RANSOMWARE

    PSCrypt ransomware, which targeted Ukrainian users and companies in 2017, reemerges with a version using the .docs file extension.
  • RANSOMWARE INCIDENTS COUNT DECREASED IN 2017

    According to the annual FBI Internet Crime Report, the number of officially reported ransomware attacks in the U.S. went down last year.
  • RANSOMAES SAMPLE SURFACES

    Brand-new culprit called RansomAES concatenates the apropos .RansomAES extension to files and drops READ ME.txt ransom note.
  • GANDCRAB V3.0.1 APPEARS

    GandCrab operators release version 3.0.1 that doesn’t go with the wallpaper replacement and autorun feature introduced in previous build.
  • ANOTHER HASTY UPDATE OF THE MATRIX PEST

    Three days after previous Matrix variant went live, a new one pops up that switches to .[RestoreFiles@qq.com].MTXLOCK file extension.
  • FACEBOOK RANSOMWARE DISCOVERED

    This baddie subjoins the .facebook extension to encrypted files and features a picture of Mark Zuckerberg shown on its warning screen.
  • POLICE DEPT IN THE U.S. REPEATEDLY HIT BY RANSOMWARE

    Riverside Fire and Police department falls victim to ransomware for the second time during a month, with only 8 hours work lost this time.
  • CRYPTON RANSOMWARE UPDATED

    The latest iteration of CryptON aka Nemesis uses the .[victim_ID].ransomed@india.com extension and HOWTODECRYPTFILES.html note.
  • FRESH RSAUTIL MOD RELEASED

    New version of the RSAUtil ransomware is spotted that uses new contact emails, including tizer78224@gmx.de / india.com / protonmail.com.
  • STALINLOCKER IS NOT A JOKE

    The sample called StalinLocker plays USSR anthem and tries to wipe the hard drive unless a correct code is entered during 10 minutes.
  • RAPID RANSOMWARE V3 IS OUT

    The 3rd version of the Rapid Ransomware appends a random 5-character extension to encrypted files. Demands 0.07 BTC for decryption.
  • RANSOMWARE ATTACKS AUSTRALIAN HEALTHCARE ORG

    Family Planning NSW (New South Wales) suffers a ransomware incursion that may expose sentitive records on more than 8,000 clients.
  • SEPSIS RANSOMWARE EMERGES

    New sample called Sepsis ransomware affixes the .[Sepsis@protonmail.com].SEPSIS extension to files and drops Info.hta ransom manual.
  • CRYSIS FAMILY PRODUCES ANOTHER SPINOFF

    The latest version of the CrySiS/Dharma ransomware concatenates the .bip string to hostage files and uses Beamsell@qq.com contact email.
  • SCARAB RANSOMWARE TWEAK

    Brand-new variant of the Scarab strain called Walker uses the .JohnnieWalker extension and HOW TO DECRYPT WALKER INFO.txt note.
  • HORSUKE EDITION OF SCARAB

    The Scarab lineage spawns one more culprit called Horsuke, which uses the .HORSE extension and horsuke@nuke.africa contact email.
  • NEW JIGSAW SAMPLE RELEASED

    Analysts spot a variant of the Jigsaw ransomware that appends the .booknish string to files and uses some new wording for the ransom note.
  • SIGRUN RANSOMWARE IN THE WILD

    This one subjoins the .sigrun extension to scrambled files and leaves a combo of rescue notes named RESTORE-SIGRUN.txt/html.
  • MR. DEC RANSOMWARE

    New Mr. Dec ransomware concatenates the [ID]”random”[ID] suffix to encrypted data items and drops ‘Decoding help.hta’ ransom note.
  • UNLOCK92 STRAIN GETS A MAKEOVER

    Updated version of the Unlock92 ransomware switches to using the .cdrpt file extension and unlckr@protonmail.com contact email.
  • CRYPTCONSOLE2 UPDATED

    New build of the CryptConsole2 baddie is released. Uses szems@tutanota.com mailbox and leaves a ransom note named README.hta.
  • FRESH ROTORCRYPT EDITION POPS UP

    The latest RotorCrypt verison appends ransomed files with the !________INKOGNITO8000@TUTAMAIL.COM_________.SPG extension.
  • PGPSNIPPET RANSOMWARE DISCOVERED

    New ransom Trojan called PGPSnippet appends .decodeme666@tutanota_com file extension and drops !!!README_DECRYPT!!!.txt note.
  • SMALL UPDATE OF AES-MATRIX PEST

    Researchers spot a fresh version of AES-Matrix ransomware that leaves a how-to file named ‘ACCUDATA_pay and get your data back.txt’.
  • JOSEPCRYPT SAMPLE SPOTTED

    Another new ransomware called JosepCrypt appends an apropos .josep suffix to filenames and drops RECOVERY.txt rescue note.
  • CRYPTON CHANGES SPREADING TACTIC

    The campaign delivering the ransomed@india.com variant of CryptON ransomware relies on compromising remote desktop services.
  • RANSOMWARE TARGETING RUSSIAN-SPEAKING AUDIENCE

    A Russian blackmail malware sample is spotted that drops a ransom how-to named Dont_Worry.txt and appends .UPS-[random] to filenames.
  • YET ANOTHER UPDATE OF CRYPTCONSOLE2

    One more edition of the CryptConsole2 family is released. Still drops README.hta note and uses szem@tutanota.com contact email address.
  • ID RANSOMWARE ENHANCED WITH NEW FEATURE

    The ID Ransomware service by MalwareHunterTeam now allows victims to get notifications when their sample becomes decryptable.
  • FLKR RANSOMWARE SPEWS OUT A SPINOFF

    The marginal FLKR ransomware undergoes an update. Uses the .__murzik@jabber.mipt.ru files extension and INSTRUCTIONS.txt ransom note.
  • PLUS ONE VARIANT OF CRYPTCONSOLE

    The original CryptConsole culprit gets an overhaul featuring desparo@tuta.io contact email. It can still be decrypted beyond ransom.
  • JIGSAW OPERATORS BREAK NEW GROUND

    A new version of the Jigsaw ransomware is discovered that uses a C&C server, unlike all previous builds that ran without such a feature.
  • DHARMA RANSOMWARE UPDATED

    A tweak made to the Dharma ransom Trojan after a fairly long hiatus introduces the .id-{victim ID}.[java2018@tuta.io].arrow file extension.
  • FRESH EDITION OF SCARAB POPS UP

    The latest iteration of the Scarab ransomware switches to the .osk file extension and ‘HOW TO RECOVER ENCRYPTED FILES.txt’ ransom note.
  • CRYPTCONSOLE2 KEEPS GETTING TWEAKS

    Yet another spinoff of the CryptConsole2 ransomware uses ‘HOW DECRIPT FILES.hta’ rescue note and zeman@tutanota.de contact email.
  • ADDING C2 SERVERS BECOMES A TREND WITH CROOKS

    Shortly after the recent Jigsaw virus update, the Aurora (aka OneKeyLocker) ransomware follows suit by starting to use a C2 server.
  • CRYPTCONSOLE SPEWS OUT A NEW EDITION

    CryptConsole ransomware (not to be confused with CryptConsole2) undergoes an update with helps@tutanota.com contact email being used.
  • NEW CRYPTOMIX VERSION MAKING THE ROUNDS

    Ransomware watchers spot a new build of the CryptoMix blackmail infection that blemishes encrypted data with the .BACKUP extension.
  • SCARAB LINEAGE GROWS

    Another mod of the Scarab ransomware is discovered that uses the .REBUS file extension and ‘REBUS RECOVERY INFORMATION.txt’ how-to.
  • INSTA RANSOMWARE HUNT

    MHT’s Michael Gillespie asks fellow-researchres to help spot samples of new ransomware that uses .insta extension and filesinfo.txt note.
  • TIES BETWEEN JIGSAW STRAIN AND ETHICAL HACKING

    Security analysts stumble upon a case where a sample of the prolific Jigsaw ransomware is leveraged in an ethical hacking course.
  • PAIN LOCKER RANSOMWARE ON THE TABLE

    MalwareHunterTeam discovers Pain Locker ransomware that uses the .[pain@cock.lu].pain extension and !=How_recovery_files=!.txt note./li>
  • EVERBE RANSOMWARE UPDATED

    New version of the Everbe ransomware drops !=How_recovery_files=!.txt note and appends the .[embrace@airmail.cc].embrace extension.
  • THE CRUDE LITTLEFINGER BADDIE

    A sample called LittleFinger is spotted. Doesn’t affix any extension to filenames and demands 0.01 BTC. Probably an in-dev specimen.
  • CRYPTGH0ST BEGINS MAKING VICTIMS

    Fresh file-encrypting infection concatenates the .cryptgh0st string to files and leaves a rescue note named READ_TO_DECRYPT.html.
  • LOCKCRYPT 2.0 ITERATION FOUND

    Researchers discover a build of LockCrypt 2.0 ransomware that uses the .id-{victim ID}.BI_D extension and ‘How To Restore Files.txt’ note.
  • ONE MORE SCARAB MOD RELEASED

    The pest appends .infovip@airmail.cc extension and drops ‘HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT’ ransom note.
  • STOP RANSOMWARE GETS A TWEAK

    The latest version of the Stop ransomware subjoins the .CONTACTUS suffix to files and leaves !!!!RESTORE_FILES!!!.txt how-to document.
  • BITPAYMER RANSOMWARE UPDATED

    Fresh modification of the BitPaymer pest is spotted that switches to using a new ransom note and features a few other insignificant changes.
  • SIGRUN MAKER WANTS NO RANSOMS FROM RUSSIANS

    The architect of the Sigrun ransomware campaign allows Russian-speaking victims to get their data back without paying the ransom.
  • OPSVENEZUELA RANSOMWARE IN THE WILD

    The OpsVenezuela sample combines the code of the Hidden Tear PoC and that of the EDA2 academic ransomware. Uses a weak crypto key.
  • CRYBRAZIL RANSOMWARE

    New one. Targets Brazilian users, concatenating the .crybrazil extension to encoded data items. Based on Hidden Tear and EDA2 PoCs.
  • AMBA STRAIN RELEASED

    The new Amba ransomware zeroes in on Russian-speaking users. Uses the .UPS-[random] file extension and Dont_Worry.txt ransom note.
  • MAGNIBER ON THE LOOSE IN SOUTH KOREA

    Analysts report a Fresh Magniber ransomware distribution wave localized in South Korea. The infection drops README.txt how-to file.
  • OPEDCONT RANSOMWARE FEATURING HARSH IMPACT

    The PedCont sample displays a ransom warning accusing the victim of accessing prohibited adult content. Crashes the screen shortly.
  • SCARAB FAMILY GIVES RISE TO NEW OFFSHOOT

    The latest variant of the Scarab ransomware appends the .DiskDoctor string to files and drops HOW TO RECOVER ENCRYPTED FILES.txt note.
  • HITLER-THEMED XIAOBA RANSOMWARE TWEAK

    New mod of the XiaoBa lineage subjoins the .AdolfHitler suffix to hostage files and leaves a note named ‘# # DECRYPT MY FILE # #.bmp’.
  • CRYPTCONSOLE UPDATED

    MalwareHunterTeam researchers discover a new CryptConsole version that uses the xser@tutanota.com contact email. Still decryptable.
  • ATLANTA PD’S EVIDENCE LOST OVER RANSOMWARE

    Years’ worth of Dashcam videos from police cars in Atlanta have been lost in a ransomware incident that hit the city in March 2018.
  • REDEYE RANSOMWARE SPOTTED

    The fresh ransomware specimen in question uses the .RedEye extension for ransomed files. It can wipe data and affect a host’s MBR.
  • AURORA STRAIN UNDERGOES A CHANGE

    The most recent build of the Aurora blackmail malware switches to using the #RECOVERY-PC#.txt ransom note and new BTC address.
  • SECOND UPDATE OF CRYPTCONSOLE IN A FEW DAYS

    Yet another variant of the CryptConsole ransomware is discovered that instructs victims to contact the attacker at redbul@tutanota.com.
  • CRYPTCONSOLE MUTATES AS IF ON STEROIDS

    No other ransomware strain is being fine-tuned as often as CryptConsole lately. One more iteration features heineken@tuta.io contact email.
  • GLOBEIMPOSTER MAKES A COMEBACK

    Having remained mostly idle for quite some time, the GlobeImposter campaign resurfaces with a variant using the .emilysupp file extension.
  • PRINCESS RANSOMWARE RAAS BEING PROMOTED

    The authors of the once widespread Princess Ransomware encourage other crooks to spread it on a Ransomware-as-a-Service basis.
  • PGPSNIPPET BADDIE UPDATED

    Brand-new edition of the PGPSnippet ransomware uses the .digiworldhack@tutanota.com extension and !!!README_DECRYPT!!!.txt note.
  • NEW SPARTACUS RANSOMWARE MOD FOUND

    Security enthusiasts spot a variant of the Spartacus ransomware (probably a test one) that appends the .SF extension to hostage objects.
  • ANOTHER UPDATE OF THE MAGNIBER STRAIN

    New Magniber edition starts making the rounds. Concatenates the .ndpyhss string to filenames and uses a number of new Tor addresses.
  • an ongoing list…
  • New ransomware released

  • Old ransomware updated

  • Ransomware decrypted

  • Other important ransomware related events

11 COMMENTS

  1. I got infected with Locky Ransomware last year. I had to lose my files. This timeline is awesome it can aware people to know about ransomware.

  2. Great timeline! The average person is so unaware how rampant and dangerous ransomware is. Thanks for putting this together and keeping it top of mind.

  3. Thank you for creating this! I have consolidated your table into a visualization at austintaylor.io/ransomware/visualization/2017/01/07/ransomware-year-in-review-timeline/

LEAVE A REPLY

Please enter your comment!
Please enter your name here