This is a comprehensive report on ransomware-related events covering a timeframe of January 2017 through June 2018. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources.
-
New ransomware released
-
Old ransomware updated
-
Ransomware decrypted
-
Other important ransomware related events
-
SAMAS RANSOMWARE UPDATED
The extension being appended is .helpmeencedfiles. Now creates the HELP-ME-ENCED-FILES.html ransom manual.
-
GLOBE RANSOMWARE MIGRATED TO C/C++
While the same on the outside, Globe is now coded in C/C++. Uses the .locked extension.
-
NEW SAMPLE CALLED FIRSTRANSOMWARE
The executable is firstransomware.exe. Appends the .locked extension and leaves READ_IT.txt ransom note.
-
RED ALERT RANSOMWARE SPOTTED
A derivative of the open source Hidden Tear Offline ransomware. Displays the “Your Files Has [sic] Been Blocked” alert.
-
N-SPLITTER USING RUSSIAN FILE EXTENSION
Another Hidden Tear spinoff. Appends the “.кибер разветвитель” extension to encrypted entries.
-
NEW EDA2 POC SPINOFF EXPOSED
Brand-new sample based on EDA2 proof of concept ransomware. Uses the .L0CKED extension and DecryptFile.txt ransom note.
-
ANOTHER KOOLOVA VARIANT APPEARS
N-SpLiTTer replica called the “кибер разветвитель” (Russian for “cyber splitter”). Extension and the name are a match.
-
RANSOMWARE TARGETING MONGODB DATABASES
The strain zeroes in on MongoDB servers. Threat actor nicknamed “Harak1r1” demands 0.2 BTC to return hostage databases.
-
MR. ROBOT SERIES THEMED INFECTIONS ON THE RISE
A group of crooks calling themselves FSociety have been busy coining multiple screen lockers and crypto ransomware samples.
-
MERRY X-MAS RANSOMWARE DISCOVERED
Uses the .MRCR1, .PEGS1 or .RARE1 file extension and creates YOUR_FILES_ARE_DEAD.hta ransom manual.
-
TIES BETWEEN PSEUDO-DARKLEECH AND RANSOMWARE
The pseudo-Darkleech cybercrime network was found to be responsible for multiple ransomware campaigns in 2016.
-
GLOBE V3 DECRYPTED
Emsisoft’s Fabian Wosar cracks Globe ransomware version 3, which uses the .decrypt2017 or .hnumkhotep extensions.
-
FIRECRYPT THREAT EQUIPPED WITH DDOS FEATURE
Appends the .firecrypt extension and drops a [random]-READ_ME.html ransom note. Also fills up the hard drive with junk files.
-
CRYPTOMIX/CRYPTFILE2 DISSECTED
The CERT Polska team publishes a detailed analysis of the CryptoMix/CryptFile2 ransomware campaign.
-
NEW LEGISLATION ON RANSOMWARE TAKES EFFECT
A law passed in California defines ransomware distribution as a standalone felony rather than part of money laundering schemes.
-
KILLDISK RANSOMWARE ENHANCED
Now attacks Linux machines along with ones running Windows. The whopping size of the ransom is 222 BTC (more than $200,000).
-
ILOCK RANSOMWARE UPDATED
Leaves the “WARNING OPEN-ME.txt” ransom note (Russian version available too). Separate files for encryptor, live chat and TOR.
-
SKYNAME RANSOMWARE IS UNDERWAY
In-development Hidden Tear POC spinoff. Zeroes in on Czech victims and demands 1000 Czech Koruna (about $40) for decryption.
-
DEPSEX THREAT DISCOVERED IN THE WILD
Also known as MafiaWare, the Depsex ransomware uses the .Locked-by-Mafia extension and READ_ME.txt decryption manual.
-
NEW VIRUS PUSHING RANSOMWARE INTRICATELY
Researchers discovered malicious code adding multiple desktop shortcuts that, once clicked, execute ransomware.
-
YET ANOTHER HIDDEN TEAR DERIVATIVE SPOTTED
Concatenates the .locked suffix to files and creates README.txt ransom note. Goes equipped with a remote shell.
-
THE ENLIGHTENING OCELOT RANSOMWARE
The sample called Ocelot Locker is instructive because it doesn’t do crypto and instead demonstrates how bad a real attack can be.
-
MONGODB APOCALYPSE STATS REVEALED
The number of online-accessible MongoDB databases hit by the MongoDB Apocalypse ransomware reaches a whopping 10,000.
-
UK SCHOOL STAFF SOCIAL-ENGINEERED
Malefactors pretending to be government officials cold-call schools in the United Kingdom, duping staff into installing ransomware.
-
“CRYPTORANSOMEWARE” MADE BY BULLIES
The warning screen displayed by the new “CryptoRansomeware” sample is full of profanity.
-
VBRANSOM 7 RANSOMWARE DISCOVERED
Written in Visual Basic .NET, this strain uses the .VBRANSOM file extension. It’s in-dev and doesn’t do actual crypto at this point.
-
MONGODB APOCALYPSE CAMPAIGN GETS WORSE
Since the Kraken cybercrime ring stepped in, the number of ransomed MongoDB databases has gone up to 28,000.
-
RANSOMEER STRAIN IS UNDERWAY
New Ransomeer sample is being developed. Configured to demand 0.3169 BTC and provide a 48-hour payment deadline.
-
MERRY X-MAS RANSOMWARE UPDATED
The latest edition of Merry X-Mas crypto ransomware also installs DiamondFox, a virus that harvests victims’ sensitive information.
-
JAVASCRIPT-BASED “EVIL RANSOMWARE”
Appends the .file0locked extension to encrypted files and instructs victims to send email to r6789986@mail.kz for recovery steps.
-
CERBER RANSOMWARE TWEAK
The only change is that Cerber now leaves ransom notes called _HELP_DECRYPT_[A-Z0-9]{4,8}_.hta/jpg.
-
LA COLLEGE GIVES IN TO CYBERCROOKS
Los Angeles Valley College opts for the ransom route to recover from a crypto ransomware attack, coughing up $28,000.
-
SPORA RANSOMWARE DISCOVERED
New Spora ransomware can operate offline, features unbeatable encryption and a professionally tailored payment service.
-
MONGODB RANSOMWARE SOURCE CODE PUT UP FOR SALE
The Kraken cybercrime syndicate sells their MongoDB ransomware script for $200. The message was posted on GitHub.
-
MERRY X-MAS STRAIN DECRYPTED
Emsisoft releases a decryptor for the Merry X-Mas ransomware, which appends .MRCR1, .PEGS1, .RARE1, or .RMCM1 extension.
-
NEW MARLBORO RANSOMWARE SURFACES
Arrives with spam, concatenates the .oops extension to files and creates _HELP_Recover_Files_.html ransom manual.
-
MARLBORO RANSOMWARE DEFEATED
Having looked into the code of the Marlboro ransomware, Emsisoft’s Fabian Wosar creates a decrypt tool in less than a day.
-
MONGODB ATTACKERS SWITCH TO ELASTICSEARCH
The group behind the MongoDB database attacks shifts its focus to infecting ElasticSearch servers with ransomware.
-
ODCODC RANSOMWARE DECRYPTOR UPDATED
Researcher nicknamed ‘BloodDolly’ updates his ODCODCDecoder so that it restores files locked by a new ODCODC ransomware variant.
-
THE BUGGY “KAANDSONA” RANSOMWARE
Currently in development. Appends the .kencf extension to files. Fails to encrypt data due to a flaw in its crypto implementation.
-
CERBER CAMPAIGN DETAILS LEAKED
Avast researchers accessed a server containing a fragment of Cerber ransomware’s global infection statistics.
-
SAMSAM RANSOMWARE UPDATE
Appends the .powerfulldecrypt extension to encrypted files and drops a ransom note called WE-MUST-DEC-FILES.html.
-
CRYPTOSEARCH TOOL HELPS DEAL WITH RANSOMWARE
The new CryptoSearch utility locates mutilated files and allows copying or moving them to a backup drive for future decryption.
-
A DECLINE IN LOCKY RANSOMWARE INFECTIONS
According to security analysts, the distribution of Locky via spam campaigns decreased by around 80% in Dec-Jan 2017.
-
CERBER RANSOMWARE TWEAK TAKES EFFECT
A new edition of Cerber leaves ransom notes called _HELP_HELP_HELP_[random].hta/jpg and uses new IP ranges for UDP stats.
-
CERBER AND SPORA SHARE DISTRIBUTION INFRASTRUCTURE
Threat actors in charge of the Spora ransomware campaign were found to use the same proliferation sites as Cerber.
-
CANCER SERVICES ORGANIZATION HIT BY RANSOMWARE
A cancer services agency in Indiana, U.S., suffers a ransomware attack, where crooks demand a ransom of 50 BTC (about $46,000).
-
ANOTHER SAMSAM RANSOMWARE VERSION SURFACES
New SamSam/Samas variant uses the .noproblemwedecfiles extension and 000-No-PROBLEM-WE-DEC-FILES.html ransom manual.
-
CRIMINALS CAPITALIZE ON DATABASE VULNERABILITIES
Unidentified cybercrime rings hijack Hadoop and CouchDB databases, erasing data or demanding ransoms for recovery.
-
SPORA TURNS OUT TO HAVE WORM-LIKE PROPERTIES
The sophisticated Spora ransomware leverages an infection vector relying on .LNK files, so it may act as a shortcut worm.
-
MERRY X-MAS RANSOMWARE DECRYPTOR UPDATE
Emsisoft’s Fabian Wosar adjusts his decryptor for the Merry X-Mas ransomware, which can now decrypt files with the .MERRY extension.
-
LOCKY ENFEEBLED WHILE NECURS BOTNET IS OFFLINE
Analysts see a drastic decrease in spam spreading the Locky ransomware during temporary inactivity of the Necurs botnet.
-
NEW SAMPLE TARGETING BRAZILIAN USERS
Uses the .id-[victim_ID]_garryweber@protonmail.ch file extension and HOW_OPEN_FILES.html ransom manual.
-
CERBER’S RANSOM NOTES CHANGED AGAIN
As part of another tweak, Cerber ransomware has started to drop _HOW_TO_DECRYPT_[4-8 random chars]_.hta/jpg ransom notes.
-
NEW ANDROID TROJAN HITTING RUSSIAN USERS
The Russian language Android ransomware locks a device’s screen and instructs the user to hand over their credit card details.
-
SATAN RANSOMWARE AS A SERVICE GOES LIVE
The RaaS allows crooks to build their custom version of Satan, which uses .stn extension and HELP_DECRYPT_FILES.html ransom note.
-
NEW TURKISH RANSOM TROJAN BEING CREATED
The in-dev ransomware is supposed to target Turkish victims and append encrypted files with the .sifreli extension.
-
CRYPTOSHADOW STRAIN IS UNDERWAY
Based off of the Hidden Tear POC. Adds the .doomed extension to files and leaves LEER_INMEDIATAMENTE.txt ransom manual.
-
PUBLIC LIBRARIES IN SAINT LOUIS COMPROMISED
More than 700 machines across 16 branches of the Saint Louis Public Library get hit by ransomware that demands about $35,000.
-
GLOBEIMPOSTER DECRYPTOR UPDATED
Emsisoft updates the decryptor to support the variant that uses .crypt extension and HOW_OPEN_FILES.hta ransom note.
-
DNRANSOMWARE ISN’T THAT BAD
New strain called DNRansomware uses the .fucked file extension. The decrypt code is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.
-
“JHON WODDY” RANSOMWARE TWEAK
Uses the same source code as DNRansomware. Appends the .killedXXX extension. Decryption routine is buggy.
-
CLOUDSWORD RANSOMWARE BEING CREATED
Researchers discover in-dev CloudSword sample, which drops Warning??.html ransom note and sets a 5-day payment deadline.
-
MINOR UPDATE OF THE APOCALYPSE RANSOMWARE
Uses the crypt32@mail.ru email address for interacting with victims, while the ransom note and filename format are unaltered.
-
SAGE 2.0 STRAIN IS UNDERWAY
Created by the same crooks as those behind Cerber, Locky and Spora. Uses the .sage extension and !Recovery_EMf.html ransom note.
-
NEW SAMAS RANSOMWARE VERSION RELEASED
Appends the .weareyourfriends extension to encrypted files and leaves TRY-READ-ME-TO-DEC.html ransom manual.
-
JIGSAW RANSOMWARE UPDATED
Concatenates the .paytounlock file extension. Expert-made free decryptor already supports this variant.
-
NEW CRYPTOMIX VARIANT SPOTTED
Uses the [original_filename].email[email_address]_id[victim_ID].rdmk file format and “INSTRUCTION RESTORE FILE.txt” ransom note.
-
SPORA RANSOMWARE DISTRIBUTION EXPANDS
While the Spora ransomware originally proliferated in Eastern Europe only, it starts targeting victims around the globe.
-
RUSSIANROULETTE RANSOMWARE SURFACES
A spinoff of the Philadelphia strain. Demands a ransom of 0.3 BTC (about $270) for data decryption.
-
VXLOCK RANSOMWARE LINEAGE APPEARS
The name of this new crypto ransomware family stems from the .vxLock extension being appended to scrambled files.
-
CHARGER RANSOMWARE TARGETING ANDROID
A Charger ransomware variant, EnergyRescue, was distributed for a while via Google Play Store as a battery optimizer. Now removed.
-
GMAIL TO BLOCK .JS ATTACHMENTS SINCE FEBRUARY 13
A change to Gmail will take effect as of February 13, 2017 – the service will block .js attachments to thwart ransomware attacks.
-
ANOTHER SAMAS EDITION SPOTTED
New Samas/SamSam iteration adds the .otherinformation extension and drops 000-IF-YOU-WANT-DEC-FILES.html ransom note.
-
NEW POTATO RANSOMWARE RELEASED
Concatenates the .potato extension to encoded data and leaves README.png/html ransom payment instructions.
-
ONE MORE POLICE DEPARTMENT HIT BY RANSOMWARE
The Cockrell Hill Police Department in Texas admits to having been attacked by ransomware. Crooks demand $4,000 worth of Bitcoin.
-
SPECIFICITY OF THE CRYPTCONSOLE RANSOMWARE
Scrambles filenames rather than encrypting file contents. Leaves the “How decrypt files.hta” ransom note.
-
THE COMEBACK OF VIRLOCKER
Impersonates law enforcement agencies while blocking computers. Researchers discovered that the unlock code is 64 zeros.
-
UPSWING OF MERRY X-MAS RANSOMWARE CAMPAIGN
Analysts note that the propagation of MRCR, aka Merry X-Mas, ransomware is starting to skyrocket.
-
CRYPTCONSOLE RANSOMWARE DECRYPTED
Researcher Michael Gillespie creates a free decryptor for CryptConsole ransom Trojan (“unCrypte@outlook.com_[random]” filenames).
-
MERRY X-MAS RANSOMWARE DECRYPTOR UPDATED
Emsisoft’s decryptor for MRCR now supports the latest variant, which leaves MERRY_I_LOVE_YOU_BRUCE.hta ransom note.
-
ANOTHER UPDATE OF THE JIGSAW RANSOMWARE
New variant concatenates the .uk-dealer@sigaint.org extension to encoded files. Decryptable for free.
-
HITLER RANSOMWARE TWEAK
Crooks label it as “FINAL version of Hitler Ransomware”. Distributed via booby-trapped YOUR-BILL.pdf email attachment.
-
RANSOMPLUS, NEW SAMPLE ON THE TABLE
Adds the .encrypted extension to locked files. Instructs victims to reach attackers at andresaha82@gmail.com.
-
AUSTRIAN HOTEL HIT BY RANSOMWARE
Ransomware wreaks havoc with electronic door locking system at Austrian “Romantic Seehotel Jagerwirt” hotel. Demands 2 BTC.
-
XCRYPT RANSOMWARE SPOTTED
This new strain creates ransom note called Xhelp.jpg containing Cyrillic text. Victims are told to use ICQ to reach the criminals.
-
EMSISOFT SITE DDOSED OVER RANSOMWARE
Emsisoft’s official website suffers a DDoS attack after the vendor updates their free decryptor for Merry X-Mas ransomware.
-
SAGE 2.0 RANSOMWARE DETAILS UNCOVERED
Swiss Government CERT publishes a comprehensive report on the Sage 2.0 ransomware dissecting its main characteristics.
-
NEW RANSOMWARE CALLED ZYKA
Zyka ransomware appends the .locked extension to files and demands a Bitcoin equivalent of $170.
-
TRICKY DISTRIBUTION OF THE NETIX RANSOMWARE
The new Netix ransom Trojan proliferates as a rogue app called “Netflix Login Generator v1.1”. Demands $100 payable in Bitcoin.
-
NEW INFECTION VECTOR OF THE SPORA PEST
Researchers discovered a Spora ransomware distribution campaign involving bogus Chrome Font Pack update.
-
CRYPTOSHIELD 1.0 RANSOMWARE DISCOVERED
A replica of the CryptoMix strain. CryptoShield 1.0 is deposited onto computers via the RIG EK (exploit kit).
-
JIGSAW RANSOMWARE UPDATED AGAIN
The only noteworthy change is the .gefickt extension being affixed to scrambled files.
-
CHANGES MADE TO EVIL-JS RANSOMWARE
The latest version of Evil-JS appends the .evillock string to files and provides gena1983@mbx.kz email address to contact the dev.
-
LOCKY BART CAMPAIGN VIEWED FROM THE INSIDE
Malwarebytes researchers publish Locky Bart ransomware details based on statistics from the crooks’ breached backend server.
-
SAMAS STRAIN UPDATE
New Samas, or SamSam, ransomware edition uses the .letmetrydecfiles extension and LET-ME-TRY-DEC-FILES.html ransom note.
-
ANOTHER DECRYPTION BREAKTHROUGH
Avast analysts release automatic free decrypt tools for Hidden Tear, Jigsaw and Stampado ransomware families.
-
RANSOMWARE ATTACKS ONE MORE ORGANIZATION
A number of IT systems of Ohio’s Licking County government services get affected by unidentified ransomware.
-
TWO RANSOMWARE DISTRIBUTORS APPREHENDED
London police arrest a man and a woman who infected Washington’s closed-circuit television network with ransomware in mid-January.
-
RANION RAAS DISCOVERED
Security researchers stumble upon a new low-cost Ransomware-as-a-Service platform called Ranion.
-
YOURRANSOM VIRUS IS QUITE INSTRUCTIVE
Appends files with .yourransom extension and uses README.txt ransom note. Author (i@bobiji.com) promises free decryption.
-
NEW PYTHON-BASED LAMBDALOCKER SPOTTED
LambdaLocker uses .lambda_l0cked file extension and READ_IT.html decryption how-to. The size of the ransom is 0.5 BTC.
-
PADCRYPT DISTRIBUTION BACKED BY A RAAS
It turns out that there is a Ransomware-as-a-Service platform behind the PadCrypt strain, so it’s a whole affiliate network.
-
YOURRANSOM POC GETS A NEW FAN
Someone borrows the code of YourRansom proof of concept to infect users for real, still offering free decryption though.
-
SPORA STRAIN FEATURES RESPONSIVE TECH SUPPORT
As bizarre as it sounds, operators behind the Spora ransomware deliver quality customer care as they respond to victims’ queries.
-
ANDROID RANSOMWARE GETS SMARTER
The Android.Lockdroid.E virus was found to use a dropper that scrutinizes an infected device before deploying the right payload.
-
CRYPTOSHIELD UPGRADED TO VERSION 1.1
CryptoShield 1.1 engages new email addresses, namely res_reserve@india.com, res_sup@india.com, and res_sup@computer4u.com.
-
UNIQUENESS OF THE EREBUS RANSOMWARE
New sample. Circumvents UAC prompt while getting admin privileges. The size of the ransom is fairly small, amounting to $90.
-
JOBCRYPTER STILL ALIVE AND KICKING
JobCrypter ransomware returns after a period of inactivity. No particular changes have been made to its code.
-
AW3S0M3SC0T7 RANSOMWARE SPOTTED IN THE WILD
Researchers discover Aw3s0m3Sc0t7 ransom Trojan created by someone named Scott. Uses the .enc file extension.
-
NEW SAMPLE TARGETING HIGHLY SENSITIVE FILES ONLY
An unnamed strain is discovered that steals .ie5, .key, .pem and .ppk files (private keys and certificates) and demands a ransom of 1 BTC.
-
ANOTHER PORTUGUESE RANSOM TROJAN SPOTTED
Uses the .id-[random]_steaveiwalker@india.com_ file extension and COMO_ABRIR_ARQUIVOS.txt ransom note.
-
ID RANSOMWARE PROJECT KEEPS EXPANDING
The ID Ransomware initiative by MalwareHunterTeam now identifies 300 different strains of file-encrypting threats.
-
SERPENT RANSOMWARE CAMPAIGN IS UNDERWAY
Presumably a Hades Locker spinoff. Uses the .serpent extension and HOW_TO_DECRYPT_YOUR_FILES_[random].html/txt notes.
-
DYNA-CRYPT IS MORE THAN JUST RANSOMWARE
The new DynA-Crypt infection encodes victims’ data and steals various personally identifiable information. Requests $50 in BTC.
-
DIGISOM, ONE MORE HIDDEN TEAR DERIVATIVE
Based on open-source Hidden Tear. Adds the .[A-Za-z0-9]{3}.x extension to files and drops “Digisom Readme[0-9].txt” ransom note.
-
FADESOFT PEST PAYS HOMAGE TO A MOVIE
Ransom warning contains a logo of Umbrella Corporation from Resident Evil series. Demands 0.33 BTC for data decryption.
-
SERBRANSOM 2017, A NEW ONE ON THE TABLE
Concatenates the .velikasrbija extension to files and deletes a random file every 3 minutes. Asks for $500 worth of Bitcoin.
-
WCRY SPECIMEN IS RUN-OF-THE-MILL
Appends the .wcry suffix to enciphered files and demands 0.1 BTC for decryption.
-
RDP-BASED RANSOMWARE ATTACKS ARE ON THE RISE
TrendMicro found that the number of RDP brute-force attacks spreading CrySiS ransomware has grown dramatically in 2017.
-
SERBRANSOM 2017 AUTHOR DETAILS REVEALED
Experts discover that SerbRansom 2017 dev advocates ideas of ultranationalism with his hatred toward Kosovo and Croatia.
-
NEW RANSOMWARE THAT ARCHIVES FILES
A strain is spotted that moves a victim’s files to a password-protected RAR archive and requests 0.35 BTC for the unlock password.
-
SAMAS FAMILY KEEPS EXPANDING
Another Samas/SamSam spinoff uses the .encryptedyourfiles extension and 001-READ-FOR-DECRYPT-FILES.html ransom note.
-
NEW CYBERSPLITTER VARIANT GOES LIVE
Displays an FBI themed warning that says, “Your Computer Has Been Locked!”. The ransom amounts to 0.5 BTC.
-
POC RANSOMWARE FOR INDUSTRIAL CONTROL SYSTEMS
Researchers from Georgia Institute of Technology present POC ransomware targeting ICS/SCADA systems at RSA Conference.
-
MOST RANSOMWARE DEVS SPEAK RUSSIAN
According to Kaspersky Lab, 75% of all ransomware strains circulating in 2016 were created by Russian-speaking crooks.
-
MORE CYBERSPLITTER EDITIONS SPOTTED
Two new CyberSplitterVBS versions appear, one of which impersonates “Saher Blue Eagle” remote administration tool.
-
NEW JOBCRYPTER VARIANT RELEASED
The fresh JobCrypter edition uses a new set of email addresses: frthnfdsgalknbvfkj@outlook.fr (…@yahoo.com, …@gmail.com).
-
CERBER SKIPS AV-RELATED FILES
When scouring infected computers for data, a new variant of the Cerber ransomware ignores files associated with security suites.
-
SMALL TWEAK OF THE N1N1N1 STRAIN
The changes include a new filemarker (333333333333) and a different Tor address of the decryption service.
-
RESEARCHER DEMONSTRATES RANSOMWARE REVERSING
Fabian Wosar of Emsisoft sets up a streaming session where he reverses new Hermes ransomware and finds its weaknesses.
-
PRINCESS LOCKER UPDATE
The latest build of the Princess Locker ransomware drops a new ransom manual called @_USE_TO_FIX_JJnY.txt.
-
KASISKI RANSOM TROJAN APPEARS IN THE WILD
This new Spanish sample uses the [KASISKI] prefix to label encrypted files and leaves INSTRUCCIONES.txt ransom note.
-
XYZWARE, NEW BADDIE ON CYBERCRIME STAGE
New XYZWare is a Hidden Tear POC derivative most likely hailing from Indonesia. Drops README.txt ransom note.
-
MINOR TWEAK OF CRYPTCONSOLE RANSOMWARE
The only change as compared to the previous edition is a new email address being used: something_ne@india.com.
-
MRCR RANSOMWARE DECRYPTOR UPDATED
Emsisoft’s Fabian Wosar updates his decryptor for the Merry X-Mas ransomware so that it can handle new versions of the plague.
-
ANDROID RANSOMWARE TRENDS DISSECTED
ESET publishes a whitepaper on how Android ransomware has mutated and grown in volume since 2014.
-
SAGE RANSOMWARE UPDATED TO VERSION 2.2
Aside from the new version name, Sage 2.2 ransomware creates !HELP_SOS ransom notes on the desktop and inside folders.
-
NEW VARIANT OF THE SAMAS RANSOM TROJAN
Concatenates the .weencedufiles extension to encrypted files and leaves READ_READ_READ.html recovery how-to.
-
CRYPTOMIX VARIANT DECRYPTED BY AVAST
Avast, in cooperation with CERT.PL, releases a free decryptor for the offline edition of CryptoMix ransomware.
-
TRUMP LOCKER, A VENUSLOCKER REMAKE
Uses two different extensions (.TheTrumpLockerf and .TheTrumpLockerp) and drops the “What happen to my files.txt” ransom note.
-
CRYPT888 RANSOMWARE MODIFIED
New Crypt888 variant displays a beach view instead of ransom notes and puts the “Lock.” prefix before original filenames.
-
NEW SAMPLE CODED IN PYTHON
Avast researchers spot a new Python-based strain that appends the .d4nk string to encrypted files.
-
PATCHER RANSOMWARE TARGETING MAC OS X
Payloads are disguised as patchers for various Mac OS apps. Drops README!.txt ransom note. Files cannot be decrypted for free.
-
THE UNUSUAL UNLOCK26 RANSOMWARE
Provides no contact details. Before submitting the ransom to unlock files, a victim is instructed to solve a math problem.
-
ANDROID RANSOMWARE THAT CAN LISTEN
New Lockdroid ransomware spinoff unlocks a device after the victim pronounces the unlock code obtained after payment.
-
PICKLES RANSOMWARE EMERGES
Written in Python. Appends files with .[random].EnCrYpTeD extension and creates READ_ME_TO_DECRYPT.txt ransom notes.
-
GO-BASED VANGUARD RANSOMWARE
New Vanguard ransomware is written in Google’s Go programming language. Not very active at this point.
-
ANOTHER CRYPTOMIX UPDATE
The latest iteration of CryptoMix marks the names of encrypted files with the .CRYPTOSHIEL extension.
-
MYSQL SERVERS UNDER ATTACK
Extortionists hijack numerous MySQL databases around the world, erase their content and demand a ransom of 0.2 BTC.
-
DAMAGE RANSOMWARE SPOTTED
New sample that concatenates the .damage string to encrypted files, hence the name of the ransomware.
-
WEIRDNESS OF THE BARRAX RANSOMWARE
This is a Hidden Tear spinoff that appends files with the .BarRax suffix. The strange thing is that it has a regular support forum.
-
RAAS BEHIND UNLOCK26 INFECTION
The Unlock26 Trojan is now distributed on a Ransomware-as-a-Service basis. The operators get 50% of the ransoms submitted by victims.
-
SARDONINIR RANSOMWARE IN DEVELOPMENT
An in-dev ransomware that uses the .enc extension and sends encryption password to sardoninir@gmail.com.
-
CRYPT0L0CKER SPAM CAMPAIGN DISSECTED
Italian security experts discover that Crypt0L0cker devs sign their spam emails with legit “posta elettronica certificata” (PEC).
-
CRYPTOGRAPHER ON THE FUTURE OF RANSOMWARE
Matthew Green, cryptographer and professor at Johns Hopkins University, writes an article on the evolution of ransomware from a cryptographic standpoint.
-
FILELOCKER GOING AFTER CZECH USERS
New FileLocker ransomware displays ransom notes in Czech, uses the .ENCR file extension and asks for 0.8 BTC.
-
DEALING WITH FINDZIP ATTACK AFTERMATH
Malwarebytes team devises a method to restore files encrypted by Mac OS X ransomware called Findzip.
-
DETAILS OF CRYPT0L0CKER RE-EMERGENCE
Crypt0L0cker, aka TorrentLocker, is active again after almost a year of standstill. The updated infection mostly targets Europe.
-
LOCKY RANSOMWARE USES A GENUINE CERT
It turns out that the .osiris variant of Locky is signed by a digital certificate issued by Comodo CA.
-
DHARMA RANSOMWARE MASTER KEYS LEAKED
Someone nicknamed ‘gektar’ provided a Pastebin link on BleepingComputer forums leading to master decryption keys for Dharma.
-
THE ONSET OF KRIDER RANSOMWARE
A new sample called KRider is underway. It concatenates the .kr3 extension to ciphered files.
-
RANSOMWARE IDENTIFICATION IS GETTING TOUGHER
A new strain appends the “.SN-[random_numbers]-info@kraken.cc_worldcza@email.cz” extension, and the two email addresses in it make identification confusing.
-
PODCAST FEATURING THE AUTHOR OF “ID RANSOMWARE”
Michael Gillespie, the architect of ID Ransomware service, provides useful security tips in the FightRansomware podcast.
-
TIES BETWEEN RIG EK AND ASN1 RANSOMWARE
The ASN1 ransom trojan is deposited on computers via RIG exploit kit. This sample drops “!!!!!readme!!!!!.htm” ransom note.
-
DHARMA RANSOMWARE DECRYPTED
Kaspersky, followed by ESET and Avast, release free decryptors for the Dharma ransomware based on leaked master keys.
-
CERBER PRESUMABLY STEPPING INTO ANDROID OS
Analysts discovered Cerber ransom note README.hta being embedded in the code of several official Android apps.
-
CREATION OF MAFIAWARE SPINOFF IN PROGRESS
Somebody is reportedly working on a new ransomware sample based on the source code of MafiaWare threat.
-
FABSYSCRYPTO, A NEW LOCKY COPYCAT
A strain called FabSysCrypto is spotted that drops ransom notes identical to Locky’s and uses the code of Hidden Tear POC.
-
JIGSAW RANSOMWARE VERSION 4.6 SPOTTED
The newcomer features an updated warning screen, demands $150 worth of Bitcoin, and provides a 24-hour deadline.
-
RANSOMWARE ATTACKS PA. SENATE DEMOCRATS
Computer network of the Pennsylvania Senate Democratic Caucus gets shut down due to a ransomware incident.
-
NEW FADESOFT VARIANT EMERGES
The updated FadeSoft ransomware uses a warning screen that’s no longer Resident Evil movie themed. No more tweaks made.
-
CRYPTOJACKY TARGETING SPANISH-SPEAKING USERS
Ransom notes by the new CryptoJacky ransomware are in Spanish. The pest uses Aescrypt.exe application to scramble files.
-
ENHANCEMENT MADE TO SHAMOON DISK WIPER
The notorious Shamoon disk-wiping worm originally discovered in 2012 now goes equipped with a ransomware component.
-
THE ONSET OF ENJEY CRYPTER
New Enjey Crypter ransomware bears a resemblance to the RemindMe strain. It uses ‘contact_here_me@india.com’ email address.
-
UNLOCK92 TROJAN GETS FINE-TUNED
The only apparent change in comparison with the previous edition is the new name of the ransom note – READ_ME_!.txt.
-
NHTNWCUF RANSOMWARE IS AN ODD ONE
Leaves ransom notes called !_RECOVERY_HELP_!.txt or HELP_ME_PLEASE.txt. Ends up scrambling files beyond recovery.
-
MEET PAUL, A WANNABE EXTORTIONIST
Researchers discovered a crude Hidden Tear POC-based sample being developed by a person from France named Paul.
-
CRYPTON, AKA NEMESIS RANSOMWARE CRACKED
Emsisoft creates a free decryptor for the CryptON ransom trojan, which otherwise demands 0.5 BTC ($620) for file recovery.
-
NEW CRYPT0L0CKER CAMPAIGN DISSECTED
Cisco’s Talos Intelligence Group publishes a comprehensive write-up on the new variant of Crypt0L0cker / TorrentLocker.
-
CRYPTOLOCKER 1.0.0 IS JUST AN IMPOSTOR
CryptoLocker 1.0.0 uses the RSA algorithm and displays its ransom how-to in Turkish. The name is borrowed from the infamous original.
-
RANRAN RANSOMWARE ISN’T RUN-OF-THE-MILL
Spreads within a country in the Middle East and has clear political implications. Uses encryption tiers and adds the .zZz extension.
-
CERBER NOW KEEPS FILENAMES INTACT
New variant of the Cerber ransomware doesn’t modify original filenames. Still appends a PC-specific 4-char extension, though.
-
VORTEX RANSOMWARE TARGETING POLISH USERS
Concatenates the .aes extension to encrypted files and drops ODSZYFRUJ-DANE.txt (“DECRYPT-DATA”) ransom manual.
-
VAPELAUNCHER, A CRYPTOWIRE SPINOFF
New VapeLauncher ransomware is based on the code of CryptoWire POC. Demands $200 worth of Bitcoin.
-
SPORA’S INFECTION VECTOR SCRUTINIZED
Kevin Douglas from RSA Security publishes an article with in-depth analysis of the HTA contamination vector used by Spora devs.
-
PADCRYPT 3.4.0 DISCOVERED
Researchers found a sample of new PadCrypt ransomware v3.4.0. It uses the same build and campaign ID as the predecessor.
-
UNIQUENESS OF SAMAS RANSOMWARE EXPLAINED
Samas ransomware uses a worm-like tactic to affect all connected servers and backups. Its devs made $450,000 in one year.
-
EXHAUSTIVE ANALYSIS OF THE SPORA RANSOMWARE
Malwarebytes Labs consolidates all known technical details of the sophisticated Spora ransomware into a single post.
-
TIES BETWEEN SAGE 2.2 AND AN INFO STEALER
Analysts discover a connection between the Sage ransomware campaign and the distribution of August Stealer malware.
-
NEW ANDROID DEVICES WITH RANSOMWARE ON BOARD
Pre-installed ransomware and adware were found on 38 Android smartphones shipped to two big technology companies.
-
ID RANSOMWARE SERVICE ENHANCED
The ID Ransomware resource by MalwareHunterTeam is now capable of identifying files scrambled by Spora ransomware.
-
SAMSAM STRAIN UPDATE
New SamSam variant uses the .iaufkakfhsaraf file extension and IF_YOU_WANT_FILES_BACK_PLS_READ.html ransom note.
-
DAMAGE RANSOMWARE DECRYPTED
Emsisoft CTO Fabian Wosar defeats the crypto of the Damage Ransomware in another live streaming session.
-
NEW ROZALOCKER SPECIMEN
RozaLocker appends the .ENC extension to files, drops ransom notes in Russian and requests 10,000 Rubles ($173) for recovery.
-
FRESH SAMPLE AFFECTING FRENCH AUDIENCE
A new ransom Trojan is discovered that displays its recovery how-to called “Verrouille” in French.
-
ENJEY TROJAN DEV’S REVENGE
Operator of the Enjey ransomware fires a series of DDoS attacks at ID Ransomware site following the release of ad hoc decryptor.
-
Ŧl๏tєгค гคภร๏๓ฬคгє IS VORTEX IN DISGUISE
Researchers discover a sample called the Ŧl๏tєгค гคภร๏๓ฬคгє, which appears to be a spinoff of the Vortex strain.
-
PADCRYPT UPDATED AGAIN
Although the PadCrypt ransomware isn’t in active rotation, its authors keep releasing new versions; the current one is 3.4.1.
-
PROJECT34 RANSOMWARE HUNT STARTS
Analysts declare an initiative against the Project34 ransomware, which prepends “project34@india.com” to locked files.
-
PETRWRAP, A PETYA RANSOMWARE DERIVATIVE
New PetrWrap ransomware leverages Windows PsExec tool to infect enterprise networks and completely deny access to machines.
-
NEW RAAS COMPROMISED BY WHITE HAT HACKERS
Malwarebytes researchers hack FileCrypter Shop, a Ransomware-as-a-Service resource that’s about to go live.
-
SPORA RANSOMWARE CAMPAIGN TWEAK
The Spora crew registers a new C2 domain torifyme[dot]com and starts using it for victim interaction purposes.
-
JIGSAW RANSOMWARE UPDATE
The latest edition of the Jigsaw ransomware concatenates the .nemo-hacks.at.sigaint.org extension to encoded files.
-
NEW ITERATION OF THE HERMES RANSOMWARE
Hermes, a strain previously cracked by Emsisoft’s Fabian Wosar in a live video, is now at version 2.0.
-
HERMES ENCRYPTION DEFEATED
Researcher Michael Gillespie, in cooperation with Fabian Wosar, releases a free decryptor for the Hermes ransomware.
-
AN INSTRUCTIVE SCREEN LOCKER DISCOVERED
A Russian screen locker is spotted that allows for easy recovery as long as the victim reads how dangerous ransomware is.
-
KARMEN RAAS BEING DEVELOPED
Malware watchers discover a new Ransomware-as-a-Service portal called Karmen, which is currently in development.
-
REVENGE TROJAN, A CRYPTOMIX SPINOFF
The Revenge ransomware spreads via RIG exploit kit, uses the .REVENGE file extension and # !!!HELP_FILE!!! #.txt ransom note.
-
SAMPLE PRETENDING TO BE CTB-LOCKER
New CTB-Locker copycat displays Beni Oku.txt ransom manual in Turkish and appends the .encrypted extension to files.
-
A VANITY-DRIVEN HIDDEN TEAR VERSION
A Hidden Tear POC offspring appears that asks victims to post a specific message on Facebook to get the fix.
-
NSIS INSTALLERS ABUSED BY RANSOMWARE DEPLOYERS
Microsoft discovers a trend of threat actors distributing ransomware by manipulating the Nullsoft Scriptable Install System (NSIS).
-
THE ECCENTRIC KIRK RANSOMWARE
Uses Star Trek themed warnings and the Monero payment system. Appends the .Kirked extension and leaves a RANSOM_NOTE.txt manual.
-
LICK RANSOMWARE BASED ON KIRK STRAIN
The Lick ransomware acts similarly to Kirk, uses the same decryption how-to (RANSOM_NOTE.txt) and the .Licked file extension.
-
SCREEN LOCKER CALLED CRYPTODEVIL
Reverse engineering of CryptoDevil revealed that its author’s nickname is “Mutr0l”. The “kjkszpg” code unlocks the screen.
-
ROSHALOCK 2.0 USES RAR TO LOCK FILES
Moves data to a password-protected RAR archive and creates a ransom note called “All Your Files in Archive!.txt”.
-
DECRYPT TOOL FOR CRYPTON GETS FINE-TUNED
Emsisoft CTO Fabian Wosar releases an updated decryptor for CryptON that supports the newest edition of the infection.
-
ZINOCRYPT RANSOMWARE – 2017 EDITION
Concatenates the .ZINO extension to ciphered files and creates ZINO_NOTE.txt ransom manual.
-
CRPTXXX IS NOTHING OUT OF THE ORDINARY
Affixes the .crptxxx string to scrambled files and drops the HOW_TO_FIX_!.txt document to instruct victims regarding recovery.
-
JIGSAW RANSOMWARE GETS A NEW LOOK AND FEEL
New edition of the Jigsaw crypto infection uses a new background for its warning window and appends the .fun file extension.
-
DH_FILE_LOCKER RANSOMWARE BUILDER EXPOSED
Analysts spot a tool called DH_File_Locker by Doddy Hackman 2016 that can be used for building custom ransomware.
-
BUILDER FOR TRIDENT FILE LOCKER DISCOVERED
Another ransomware builder is spotted. Called the Trident Builder, it allows crooks to easily generate a payload of their own.
-
MAC-AND-CHESS DEV CARES ABOUT MARKETING
Hidden Tear based ransomware tells victims to post “I have been hacked by anonymous” phrase on their Facebook wall.
-
THE DECRYPTABLE BRAINCRYPT RANSOMWARE
Appends one’s locked files with the .[braincrypt@india.com].braincrypt extension. A free decryptor is available.
-
MOTD RANSOMWARE SPOTTED
Concatenates the .enc extension to encrypted files and drops a ransom note called motd.txt.
-
CRYPTODEVIL SAMPLE IN DEVELOPMENT
Currently scrambles data only in sub-directories of a folder hosting its executable. Appends the .devil extension to files.
-
VIETNAMESE EDITION OF JIGSAW RANSOMWARE
This variant of the notorious Jigsaw strain leaves a decryption how-to in Vietnamese. Still an in-dev sample at this point.
-
LOCKY CAMPAIGN STEADILY GOING DOWN
Since the Necurs botnet stopped generating spam with Locky ransomware payloads, the campaign has been declining big time.
-
RANSOMWARE-RELATED BILL INTRODUCED
The gist of a recent Indiana bill is to make ransomware distribution a standalone felony leading to 1-6 years in jail.
-
PADCRYPT WON’T STOP UPDATING
Analysts discover a new variant of the PadCrypt ransomware, which now reaches v3.4.4. No noteworthy functional changes made.
-
SAMAS RANSOMWARE UPDATED ONCE AGAIN
New edition uses the .cifgksaffsfyghd file extension and READ_READ_DEC_FILES.html ransom manual.
-
LLTP LOCKER TARGETING SPANISH-SPEAKING USERS
Aka LLTP Ransomware. Researchers found that its code is based on the VenusLocker strain.
-
SAP PRODUCTS EXPLOITABLE TO SERVE RANSOMWARE
Security experts discover a vulnerability in SAP Windows client that may allow crooks to deploy ransomware remotely.
-
USER-FRIENDLY RANSOM TROJANS ARE ALREADY HERE
An article is posted on the Barkly blog, predicting that ransomware with quality customer service will become a trend.
-
NEW ZORRO RANSOMWARE SURFACES
Appends files with the .zorro suffix and creates a ransom note called Take_Seriously (Your saving grace).txt.
-
ANGLEWARE, ANOTHER HIDDEN TEAR OFFSPRING
AngleWare appears to be a new derivative of the Hidden Tear proof of concept. Uses the .AngleWare file extension.
-
THE “MONUMENT” EDITION OF JIGSAW RANSOMWARE
The payload is hidden in an installer for the Imminent Monitor RAT. Provides recovery steps right in the extension added to files.
-
METEORITAN STRAIN SPREADING IN POLAND
Leaves ransom notes called where_are_your_files.txt or readme_your_files_have_been_encrypted.txt.
-
GLOBE3 DECRYPTOR UPDATED
Emsisoft updates their free decryptor for the Globe3 ransomware so that it restores files locked by the newest edition.
-
“MONUMENT” SAMPLE HAS NOW GOT COMPANY
Jigsaw version called the “Monument” ransomware now propagates along with an adult-themed screen locker.
-
SOME SPORA RANSOMWARE STATS UNCOVERED
MalwareHunterTeam provides details on the number of ransomed files (48,466,020) belonging to 646 Spora victims.
-
LK ENCRYPTER, ONE MORE HIDDEN TEAR SPINOFF
The array of Hidden Tear POC derivatives gets replenished with new LK Encrypter, which uses the .locked file extension.
-
BTCWARE, NEW ONE IN THE RANSOMWARE ARENA
Has common traits with the CrptXXX sample. Demands 0.5 BTC (about $500) for data decryption.
-
SADSTORY RANSOMWARE CAMPAIGN TAKES ROOT
SADStory instructs victims to send email to tuyuljahat@hotmail.com for recovery steps and deletes one random file every 6 hours.
-
USEFUL CRYPTOSEARCH TOOL UPDATED
The CryptoSearch utility by Michael Gillespie now identifies files affected by the Spora ransomware.
-
NEW VARIANT OF WCRY RANSOMWARE GOES LIVE
The updated WCry, aka WANNACRY, ransomware drops “!WannaCryptor!.bmp” and “!Please Read Me!.txt” ransom notes.
-
SPANISH CRYPTO THREAT USING INTERESTING DISGUISE
The strain targets a Spanish-speaking audience, uses the Smart Install Maker solution and displays a rogue Windows Update screen.
-
MEMELOCKER CAMPAIGN IS ABOUT TO BREAK OUT
Researchers spot a new ransom Trojan called MemeLocker, which is still in development. Displays a bright-red warning window.
-
UNDERGROUND RANSOMWARE WORKSHOP UNCOVERED
Cybercrime group dubbed “Mafia Malware Indonesia” is responsible for creating CryPy, MafiaWare, SADStory and a few more strains.
-
iOS UPDATE FEATURING IMPORTANT SECURITY PATCH
The latest iOS 10.3 update contains a fix for a Safari security issue that will address a growing police ransomware campaign.
-
PYCL RANSOMWARE, A CTB-LOCKER COPYCAT
New Python-based PyCL ransomware propagates via RIG exploit kit and displays ransom notes similar to CTB-Locker’s.
-
R RANSOMWARE, ANOTHER ONE ON THE TABLE
Named simply “R”, this ransom Trojan leaves a self-explanatory Ransomware.txt how-to and demands 2 BTC for decryption.
-
STRAIN USING THE .ANDROID EXTENSION
Fresh sample called AnDROid appends the .android extension to files and displays an animated image of a skull in its ransom note.
-
ANOTHER RANSOMWARE HUNT BEGINS
Michael Gillespie, aka @demonslay335, declares a hunt for the .pr0tect file (READ ME ABOUT DECRYPTION.txt) ransomware.
-
GREAT WRITE-UP ON SAGE RANSOMWARE
Malwarebytes Labs publishes an article dissecting multiple facets of the Sage ransomware, which is currently at version 2.2.
-
HAPPYDAYZZ RANSOMWARE DISCOVERED
HappyDayzz strain can switch between different encryption algos. Uses the blackjockercrypter@gmail.com contact email.
-
DONOTCHANGE RANSOMWARE SPOTTED
Requests $250 for decryption and warns victims that changing the names of encrypted files will make recovery impossible.
-
FILE FROZR RAAS LAUNCHED
New Ransomware-as-a-Service portal called FILE FROZR starts functioning. Asks for $100 monthly, with $50 discount for first month.
-
DONOTCHANGE RANSOMWARE DECRYPTED
Another win for the good guys – Michael Gillespie creates a free decryptor for the recently released DoNotChange strain.
-
GOOGLE STATES ANDROID RANSOMWARE ISN’T COMMON
According to Google, ransomware infecting Android devices is extremely rare and the issue is blown out of proportion.
-
CRYPTOSEARCH APP FINE-TUNED
FadeSoft ransomware victims can now use the CryptoSearch tool to detect encrypted files and move them to a new location.
-
ID RANSOMWARE SERVICE NOW IDENTIFIES FADESOFT
The ID Ransomware online resource has been updated to identify the FadeSoft ransom Trojan by files and/or ransom notes.
-
ANDROID RANSOMWARE UNDETECTED BY AV TOOLS
A new sample of Android ransomware is spotted that leverages an obfuscation mechanism to evade AV detection.
-
LANRAN RANSOMWARE EMERGES
New LanRan infection displays a tasteless-looking warning screen that requests 0.5 BTC for a purported recovery service.
-
FANTOM RANSOMWARE UPDATED AGAIN
The latest edition of Fantom replaces filenames with base64 encoded strings and uses RESTORE-FILES.[random].hta ransom note.
-
NEW CRYPVAULT VARIANT IS OUT
Spreads via spam delivering a phony CV and uses the helplovx@excite.co.jp email address to interact with victims.
-
ONE MORE RANSOMWARE HUNT LAUNCHED
This time, researchers will try to hunt the Cradle ransomware down (.cradle extension and _HOW_TO_UNLOCK_FILES_.html note).
-
THE WITTY “SANCTIONS RANSOMWARE”
The Sanctions ransomware takes root. It appends the .wallet extension to files and caricatures US sanctions against Russia.
-
UEFI FIRMWARE VULNERABILITY UNCOVERED
Researchers from Cylance discover a firmware security loophole that may expose Gigabyte Brix devices to ransomware attacks.
-
GX40 RANSOMWARE MAY SPAWN LOTS OF SPINOFFS
GX40 ransomware (.encrypted extension) employs a codebase that researchers predict may be used to coin malicious derivatives.
-
GX40 CODEBASE STARTS MAKING TROUBLE
New sample is discovered that’s based on GX40 ransomware code. The fresh one uses geekhax@gmail.com contact address.
-
ANGRYKITE STRAIN SPOTTED
AngryKite scrambles filenames and appends them with the .NumberDot string. Also instructs victims to dial a phone number.
-
DEATHNOTE HACKERS RANSOMWARE POPS UP
Operated by DeathNote Hackers group, this one concatenates the .f*cked extension to encrypted files. Decryptable for free.
-
FLUFFY-TAR RANSOMWARE UNDERWAY
Appends the .lock75 file extension, demands 0.039 BTC (about $50) for decryption, and uses a Tor gateway for communication.
-
NEW CERBER VERSION IS OUT
Uses a new ransom note name (_READ_THI$_FILE_[random].hta/jpeg/txt or _READ_THIS_FILE_[random].hta/jpeg/txt).
-
AMADEOUS RANSOMWARE IS ALMOST HERE
Security experts stay on top of the work of a crook named “Paul”, who came up with the “Amadeous” name for his ransomware.
-
FAIZAL, A HIDDEN TEAR OFFSPRING
The new Faizal ransomware is based on Hidden Tear POC. It affixes the .gembok string to encoded files.
-
PADCRYPT DEVS REQUEST NICE REVIEWS
Tor site used in the PadCrypt ransomware campaign suggests that victims give it good feedback to get a partial ransom refund.
-
NEW DECRYPTOR FOR BART RANSOMWARE RELEASED
Bitdefender crafts a decryption tool supporting all variants of Bart ransomware, which uses the .bart.zip, .bart or .perl extension.
-
GX40 PROJECT KEEPS PRODUCING SPINOFFS
The fresh one requests 0.02 BTC and instructs victims to contact the crooks via ransomwareinc@yopmail.com.
-
A TWEAK MADE TO THE JIGSAW PEST
Concatenates the “.I’WANT MONEY” extension to filenames and uses ewsc77@mail2tor.com email address.
-
VORTEX RANSOMWARE CRACKED
Michael Gillespie, ID Ransomware author, claims he can decrypt files locked by Vortex strain. Victims should contact him directly.
-
SAMAS RANSOMWARE UPDATE
New edition uses the .skjdthghh extension and 009-READ-FOR-DECCCC-FILESSS.html ransom how-to.
-
PADCRYPT 3.5.0 GOES LIVE
MalwareHunterTeam discovers a brand new version of PadCrypt that’s now at v3.5.0.
-
A LIKELY RAAS FOR THE FANTOM BADDIE
Code of the latest Fantom ransomware edition contains a ‘partnerid’ attribute, so an associated RaaS may be on its way.
-
NEW CRYPTOWIRE SPINOFF SPOTTED
The latest CryptoWire version is denominated “realfs0ciety@sigaint.org.fs0ciety”. The payload arrives as AA_V3.exe file.
-
ANOTHER PYTHON-BASED SAMPLE FOUND
This one puts a lot of pressure on victims as it instructs them to pay 0.3 BTC within 3 hours.
-
HT SPINOFF DUBBED KRIPTO
Security researchers come across a new Hidden Tear derivative called Dikkat (Eng. “Attention”). The ransom note is in Turkish.
-
LMAOXUS RANSOMWARE DISCOVERED
LMAOxUS ransomware is based on open-source EDA2 POC. Its maker, however, eliminated a backdoor in the original code.
-
MAN FROM AUSTRIA ARRESTED OVER RANSOMWARE
A 19-year-old Austrian citizen is apprehended for infecting a Linz based organization with the Philadelphia ransomware.
-
RENSENWARE FEATURES OFFBEAT TACTICS
A sample called RensenWare tells a victim to score more than 0.2 billion in the TH12 game, which is the only way to restore files.
-
$100,000+ MADE BY EXTORTION GROUP
A single cybercrime ring reportedly made more than $100,000 by taking advantage of Apache Struts 0day vulnerability.
-
CRY9 RANSOMWARE DECRYPTED
Emsisoft creates a decryptor for the Cry9 ransom Trojan, a CryptON spinoff that employs AES, RSA and SHA-512 crypto algos.
-
CRITICISM OVER SCADA RANSOMWARE CLAIMS
Experts criticize Security Affairs for publishing a far-fetched analysis on SCADA ransomware called Clear Energy.
-
MATRIX CAMPAIGN ON THE RISE
Matrix ransomware is being reportedly distributed via RIG exploit kit, so it is shaping up to be a serious problem.
-
CERBEROS RANSOMWARE ISN’T CERBER AT ALL
The new crypto-troublemaker called Cerberos is an offspring of the CyberSplitterVBS strain and has nothing to do with Cerber.
-
KILIT RANSOMWARE CREATION IN PROGRESS
MalwareHunterTeam spots an in-dev sample configured to append the .kilit extension to files. No ransom note so far.
-
SERPENT STRAIN STILL ALIVE AND KICKING
New Serpent edition uses the .serp file extension and README_TO_RESTORE_FILES.txt ransom how-to.
-
CRY9 DECRYPTOR ENHANCED
Emsisoft updates their Cry9 decryptor to improve its performance and broaden ransomware version coverage.
-
NEW HIDDEN TEAR BASED RANSOMWARE SPOTTED
Goes with a GUI, displays warning messages in Portuguese and concatenates the .locked string to hostage files.
-
BTCWARE INFECTION TWEAK
The new variant of BTCWare strain instructs victims to contact the attackers via new email address lineasupport@protonmail.com.
-
ANOTHER INSTRUCTIVE RANSOMWARE SURFACES
Called the “Kindest Ransomware ever”, this one locks files and decrypts them after the victim watches a security video online.
-
MOLE RANSOMWARE, NEW ONE ON THE TABLE
Uses the .MOLE file extension and INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt decryption how-to.
-
REKT RANSOMWARE BEING CREATED
According to researchers’ analysis, someone named (or nicknamed) Anthony is working on .rekt file ransomware.
-
NEW JIGSAW EDITION
The latest Jigsaw ransomware variant displays ransom notes in French and concatenates the .crypte string to locked files.
-
IN-DEV EL-DIABLO RANSOMWARE FOUND
MHT discovers an in-development sample dubbed El-Diablo. Its code contains references to the author’s name – SteveJenner.
-
DHARMA COPYCAT APPEARS
New Globe v3 ransomware edition impersonates the Dharma strain. The file extension is .[no.torp3da@protonmail.ch].wallet.
-
FRESH JIGSAW RANSOMWARE SPINOFF IS UNDERWAY
New Jigsaw variant uses the .lcked string to label scrambled files and displays a new desktop background to alert victims.
-
NEW RANSOMWARE BUILDER DISCOVERED
Although this utility is quite primitive, it still provides wannabe crooks with source code to create viable ransomware.
-
CRADLE RANSOMWARE SOURCE CODE SOLD OUT
Perpetrators behind the Cradle Ransomware start selling the source code they dubbed CradleCore. The price starts at 0.35 BTC.
-
CERBER AT THE TOP OF RANSOMWARE FOOD CHAIN
According to Malwarebytes, the Cerber ransomware is today’s top crypto threat, with its current market share at 86.98%.
-
ONE MORE WANNABE CROOK ON THE RADAR
A ne’er-do-well from Thailand is reportedly working on a Hidden Tear variant that uses the READ_IT_FOR_GET_YOUR_FILE.txt note.
-
HT VARIANT USING A SET OF EXTENSIONS
New Hidden Tear offspring randomly chooses file extension out of .ranranranran, .okokokokok, .loveyouisreal, and .whatthefuck.
-
DISTRIBUTION CHANGE OF PYCL RANSOMWARE
pyCL operators now use malign Word documents to spread the Trojan. The extension of locked files is .crypted.
-
DHARMA SWITCHES TO A NEW EXTENSION
The latest edition of the Dharma ransomware concatenates the .onion string to encrypted files.
-
JIGSAW-STYLE SCREEN LOCKER
New German screen locker displays an image of the Jigsaw movie character in its ransom note. Unlock code is HaltStopp! or 12344321.
-
SCHWERER RANSOMWARE SPOTTED
Schwerer is German for “harder”; this new ransomware is written in AutoIt. According to ESET, it’s potentially decryptable.
-
TROLDESH STRAIN UPDATED
New Troldesh family rep affixes the .dexter extension to enciphered files. The ransom note is still README[random_number].txt.
-
RANSOMWARE WHOSE MAKERS ARE CONFICKER FANS
Researchers spot a sample called C_o_N_F_i_c_k_e_r. It appends files with the .conficker suffix and uses Decrypt.txt ransom note.
-
MALABU RANSOM TROJAN
The Malabu ransomware demands $500 worth of Bitcoin for file recovery. The amount doubles in 48 hours.
-
SNAKEEYE RANSOMWARE IN DEVELOPMENT
Security analysts come across a sample called the SnakeEye ransomware. Its development is attributed to SNAKE EYE SQUAD.
-
VERY BUGGY TURKISH RANSOMWARE
MHT discovers a strain made by someone from Turkey, which completely erases files rather than encrypting them.
-
KARMEN RAAS LAUNCHED
Ransomware-as-a-Service portal called Karmen is made available to would-be cybercrooks. The code is based on Hidden Tear.
-
ATLAS RANSOMWARE APPEARS
Concatenates the .ATLAS extension to cipher-affected files and leaves a decryption how-to called ATLAS_FILES.txt.
-
LOLI STRAIN RELEASED
The name of this one is spelled “LOLI RanSomeWare”. It uses the .LOLI string to blemish scrambled files.
-
EXTERNAL TWEAK OF JIGSAW RANSOMWARE
This Jigsaw version displays a ransom note with images of Joker and Batman in it. The file extension is .fun.
-
KARMEN MORPHS INTO MORDOR
Karmen ransomware, which has been distributed on a RaaS basis since April 18, gets renamed to Mordor.
-
ANOTHER HT DERIVATIVE POPS UP
New Hidden Tear version is discovered that stains files with the .locked extension. It’s buggy, so encryption doesn’t go all the way.
-
HIGH-PROFILE DISTRIBUTION OF AES-NI RANSOMWARE
Operators of the new AES-NI ransomware reportedly use NSA exploit called ETERNALBLUE to contaminate Windows servers.
-
LOCKY MAKES QUITE A REAPPEARANCE
Locky ransomware devs resume their extortion campaign with a big spam wave featuring fake payment receipts.
-
LOCKY STILL OPTS FOR THE NECURS BOTNET
Just like last year, the massive malspam wave spreading Locky is reportedly generated by the Necurs botnet.
-
ACTIVE LOCKY VARIANT IS THE SAME AS BEFORE
Perpetrators behind Locky are still distributing the OSIRIS edition of their ransomware, the one that was in rotation last December.
-
JEEPERSCRYPT TRYING TO BE SCARY
New JeepersCrypt ransomware with Brazilian origin stains files with the .jeepers string and demands 0.02 BTC for decryption.
-
ID RANSOMWARE BECOMES MORE INTELLIGENT
ID Ransomware service by MHT now allows identifying strains by email, Bitcoin address or URL from a ransom note.
-
AES-NI RANSOMWARE APPEARS
This one appends the .aes_ni_0day extension to locked files and drops !!! READ THIS – IMPORTANT !!!.txt ransom note.
-
“HOPELESS” RANSOMWARE POPS UP
Uses the .encrypted extension. The warning screen is titled “Sem Solução”, which is Portuguese for “Hopeless”. Password is 123.
-
BREAKTHROUGH IN XPAN DECRYPTION
Kaspersky Lab contrives a workaround to restore files with the .one extension encrypted by XPan ransomware variant.
-
GETREKT SPINOFF OF JIGSAW SPOTTED AND CRACKED
Michael Gillespie, aka Demonslay335, discovers a Jigsaw ransomware variant using the .getrekt extension. His decryptor handles it.
-
PSHCRYPT IS NO BIG DEAL
New sample concatenating the .psh string to encrypted files is easy to decrypt. Just entering the HBGP serial code works wonders.
-
FAILEDACCESS TROJAN CRACKED WHILE STILL IN-DEV
Michael Gillespie’s StupidDecryptor can defeat the crypto of in-development strain using the .FailedAccess extension.
-
CTF RANSOMWARE SURFACES
Affixes the .CTF suffix to filenames and displays a fantasy-style background that says, “Hello… It’s me…”
-
PYTEHOLE RANSOMWARE UPDATE
New spinoff of the pyteHole ransomware is discovered that concatenates the .adr extension to scrambled data entries.
-
MOLE RANSOMWARE DISTRIBUTION ON THE RISE
This strain appends files with the .MOLE extension and propagates via phony Word sites that host a rogue MS Office plugin.
-
NMOREIRA 4 VARIANT ON THE LOOSE
The sample in question uses the .NM4 string to blemish encoded files and leaves “Recovers your files.html” recovery how-to.
-
TWEAK OF THE CERBER RANSOMWARE
Cerber now harnesses CVE-2017-0199 vulnerability to spread and drops “_!!!_README_!!!_[random]_.hta/txt” ransom notes.
-
“INTERNATIONAL POLICE ASSOCIATION” RANSOMWARE
Impersonates IPA, moves files to a password-protected ZIP archive, and uses the “.locked” extension. Password is ddd123456.
-
FRESH UPDATE OF THE JIGSAW RANSOMWARE
The latest Jigsaw variant appends scrambled files with the .Contact_TarineOZA@Gmail.com suffix. Still decryptable.
-
DETAILS OF CERBER’S NEW TACTIC UNVEILED
The detailed write-up describes new malspam wave distributing Cerber ransomware and CVE-2017-0199 vulnerability use.
-
MORDOR RANSOMWARE CAMPAIGN KICKS OFF
New Hidden Tear based Mordor (aka Milene) ransomware uses the .mordor file extension and READ_ME.html ransom manual.
-
INDONESIAN HT SPINOFF IN DEVELOPMENT
A Hidden Tear variant is spotted that uses the .maya file extension and READ ME.txt ransom note with text in Indonesian.
-
DELPHI-BASED RSAUTIL RANSOMWARE RELEASED
New RSAUtil sample stains files with the .helppme@india.com.ID[8_chars] suffix and drops How_return_files.txt help document.
-
DEADSEC-CRYPTO V2.1 IS ABOUT TO GO LIVE
Brazilian in-dev strain called DeadSec-Crypto v2.1 is discovered. It uses thecracker0day@gmail.com email token.
-
CRYPTOMIX UPDATE
The newest iteration of the CryptoMix ransom Trojan uses the .wallet extension and #_RESTORING_FILES_#.txt ransom note.
-
MIKOYAN ENCRYPTOR DISCOVERED
Concatenates the .MIKOYAN extension to every ransomed file and uses mikoyan.ironsight@outlook.com email token.
-
EXTRACTOR RANSOMWARE
Indicators of compromise for new Extractor ransomware include the .xxx extension and ReadMe_XXX.txt decryption help file.
-
RUBY RANSOMWARE IS NOTHING SPECIAL
In-development Ruby pest appends files with an apropos .ruby string and drops a recovery how-to named rubyLeza.html.
-
ANOTHER TROLDESH OFFSPRING POPS UP
Fresh variant from the Troldesh family blemishes locked files with the .crypted000007 extension and uses README.txt note.
-
MAYKOLIN RANSOMWARE SPOTTED
Uses the .[maykolin1234@aol.com] string to label encoded data and leaves a help file named README.maykolin1234@aol.com.txt.
-
AMNESIA STRAIN’S NAME IS SELF-EXPLANATORY
Denies access to personal files, appends the .amnesia extension to each one and drops a TXT ransom note.
-
FILEFROZR SHAPING UP TO BE A BIG PROBLEM
Brand-new FileFrozr Ransomware includes data wiping capabilities. Drops a recovery manual named READ_ME.txt.
-
ONE MORE BREAKTHROUGH BY EMSISOFT
Emsisoft’s Fabian Wosar creates a free decryption tool for the Cry128 edition of CryptON ransomware.
-
CRYPTOBOSS SAMPLE APPEARS
Amnesia ransomware spinoff jumbles filenames and stains them with the .cryptoboss extension.
-
GLOBEIMPOSTER EDITION WITH SOME FRESH MAKE-UP
A GlobeImposter ransomware variant is spotted that uses the .keepcalm file extension and keepcalmpls@india.com email address.
-
F**KTHESYSTEM RANSOMWARE
This one is quite primitive in terms of design and crypto. Concatenates the .anon extension to locked files.
-
VCRYPT SAMPLE WITH GEO-RESTRICTIONS
The vCrypt ransom Trojan zeroes in on Russian-speaking users. It appends the .vCrypt1 extension to every hostage data object.
-
RANSOMWARE CALLED PEC 2017
Italian PEC 2017 strain affixes the .pec string to filenames and drops a help file called AIUTO_COME_DECIFRARE_FILE.html.
-
LOW-LEVEL HATERS RANSOMWARE
Concatenates the .haters extension to ciphered entries. Has encryption flaws that allow for successful decryption free of charge.
-
XNCRYPT STRAIN SURFACES
Locks the screen and blemishes files with the .xncrypt extension. The unlock code is 20faf12b60854f462c8725b18614deac.
-
SAMPLE SPOTTED THAT’S MORE THAN JUST RANSOMWARE
Researchers from G Data came across a new in-dev ransom Trojan that combines regular extortion with spyware features.
-
CERBER VERSION 6 IS OUT
The latest Cerber ransomware edition boasts improved encryption, AV evasion, anti-sandboxing and a few more new capabilities.
-
BTCWARE MALADY UPDATED
The only conspicuous change made to BTCWare as part of this update is the .cryptowin string added to filenames.
-
ANOTHER SCREEN LOCKER IS ON ITS WAY
Security analysts discover a new unnamed in-development screen locking Trojan. The unlock password is KUrdS12@!#.
-
FIRST UPDATE OF SHELLLOCKER
ShellLocker ransomware, which appeared in November 2016, spawns its first new variant since then, called X0LZS3C.
-
BTCWARE RANSOMWARE CRACKED
Researchers create a decryptor for BTCWare. The tool can restore .cryptowin, .cryptobyte and .btcware extension files for free.
-
CLOUDED RANSOMWARE, A BUGGY ONE
Generates a separate crypto key for each file and doesn’t store these keys anywhere. Concatenates the .cloud extension.
-
GLOBEIMPOSTER PROPPED BY NEW SPAM WAVE
The so-called “Blank Slate” malspam campaign begins spreading the newest edition of the GlobeImposter ransomware.
-
RANS0MLOCKED SAMPLE
The Rans0mLocked infection appends files with the .owned extension and demands 0.1 BTC for decryption.
-
PORTUGUESE ANTI-DDOS RANSOMWARE
This sample, based on open-source ransomware, is a combo of screen locker and file encoder. Arrives as an Anti-DDos.exe file.
-
FATBOY RAAS LAUNCHED
Russian crooks start an underground marketing campaign supporting new Ransomware-as-a-Service platform called Fatboy.
-
CCGEN 2017 VARIANT OF JIGSAW RANSOMWARE
The payload for this new Jigsaw spinoff is disguised as a credit card generator. This pest adds the .fun extension to filenames.
-
INDICATORS OF COMPROMISE FOR NEWHT RANSOMWARE
NewHT, which might stand for “New Hidden Tear”, uses the .htrs file extension and readme.txt help file.
-
NON-STANDARD TACTIC OF ZIPLOCKER SPECIMEN
ZipLocker moves files to a password-protected ZIP archive (password is “Destroy”) and adds UnlockMe.txt ransom note.
-
ENJEY RANSOMWARE UPDATE
New Enjey variant switches to using the .encrypted.decrypter_here@freemail.hu.enjey extension for hostage files.
-
DECRYPTOR AVAILABLE FOR AMNESIA RANSOMWARE
Emsisoft security vendor creates a free decryption tool for the Amnesia ransom Trojan.
-
NEW JIGSAW VARIANT IS OUT
The latest edition of Jigsaw ransomware uses the .PAY extension to label encrypted files. Still decryptable.
-
FILE FROZR RAAS DETAILS
Crooks market the Ransomware-as-a-Service called File Frozr as a “great security tool”. The usage cost is $220.
-
CRYPTO-BLOCKER CAMPAIGN FAILS
Crude ransom Trojan called Crypto-Blocker appears, asks for 10 USD or EUR. Researchers retrieve the unlock code, which is 01001.
-
THUNDERCRYPT SPREADS VIA ONLINE FORUM
IT analysts discover that the ThunderCrypt ransomware is using a Taiwan forum as a springboard for propagation.
-
RANSOMWARE-RELATED LAWSUIT
Law firm from Rhode Island tries to get $700,000 compensation from insurance company over ransomware losses.
-
BITKANGOROO RANSOMWARE ERASES DATA
Unless paid, the BitKangoroo ransomware, which appends the .bitkangoroo extension to files, will be deleting one file every hour.
-
GRUXER RANSOMWARE IS OFF THE BEATEN TRACK
New sample called Gruxer arrives with a loader composed of Hidden Tear based code, a screen locker, and an image-scrambling module.
-
BTCWARE STRAIN REFRESHED
Another variant of BTCWare crypto pest concatenates the .[sql772@aol.com].theva string to every ransomed file.
-
NEMES1S RANSOMWARE-AS-A-SERVICE
It turns out that the newly discovered NemeS1S RaaS props up a recent wave of PadCrypt ransomware attacks.
-
RSAUTIL SAMPLE PLANTED ON COMPUTERS MANUALLY
RSAUtil ransomware, which uses the .helppme@india.com extension, arrives at PCs via RDP services cracked by extortionists.
-
RUSSIAN VCRYPT RANSOMWARE
Targets Russian users, adds the .vCrypt1 suffix to files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.
-
SCREEN LOCKER FEATURING A BIT OF POLITICS
A ransomware is spotted that displays images of South Korean election candidates on its warning screen.
-
A LIKELY NEW LOCKY VARIANT SURFACES
Following the Osiris edition of the Locky ransomware, another possible spinoff appears that uses the .loptr file extension.
-
AMNESIA DECRYPTOR UPDATED
Emsisoft’s CTO Fabian Wosar publishes an update for his Amnesia ransomware decryptor that supports all variants.
-
JAFF RANSOMWARE GOES LIVE
A Locky lookalike is discovered that appends files with the .jaff extension and demands a whopping 2 BTC, or about $3500.
-
IN-DEPTH ANALYSIS OF JAFF PUBLISHED
Emsisoft does a write-up on the new Jaff ransomware, analyzing its ostensible ties with the Locky plague.
-
SLOCKER TROJAN RE-EMERGES
A cybercrime group behind Android ransomware called SLocker spawns 400 new spinoffs making the rounds after a long hiatus.
-
EXTERNAL CHANGE OF GRUXER
Updated Gruxer strain displays a Matrix movie-style warning screen but fails to complete the encryption routine.
-
ACRYPT SAMPLE BECOMES BCRYPT
This lineage started with vCrypt, then changed to aCrypt followed by bCrypt. The crooks must have run out of creativity, obviously.
-
WANA DECRYPT0R 2.0 IS ON A POWERFUL RISE
Aka WannaCry, it labels locked files with the .WNCRY extension. Hits Spain’s telco provider Telefonica, disrupting its operations.
-
HIGH-PROFILE PROPAGATION OF WNCRY STRAIN
The .WNCRY file ransomware (Wana Decrypt0r) uses previously leaked NSA exploits to infect numerous PCs around the globe.
-
WANA DECRYPT0R KEEPS IMPRESSING
The specimen continues to affect home users and large companies, most of which are in the UK, Spain, Russia, Ukraine, and Taiwan.
-
USAGE OF NSA EXPLOITS BY WNCRY EXPLAINED
Most infection instances involve the ETERNALBLUE exploit dumped by the Shadow Brokers hacker ring recently.
-
RESEARCHERS CREATE WANNACRY HEAT MAP
The New York Times aggregates information on reported WannaCry infection instances and creates a live global heat map.
-
INTERESTING WRITE-UP ON WNCRY VIRUS
Malwarebytes security firm publishes a comprehensive technical report on the newsmaking Wana Decrypt0r 2.0 threat.
-
WANNACRY CAMPAIGN INTERRUPTED BY CHANCE
Researcher going by the alias MalwareTech registers a domain involved in WannaCry outbreak, thus disrupting the wave for a while.
-
MICROSOFT TRYING TO THWART WNCRY EPIDEMIC
The corporation rolls out a patch for Windows XP/8/Server 2003, having previously done the same for newer OS editions.
-
IN-DEV TDELF SAMPLE
Security experts come across a new in-development strain that’s configured to concatenate the .tdelf string to hostage files.
-
SECRETSYSTEM RANSOM TROJAN
Uses the .slvpawned extension to mark encrypted data. Crackable with StupidDecryptor tool made by Michael Gillespie.
-
MINOR CHANGE OF VCRYPT
Similarly to a few previous tweaks, the only change made to vCrypt ransomware is a different first letter, so it’s now xCrypt.
-
ZELTA RANSOMWARE REPRESENTS A KNOWN LINEAGE
A new variant of the Stampado strain called Zelta surfaces. It subjoins the .locked suffix to enciphered files.
-
PROOF OF IMMENSE WANNACRY ACTIVITY
Security analyst from France deliberately sets up a honeypot server, and it gets hit by WannaCry 6 times in an hour and a half.
-
MICROSOFT ON WANNACRY OUTBREAK
Chief Legal Officer at Microsoft does a write-up where he accuses the NSA of failing to properly protect discovered exploits.
-
FAKE JIGSAW RANSOMWARE
This Jigsaw strain lookalike uses the .fun extension for locked files. The password to decrypt is FAKEJIGSAWRansomware.
-
GLOBEIMPOSTER UPDATE
New GlobeImposter edition takes after Dharma in that it uses the .wallet extension. The ransom note is how_to_back_files.html.
-
GRUXER EVOLUTION MOVES ON
Another version of the relatively new GruXer ransomware appears. Just like its predecessor, it has crypto imperfections.
-
WANNACRY COPYCATS POP UP
Several replicas of WannaCry are spotted in the wild, including one called DarkoderCrypt0r and a customizable ransomware builder.
-
WANNACRY VERSION WITH NEW KILL SWITCH
WannaCry strain starts using a new domain as a kill switch. Researchers promptly register this domain and thus interrupt the wave.
-
EDITION OF WANNACRY WITH NO KILL SWITCH
Someone reportedly tried to launch a WannaCry variant that doesn’t use a kill switch. Fortunately, the attempt failed.
-
PHILADELPHIA RANSOMWARE SPREADING WITH COMPANY
New variant of the Philadelphia strain is deposited on computers via RIG exploit kit, along with the Pony info-stealing virus.
-
FRESH BTCWARE VARIANT IS OUT
BTCWare edition dubbed Onyonlock appends the .onyon suffix to encrypted files and drops !#_DECRYPT_#!.inf ransom how-to.
-
MAY RANSOMWARE APPEARS
The sample called May Ransomware uses the .locked or .maysomware extension and Restore_your_files.txt help file.
-
FOUL PLAY BY KEE RANSOMWARE
This one displays a warning window titled @kee and does not provide any chance to restore data, not even through payment.
-
FARTPLZ SAMPLE IS NO JOKE
The strain in question stains files with the .FartPlz extension and creates a ransom note named ReadME_Decrypt_Help_.html.
-
MONERO MINER TURNS OUT A VACCINE FOR WANNACRY
A Monero cryptocurrency miner dubbed Adylkuzz blocks SMB ports, so it effectively prevents WannaCry from infecting a computer.
-
USERS MOCKING WANNACRY UBIQUITY
People make Internet memes about WannaCry Trojan, posting self-made pictures with the ransom screen on various devices.
-
HAPPY ENDING FOR BTCWARE VICTIMS
Someone posted a Master Decryption Key for the BTCWare infection. Researchers quickly came up with a free decryptor.
-
WANNA SUBSCRIBE 1.0
This Java-based WannaCry copycat doesn’t do any crypto but instead instructs victims to subscribe to a specified YouTube channel.
-
NEW XORIST EDITION RELEASED
Brand-new offspring of the Xorist family is spotted. It affixes the .SaMsUnG string to encoded data entries.
-
A PARTICULARLY HOSTILE JIGSAW VARIANT
An iteration of the Jigsaw ransomware goes live that blemishes victims’ files with the .die extension.
-
LOCKOUT SAMPLE STARTS PROPAGATING
Appends the .Lockout extension to files, drops Payment-Instructions.txt ransom note and displays a warning message before startup.
-
SPORA WON’T STOP SPREADING
Although the Spora ransomware campaign slowed down lately, it is regaining momentum, according to ID Ransomware service.
-
POSSIBLE TIES BETWEEN LAZARUS GROUP AND WANNACRY
Some researchers claim WannaCry code resembles that of malware used by Lazarus Group, a North Korean cybercrime ring.
-
GLOBEIMPOSTER SPAWNS MORE VARIANTS
Two new editions of GlobeImposter ransomware surface. They use the .hNcrypt and .nCrypt extensions for encrypted files.
-
UIWIX TAKES AFTER WANNACRY IN A WAY
The new Uiwix ransomware (.UIWIX extension, _DECODE_FILES.txt how-to) is reportedly proliferating via EternalBlue exploit.
-
WALLET RANSOMWARE IS NOW DECRYPTABLE
An anonymous person posts Master Decryption Keys for Wallet ransomware on BleepingComputer forums. Avast releases a free fix.
-
HATERS STRAIN DISGUISED AS WANNACRY
Authors of the Haters ransomware release an Indonesian variant that pretends to be WannaCry. Includes a PayPal ransom option.
-
SOME EXPERT DISCUSSION ABOUT WANNACRY OUTBREAK
An entry is posted on Emsisoft blog, where researchers shed light on nuances of the WannaCry ransomware campaign.
-
ONE MORE REPLICA OF WANNACRY
Called WannaCry Decryptor v0.2, this one goes ahead and erases victims’ files with no recovery option.
-
RAY OF HOPE FOR WANNACRY VICTIMS
Security analyst Benjamin Delpy creates a tool called WanaKiwi that decrypts WannaCry ransomware under certain conditions.
-
MEDICAL EQUIPMENT EXPOSED TO WANNACRY ATTACKS
The WannaCry ransomware reportedly infected a Windows-based medical radiology device in a U.S. hospital.
-
XDATA SAMPLE WREAKING HAVOC IN UKRAINE
This one uses the .~xdata~ file extension and HOW_CAN_I_DECRYPT_MY_FILES.txt ransom note. Mostly spreads in Ukraine.
-
BTCWARE DECRYPTOR ENHANCED
Free decryption tool for BTCWare now supports the .onyon and .theva file extension variants of this strain.
-
YURIZ MA SCREEN LOCKER FAILS TO CAUSE DAMAGE
This new screen locker displays a warning message saying, “Hacked by Yuriz MA”. Fortunately, it can be closed via Alt+F4.
-
YET ANOTHER WANNACRY REPLICA
One more WannaCry lookalike called Wana Decrypt0r 3.0 is spotted in the wild. It fails to encrypt any files.
-
VISIONCRYPT 2.0 RANSOMWARE POPS UP
This specimen uses the .VisionCrypt extension and doesn’t change original filenames. Attackers’ email is VisionDep@sigaint.org.
-
RANSOMWARE PILFERING IMAGES
MHT spots a sample that transmits a victim’s image files to the attacker’s email address and then deletes them from the PC.
-
ONE MORE WANNACRY KNOCKOFF
Unlike the other copycats, this one’s warning screen is titled after the original ransomware (Wana Decryptor 2.0). No crypto so far.
-
DECRYPTION ASSISTANT RANSOMWARE
The development of this sample is still in progress. It is set to concatenate the .pwned string to enciphered entries.
-
IN-DEV D2+D RANSOMWARE
Another unfinished extortion program. While it does no crypto so far, the hard-coded password is 215249148.
-
“UNIDENTIFIED” SCREEN LOCKER
Although this screen locker hasn’t gone live yet, researchers were able to get hold of the would-be unlock password.
-
BTCWARE DECRYPTOR TWEAK
The latest edition can decrypt .onyon extension files up to 1270896 bytes even if it fails to retrieve the decryption key.
-
NORTH KOREA’S STATEMENT ON WANNACRY EPIDEMIC
In response to security experts’ verdicts, North Korean representative at the UN claims his state has nothing to do with WannaCry.
-
WANNACRY SPINOFFS FRENZY CONTINUES
One more replica of WannaCry called Wana DecryptOr 2.0 pops up. The warning screen is identical to the original’s.
-
VMOLA RANSOMWARE HUNT KICKS OFF
Researchers declare a ransomware hunt for the sample that uses the (Encrypted_By_VMola.com) file extension token.
-
JAFF RANSOMWARE UPDATE
The new edition switches to appending the .WLU string to encoded files. It still uses spam to propagate.
-
CVLOCKER, A NEW CRUDE SAMPLE
This one is currently in development. It is configured to delete a victim’s files unless a payment is sent within a specified deadline.
-
ROMANIAN SCREEN LOCKER CALLED WIDIA
Widia’s warning states it has encrypted data, but it’s in fact just a primitive screen locker that can be bypassed via Alt+F4.
-
LAME FBI LOCKER IS OUT
Dubbed MemeWare, this screen locker pretends to be from the FBI. Accepts ransoms over MoneyPak. Unlock code is 290134884.
-
ELMER’S GLUE LOCKER V1.0
The lock screen says, “Your computer has been locked with very sticky Elmers Glue,” whatever that means. Removable in Safe Mode.
-
NEW HT SPINOFF SPOTTED
Another Hidden Tear POC derivative dubbed Deos demands 0.1 BTC for decryption. It has critical flaws and doesn’t encrypt right.
-
.WTDI FILE BADDIE ON THE TABLE
This sample is a .NET edition of CryptoWall ransom Trojan. It uses the .wtdi file extension and displays a warning message in Russian.
-
FRAUDSTERS CASHING IN ON WANNACRY EPIDEMIC
A scam alert is issued regarding growing tech support frauds that use the fuss around WannaCry to rip off gullible users.
-
MOWARE H.F.D PEST SURFACES
Said malware is an umpteenth offspring of Hidden Tear POC in the wild. Appends files with the .H_F_D_locked extension.
-
ONE MORE DECRYPTOR FOR BTCWARE CREATED
Avast devises a free decryption tool for BTCWare that supports all variants of this crypto hoax.
-
XDATA LOOKALIKE FROM A KNOWN FAMILY
A version of the Xorist ransomware is out that mimics the recent XData infection. Similarly to its prototype, it uses the .xdata file suffix.
-
ADONIS RANSOMWARE IS ALL ABOUT BLUFF
Coded in AutoIT, the Adonis ransomware claims to encrypt data but it actually doesn’t. And yet, it leaves DE.html and EN.html notes.
-
NEW THOR RANSOMWARE, NOTHING TO DO WITH LOCKY
This in-development sample doesn’t use any extension to flag ransomed files. Replaces desktop background and demands 0.5 BTC.
-
EXTREMELY DESTRUCTIVE STRAIN SPREADING
Ransomware that uses the ‘mother of all viruses.exe’ process wipes all HDD volumes rather than encoding data.
-
TIES BETWEEN 4RW5W PEST AND WANNACRY
The 4rw5w crypto virus also uses a kill switch principle and similar names for auxiliary files. The extension is .4rwcry4w.
-
MASTER DECRYPTION KEYS FOR AES-NI AVAILABLE
The author of the AES-NI ransomware releases decryption keys so that victims can restore their files for free.
-
WANNACRY DEV MOST LIKELY SPEAKS CHINESE
Having scrutinized WannaCry ransom how-to files, linguists concluded that the maker’s native language is most likely Chinese.
-
LIGHTNING CRYPT RANSOMWARE APPEARS
This new strain has moderate demands, asking for 0.17 BTC. Affixes the .lightning extension to ransomed data entries.
-
CRYSTALCRYPT RANSOM TROJAN
CrystalCrypt is a Lightning Crypt remake. It appends victims’ files with the .blocked extension.
-
MANCROS+AI4939 RANSOMWARE
The sample called Mancros+AI4939 is in fact a screen locker that doesn’t actually do crypto. It requests $50 worth of Bitcoin.
-
BTCWARE TWEAK
BTCWare ransom Trojan has switched to using the .xfile suffix to label hostage files. The existing decryptor already supports it.
-
DMA LOCKER 3, NEW VARIANT OF OLD RANSOMWARE
This fresh spinoff of the DMA Locker ransomware uses the !Encrypt! filemarker, data0001@tuta.io email address, and asks for 1 BTC.
-
AUTOMATIC TOOL NOW DECRYPTS AES-NI RANSOMWARE
Avast security vendor uses the previously released master decryption keys for AES-NI to create a free decryptor.
-
LOW-LEVEL WANADIE RANSOMWARE
It’s based on buggy open-source ransomware code. Appends the .WINDIE string to encrypted files. Crackable with StupidDecryptor.
-
ENHANCEMENTS MADE TO STUPIDDECRYPTOR
The StupidDecryptor solution by Michael Gillespie (@demonslay335) is updated to support .fucking and .WINDIE extension strains.
-
CRYING RANSOMWARE CODING IN PROGRESS
Analysts stumble upon an in-dev sample that uses the .crying file extension and READ_IT.txt ransom instructions.
-
ROBLOCKER X INFECTION BEING CREATED
In-dev Roblocker X claims to encrypt Roblox game files but only locks the screen instead. The unlock password is currently ‘PooPoo’.
-
GLOBEIMPOSTER REMAKE
The newest variant of GlobeImposter ransomware concatenates the .write_us_on_email string to each enciphered file.
-
DVIIDE, ANOTHER RUN-OF-THE-MILL RANSOMWARE
The sample with the bizarre name “Dviide” appends encrypted files with the .dviide extension. Uses a primitive warning window.
-
NEW CHINESE SCREEN LOCKER
The lock screen is in Chinese. This low-impact Trojan also displays a QR code to streamline the ransom payment routine.
-
LOCKEDBYTE RANSOMWARE
This one employs XOR encryption and stains hostage files with random extensions. The ransom note is hard to read due to font color.
-
EXTORTIONIST LEVERAGING REMOTE ACCESS TROJAN
An individual nicknamed “vicswors baghdad” is trying his hand at deploying the Houdini RAT and MoWare H.F.D. ransom Trojan.
-
BLACKSHEEP INFECTION DOESN’T LIVE UP TO ITS NAME
The ransomware called BlackSheep concatenates the .666 extension to files and demands $500 worth of BTC. Nothing special about it.
-
1337LOCKER RANSOMWARE
This new strain jumbles filenames and affixes the .adr string to them. Uses the AES-256 cryptosystem.
-
DOLPHINTEAR, AN UMPTEENTH HT OFFSPRING
Unidentified crooks used open-source code of Hidden Tear PoC to create yet another derivative called DolphinTear (.dolphin extension).
-
RANSOM TROJAN USING WINRAR
Rather than enciphering files proper, the new sample moves one’s data to encrypted WinRAR archives. It’s currently in development.
-
SINTALOCKER STRAIN REPRESENTING A KNOWN FAMILY
Researchers from GData come across a CryPy spinoff called SintaLocker. It uses the README_FOR_DECRYPT.txt ransom note.
-
NEW RANSOMWARE WITH NO NAME
A sample is spotted that displays a window reading, “Your files have been blocked”. Demands $50 worth of Bitcoin.
-
JIGSAW VERSION WITH NEW BACKGROUND
The makers of Jigsaw ransomware switch to a new theme for their warning screen, which now depicts a scary clown.
-
IM SORRY RANSOMWARE FROM POLITE CROOK
Concatenates the .imsorry string to encrypted files and adds a ransom note called “Read me for help thanks.txt”.
-
ID RANSOMWARE ENHANCEMENTS ARE UNDERWAY
The ID Ransomware service by MalwareHunterTeam is now capable of recognizing 400 ransomware strains. Thumbs up to MHT.
-
SEVERAL MORE DECRYPTORS CREATED
Avast and CERT Polska cook up free decryption tools for the AES-NI, BTCWare and Mole ransomware.
-
R3STORE RANSOMWARE
The specimen in question uses the .r3store file extension and READ_IT.txt ransom note. Demands $450 worth of Bitcoin.
-
DMA LOCKER KNOCKOFF DISCOVERED
A replica of the DMA Locker ransomware pops up. Uses a slightly modified binary and the same GUI except for the name attribute.
-
WANNACRY STATS CORRECTION
According to new research, Chinese users – not Russian – suffered the heaviest blow from the WannaCry ransomware.
-
UNEXPECTED TURN OF EVENTS WITH XDATA
XData ransomware dev releases Master Decryption Keys. Security vendors, including Avast, ESET and Kaspersky, create decryptors.
-
BLOOPERS ENCRYPTER 1.0
This one claims to encode data but actually fails to. It is easy to remove with commonplace AV tools, which fixes the problem.
-
ANDONIO RANSOMWARE IS NO BIG DEAL
Only encrypts data on the desktop, uses the .andonio extension and a help file named READ ME.txt. It is a Hidden Tear variant.
-
GRODEXCRYPT IS CRYPT888 IN DISGUISE
New GrodexCrypt Trojan is based on Crypt888 ransomware but additionally uses a GUI. Demands $50 worth of BTC. Decryptable.
-
OOPS RAMENWARE SAMPLE SPOTTED
Instead of applying crypto, the strain called OoPS Ramenware moves files to a password-protected ZIP archive with the .ramen extension.
-
AMNESIA RANSOMWARE UPDATE
The latest Amnesia edition uses the .TRMT file extension and HOW TO RECOVER ENCRYPTED FILES.txt ransom how-to.
-
BRICKR STRAIN SURFACES
Concatenates the .brickr suffix to scrambled files and drops a recovery manual named READ_DECRYPT_FILES.txt.
-
THE UNUSUAL RESURRECTION-RANSOMWARE
Affixes the .resurrection extension to files and uses README.html ransom note. Also plays a music box-ish melody.
-
KILLSWITCH RANSOMWARE IS ALMOST HERE
The in-dev sample called KillSwitch appends the .switch extension to ransomed files. Quite crude at this point.
-
LUXNUT, ONE MORE POC SPINOFF
Crooks used the code of EDA2 proof-of-concept to create Luxnut ransomware, which concatenates the .locked extension to files.
-
CRYPTO HOAX POSING AS MS SECURITY ESSENTIALS
The ransom note of this new sample is titled “Microsoft Security Essentials”. It requests $400 worth of Bitcoin for decryption.
-
SCREEN LOCKER CALLED BLUEHOWL
Provides a 72-hour deadline for payment, demands 0.2 BTC and displays a QR code to facilitate the process of submitting the ransom.
-
AMNESIA V2 DECRYPTED
Owing to Emsisoft, victims of the Amnesia2 variant can now decrypt their data through the use of an ad hoc free decryption tool.
-
LOTS OF HADOOP SERVERS STILL HELD FOR RANSOM
About 200 Hadoop servers around the globe reportedly remain hijacked – either due to the infamous January campaign or a current one.
-
GERMAN CAINXPII SCREEN LOCKER
The strain dubbed CainXPii most likely represents the same lineage as the older Hitler ransomware. Demands €20 via PaySafeCard.
-
THE SIMPLISTIC JOKSY RANSOMWARE
Joksy locks the screen with a warning message in Lithuanian. The ransom is payable via PayPal, which means bad OPSEC on the crooks’ part.
-
LOCKCRYPT STRAIN POPS UP
This infection appends files with victim ID followed by the .lock string and drops a ransom how-to called ReadMe.txt.
-
TURKISH JIGSAW VARIANT RELEASED
Called the Ramsey Ransomware, this Jigsaw offspring displays a warning message in Turkish and uses the .ram file extension.
-
EXECUTIONER RANSOMWARE
This new Hidden Tear derivative blemishes encrypted files with random extensions and drops Sifre_Coz_Talimat.html ransom note.
-
HT-BASED MORA PROJECT RANSOMWARE
Another infection based on Hidden Tear PoC. Uses the .encrypted file extension and ReadMe_Important.txt recovery how-to.
-
STRUTTERGEAR, A FRESH JIGSAW VERSION
The Jigsaw ransomware edition dubbed StrutterGear displays a ransom note with lots of swear words and demands $500 worth of BTC.
-
TIES BETWEEN JAFF STRAIN AND CYBERCRIME WEB STORE
The Jaff ransomware turns out to use server space provided by the PaySell cybercrime marketplace based in St. Petersburg, Russia.
-
JIGSAW FAMILY KEEPS SPAWNING CLONES
A Jigsaw variant surfaces that concatenates the .lost extension to ransomed files.
-
THE DECEPTIVE MRLOCKER SAMPLE
The malware called Mr.Locker is quite an impostor. It claims to delete one’s files unless paid, but doesn’t pose any real risk in fact.
-
MORE JIGSAW EDITIONS ARE NOW DECRYPTABLE
ID Ransomware maker Michael Gillespie updates his Jigsaw decryption tool so that it supports .lost, .ram and .tax extension versions.
-
THE DARK ENCRYPTOR, A JIGSAW LOOKALIKE
This one stains hostage files with the .tdelf extension and generates a desktop background reminiscent of Jigsaw’s.
-
PRIMITIVE-LOOKING OGRE RANSOMWARE
The Ogre sample appears crude at this point. It requests a BTC equivalent of €20 and uses the .ogre file extension.
-
SCREEN LOCKER IMPERSONATING YOUTUBE
This low-level ransom Trojan states that the victim has “violated the YouTube law”. The code to unlock it is “law725”.
-
$UCYLOCKER BASED ON HIDDEN TEAR
New baddie called $ucyLocker subjoins the .windows string to filenames and leaves a help file named READ_IT.txt.
-
BTCWARE UPDATE
The latest iteration of BTCWare appends files with the .[3bitcoins@protonmail.com].blocking suffix.
-
CRYMORE RANSOMWARE
Uses the .encrypt extension to label hostage entries and threatens to make the ransom 1.5 times larger every 12 hours.
-
ENHANCEMENT OF CRYPTOSEARCH TOOL
Michael Gillespie’s CryptoSearch utility now identifies data locked by Amnesia, Amnesia2, Cry9, Cry128 and Cry36 strains.
-
ID RANSOMWARE SERVICE SPORTS USEFUL ADDITION
The ID Ransomware service by MalwareHunterTeam can now detect the Cry36 ransomware sample.
-
SIMPLISTIC ZILLA RANSOMWARE
This Turkish crypto threat concatenates the .zilla string to files and provides a decryption manual named OkuBeni.txt.
-
BEETHOVEN PEST IN DEVELOPMENT
This one is configured to append the .BeethoveN extension to scrambled files and provides a list thereof in a FILELIST.txt document.
-
SCREEN-LOCKING VARIANT OF MRLOCKER
An edition of the relatively new MrLocker malware surfaces that locks one’s screen. The 6269521 code does the unlock trick.
-
JIGSAW MAKERS COIN ANOTHER VERSION
The most recent Jigsaw spinoff uses the .R3K7M9 extension to label encrypted files. Decryptable with Michael Gillespie’s tool.
-
WINDOWS 10 S ALLEGEDLY IMMUNE TO RANSOMWARE
According to Microsoft, the upcoming Windows 10 S edition is going to be bulletproof against ransomware attacks.
-
XXLECXX RANSOM TROJAN IS A FAIL
The sample called xXLecXx locks one’s screen and claims to encrypt data, while in fact it doesn’t.
-
NEW RUSSIAN RANSOMWARE APPEARS
Appends files with the .cr020801 extension and instructs victims to send email to unlckr@protonomail.com for recovery steps.
-
CRYPTOGOD STRAIN BASED ON MOWARE H.F.D. CODE
Displays a warning screen titled “Information Security” and concatenates the .payforunlock extension to affected files.
-
BLURRED ORIGINAL GOALS OF WANNACRY
WannaCry ransomware distributors may be unable to decrypt victim data individually, so it may have been created for other purposes.
-
IN-DEV SPECTRE RANSOMWARE SPOTTED
The Spectre strain appears to be professionally tailored. It scrambles filenames and affixes the .spectre extension to each one.
-
JAFF RANSOMWARE TWEAK
The latest variant of the quite successful Jaff ransomware concatenates the .sVn extension to locked data entries.
-
MACRANSOM RAAS DISCOVERED ON THE DARK WEB
Security experts spot a Ransomware-as-a-Service platform called MacRansom that props a new extortion campaign targeting Macs.
-
BEETHOVEN RANSOMWARE UPDATE
New variant of the BeethoveN ransom Trojan uses hard-coded encryption keys rather than requesting them from a C2 server.
-
INITIATIVE COUNTERING WANNACRY CAMPAIGN
French law enforcement seized a server hosting two Tor relays purportedly associated with the WannaCry ransomware wave.
-
SVPPS.XYZ VIRUS THAT LOCKS SCREENS
Screen locker called svpps.xyz claims to encrypt files but actually doesn’t. It demands $50 worth of BTC to unlock.
-
RANSOMWARE USING .FACEBOOK EXTENSION
The process name is Facebook.exe and the appended extension is .Facebook. This sample is a Hidden Tear offspring.
-
RANSOMWARE HITTING DUTCH USERS
New Hidden Tear-based Dutch strain appends files with the .R4bb0l0ck extension and drops the LEES_MIJ.txt ransom note.
-
ANOTHER EXTENSION TWEAK OF JIGSAW
The latest Jigsaw ransomware edition stains encrypted files with the .Ghost extension.
-
CHILDISH-LOOKING “VIRUS RANSOMWARE”
Called the “Virus Ransomware”, the sample displays an image of a toy from the My Little Pony line. Doesn’t do any real harm.
-
THE BUGGY CA$HOUT RANSOMWARE
In-dev crypto threat called CA$HOUT asks for $100 but fails to affect a victim’s data in any way.
-
NEW MAC MALWARE SERVICES FOR HIRE
Security analysts stumble upon MacSpy and MacRansom sites, the former propping Mac spyware and the latter – Mac ransomware.
-
GPAA RANSOMWARE EMPLOYS A REVOLTING TACTIC
Impersonating a rogue organization called “Global Poverty Aid Agency”, this strain claims to collect money for children in need.
-
NEW SAMPLE WITH UNWISE PAYMENT CHANNEL
Appends the .rnsmwre string to filenames, drops @decrypt_your_files.txt ransom note and demands payment in PaySafeCard.
-
JAFF RANSOMWARE UPDATED AGAIN
The latest edition of Jaff drops the following ransom notes: !!!SAVE YOUR FILES!.bmp and !!!!!SAVE YOUR FILES!!!!.txt.
-
JUNK STRAIN CALLED WHY-CRY
Based on low-quality open source code, this one concatenates the .whycry extension to hostage files and requests $300 worth of BTC.
-
EREBUS RANSOMWARE INFECTS A HIGH-PROFILE TARGET
The sample called Erebus hits over 100 Linux servers belonging to South Korean web hosting provider Nayana.
-
KASPERSKY LAB CRACKS JAFF RANSOMWARE
Researchers at Kaspersky update their RakhniDecryptor tool to support all known variants (.jaff, .wlu, and .sVn) of the Jaff ransomware.
-
BTCWARE UPDATE FEATURES NEW EXTENSION
Fresh variant called BTCWare MasterLock uses the .[teroda@bigmir.net].master extension to stain enciphered files.
-
AVAST DEFEATS CRYPTO OF ENCRYPTILE RANSOMWARE
Avast replenishes their collection of free decryptors with a tool that restores data locked by multilingual EncrypTile ransom Trojan.
-
SAGE DEVS DROP NUMBERED VERSION NAMING
As opposed to its predecessors, the latest edition of the Sage ransomware does not indicate the version number in the decryption how-to.
-
CRYFORME RANSOMWARE
Someone is reportedly in the process of creating a Hidden Tear PoC spinoff called CryForMe, which will demand €250 worth of BTC.
-
RANSOMWARE ATTACKS UK COLLEGE
University College London (UCL) fell victim to unidentified ransomware that circumvented the institution’s AV defenses.
-
CRYPTOSPIDER RANSOMWARE SPOTTED
MHT comes across an in-dev Hidden Tear variant called CryptoSpider, which concatenates the .Cspider string to filenames.
-
WINUPDATESDISABLER, A NEW SAMPLE OUT THERE
One more Hidden Tear derivative called WinUpdatesDisabler appends the .zbt suffix to locked files.
-
WINBAN RANSOMWARE IS NO BIG DEAL
New screen locker appears that displays “Your Windows has been banned” alert. Victims can use code “4N2nfY5nn2991” to unlock.
-
EXECUTIONER STRAIN IS POTENTIALLY DECRYPTABLE
Turkish ransomware called Executioner has flaws in its crypto implementation, which makes it possible for analysts to decrypt the data.
-
SANDWICH RANSOMWARE IS EASY TO GET AROUND
Researchers spot a new screen locker displaying a picture of a sandwich on its lock screen. Codes to unlock are available.
-
SCREEN LOCKER IMPERSONATING CERBER
This fairly persistent Cerber-style infection doesn’t actually apply any crypto, although it claims to. Demands 0.1 BTC to unlock.
-
NEW JIGSAW EDITION, NEW EXTENSION
A spinoff of the Jigsaw ransomware surfaces that stains enciphered files with the .sux string and mainly targets Italian users.
-
HT-BASED WANNACRY KNOCKOFF
Built using the Hidden Tear PoC code, this WannaCry replica appends the “.Wana Decrypt0r Trojan-Syria Editi0n” extension to files.
-
WINBAMBOOZLE BADDIE IS ON ITS WAY
In-dev sample called WinBamboozle drops _README.txt note and appends files with random 4-character extensions.
-
SKULLLOCKER IS RIDICULOUSLY EASY TO BYPASS
New screen locking virus called SkullLocker can be closed down via Alt+F4 combo. Nothing special about it except scary warning.
-
RANSOMWARE TARGETING POLISH USERS
A Polish spinoff of the Dumb ransomware PoC is spotted. Demands 1880 zł worth of Bitcoin (0.2 BTC) for decryption.
-
RETURN OF SAMAS/SAMSAM RANSOMWARE
Fresh samples from the thought-extinct SamSam family appear that use the .breeding123, .mention9823 and .suppose666 extensions.
-
DECRPTOR 3.2 STRAIN POPS UP
Currently in development and doesn’t cause damage, simply displays a warning screen. Configured to demand $100 worth of BTC.
-
NSMF RANSOMWARE
Hidden Tear offspring. Uses the .nsmf file extension and readme.txt ransom note. Demands 5 BTC “or pizza”.
-
WHOPPING RANSOMWARE PAYOUT
South Korean hosting provider called Nayana agrees to pay a huge ransom of $1 million to recover from a ransomware attack.
-
KUNTZWARE, A BUGGY SAMPLE IN THE WILD
Concatenates the .kuntzware extension to encrypted files. Doesn’t work as intended, so no real encryption at this point.
-
TURKISH STRAIN CALLED ZILLA
Targets Turkish users and utilizes the .zilla string to label hostage files. The ransom note is named @@BurayaBak.txt (Eng. “Look here”).
-
GANSTA RANSOMWARE
Affixes the .enc extension to encrypted data entries. Claims to decrypt files for free as long as a victim contacts the devs via email.
-
ANOTHER SCREEN LOCKER SURFACES
What makes this new screen locker stand out from the rest is that it requests a victim’s credit card details.
-
CRYPT888 UPDATE
Fresh version of the old Crypt888 ransomware switches to a new desktop background and prepends the Lock. string to filenames.
-
WANNACRY IS STILL UP AND RUNNING
WannaCry ransomware compromised part of IT infrastructure of Honda car factory in Japan, causing the plant’s temporary halt.
-
TESLAWARE KIT FOR SALE
New customizable sample called TeslaWare can be purchased on the dark web for €35-70. Fortunately, it’s decryptable.
-
AZAZEL RANSOMWARE HUNT
MHT invites researchers to join a hunt for aZaZeL ransomware, which uses the .Encrypted extension and File_Encryption_Notice.txt note.
-
NEW STRAIN WRITTEN IN RUBY
The Ruby ransomware leverages a DGA (domain generation algorithm) and Command & Control server to streamline the extortion.
-
ONECRYPT IS TOO CRUDE TO WORK RIGHT
This one is in the process of development thus far. Ransom note !!!.txt has a bunch of blanks to be filled out by the author.
-
ANOTHER HIGH-PROFILE TARGET OF WANNACRY
WannaCry infects 55 road safety cameras in Victoria state, Australia, forcing officials to suspend thousands of infringement tickets.
-
ANOTHER COMEBACK OF LOCKY
Once again, Locky ransomware architects resume their campaign. However, the pest only targets Windows XP and Vista.
-
CRYPTODARK RANSOMWARE
Said sample is pretty much harmless as it doesn’t engage real crypto. And yet, it demands $300 worth of BTC.
-
CERBER COPYCAT SPOTTED
Researchers bump into a specimen that imitates Cerber ransomware and concatenates the .encrypted suffix to files.
-
RANSOMWARE PILFERING GROWTOPIA CREDENTIALS
AlixSpy malware captures sensitive login info for Growtopia game and generates a “System locked” screen asking for $20 worth of BTC.
-
QUAKEWAY ISN’T THAT BAD
This ransomware appends the .org extension to locked files and drops the ___iWasHere.txt ransom how-to. Decryptable, according to MHT.
-
RANSOMWARE INCIDENTS ARE SCARCELY REPORTED
According to the FBI’s 2016 Internet Crime Report, few ransomware victims notify law enforcement of these attacks.
-
WINDOWS 10 S ISN’T THAT BULLETPROOF
Despite Microsoft’s claims of Windows 10 S edition being invulnerable to ransomware, white hat hackers proved the opposite.
-
UNIQUENESS OF THE REETNER RANSOMWARE
Sample called Reetner leverages separate ad hoc executables for different processes, following a so-called modular principle of attack deployment.
-
NEW SCREEN LOCKER THAT DOESN’T WANT MONEY
Researchers discover a screen locker that acts like the average strain in this niche, except that it doesn’t demand a ransom to unlock.
-
EYLAMO RANSOMWARE IS RUN-OF-THE-MILL
Hidden Tear derivative. Concatenates the .lamo extension to filenames and provides instructions in READ_IT.txt document.
-
KRYPTONITE HAS INTERESTING CAMOUFLAGE
The payload of the Kryptonite hoax is disguised as a Snake game. Crashes upon execution but demands $500 regardless.
-
JIGSAW UPDATED, ONCE AGAIN
New offspring of the Jigsaw ransomware family uses the .rat extension to flag encrypted data.
-
HT VARIANT INVOLVED IN TARGETED ATTACKS
Appends the .locked extension to filenames, drops READ_ME.txt note and specifically zeroes in on the Eurogate company.
-
ANDROID RANSOMWARE WITH ADULT FLAVOR
Dubbed Koler, this ransom Trojan spreads as a rogue PornHub applet. Displays FBI themed lock screen on infected Android device.
-
HIDDEN TEAR DERIVATIVE IN NEW DISGUISE
Another HT spinoff is discovered that mimics the Battlefield game to infect PCs. Uses the .locked file extension.
-
MMM RANSOMWARE
Said infection concatenates the .0x004867 string to encoded data and sprinkles numerous .info files with encryption keys.
-
SAMAS LINEAGE PRODUCES ANOTHER VARIANT
Brand-new edition of Samas/SamSam ransomware affixes the .moments2900 extension to locked files.
-
NAYANA CASE GOES TOXIC
After web host Nayana paid a $1 million ransom, crooks started shelling other South Korean companies with DDoS-for-ransom attacks.
-
KARO TROJAN WITH NOTHING SPECIAL UNDER THE HOOD
New ransomware called Karo concatenates the .ipygh string to filenames and creates ReadMe.html ransom manual.
-
VIACRYPT, A GARDEN-VARIETY SAMPLE
The main hallmark of this strain is the .via extension added to files. Displays a ransom note with Latvian text.
-
SHIFR RANSOMWARE-AS-A-SERVICE
This RaaS network lets cybercriminals create custom ransomware builds for a fee that’s much lower than the average.
-
PETYA RETURNS WITH LARGE-SCALE CAMPAIGN
A sample resembling the ill-famed Petya MFT encryptor infects numerous organizations in Ukraine and other European countries.
-
PETYA INBOX SUSPENDED
Email provider Posteo blocks account wowsmith123456@posteo.net, which is used in the new Petya ransomware wave.
-
POSSIBLE SOURCE OF PETYA EPIDEMIC DISCOVERED
Petya, or NotPetya as some researchers dubbed it, reportedly spreads as a contagious update for M.E.Doc accounting software.
-
METHOD FOUND TO AVOID PETYA
Turns out that creating a new read-only file named ‘perfc.dat’ inside the Windows folder stops the Petya attack in its tracks.
-
CRYPTOBUBBLE RANSOMWARE
Someone calling himself “Bob” starts spreading CryptoBubble, a sample that uses the .bubble file extension. This one is decryptable.
-
EXECUTIONER RANSOMWARE CHANGE
Turkish crypto malady called Executioner starts staining hostage files with a random 6-character extension.
-
PETYA IS NOT AN EXTORTION INSTRUMENT
Kaspersky researchers affirm that the new Petya does not include an MFT decryption feature, so paying the ransom has no effect.
-
CROOKS ARE TARGETING UKRAINE ALL THE TIME
Ransomware called PSCrypt had reportedly begun propagating in Ukraine several days before the Petya outbreak occurred.
-
PETYA MAY NOT BE RANSOMWARE AT ALL
Since classic ransomware is all about extortion, the Petya remake doesn’t fall into this category as it simply destroys systems.
-
MUSICGUY SAMPLE
The only thing worth mentioning about the new MusicGuy ransomware is that it appends files with the .locked string.
-
STRAIN DUBBED RANDOM6
Analysts call it that because it uses extensions consisting of 6 random characters. The ransom note is RESTORE-.[random]-FILES.txt.
-
GANK RANSOM
Uses the .gankLocked file extension and READ_ME_ASAP.txt ransom how-to, demands “one million bitcoins”, which is obviously a prank.
-
PIRATEWARE WITH NO CRYPTO MODULE THUS FAR
Warning screen of the new Pirateware asks for 0.1 BTC (about $250). The code is incomplete and doesn’t do crypto.
-
ANTI-RANSOMWARE WINDOWS FEATURE ANNOUNCED
Microsoft is planning to equip Windows Defender with “Controlled Folder Access” feature to prevent malicious encryption.
-
CRBR ENCRYPTOR, A CERBER HEIR
Cerber ransomware is renamed to CRBR ENCRYPTOR. Still scrambles filenames, adds 4-char extension and drops HTA ransom note.
-
UKRAINE KEEPS SUFFERING FROM RANSOMWARE ATTACKS
New strain specifically targeting Ukraine is a WannaCry copycat written in .NET and possibly circulating via M.E.Doc software.
-
ABCSCREENLOCKER IS TOO IMMATURE YET
As the name hints, in-dev ABCScreenLocker is supposed to lock the screen and demand money. Only does the locking part at this point.
-
NEMUCOD UPDATED
Brand new edition of the old Nemucod ransomware displays a revamped red warning background. Does not use any file extension.
-
PETYA WON’T DECRYPT SYSTEMS NO MATTER WHAT
Reputable security experts confirm that Petya (NotPetya or ExPetr) doesn’t come with a decryption mechanism, so it’s meant for sabotage.
-
TIES BETWEEN PETYA AND PAST ATTACKS AGAINST UKRAINE
Several security companies state the (Not)Petya campaign is attributed to a group that targeted Ukrainian power grid back in 2015.
-
LALABITCH RANSOMWARE
This one uses the .lalabitch extension for locked files, base64 enciphers filenames and leaves a recovery how-to called lalabitch.php.
-
TAKEOM SAMPLE BEING CREATED
Analysts discover in-dev Takeom ransomware that demands $300 worth of BTC and provides a 24-hour deadline to pay up.
-
RANSRANS IS TOO IMMATURE TO PROSPER
This is a new Hidden Tear PoC offshoot. Subjoins the .ransrans string to encrypted files and keeps crashing all the time.
-
HELL, AKA RADIATION, RANSOMWARE
Another crude infection “made by KingCobra” that destroys data beyond recovery. Leaves decrypt.txt ransom note on desktop.
-
BTCWARE UPDATE
The latest iteration of BTCWare ransom Trojan concatenates the .aleta extension to hostage files.
-
HT VARIANT CALLED UNIKEY
Not much to say about this sample except that it’s a derivative of the academic Hidden Tear ransomware. Dev’s nickname is Nhan.
-
CRY36 FAMILY PRODUCES A NEW SPINOFF
Fresh edition of the Cry36 ransomware uses the .63vc4 file extension and ### DECRYPT MY FILES ###.txt decryption manual.
-
UKRAINIAN POLICE RAID AS PART OF PETYA INVESTIGATION
Ukrainian law enforcement seize servers belonging to the vendor whose backdoored software (M.E.Doc) was used in the Petya virus outbreak.
-
SHELLLOCKER RANSOMWARE UPDATE
New version appends files with the .L0cked string, jumbles filenames, displays ransom note in Russian and uses 5quish@mail.ru email.
-
ZERORANSOM SAMPLE SPOTTED
Concatenates the .z3r0 suffix to ransomed files and displays decryption how-to named EncryptNote_README.txt.
-
J-RANSOMWARE, A ZERORANSOM OFFSHOOT
Strain called J-Ransomware is based on the above ZeroRansom. Uses the .LoveYou extension to mark encoded files.
-
ZSCREENLOCKER VARIANT DISCOVERED
zScreenlocker was originally discovered in November 2016. Fresh iteration uses the following unlock password: Kate8Zlord.
-
NEW EXTENSION USED BY CRYPTOMIX
The most recent edition of CryptoMix, or Mole ransomware, affixes the .MOLE00 extension to locked files.
-
CRYPTER 1.0 IS A MESS
Sample called Crypter 1.0 fails to encrypt anything and generates messages with weird contents demanding 10 BTC.
-
CROOKS BEHIND PETYA GET OUT IN THE OPEN
Individuals responsible for the recent Petya outbreak start transferring the obtained cryptocurrency to other Bitcoin wallets.
-
UNEXPECTED FINDINGS OF AV-TEST
According to Security Report 2016/17 by AV-TEST, the share of ransomware in the global malware volume is only about 1%.
-
CRYPTOMIX VARIANT CRACKED
Thanks to combined efforts of security vendors and enthusiasts, free decryptor for the MOLE02 edition of CryptoMix is released.
-
ANDROID RANSOMWARE AUTHORS ARRESTED
Chinese police apprehend two individuals for spreading SLocker Android ransomware version that resembles WannaCry.
-
NEW CRYPTOMIX SPINOFF DISCOVERED
The latest incarnation of CryptoMix uses the .Azer file extension and drops _INTERESTING_INFORMATION_FOR_DECRYPT.txt note.
-
MASTER EDITION OF BTCWARE NOW DECRYPTABLE
MHT’s Michael Gillespie updates his BTCWareDecrypter that now supports the .master file extension variant of this ransomware.
-
EXECUTIONER RANSOMWARE – STILL NO BIG DEAL
In spite of Executioner ransomware makers’ efforts to make the pest uncrackable, newer iterations are still decryptable.
-
COUNTLOCKER SHAPING UP TO BE A SERIOUS ISSUE
In-dev ransomware called CountLocker claims to delete all data on C drive unless the victim pays 0.3 BTC in 72 hours.
-
FENRIR TROJAN IS UNUSUAL IN A WAY
This sample derives the file extension from infected host’s Hardware ID (HWID). The ransom note is Ransom.rtf.
-
ELMERSGLUE_3 RANSOMWARE
Screen locker called ElmersGlue_3 is a derivative of ElmersGlue Locker v1.0, which was spotted in May 2017. Easy to get around.
-
ORIGINAL PETYA IS NOW OFFICIALLY DECRYPTABLE
Member of the JANUS cybercrime ring dumps master decryption keys for the original Petya, Mischa and Goldeneye ransomware.
-
RANSOMWARE TELLING VICTIMS TO DO SURVEYS
Dubbed SurveyLocker, the new Trojan drags victims into a loop of surveys so that their screen can be unlocked.
-
RANDOM6 IS PART OF A KNOWN LINEAGE
According to some in-depth analysis, the recently spotted Random6 pest appears to be a Fantom ransomware derivative.
-
LEAKERLOCKER ANDROID RANSOMWARE
Spreading via two booby-trapped apps on Google Play, this one threatens to send victims’ sensitive data to all contacts. Demands $50.
-
PETYA COPYCAT DISCOVERED
Dubbed Petya+, this ransomware is programmed in .NET. The ransom screen is almost a replica of the original. No crypto so far.
-
SCORPIO RANSOMWARE USES APROPOS EXTENSION
Also referred to as Scarab, this sample scrambles filenames and appends them with the .[Help-Mails@Ya.Ru].Scorpio extension.
-
OXAR RANSOMWARE BASED ON HIDDEN TEAR
HT based strain called Oxar, or Locked In, concatenates the .OXR suffix to encoded files. Demands $100 worth of Bitcoin.
-
BIT PAYMER SPECIMEN APPEARS
Uses the .locked file extension and creates a separate .readme_txt recovery how-to for every hostage file.
-
NEWSMAKING ARREST OVER RANSOMWARE
Australian authorities apprehend a 75-year-old man for setting up rogue tech support companies involved in ransomware schemes.
-
NEMUCODAES STRAIN DECRYPTED
Emsisoft makes another breakthrough in fighting ransomware. This time they release a free decryptor for the NemucodAES strand.
-
ASLAHORA TROJAN – HIDDEN TEAR MISUSED AGAIN
Brand new HT offshoot called AslaHora subjoins the .Malki extension to ransomed files. The unlock password is MALKIMALKIMALKI.
-
DCRY RANSOMWARE DECRYPTED
Researchers come up with a free decryption tool that supports the Dcry ransomware appending files with the .dcry extension.
-
BLACKOUT RANSOMWARE SURFACES
New sample called BLACKOUT drops README_[random numbers].txt ransom note and base64 encodes filenames.
-
KEEP CALM RANSOMWARE
This one is based off of EDA2 PoC. Concatenates the .locked string to hostage files and leaves “Read Instructions.rtf” ransom note.
-
PURGE STRAIN TURNS OUT SHODDY
Blemishes files with the .purge extension. Keeps crashing during encryption process. The unlock password is “TotallyNotStupid”.
-
“YOUR ALL DATA IS ENCRYPT” SCREEN LOCKER
The name is the phrase this sample displays on its lock screen. Demands 1 BTC but is ridiculously easy to get around (Alt+F4).
-
BRAINLAG SPECIMEN SPOTTED
Currently in the process of development, so no crypto thus far. Displays a black lock screen with a smiley in the middle.
-
RANSED RANSOMWARE
Stains files with the apropos .Ransed extension. Reaches out to a MySQL server, so server access credentials are hard coded.
-
JIGSAW STRAND PRODUCES ANOTHER VARIANT
The newest iteration of the Jigsaw ransomware switches to using the .kill string to label hostage files.
-
SAMSAM RANSOMWARE UPDATED
Brand new edition of the SamSam/Samas ransomware concatenates the .country82000 extension to locked data entries.
-
ENDCRYPT0R SAMPLE IS NO BIG DEAL
Screen locker called ENDcrypt0r displays an alert saying that files have been encrypted, while they aren’t. Unlock code is A01B.
-
FUACKED RANSOMWARE IS A DULL ONE
Nothing special about the new specimen called Fuacked. Leaves a ransom note named dummy_file.txt.
-
STRIKED RANSOMWARE DECRYPTED
Free decryptor is out for the Striked ransomware, which appends the #rap@mortalkombat.top#id#[random] extension to locked files.
-
ANDROID TROJAN WITH RANSOMWARE CAPABILITIES
Remote Access Trojan for Android dubbed GhostCtrl can also reset the PINs of host devices and lock the screen with a ransom note.
-
ALOSIA TEAM SAMPLE BASED ON OPEN-SOURCE CODE
The latest iteration of the Stupid ransomware uses the .alosia file extension. The unlock code is CREATEDBYMR403FORBIDDEN.
-
ALMOST FRIENDLY-LOOKING JIGSAW EDITION
New Jigsaw variant stains encrypted files with the .korea string and displays a black background with a smiley on it.
-
REYPTSON RANSOMWARE
Targets Spanish-speaking users. Interestingly, it pilfers Thunderbird email credentials to generate spam on behalf of a victim.
-
VIRO STRAIN SPOTTED IN THE WILD
Uses the .locked extension, leaves “Computer compromised” ransom how-to, and displays a religion-themed background.
-
THE SELF-EXPLANATORY OOPS RANSOMWARE
Concatenates the .oops extension to hostage files, demands 0.1 BTC and uses only4you@protonmail.com contact email.
-
EXPLORER RANSOMWARE, NEW ONE OUT THERE
Based on Hidden Tear PoC, this one uses the .explorer file extension. Victims are instructed to contact decrypter.files@mail.ru.
-
GLOBEIMPOSTER KEEPS SPAWNING NEW VARIANTS
Fresh GlobeImposter editions use the .au1crypt or .s1crypt extension and leave decrypt manual named how_to_back_files.html.
-
FEDEX EVALUATES IMPACT OVER PETYA
According to official statement by FedEx, the damage incurred due to Petya ransomware attack is material and permanent.
-
RADIO STATION STRUGGLING TO RECOVER FROM ATTACK
San Francisco TV & radio station KQED is still suffering the consequences of a ransomware attack that took place in mid-June.
-
NEMUCODAES DECRYPTOR UPDATED
Emsisoft enhances their decryption tool for NemucodAES ransomware so that it supports large files.
-
NEW SAMPLE CALLED CHINA-YUNLONG
This specimen zeroes in on Chinese users. Concatenates the .yl string to all encoded data items.
-
CRYPTOMIX FAMILY GROWS
Two new CryptoMix iterations use the .ZAYKA and .NOOB extensions to stain files. Ransom note is still named _HELP_INSTRUCTION.txt.
-
STRIKED RANSOMWARE DECRYPTOR ENHANCED
MalwareHunterTeam’s Michael Gillespie updates the decryptor for Striked ransomware, so now it supports most recent editions.
-
MATROSKA STRAIN BASED ON HIDDEN TEAR
Said HT offspring concatenates the .hustonwehaveaproblem@keemail.me extension to no-longer-accessible files.
-
ANOTHER CRYPTOMIX EDITION RELEASED
A CryptoMix ransomware variant goes live that blemishes files with the .CK suffix. The ransom note hasn’t changed.
-
JIGSAW RANSOMWARE UPDATE
Brand-new spinoff of the Jigsaw ransomware lineage switches to using the .afc extension for encrypted data entries.
-
SYMBIOM RANSOMWARE DISCOVERED
Yet another Hidden Tear derivative. Appends files with the .symbiom_ransomware_locked extension and demands 0.1 BTC.
-
BITSHIFTER RANSOMWARE ALSO PILFERS DATA
Leaves a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt. Additionally attempts to steal sensitive information.
-
GLOBEIMPOSTER UPDATE ROLLED OUT
The latest version of the GlobeImposter ransomware speckles encrypted files with the .skunk extension token.
-
SNAKELOCKER IS ON ITS WAY
Written in Python, SnakeLocker concatenates the .snake or .TGIF extension to files and leaves INSTRUCTIONS-README.html note.
-
GLOBEIMPOSTER FAMILY ENLARGES
New offspring of the GlobeImposter ransomware pops up. It appends ransomed files with the .GOTHAM extension.
-
GLOBEIMPOSTER GETS ON STEROIDS
One more version of GlobeImposter starts making the rounds. It uses the .crypt extension and how_to_back_files.html ransom note.
-
THIRD GLOBEIMPOSTER VARIANT IN A DAY
Yet another edition stains scrambled files with the .HAPP suffix and still drops HTML ransom note named how_to_back_files.
-
ZILLA RANSOMWARE UPDATE
Brand new version of the Zilla Trojan concatenates the .Atom extension to files and uses ReadMeNow.txt how-to.
-
SIMPLERANSOMWARE IS MORE COMPLEX THAN IT APPEARS
This one attempts to plant a Visual Basic rootkit onto a host system and harnesses Pastebin to figure out if a victim has paid up.
-
BAM! RANSOMWARE GOES LIVE
Subjoins the .bam! extension to no-longer-accessible files and uses contact email addresses abc@xyz.com and acc@xyz.com.
-
JCODER MAKERS MUST BE PETYA FANS
JCoder sample is spotted that concatenates the .Petya extension to encrypted files.
-
DCRY KEEPS UPDATING AFTER BEING DECRYPTED
DCry ransomware, which had been cracked by MHT’s Michael Gillespie, spawns a new variant that adds the .qwqd extension to files.
-
TURKISH WANNACRY COUNTERFEIT SPOTTED
Looks similar to original WannaCry. Spreads via RDP, moves files to password-protected ZIP, and displays its demands in Turkish.
-
OLD PETYA EDITIONS CAN BE DECRYPTED
Malwarebytes confirms that the previously leaked private decryption key for early Petya versions is valid.
-
GLOBEIMPOSTER BECOMES INCREASINGLY TOXIC
Fresh version appends enciphered files with the .707 suffix and provides recovery steps in RECOVER-FILES.html document.
-
ONE MORE EDITION OF GLOBEIMPOSTER
New GlobeImposter iteration appends locked files with the attacker’s email address followed by the .BRT92 extension.
-
COMEBACK OF VINDOWSLOCKER
The currently active variant states the victim’s desktop was locked due to prohibited online activities. Demands iTunes gift cards.
-
RANDSOMEWARE SEEMS TO BE INSTRUCTIVE
Also known as RDW, it stains files with the .RDWF string and, surprisingly, lets the user know it is going to start encryption.
-
GLOBEIMPOSTER CONTINUES SPEWING OUT VARIANTS
New one concatenates the .p1crypt extension to encoded files and sticks with the invariable how_to_back_files.html note.
-
STRIKED RANSOMWARE DECRYPTOR FINE-TUNED
Michael Gillespie (@demonslay335) updates his decryptor for Striked ransomware, so it now supports newer variants.
-
SERPENT RANSOMWARE UPDATE
The latest edition uses the .srpx suffix for locked files and drops README_TO_RESTORE_FILES_t7Q.txt/html ransom notes.
-
NEW SAMPLE FROM POLISH EXTORTIONISTS
Researchers discover ransomware specimen that generates its warnings in Polish. Unnamed at this point.
-
ABC LOCKER, A CLOUDSWORD DERIVATIVE
Fresh spinoff of the CloudSword ransomware called ABC Locker surfaces. Demands 0.5 BTC within 5-day deadline.
-
INVINCIBLE RANSOMWARE IN DEVELOPMENT
Warning pane of the new Ransomware InVincible looks like WannaCry’s. This one does not perform encryption thus far.
-
SPONGEBOB RANSOMWARE PUTS SQUARE PANTS ON FILES
Features Spongebob theme in its victim interaction screens. Crude code lacking crypto. Provides 3 days of “special price”.
-
ZUAHAHHAH STRAIN STARTS CIRCULATING
Discovered by ESET, Zuahahhah ransomware appears to be a new variant of the prolific Crypt888 infection.
-
LAMBDALOCKER UPDATE
Concatenates the .MyChemicalRomance4EVER extension to encrypted files and drops UNLOCK_guiDE.tXT ransom note.
-
BIG RANSOM CASHOUT SCHEME UNCOVERED
Taking the floor at Black Hat USA 2017, Google’s security analysts claim 95% of ransomware payouts were cashed out via BTC-e service.
-
SHIELDFS, THE NEXT BIG THING TO COMBAT RANSOMWARE
Italian experts invent ShieldFS, a custom filesystem that effectively detects ransomware and undoes unauthorized data encryption.
-
OWNER OF BTC-E PLATFORM ARRESTED
BTC-e owner, Russian citizen Alexander Vinnik, is arrested in Greece on suspicion of ransomware-related money laundering.
-
A COUPLE OF NEW CRYPTOMIX VERSIONS SPOTTED
Two fresh editions of the CryptoMix ransomware use the .DG and .ZERO file extensions and _HELP_INSTRUCTION.txt ransom note.
-
GLOBEIMPOSTER UPDATED, ONCE AGAIN
Newest iteration of GlobeImposter concatenates the .725 extension to encrypted files. Spreads via malspam.
-
NEW RANSOMWARE CODEBASE SPOTTED
Its ransom note HOW TO DECRYPT FILES.txt says it’s “test” and asks for “cash” to create custom build of this unnamed sample.
-
STORM RANSOMWARE SPOTTED
Discovered by MHT. Uses StormRansomware@gmail.com contact email and goes with a hard-coded password.
-
RANSOMDEMON IS ON ITS WAY
Currently in development, the RansomDemoN sample has an “Encrypt” button and won’t apply crypto unless it’s clicked.
-
SAMSAM FAMILY SPAWNS NEW ITERATION
The latest version of the SamSam/Samas ransom Trojan uses the .supported2017 string to blemish encoded data.
-
NEW SPREADING TACTIC OF GLOBEIMPOSTER
The .crypt extension variant of GlobeImposter is making the rounds via Blank Slate spam with no subject line, just an attachment.
-
PRIVATE BUILDER AUTOMATING RANSOMWARE CREATION
Private Builder Ransomware V2.01 allows threat actors to define custom properties of their own build of the infection.
-
THE SHODDY FCP RANSOMWARE
Leaves a rescue note named READ_ME_HELP_ME.txt. Does not encrypt anything at this point, just renames files.
-
RANSOMWARE BUILDER CALLED OXAR
Provides several different forms to fill out, where wannabe cybercriminals can set their preferred campaign values.
-
GRYPHON SAMPLE REPRESENTING KNOWN FAMILY
Gryphon ransomware turns out to be a spinoff of the BTCWare strain. Appends files with the .[decr@cock.li].gryphon extension.
-
NEW POLISH SCREEN LOCKER IN THE WILD
Generates animated lock screen featuring a dancing person. Fortunately, it does not encrypt data and is easy to get around.
-
TEST RANSOMWARE UPDATED
Above-mentioned ransomware builder claiming to be a “test” gets an upgrade. Configured to append the .Node0 extension to files.
-
ROSE EDITION OF GLOBEIMPOSTER
Yet another version of GlobeImposter uses the .rose file extension prepended by [i-absolutus@bigmir.net] string.
-
GUESS WHAT’S UPDATED? GLOBEIMPOSTER
Fresh spinoff of GlobeImposter stains encoded files with the .ocean suffix and leaves a ransom how-to named !back_files!.html.
-
ANOTHER BTCWARE PERSONA DETECTED
Drops ransom note named !#_READ_ME_#!.hta and appends the .[avalona.toga@aol.com].blocking extension to files.
-
SCOTCH TAPE LOCKER V1.0
Trojan called Scotch Tape Locker v1.0 doesn’t do more damage than locking a victim’s screen. Uses fbifine@protonmail.com email.
-
LARGE PHARMA COMPANY IMPACTED BY NOTPETYA
Merck, a large US-based pharmaceutical company, is still struggling to recover from the NotPetya attack that affected some of its servers.
-
RSA2048PRO PRIORITIZES DATA DURING ENCRYPTION
C# based ransomware RSA2048Pro applies a data filter to first encode items added during the past 3 months.
-
SEVENDAYS RANSOMWARE
This video game themed specimen concatenates the .SEVENDAYS extension to files and does not provide any payment steps.
-
IN-DEVELOPMENT TPS 1.0 SAMPLE
Although TPS 1.0 claims to have encrypted one’s files, its effect is restricted to only showing a warning screen. Demands $300 in BTC.
-
GLOBEIMPOSTER PLAYING WITH NUMBERS
Another GlobeImposter offshoot is discovered that stains hostage files with the .726 extension.
-
RANAOMWARE TROJAN GOES ITS OWN ROUTE
Also known as Blackzd, the Ranaomware sample simply renames files without appending any extra extension.
-
LOCKBOX RANSOMWARE
Claims to use AES-256 algorithm to lock data. Instructs victims to contact trevinomason1@gmailcom for recovery steps.
-
CRYSTAL STRAIN GOES WITH MULTIPLE COMPONENTS
This one is equipped with a malware downloader and a DDoS module. Affixes the .CRYSTAL string to filenames.
-
ROBINHOOD RANSOMWARE
It displays a message asking for “five Bitcoins to help Yemeni people”. Provides a 72-hour deadline to pay up.
-
WANNAPAY SAMPLE SPOTTED
Currently in development. Downloads the executable to C:\Users\DORA path at this point.
-
EBAYWALL RANSOMWARE STANDS OUT FROM THE REST
Ransom note ebay-msg.html provides contemplations on present-day security issues. Appends files with the .ebay extension.
-
LAWSUIT OVER NOTPETYA OUTBREAK
Ukrainian law firm is prepping a case against the vendor of M.E.Doc accounting software for spreading NotPetya ransomware.
-
GLOBEIMPOSTER KEEPS GAINING MOMENTUM
One more GlobeImposter variant uses the .sea extension for locked files and drops !your_files!.html ransom how-to.
-
CERBER GETS A BIG ENHANCEMENT
The latest version of Cerber ransomware is capable of stealing browser passwords and Bitcoin wallet data.
-
SHUTDOWN57 SAMPLE DETECTED
Adds ransom note named shutdown57.php and subjoins the .shutdown57 extension to files. The warning says, “Encrypter 8y v1ru5.”
-
GLOBEIMPOSTER STILL ON THE RISE
Yet another clone of GlobeImposter uses the .490 file extension and leaves a ransom note named free_files!.html.
-
OXAR RANSOMWARE UPDATED
While Oxar still labels encrypted files with the .OXR extension, now it features fresh design of the ransom note.
-
3301 RANSOMWARE IN THE WILD
Appears to be an offshoot of Karmen Ransomware-as-a-Service. Uses the .3301 file extension and DECRYPT_MY_FILES.html note.
-
NO DAYS OFF FOR GLOBEIMPOSTER DEVS
Another iteration of GlobeImposter adds the .mtk118 string to filenames and drops how_to_back_files.html payment how-to.
-
POLSKI RANSOMWARE TARGETS POLISH USERS
This AESxWin spinoff uses the .ZABLOKOWANE extension and ### – ODZYSKAJ SWOJE DANE – ###.txt recovery manual.
-
BALBAZ 1.00 INFECTION, NEW ONE ON THE TABLE
Based off of HiddenTear PoC. Blemishes encrypted files with the .WAmarlocked extension and creates READ_IT.txt ransom note.
-
IN-DEV UEFI RANSOMWARE
Doesn’t implement crypto at this point. Drops ransom how-to named decrypt.txt and demands $350 worth of BTC.
-
TPS RANSOMWARE BECOMES WHY-CRY
TPS sample discovered on August 1 gets modified: it now manifests itself as Why-Cry. Demands $300 worth of BTC.
-
OGONIA EDITION OF CRYPTOMIX
Fresh iteration of CryptoMix ransomware surfaces that uses the .OGONIA extension and _HELP_INSTRUCTION.txt ransom how-to.
-
CRYPTOMIX SPINOFF CALLED CNC
Yet another CryptoMix variant is spotted. It appends the .CNC string to filenames and drops _HELP_INSTRUCTION.txt note.
-
RUSSIAN USERS TARGETED BY GLOBEIMPOSTER OFFSHOOT
New GlobeImposter variant pops up that zeroes in on Russian-speaking users. It stains hostage files with the .crypt extension.
-
GLOBEIMPOSTER UPDATE
One more version uses the .coded extension for ciphered files and decoder_master@aol.com / india.com contact emails.
-
ASTRA DERIVATIVE OF GLOBEIMPOSTER
The latest variant of GlobeImposter adds the .astra suffix to files and creates here_your_files!.html ransom notes.
-
FOURTH GLOBEIMPOSTER VARIANT IN A DAY
The spinoff uses the .492 extension and file_free@protonmail.com / koreajoin69@tutanota.com contact email addresses.
-
DIAMOND COMPUTER ENCRYPTION RANSOMWARE
This one concatenates random extensions to files and leaves a ransom note named _READ_IT_FOR_RECOVER_FILES.html.
-
SCREEN LOCKER CALLED LOCKD
The LOCKD virus pretends to come from the US Department of Justice and demands $200 payable with MoneyPak.
-
WANACRY4 RANSOMWARE DISCOVERED
WanaCry4 is in fact a modified version of CryptoWire. Prepends the ‘encrypted’ string to original file extension.
-
XORIST EDITION USING .HELLO EXTENSION
In addition to appending the .HELLO string to filenames, this sample drops HOW TO DECRYPT FILES.txt ransom note.
-
GLOBEIMPOSTER KEEPS ON CHANGING
Another GlobeImposter variant blemishes encrypted files with the ..TXT suffix and uses Read_ME.html recovery instructions.
-
SEXTORTIONIST TRACKED DOWN BY THE FBI
Although the suspect was using Tor, the FBI were able to get his IP address by duping him into opening a booby-trapped video.
-
TWO EDITIONS OF OXAR STRAIN SPOTTED
New versions of the Oxar ransomware concatenate the .PEDO and .ULOZ strings to encrypted files.
-
INFORMATIVE WRITE-UP ON CERBER PROPAGATION
Malwarebytes researchers dissect the way the Cerber ransomware (CRBR Encryptor) uses the Magnitude exploit kit to proliferate.
-
ISRABYE SAMPLE IS MEANT FOR SABOTAGE
Although the anti-Israel IsraBye infection passes itself off as ransomware, it actually erases data without any recovery options.
-
RUMBLEGOODBOY RANSOMWARE
This one is a GlobeImposter edition. Uses the .rumblegoodboy file extension and how_to_back_files.html ransom note.
-
A GLOBE LOOKALIKE APPEARS
Written in .NET, the sample in question displays Globe-style ransom notes. Appends the .[cho.dambler@yandex.com] extension to files.
-
NEW OXAR OFFSPRING SURFACES
The latest Oxar ransomware version uses the .FDP extension to label encrypted files. No other noteworthy changes have been made.
-
UKRAINIAN MAN ARRESTED FOR DISTRIBUTING PETYA
Ukraine’s Cyber Police apprehend a 51-year-old man for infecting companies with the Petya.A virus as part of a tax evasion hoax.
-
GRYPHON RANSOMWARE UPDATED
Gryphon, a variant of the BTCWare strain, gets an update. Its spinoff uses the .[gladius_rectus@aol.com ].crypton file extension.
-
NEW GLOBEIMPOSTER VARIANT
Another mod of GlobeImposter uses the .0402 extension for encrypted files and drops !SOS!.html ransom note.
-
GLOBEIMPOSTER FEATURING .TRUMP EXTENSION
Fresh edition of GlobeImposter stains encoded files with the .Trump string and uses Donald_Trump@derpymail.org contact email.
-
JIGSAW OFFSHOOT TARGETING POLISH USERS
While going after Polish-speaking users, new Jigsaw iteration concatenates the .pabluklocker extension to hostage entries.
-
SHINIGAMI RANSOMWARE
Displays Joker-style warning screen, uses symmetric DES (Data Encryption Standard), and appends the .shinigami extension to files.
-
MORE HIDDEN TEAR OFFSPRING IN THE WILD
Based on the educational Hidden Tear, the strain in question goes banal with the appended file extension, which is .locked.
-
MMM RANSOMWARE UPDATE
Originally discovered in late June, the MMM ransomware now switches to using the .0x009d8a extension for encrypted data.
-
CERBER COPYCAT FROM XORIST FAMILY
Brand new iteration of the Xorist virus blemishes victims’ files with the .Cerber_RansomWare@qq.com string. Potentially decryptable.
-
GLOBEIMPOSTER CAMPAIGN STILL UP AND RUNNING
Yet another version appends the .GRANNY extension to files and uses crazyfoot_granny@aol.com contact email address.
-
A COUPLE MORE GLOBEIMPOSTERS
Researchers spot more editions that use the following file extensions: .zuzya, .LEGO, .UNLIS, and .D2550A49BF52DFC23F2C013C5.
-
SCREEN LOCKER FEATURING JIGSAW THEME
This one turns out more harmful than it appears, both locking the screen and also encrypting data on target computer.
-
MORE RANSOMWARE BASED ON OPEN SOURCE CODE
Crooks continue to use open source PHP ransomware uploaded to GitHub in 2016. Real-world threats target web servers.
-
INFINITE TEAR RANSOMWARE
New specimen called Infinite Tear uses the .JezRoz file extension and leaves Important_Read_Me.txt ransom note.
-
NULL RANSOMWARE SPOTTED
Goes with a GUI, claims to use AES-256 encryption algorithm and concatenates the .null extension to locked files.
-
ROTOCRYPT TROJAN GOES LIVE
RotoCrypt affixes the .OTR extension to encrypted files and instructs victims to send email to diligatmail7@tutanota.com.
-
NEW .NET RANSOMWARE DISCOVERED
Uses the following file renaming format: filename=id=email.crypt12. Equipped with a GUI. Replaces desktop wallpaper.
-
BRANSOMWARE USES BUGGY CRYPTO
New BRansomware sample concatenates the .GG extension to encoded files. Uses AES cipher but doesn’t do it properly.
-
SYNCCRYPT STRAIN EVADES AV
Malicious payload for SyncCrypt is obfuscated via booby-trapped image files, so most AV tools miss it. Uses the .KK file extension.
-
LOCKY UPDATED OUT OF THE BLUE
The latest variant of the Locky ransomware labels encrypted files with the .lukitus extension and uses lukitus.htm/bmp ransom notes.
-
CLICO CRYPTOR, ANOTHER POLISH SAMPLE
This Java based ransomware concatenates the .enc extension to files. Ransom note contents are in Polish. Might be a PoC.
-
SAMAS RANSOMWARE UPDATE
After a lengthy pause, the Samas family is back with the .prosperous666 file variant. Drops PLEASE-README-AFFECTED-FILES.html note.
-
LAMBDALOCKER DECRYPTED
Avast creates a free decryption tool for the LambdaLocker ransomware that appends the .MyChemicalRomance4EVER file extension.
-
NEW VERSION OF MATROSKA RANSOMWARE SPOTTED
The latest Matroska ransomware edition concatenates the .encrypted[Payfordecrypt@protonmail.com] string to locked files.
-
RANSOMWARE STATS FOR Q2 2017
Multiple security firms state that ransomware payloads outperformed all other threats distributed via email in Q2 2017.
-
SCREEN LOCKER CALLED WOODMAN
The WoodMan Trojan features a lock screen that looks like a 5-year-old drew it. The ‘mm2wood.mid’ code does the unlock trick.
-
MOON DECRYPTOR RANSOMWARE
Aka Moon Cryptor, this one boasts a well-designed GUI and appends the .fmoon string to files. Deletes one file per minute until paid.
-
DRACO PC RANSOMWARE DETECTED
New Draco PC Ransomware threatens to delete one file every hour and erase system32 folder in two days if a victim doesn’t pay up.
-
GLOBEIMPOSTER UPDATED AGAIN
Fresh version appends the .{saruman7@india.com}.BRT92 extension to encrypted files and drops #DECRYPT_FILES#.html note.
-
RANSOMWARE ATTACKS LG KIOSKS IN SOUTH KOREA
Ransomware, presumably WannaCry, infected numerous LG self-service kiosks in South Korea that were running an unpatched OS.
-
CRYPTOMIX LINEAGE GETS BIGGER
New iteration of CryptoMix concatenates the .ERROR extension to files and creates _HELP_INSTRUCTION.txt ransom how-to.
-
SCREEN LOCKER WITH POLISH ROOTS
Unnamed screen locker starts infecting computers in Poland. Researchers figured out that the unlock code is 023135223.
-
UNUSUAL TACTIC OF THE CYRON RANSOMWARE
This one displays an alert about “children pornsites” detected in a victim’s browsing history. Appends the .CYRON extension to files.
-
KAPPA RANSOMWARE SPOTTED
The sample called Kappa is a derivative of the Oxar ransomware. Still uses the .OXR extension to blemish encrypted data.
-
TROJAN DZ RANSOMWARE
Trojan Dz turns out to be a CyberSplitter ransomware spinoff. Stains files with the .Isis string and demands 0.5 BTC.
-
OXAR STRAIN UPDATED AGAIN
The second Oxar variant surfaces during the day. Shows animated warnings, uses the .OXR file suffix and demands $20 worth of BTC.
-
RESEARCHER GETS A MESSAGE VIA NEW RANSOMWARE
Karsten Hahn, a well-known malware analyst from Germany, discovered a Hidden Tear spinoff displaying a picture of him.
-
INTERESTING FINDINGS OF MCAFEE ANALYSTS
According to McAfee, 30% of all ransomware the company detected in June were Hidden Tear offshoots.
-
XOLZSEC RANSOMWARE BASED ON POC
Based on EDA2 proof-of-concept, this one appends the .xolzsec extension to files. Claims to have been made by a script kiddie.
-
FRENCH OFFSHOOT OF HIDDEN TEAR
New HT variant is released that targets French users. Uses the .locked extension and TUTORIEL.bmp/READ_IT_FOR UNLOCK.txt notes.
-
UKRAINE MAY FACE ANOTHER RANSOMWARE OUTBREAK
Ukrainian security company ISSP warns about a possible new series of ransomware attacks following another accounting software hack.
-
FLATCHESTWARE BADDIE POPS UP
The specimen called FlatChestWare is one more Hidden Tear offshoot. Concatenates the .flat extension to encoded files.
-
HIDDEN TEAR SPINOFFS KEEP COMING
New HT derivative called VideoBelle appears. It zeroes in on French users, uses the .locked extension and Message_Important.txt note.
-
CRYAKL-RELATED UTILITY SPOTTED
Researchers come across a manual counterpart of the encryptor used by the Cryakl ransomware family. It’s written in Delphi.
-
CYPHER RANSOMWARE BEING CREATED
Python-based Cypher ransomware (note the spelling) affixes the .enc extension to locked files. Currently in development.
-
WOOLY, ANOTHER CRUDE RANSOM TROJAN
This sample is written in .NET. Automatically installs Tor onto a targeted host and subjoins the .wooly suffix to encrypted data.
-
CRYPTOMIX GETS AN UPDATE
New variant of the CryptoMix ransomware appends the .EMPTY string to files and uses _HELP_INSTRUCTION.txt restore manual.
-
CHINESE APP HELPS CREATE ANDROID RANSOMWARE
Researchers spot a Chinese ‘Trojan Development Kit’ that fully automates the process of creating ransomware for Android.
-
PA-SIEM RANSOMWARE DETECTED
Predictably enough, this sample concatenates the .PA-SIEM extension to files, whatever that means. It is in-dev so far.
-
ARENA EDITION OF THE CRYSIS RANSOMWARE
New version of the Crysis/Dharma ransomware appears. Appends the .id-[victim ID].[chivas@aolonline.top].arena extension to files.
-
DEFRAY STRAIN TARGETING HIGH-PROFILE VICTIMS
Brand new specimen dubbed Defray zeroes in on healthcare, educational, manufacturing and technology organizations.
-
FALSE ALARM ON A HIDDEN TEAR VARIANT
Security analysts bump into an HT spinoff using the .locked extension, which turns out to be made for the EkoParty security conference.
-
NEW SAMPLE THAT DOESN’T DO ANY REAL DAMAGE
Dubbed RansomPrank, this one doesn’t go further than displaying a warning screen. No crypto is implemented. Demands 0.5 BTC.
-
WOOLY RANSOMWARE GOES LIVE
The specimen called Wooly switches its status from in-dev to real-life. Uses the .wooly extension for hostage data.
-
BTCWARE GETS “NUCLEAR”
New variant of BTCWare strain appears. It appends files with an attacker’s email address followed by the .nuclear extension.
-
STRAWHAT RANSOMWARE
Concatenates files with a random extension and drops ransom how-to’s named YOUR_FILES_ARE_ENCRYPTED.html/txt.
-
MINDSYSTEM SAMPLE DOES LITTLE DAMAGE
New one called the MindSystem ransomware actually encrypts data but provides the decryption service free of charge.
-
CRYING RANSOMWARE IN THE WILD
Created by a dev nicknamed ‘h4xor’. Goes with a GUI, doesn’t use any extra file extensions, and demands $600 worth of BTC.
-
UNREASONABLE MOVE BY THE TROLL RANSOMWARE
Leverages XOR crypto to encrypt all data on a computer, including system files. This can cause OS malfunctions.
-
SCOTTISH HOSPITALS FALL VICTIM TO A BLACKMAIL VIRUS
Several hospitals in Lanarkshire, Scotland, get infected with a ransomware strain called BitPaymer. Attackers demand 53 BTC.
-
IRS ISSUES A RANSOMWARE WARNING
US Internal Revenue Service advises users to exercise caution with ransomware malspam impersonating this government agency.
-
AKIRA RANSOMWARE COMING UP
Currently in development, this specimen uses the .akira extension for hostage files. Encrypts data in the Video folder only.
-
SAHER BLUE EAGLE RANSOMWARE UPDATE
Fresh version of the Saher Blue Eagle strain appears. The good news is, it’s crude and does not complete the encryption routine.
-
RESEARCHER SETS UP A RANSOMWARE DEMO
MHT’s Michael Gillespie joins the Hackable podcast and infects the host’s computer with ransomware to demonstrate how it works.
-
KEYMAKER RANSOMWARE WAVE TAKES ROOT
Based on Hidden Tear, the KeyMaker ransomware appends the .CryptedOpps extension to files and drops READ_IT.txt rescue note.
-
HAZE RANSOMWARE FAILS TO IMITATE PETYA
The strain called Haze shows a warning screen very similar to Petya’s. Fortunately, it does not actually encrypt anything.
-
OHNO! RANSOMWARE WITH OFFBEAT PAYMENT OPTION
The OhNo! strain instructs victims to pay ransoms in Monero (2 XMR), whereas almost all counterparts opt for Bitcoin.
-
PRINCESS LOCKER DISTRIBUTION ENHANCED
According to Malwarebytes analysts, the Princess Locker ransomware has started employing the RIG exploit kit for propagation.
-
CLEVER CONTAMINATION TRICK BY LOCKY
New Locky campaign uses on-close MS Word macros that download the infection when a user closes a file attached to malspam.
-
CRYPTOMIX FAMILY GETS LARGER
One more CryptoMix version pops up. It affixes the .arena string to encrypted files and drops _HELP_INSTRUCTION.txt ransom note.
-
MORE MONGODB SERVERS HACKED
In a new campaign, 3 cybercriminal groups hijack more than 26,000 MongoDB databases and hold their contents for ransom.
-
HIDDEN TEAR VARIANT CALLED NULLTICA
New HT spinoff called Nulltica uses the .lock file extension and sends booby-trapped messages to victims’ Facebook contacts.
-
ULTIMO STRAIN IS UNDERWAY
Ultimo is yet another Hidden Tear PoC derivative at large. Speckles encrypted files with the .locked string.
-
NEW VARIANT OF KNOWN SCREEN LOCKER SPOTTED
Like its precursor, this one displays “Your Windows Has Been BANNED” lock screen and demands $50 worth of BTC to unlock.
-
GLOBEIMPOSTER UPDATE
Fresh GlobeImposter offshoot appends files with the .clinTON suffix and instructs victims to contact Bill_Clinton@decrymail.org.
-
CONFICKER RANSOMWARE FINE-TUNED
This sample’s prototype was discovered in mid-April 2017. The newcomer uses the .Saramat file extension and asks for 0.5 BTC.
-
SYNACK, NEW STRAIN WITH AMBITIONS
New SynAck ransomware is on the rise. It uses extensions of 10 random hexadecimal chars and RESTORE_INFO-[id].txt ransom notes.
-
TEAMWINLOCKERWINDOWS TROJAN DISCOVERED
TeamWinLockerWindows screen locker is of Russian origin. Additionally changes the HOSTS file to block some sites, including Google.
-
APOLLOLOCKER TARGETING TURKISH USERS
Uses the .locked file extension and drops DOSYALARI-KURTAR[random].txt/url ransom how-to’s. Also pilfers personal data.
-
MULTILINGUAL “HACKED” RANSOMWARE
Appends the .hacked string to encrypted files. Ransom notes provide language choice out of English, Italian, Spanish, and Turkish.
-
FRANSOMWARE IN DEVELOPMENT
The sample called FRansomware is still crude and doesn’t encrypt any data. Demands $150 worth of Bitcoin regardless.
-
DILMALOCKER TARGETS SPANISH-SPEAKING AUDIENCE
DilmaLocker ransomware affixes the .__dilmaV1 extension to locked files and uses RECUPERE_SEUS_ARQUIVOS.html ransom note.
-
GLOBEIMPOSTER VERSION WITH VALID SIGNATURE
New GlobeImposter edition (.f41o1 extension, READ_IT.html note) now uses a signed payload file with verified signature.
-
AMNESIA SPINOFF POSING AS WANNACRY
An iteration of the Amnesia ransomware tries to mimic the WannaCry strain in a way, concatenating the .wncry string to files.
-
GLOBEIMPOSTER IS NO LONGER SIGNED
Another GlobeImposter variant is released in quick succession. Uses the .4035 extension and no longer features a valid certificate.
-
STRAIN TAKING AFTER LOCKY
Dubbed ArmaLocky, this Locky copycat uses similar ransom notes and concatenates the .armadilo1 string to hostage files.
-
SAMAS/SAMSAM RANSOMWARE UPDATE
New version of the Samas ransomware is released. It switches to using the .disposed2017 suffix for ransomed data.
-
NEW DELPHI-BASED STRAIN POPS UP
Affixes the .[restoreassistant2@tutanota.com].locked_file extension to files and uses !HOW_TO_UNLOCK_FILES!.html how-to’s.
-
PARADISE RANSOMWARE DISCOVERED
Appears to be an independently developed sample. Concatenates the .[info@decrypt.ws].paradise extension to files.
-
EXOLOCK SAMPLE IS NOTHING EXTRAORDINARY
New ExoLock ransomware subjoins the .exolocked string to encrypted files and demands 0.01 BTC ($40) for restoring them.
-
POLISH JIGSAW RANSOMWARE SPINOFFS SPOTTED
The two Jigsaw editions use the .pablukCRYPT and .pabluk300CrYpT! extensions for locked data and a new desktop background.
-
INTERESTING FINDINGS ABOUT RANION RAAS
It turns out that the Ranion Ransomware-as-a-Service distributes a blackmail Trojan that’s a Hidden Tear PoC derivative.
-
BLACKHAT RANSOMWARE
This one is an offshoot of the MoWare_H.F.D. lineage based on Hidden Tear. Uses the .H_F_D_locked extension and XOR cipher.
-
REALLY VULGAR RANSOMWARE CALLED SOFUCKED
SoFucked ransomware is full of bad language, obviously. It uses the .fff file extension and READTHISHIT.txt ransom note.
-
HAPPY CRYPTER ISN’T SO FUN
Although still in development, Happy Crypter performs encryption but doesn’t add any extension to files. Demands 0.9 BTC.
-
LOCKED_FILE STRAIN UPDATED
Drops ransom how-to’s named !HOW_TO_UNLOCK_FILES!.html and still uses restoreassistant2@tutanota.com contact email.
-
IN-DEV PAYORDIE RANSOMWARE
This brand-new specimen encrypts files and base64 encodes filenames. Doesn’t affect data beyond Desktop directory.
-
GLOBEIMPOSTER STILL HYPERACTIVE
The latest edition of GlobeImposter uses the .reaGAN file extension and Ronald_Reagan@derpymail.org email for victim interaction.
-
MYSTIC RANSOMWARE RELEASED
Unlike most strains out there, the Mystic ransomware doesn’t concatenate any extension to filenames. Uses ransom.txt how-to.
-
CROOKS SEND HIDDEN MESSAGE TO A RESEARCHER
New Dcry ransomware version surfaces that uses the .dian file extension. Its code contains a message for MHT’s Michael Gillespie.
-
RESTOLOCKER, ONE MORE HT SPINOFF
New Hidden Tear based sample called RestoLocker appears. Speckles data with the .HeroesOftheStorm extension. Currently in-dev.
-
RBY RANSOMWARE DETECTED
RBY blackmail Trojan is a fresh version of the Kryptonite ransomware. Displays a warning screen in Russian and English.
-
NEW EXTENSION ADDED TO PSCRYPT’S ARSENAL
PSCrypt ransomware switches to using the .paxynok string to label encrypted files. Still spreads mostly in Ukraine.
-
HTA VIRUS DEVELOPMENT IN PROGRESS
Researchers come across fresh in-dev ransomware called HTA Virus. Based on ransom notes, it is intended to target German users.
-
BUD RANSOMWARE MAKING THE ROUNDS
This one is functionally similar to Jigsaw ransomware. Uses the .bud extension for ransomed data and demands €500 worth of Bitcoin.
-
HACKERS INVASION RANSOMWARE
Affixes the .Doxes extension to locked files and demands a ridiculous $120,000 for decryption. Can be decrypted for free.
-
LOUSY FBI-THEMED RANSOMWARE SPOTTED
A decryptable spinoff of the Stupid ransomware with FBI logo on the warning screen. Uses the .XmdXtazX extension and requests €35.
-
YKCOL VERSION OF LOCKY APPEARS
The Locky ransomware gets an update, introducing new .ykcol extension for ransomed data and ykcol.htm/bmp rescue notes.
-
PENDOR RANSOMWARE DISSECTED
Pendor displays a CMD style lock screen requesting numeric input. Demands $50 worth of BTC. May potentially be decryptable.
-
ZONEWARE STRAIN DETECTED
Currently in development. Concatenates the .ZW suffix to encoded data and extorts 0.025375 BTC for data recovery.
-
NEW SAMAS RANSOMWARE EDITION
The latest Samas/SamSam variant uses the .myransext2017 file extension and 005-DO-YOU-WANT_FILES.html ransom how-to.
-
FRESH SCREEN LOCKER APPEARS
Researchers spot a new screen locking virus that pretends to be from the FBI. Demands $300. The unlock code is ‘rhc@12345’.
-
HITLER RANSOMWARE IS IN PLAY AGAIN
New version of the almost forgotten Hitler ransomware appears. The warning message is in German. Extorts €10 for decryption.
-
RANSOMWARE DIVIDES CYBERCRIME UNDERGROUND
Admins of East European hacking forums are reportedly disputing whether to allow ransomware promotion via their resources.
-
CRYPTOMIX RANSOMWARE UPDATE
The most recent version of CryptoMix appends the .SHARK extension to files and drops _HELP_INSTRUCTION.txt ransom note.
-
NEW ROTORCRYPT VARIANT SPOTTED
Uses the following file extension to blemish encrypted data: !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66.
-
CYBERDRILL_2 RANSOMWARE
Fresh Hidden Tear offshoot that concatenates the .cyberdrill string to encrypted files. GUI includes DDoS threats.
-
POLISH SAMPLE CALLED TECHNICY
This one’s code is based on Hidden Tear PoC. Concatenates the .technicy extension to locked files.
-
LOCKY BECOMES INCREASINGLY PREVALENT
The Ykcol variant of Locky is being distributed via six concurrent malspam waves generated by a new affiliate.
-
NRANSOM SAMPLE ACTS IN A VERY UNUSUAL FASHION
The new nRansom strain demands that victims send 10 nude pictures of themselves in order to unlock a hijacked computer.
-
BRAND NEW SCREEN LOCKER FOUND
Researchers stumble upon a fresh in-development screen locker whose binary is named ‘PoetralesanA Virus Maker.exe’.
-
MESSAGE OF DEATH RANSOMWARE
This one concatenates the .locked extension to hostage files and demands $350 worth of Bitcoin for recovery. Currently in-dev.
-
CYBERSOLDIER STRAIN RELEASED
Stains data with the .CyberSoldiersST extension. Crude so far, only renames files without actually encrypting them.
-
WYVERN VARIANT OF BTCWARE
The BTCWare family expands with an edition that appends files with the .wyvern extension preceded by attacker’s email and victim ID.
-
INFINITYLOCK BEHAVES DIFFERENTLY
Having encrypted one’s files, InfinityLock displays a bogus command prompt window imitating commands being typed in remotely.
-
GAME OF THRONES REFERENCES IN LOCKY CODE
Visual Basic scripts engaged in Locky/Ykcol ransomware distribution are found to contain references to the Game of Thrones series.
-
REDBOOT RANSOMWARE MIGHT BE A WIPER
RedBoot encrypts files with the .locked extension and corrupts MBR along with partition table. It provides no recovery option, though.
-
SUPERB STRAIN IS SOMEWHAT UNUSUAL
The sample called SuperB encrypts copies of files, affixes the .enc string to them and overwrites original ones with ransom how-to’s.
-
JOHN’S LOCKER DOESN’T DO MUCH HARM
This one fails to encrypt any files but still futilely demands Bitcoins for recovery. Closing the pest’s GUI addresses the problem.
-
NOTHING IMPRESSIVE ABOUT CRYPTOCLONE
Dubbed CryptoClone, this specimen is a CryptoLocker lookalike using the .crypted file extension. It is quite likely decryptable.
-
NEW SCREEN LOCKER CRACKED
Researchers come across a fresh screen locker that tries to extort $50 worth of BTC. Victims can use ‘qwerty’ code for unlocking.
-
ONION3 CRYPT V.3
This is one more Hidden Tear spinoff in the wild. It adds the .onion3cry-open-DECRYPTMYFILE string to encrypted files.
-
BILINGUAL THT LOCKER INFECTION
The brand-new ransom Trojan in question displays a lock screen containing an alert in Russian and English.
-
BLACKMIST SAMPLE SPOTTED
Currently in-dev, BlackMist ransomware appends ‘blackmist’ to files, without a dot before extension. Sets a 48-hour payment deadline.
-
BITDEFENDER’S TOOL FOR IDENTIFYING RANSOMWARE
Bitdefender Labs release Ransomware Recognition Tool that accurately identifies a crypto strain that the user is hit by.
-
ANOTHER DULL SCREEN LOCKER APPEARS
Security analysts discover a screen locking virus that generates a lock message in Portuguese. Nothing else is noteworthy about it.
-
A TRICKY HIDDEN TEAR OFFSHOOT
New unnamed HT variant attempts to send crypto keys over email. Drops READ_IT.txt note and affixes the .locked string to files.
-
LOCKY AND TRICKBOT SPREADING VIA THE SAME WAVE
A Necurs spam campaign is spotted that delivers either Locky or Trickbot banking malware depending on victim’s location.
-
PARADISE RANSOMWARE UPDATE
Fresh iteration of the Paradise culprit drops ransom how-to in HTML format. It used to leave instructions in a TXT file.
-
CYPHER RANSOMWARE MODIFIED
The Python-based Cypher pest switches to .crypt extension for locked data entries instead of the previously used .enc suffix.
-
LASER LOCKER BETA BUILDER SPOTTED
Laser Locker Beta is a tool allowing criminals to easily generate custom versions of the SurveyScreenlocker ransomware.
-
SLOVENIAN DMA LOCKER IMITATION DISCOVERED
The rogue DMA Locker ransomware sample uses a warning image that’s just a screenshot of the original taken from a security site.
-
NEW JIGSAW RANSOMWARE VERSION APPEARS
The newcomer uses Anonymous themed background for its ransom window and subjoins the .fun extension to hostage files.
-
BTCWARE STRAIN UPDATED
New BTCWare edition is released that concatenates the .payday extension to files and uses !! RETURN FILES !!.txt ransom note.
-
RANSOMWARE-THEMED TECH SUPPORT SCAM
A tech support fraud campaign takes root where users keep getting fake browser messages saying “Ransomware Detected”.
-
SAMAS RANSOMWARE TWEAK
Another detected iteration of the Samas ransomware lineage blemishes encoded files with the .loveransisgood extension.
-
U.S. CITY ATTACKED BY RANSOMWARE
The internal information system of the City of Englewood, Colorado, gets infected with an unidentified ransomware strain.
-
ARKANSAS HEALTHCARE FACILITY HIT BY BLACKMAIL TROJAN
Arkansas Oral and Facial Surgery Center states its IT network was compromised by ransomware on July 26, 2017.
-
ENDER RANSOMWARE SPOTTED
Brand new ransomware called Ender locks the screen of an infected computer. Victims can use ‘aRmLgk8wboWK5q7’ unlock code.
-
NEW INFECTION TRICK BY GLOBEIMPOSTER DEVS
A GlobeImposter ransomware variant arrives via spam disguised as website job application containing malign Word macros.
-
LOCKON RANSOMWARE SPOTTED
This in-development strain is configured to concatenate the .lockon extension to encoded data. Somewhat crude at this point.
-
BUGWARE CULPRIT IN THE WILD
BugWare displays a rescue note in Portuguese and adds the .[SLAVIC@SECMAIL.PRO].BUGWARE string to locked files.
-
NEW LOCKY VERSION RELEASED
The latest iteration of Locky brings about new .asasin extension for encrypted files along with asasin.htm/bmp ransom how-to’s.
-
FRESH SCREEN LOCKER FROM NOTORIOUS LINEAGE
Another edition of the “Your Windows Has Been Banned” screen locking virus is detected. Presumably of Turkish origin.
-
ANONCRACK SPECIMEN
A Hidden Tear POC variant called AnonCrack takes root. It displays warnings in Spanish and subjoins the .crack suffix to skewed files.
-
ROTORCRYPT UNDERGOES AN UPDATE
New edition of the RotorCrypt ransomware uses the .biz extension to blemish encrypted files and a ransom note named DOCTOR.
-
ATCHBO RANSOMWARE
The brand-new blackmail malware called Atchbo concatenates the .ExoLock string to files and demands 0.007 BTC for decryption.
-
RANSOMWARE ECONOMY GROWING RAPIDLY
According to security firm Carbon Black, the underground marketplace propping up ransomware reportedly grows by 2,500% per year.
-
MINOR UPDATE OF BTCWARE
The latest BTCWare variant appending the .payday file extension token switches to using Checkzip@india.com contact email.
-
NEW BUGWARE OFFSHOOT RELEASED
The build features new GUI and uses the .[SLAVIC@SECMAIL.PRO].CRIPTOGRAFADO extension for scrambled files.
-
TRICKY ANDROID RANSOMWARE SURFACES
Dubbed DoubleLocker, this Android infection gets recursively executed every time the device’s Home button is pressed.
-
CRYPTOMIX FINE-TUNED
Fresh version of the CryptoMix ransom Trojan subjoins the .x1881 suffix to files and drops _HELP_INSTRUCTION.txt ransom note.
-
ANUBI, A NEW SPECIMEN OUT THERE
The sample in question uses the .[anubi@cock.li].anubi string to label encrypted files and leaves __READ_ME__.txt ransom manual.
-
CCORD RANSOMWARE POPS UP
Brand-new screen locker called CCord SystemLocker might be a challenge game made by a German ‘enthusiast’ nicknamed MaxBe.
-
WANNACRY AS AN INTIMIDATION INSTRUMENT
Fresh tech support scam is spotted that involves browser redirects to a page stating the computer is contaminated with WannaCry.
-
A WRITE-UP ON SAGE 2.2 RANSOMWARE
Cybersecurity researcher Bart (@bartblaze) posts a detailed technical overview of the Sage v2.2 ransomware on his blog.
-
VIIPERWARE, ANOTHER FILE-ENCRYPTING TROJAN
This one is an in-development offshoot of the educational Hidden Tear ransomware. Adds the .viiper extension to crypted data.
-
CRYPTODEMO PURSUING AN OFFBEAT GOAL
The CryptoDemo sample made by someone nicknamed Eicar resembles CryptoLocker and is used to check AV detection rate.
-
TYRANT RANSOMWARE
Aka Crypto Tyrant, the pest in question is a spinoff of the so-called Dumb ransomware codebase that was previously outsourced.
-
VORTEX STRAIN UPDATED
The latest edition of the fairly old Vortex ransomware uses a rescue note named “#$# JAK-ODZYSKAC-PLIKI.txt” written in Polish.
-
SCREEN LOCKER THAT LOOKS LIKE A PRANK
The lock screen says, “Your computer is running a pirated version of Windows”. Demands $100 worth of Ethereum and 20 nude pics.
-
RANSOMWARE USED TO HIDE THIEVES’ TRACKS
North Korean cybercrooks reportedly used the Hermes ransomware to distract attention from a recent Taiwan bank heist.
-
BLIND RANSOMWARE SPOTTED
Resembles CrySiS/Dharma, concatenates the .blind extension to locked files and uses How_Decrypt_Files.hta ransom how-to.
-
MORE HT OFFSPRING IN THE WILD
Analysts discover an Italian Hidden Tear version authored by somebody with the alias ‘The Magic’. Uses the .locked file extension.
-
ANOTHER ROTORCRYPT EDITION
One more iteration of RotorCrypt pest goes live. Affixes the !____________DESKRYPT@TUTAMAIL.COM________.rar string to files.
-
MAGNIBER, A LIKELY CERBER HEIR
New ransomware dubbed Magniber appears. It uses random extensions and bears a close resemblance to the Cerber ransom Trojan.
-
GEO RESTRICTIONS OF MAGNIBER
This quality strain appears to only zero in on South Korean users at this point. This limited spreading may be a test run.
-
PARTIALLY EFFECTIVE MAGNIBER DECRYPTOR RELEASED
Researchers at Zimperium security company find a way to decrypt Magniber. Only works for a variant using hard coded crypto key.
-
NEW SPAM CAMPAIGN SPREADING BUGWARE
A WhatsApp malspam wave is spotted that disseminates the payload for Bugware strain using the .CRIPTOGRAFADO extension.
-
SAHER BLUE EAGLE SPECIMEN UPDATED
Fresh version switches to using the .SaherBlueEagleRansomware extension for hostage data items.
-
ANOTHER FBI THEMED RANSOMWARE
This one (.XmdXtazX file extension) was made by a cynical developer who emphasizes he can set the ransom size as he pleases.
-
LORDOFSHADOW PEST OUT THERE
Yet another Hidden Tear spinoff targeting Brazilian users. Adds the .lordofshadow string to files and drops LEIA_ME.txt ransom note.
-
ORDINAL, ONE MORE HIDDEN TEAR OFFSHOOT
New HT based Ordinal ransomware uses the .ordinal extension and READ Me To Get Your Files Back.txt.Ordinal rescue note.
-
FRESH TOOL CREATED TO ASSIST RANSOMWARE VICTIMS
Called McAfee Ransomware Recover (Mr2), the utility automatically identifies a strain and suggests a free decryptor if available.
-
ID RANSOMWARE CELEBRATES ANOTHER MILESTONE
The ID Ransomware online service devised by MalwareHunterTeam is now capable of identifying 500 ransomware lineages.
-
WINDOWS 10 UPDATE DELIVERS A USEFUL FEATURE
The latest build of Windows 10 goes equipped with ‘Controlled Folder Access’ functionality thwarting file changes by ransomware.
-
ALLCRY RANSOMWARE ON THE TABLE
The sample called AllCry subjoins the .allcry suffix to encrypted files and demands 1 BTC for decryption.
-
HALLOWEEN THEME IS ALREADY IN THE AIR
New Trick or Treat ransomware is discovered. Fortunately, it fails to perform data encryption and simply displays a spooky warning.
-
MEET PENNYWISE RANSOMWARE
This fresh incarnation of the Jigsaw strain concatenates the .beep extension to files and displays a pic of the Pennywise character.
-
COMRADE RANSOMWARE RELEASED
Yet another Hidden Tear variant. Affixes the .comrade string to locked files and creates a ransom how-to named DECRYPT_FILES.txt.
-
BADRABBIT RANSOMWARE IS AN OFFBEAT ONE
The baddie called BadRabbit behaves similarly to NotPetya (affects Master Boot Record) and spreads predominantly in Eastern Europe.
-
TIES BETWEEN BADRABBIT AND NOTPETYA ARE OBVIOUS
Several security firms unveil that the BadRabbit and NotPetya campaigns were operated by the same cybercriminal group.
-
BADRABBIT IMPACT NOT RESTRICTED TO EUROPE
According to some reports, a small fraction of BadRabbit ransomware victims are organizations based in the United States.
-
EXTENSIVE BREAKDOWN OF THE BADRABBIT ISSUE
A number of IT security companies post articles with comprehensive technical analysis of the newsmaking BadRabbit ransomware.
-
TYRANT RANSOMWARE ON THE RISE
The number of incidents involving the Tyrant, or Crypto Tyrant, ransomware is currently soaring in Iran. Pretends to be a VPN app.
-
BADRABBIT DIDN’T DO WITHOUT NSA EXPLOITS
Said outbreak of online extortion was reportedly bolstered by one of the previously dumped NSA exploits, dubbed Eternal Romance.
-
WANNABEHAPPY RANSOMWARE
Although WannaBeHappy sounds antonymous to the infamous WannaCry, it encrypts files (.encrypted extension) just as professionally.
-
KERKOPORTA IS A HECK OF A DANGEROUS COMBO
This Greek malware package encompasses a piece of crypto ransomware and a sneaky RAT (Remote Access Tool).
-
RUBINA5 RANSOMWARE SAMPLES BEING SOUGHT
MalwareHunterTeam’s Michael Gillespie starts a hunt for the scarcely analysed ransomware sample using the .rubina5 file extension.
-
LOSERS RANSOMWARE HAS SOME GEO PREFERENCES
This one is a spinoff of the Cry36/Nemesis codebase. Mainly targets Indonesian users and appends the .losers suffix to hostage files.
-
EXTORTION THROUGH SERVER HACKS
A new blackmail tactic is gaining momentum, where crooks breach servers, move data to password-protected ZIPs and demand ransoms.
-
MATRIX RANSOMWARE WAVE TAKEN A NOTCH FURTHER
The existing strain called Matrix ransomware gets enhanced in that it is now being distributed via the RIG exploit kit.
-
XIAOBA RANSOMWARE IN THE WILD
Zeroing in on Chinese users, the XiaoBa infection stains files with the .XiaoBa[number range 1-34] extension.
-
XRANSOM, NOT MUCH UNDER THE HOOD YET
The sample called xRansom is in testing mode at this point. Only encrypts 4 file types and doesn’t use any extension or how-to’s.
-
YYTO STRAIN UPDATED
YYTO has hardly ever been in active rotation, and yet it undergoes an update. The new file extension is colecyrus@mail.com.b007.
-
BADRABBIT MAY BE DECRYPTABLE, IF STARS ALIGN
The Trojan may fail to delete shadow copies of one’s data and may mishandle its crypto keys, so users may be able to restore files.
-
PLUS 1 FOR THE XORIST FAMILY
A fresh edition of the Xorist ransomware surfaces that concatenates the .error[victim ID] extension to locked files.
-
GLOBEIMPOSTER LINEAGE REFRESHED
The latest GlobeImposter ransomware variant switches to using the .apk extension token for ransomed data.
-
TRICK OR TREAT RANSOMWARE UPDATED
This Halloween themed ransomware now uses a different background for the warning screen and features updated text.
-
ONI RANSOMWARE USED FOR DISTRACTION MANEUVER
The sample called ONI is part of a well-orchestrated hoax targeting Japanese companies, in tandem with Ammyy Admin RAT.
-
RANSWARE STRAIN APPEARS
While failing to encrypt any data for real, RansWare instructs victims to submit a whopping 100 BTC ransom for recovery.
-
ANOTHER HT VARIANT, MADE IN FRANCE
Hidden Tear spinoff with French roots adds the .hacking extension to files and tells victims to contact the attacker via email.
-
THE POWER OF HIDDEN TEAR OVERSTATED BY CROOKS
New HT iteration uses the .locked extension to blemish encrypted files and says it’s “one of the most powerful ransomware’s around”.
-
MAGNIBER RANSOMWARE TWEAK
The most recent spotted edition of the Cerber-like Magniber strain concatenates the .skvtb suffix to encrypted data items.
-
NEW JIGSAW VERSION RELEASED
The newcomer to the Jigsaw syndicate affixes the .game extension to encoded data. No further changes have been made.
-
HERMES 2.1 RANSOMWARE
Hermes ransomware reaches version 2.1. Appends the .HRM string to files and drops DECRYPT_INFORMATION.html ransom note.
-
MATRIX RANSOMWARE UPDATE
Another Matrix variant subjoins the _[RELOCK001@TUTA.IO].[original extension] to files and uses !OoopsYourFilesLocked!.rtf note.
-
GIBON STRAIN IN THE WILD
Circulates via malicious Word macros, appends the .encrypt extension to hostage files and drops READ_ME_NOW.txt ransom how-to.
-
SAD RANSOMWARE RELEASED
Generates a unique ID for each victim and uses it as the file extension. The ransom notification is named _HELPME_DECRYPT_.html.
-
RANION BLACKMAIL VIRUS GETS A FACELIFT
Ranion switches to using the .ransom extension for encrypted files and README_TO_DECRYPT_FILES.html rescue note.
-
CURUMIM STRAIN, A BYPRODUCT OF HIDDEN TEAR
Portuguese spinoff of the Hidden Tear project surfaces called Curumim ransomware. Uses the .curumim extension for hostage files.
-
XIAOBA RANSOMWARE UPDATED
The new variant uses a different lock screen demanding 250 RMB (37.696 USD) worth of Bitcoin to unlock the computer.
-
ZIKA RANSOMWARE
Based on Hidden Tear PoC. Generates a ransom notification in Spanish and concatenates the .teamo string to encrypted files.
-
WAFFLE RANSOMWARE DOESN’T TASTE GOOD
This one is all about waffles: that’s what its ransom note is called, it displays an image of waffles, and uses the .waffle file extension.
-
GIBON RANSOMWARE PUSHED VIA DARK WEB RESOURCES
It turns out that the recently discovered GIBON ransomware has been advertised on hacker forums since May 2017.
-
SIGMA RANSOMWARE HUNTED DOWN
The brand new Sigma sample appends random extensions to hostage files, drops Readme.txt rescue note and demands $1,000 in BTC.
-
CHRISTMAS RANSOMWARE RELEASED WAY IN ADVANCE
Displays a gloomy picture of a tree with Christmas toys. The size of the ransom is 0.03 BTC (about $200). Based on open-source code.
-
U.S. CITY FALLS VICTIM TO RANSOMWARE
Computer system of Spring Hill, Tennessee, gets impacted by unknown ransomware. The crooks demand $250,000 for decryption.
-
JHASH RANSOMWARE APPEARS
Jhash is a Hidden Tear variant targeting Spanish-speaking users. Subjoins the .locky extension to encoded files.
-
DESTRUCTIVE GIST OF THE ORDINYPT RANSOMWARE
Going after German users, Ordinypt irreversibly damages victims’ data. The ransom note is named Wo_sind_meine_Dateien.html.
-
LOCKCRYPT REMADE TO HIT SERVERS
The extortionists behind LockCrypt ransomware access enterprise servers via RDP and deposit the file-encrypting infection manually.
-
CRYSIS RANSOMWARE TWEAK
The latest CrySiS ransomware edition appends the .[cranbery@colorendgrace.com].cobra extension to files and uses Info.hta note.
-
LOL RANSOMWARE USES INTERESTING CAMOUFLAGE
The payload of the LOL ransomware is disguised as a keygen program. It uses the .lol file extension and demands 0.1 BTC.
-
JIGSAW FAMILY CONTINUES TO EXPAND
Fresh version of the Jigsaw ransomware affixes the .##ENCRYPTED_BY_pablukl0cker## string to encrypted files.
-
STRAIN MIMICKING A LAW ENFORCEMENT AGENCY
A Hidden Tear variant. The warning screen says, “Your computer is blocked by cyber police for unlicensed software’s usage.”
-
GLOBEIMPOSTER ADOPTS SOME NEW TACTICS
A big tweak in the new GlobeImposter variant has to do with the way it encrypts and extracts its configuration data.
-
STROMAN RANSOMWARE UPDATED
Although the original build hasn’t been very successful, the crooks have updated the code. Now uses .fat32 extension and info.txt note.
-
ONE MORE VERSION IN THE CRYPTOMIX LINEAGE
The most recent iteration switches to using the .XZZX extension for encrypted files. The how-to is still named _HELP_INSTRUCTION.txt.
-
JCANDY RANSOMWARE SURFACES
Concatenates the .locked-jCandy string to locked data entries, dropping READ_ME.txt and JCANDY_INSTRUCTIONS.txt ransom notes.
-
IN-DEV PEST TARGETING FRENCH USERS
Security analysts discover an in-development ransom Trojan providing instructions in French. Uses the .lockon extension for victims’ files.
-
NEW DECRYPTION BREAKTHROUGH BY RESEARCHERS
The Dr.Web anti-malware company releases the Rescue Pack tool that decrypts files encoded by Blind/Kill ransomware. Requires payment.
-
GLOBEIMPOSTER UPDATED ONCE AGAIN
New GlobeImposter ransomware persona adds the .kimchenyn extension to files and drops how_to_back_files.html rescue note.
-
AMNESIA2 VARIANT FAILS IN A WAY
This one adds the .am string to hostage files. The ENCRYPTED FILES.txt ransom note contains random digits instead of instructions.
-
GOOFED RANSOMWARE TAKES ROOT
A Hidden Tear offshoot that blemishes encrypted files with the .goofed extension and uses YOU_DONE_GOOFED.txt ransom how-to.
-
GLOBEIMPOSTER GOES SEXY
One more hastily released variant of GlobeImposter now subjoins the .SEXY string to encoded data items.
-
U.S. SCHOOL TARGETED BY TRICKY RANSOMWARE
The crude culprit zeroes in on J. Sterling Morton High School (Illinois) students. Pretends to be a student survey. No crypto so far.
-
RASTAKHIZ RANSOMWARE
This one is based on Hidden Tear. Comes with a well-designed GUI and concatenates the .RASTAKHIZ extension to ransomed files.
-
CRYPTOMIX RANSOMWARE TWEAK
The second CryptoMix version in a week switches to using the .0000 extension for hostage files and new contact emails.
-
WANNASMILE STRAIN ISN’T SO OPTIMISTIC
The WannaSmile blackmail virus stains files with the .WSmile suffix and uses ‘How to decrypt files.html’ ransom note.
-
SOME FACTS ON NEW CORRUPTCRYPT RANSOMWARE
The sample called CorruptCrypt uses two different extensions for scrambled files: .corrupt and .acryhjccbb@protonmail.com.
-
HAND OF GOD RANSOMWARE
A screen locker targeting Canadians, displaying its warnings in French and featuring an FBI-themed logo. Demands 0.06 BTC to unlock.
-
BASS-FES RANSOMWARE IN THE WILD
One of the multiple Hidden Tear variants released during the week. Concatenates the .basslock string to encoded files.
-
LOUSY RUSSIAN CLONE OF WANNACRY
Called ‘Wana die decrypt0r’, this one mimics WannaCry’s GUI and displays a ransom note in Russian. No real crypto so far.
-
CRYSIS RANSOMWARE UPDATED
A brand-new variant of the CrySiS/Dharma blackmail virus switches to concatenating the .java extension to encrypted files.
-
CRYAKL STRAIN UNDERGOES A CHANGE
The thought-to-be-extinct Cryakl ransomware species resurfaces with a fresh edition that adds the .fairytale string to ransomed data items.
-
LOCKET RANSOMWARE IS TOO CRUDE TO WORK RIGHT
Locket displays a ransom warning screen resembling that of CryptoLocker. Lacks encryption functionality at this point.
-
GLOBEIMPOSTER TWEAK
A new version of the GlobeImposter ransom Trojan uses the .Ipcrestore file extension and how_to_back_files.html rescue note.
-
QKG RANSOMWARE DISCOVERED
The qkG ransomware, aka qkG Filecoder, only encrypts Microsoft Office documents spotted on an infected computer.
-
IGOTYOU RANSOMWARE
This is an in-development ransom Trojan that affixes the .iGotYou extension to files and asks for 10,000 Indian rupees for recovery.
-
ANOTHER WANNACRY COPYCAT OUT THERE
One more imitation of the WannaCry ransomware generates a ransom alert in Portuguese and demands 0.006 BTC.
-
SCARAB RANSOMWARE ON A RAMPAGE
Propagates massively via the Necurs botnet. Appends the [suupport@protonmail.com].scarab extension to filenames.
-
SOME AFRICA-SPECIFIC RANSOMWARE STATS
According to Sophos, the top ransomware strains of 2017 in Africa are Cerber (80%), WannaCry (17%), Locky, Jaff, and Petya (1% each).
-
CRYP70n1C ARMY RANSOMWARE
A Hidden Tear spinoff. Concatenates the .cryp70n1c extension to locked files and provides 3 days to submit the ransom.
-
GIRLSOMWARE MADE FOR FUN
This sample appears to be a joke, because a) it doesn’t encrypt, and b) it tells victims to click a bunch of checkboxes for decryption.
-
EXO BUILDER ALLOWS CREATING NEW RANSOMWARE
Newly discovered Exo Builder tool automates the process of making new ransomware (.exo extension, UnlockYourFiles.txt note).
-
STORAGECRYPT, A THREAT TO NAS DEVICES
StorageCrypt targets Western Digital My Cloud NAS devices. Uses the .locked extension and _READ_ME_FOR_DECRYPT.txt how-to file.
-
SAMAS STRAIN UPDATED
The newest edition of the Samas/SamSam ransom Trojan concatenates the .areyoulovemyrans string to hostage data items.
-
MAGNIBER GOES THROUGH A TWEAK
A fresh variant of the Magniber ransomware adds the .vpgvlkb extension to files and leaves ‘read me for decrypt.txt’ rescue note.
-
NEW SPECIMEN TARGETING FRENCH USERS
Not catalogued under any known family thus far. Appends the .locked extension and adds READ_ME_FOR_ALL_YOUR_FILES.txt note.
-
HC6 RANSOMWARE CRACKED
A decryptor is out for the HC6 blackmail virus that uses the .fucku file extension and drops recover_your_files.txt recovery manual.
-
CRYPTON PUTS ON SOME NEW DISGUISE
The prolific CryptON ransomware gets an update. It switches to the .encrptd extension and pretends to be EaseUS Keygen tool.
-
CRYPT12 DEFEATED AGAIN DESPITE ANOTHER UPDATE
MHT’s Michael Gillespie upgrades his decryptor for the Crypt12 Trojan to support a new version (hello@boomfile.ru.crypt12 extension).
-
MAXICRYPT BEING HUNTED DOWN
Researchers announce a hunt for a scarcely analyzed sample that uses the .[maxicrypt@cock.li].maxicrypt extension for locked files.
-
IN-DEV WANNAPEACE RANSOMWARE
This one inserts the _enc string before the original extension of a targeted file. Currently does not spread in the wild.
-
CRYPT888 RANSOMWARE UPDATED
The latest variant of the Crypt888 blackmail culprit instructs victims to contact the attacker at maya_157_ransom@hotmail.com.
-
HC7 RANSOMWARE TWEAK
The relatively new HC7 file-encrypting malware stains encrypted data with the .GOTYA extension. Extensive analysis not done yet.
-
LOCALIZED OUTBREAK OF ACCDFISA BADDIE
Security experts notice a spike in ACCDFISA v2.0 infection instances isolated to Brazil. This one is a remake of a notorious sample.
-
ONE MORE SCREEN LOCKER SPOTTED
The executable file of this infection is named REAL DANGEROUS RANSOMWARE.exe. Does not encrypt anything, only locks the screen.
-
GLOBEIMPOSTER DISTRIBUTION ON STEROIDS
New variants of the GlobeImposter ransom Trojan have been making the rounds via Necurs, one of the biggest botnets out there.
-
CRYPTOMIX STRAIN UPDATED
A fresh iteration of the CryptoMix ransomware brings about the .TEST extension being concatenated to hostage files.
-
HALLOWARE INFECTION FOR SALE
Someone nicknamed ‘Luc1F3R’ is selling a turnkey kit for a new ransom Trojan called Halloware for only $40 on dark web forums.
-
BTCWARE GETS ‘SHADOWY’
A brand-new mod of the BTCWare ransom Trojan stains encrypted files with the .[attacker’s_email]-id-id.shadow extension.
-
GLOBE2 CONTINUES THE RECENT UPDATE TREND
The Globe2 ransomware follows suit with other widespread strains and spawns a new version using the .abc string for hostage files.
-
CLICO CRYPTOR PURSUES A BENIGN OBJECTIVE
While exhibiting basic ransomware characteristics, ClicoCrypter appears to be aimed at testing the efficiency of Check Point Software’s defenses.
-
YET ANOTHER MAGNIBER VERSION IS OUT
The most recent edition of the Magniber ransomware uses the .dlenggrl suffix to label one’s encrypted files.
-
INTERESTING WRITEUP ON MALICIOUS CODE SHARING
Analysts provide comparative analysis of two ransomware strains, Vortex and Bugware, both of which are based on open source code.
-
BLIND RANSOMWARE UPDATED
A fresh version of the Blind ransomware uses the .napoleon extension for hostage files and How_Decrypt_Files.hta ransom note.
-
ETERNITY RANSOMWARE SPOTTED
This somewhat buggy infection stains encrypted data items with the .eTeRnItY extension. The unlock code is 1234567890.
-
JCODER CULPRIT GETS A BIT OF FINE-TUNING
A new Vietnamese edition of the JCoder ransomware is discovered; it uses the .MTC file extension and the ‘WanaCry 0.2.ini’ ransom note.
-
MAGNIBER SPAWNS SEVERAL NEW SAMPLES
Three iterations of the Magniber Trojan take root, featuring the .dwbiwty, .fbuvkngy and .xhspythxn file extensions.
-
RANSOMWARE WITH SELF-EXPLANATORY NAME
Analysts come across a Spanish ransomware strain whose GUI is titled ‘PAYMENT’. Currently in development, with no crypto in place.
-
RANSOMMINE SAMPLE WITH KOREAN ROOTS
Appends the .RansomMine extension to enciphered files, hence the name. Restores data if it spots Minecraft 1.11.2 on a PC.
-
IN-DEPTH ANALYSIS OF HC6 RANSOMWARE RELEASED
In a post on Extreme Coders Blog, researchers dissect the modus operandi of the relatively new and quite offbeat HC6 ransomware.
-
HANDSOMEWARE SAMPLE IN THE WILD
The infection mimics ransomware behavior and does not encrypt any data for real. Displays a GUI with warning text in German.
-
CRYPT0 RANSOMWARE
The strain called Crypt0 is another spinoff of the academic Hidden Tear project. Adds random extensions to files while not encrypting.
-
A REALLY SMALL CHANGE OF THE CRYSIS RANSOMWARE
The CrySiS/Dharma strain mutates with a minor change. Now uses curly braces instead of square brackets in the string that precedes the .java extension.
-
MAGNIBER CONTINUES TO BE UPDATED
Yet another variant of the Magniber ransomware surfaces that switches to using the .dxjay string for encrypted files.
-
SHADOW BLOOD RANSOMWARE
One more offshoot of the Hidden Tear PoC called Shadow Blood appears. Concatenates the .TEARS suffix to files. In-dev thus far.
-
HC7 POTENTIALLY DECRYPTABLE
Security analysts came up with a way that might allow HC7 ransomware victims to recover their encrypted files without paying up.
-
SPINOFF OF A HIDDEN TEAR SPINOFF? THAT’S RIGHT
A previously released Hidden Tear variant (.hacking extension) undergoes a tweak and now displays a politics-themed wallpaper.
-
ID RANSOMWARE NOW FULLY SUPPORTS MAGNIBER
The ID Ransomware online service created by MHT is declared capable of identifying all variants of the Magniber ransomware.
-
STORAGECRYPT INFECTION CHAIN UNEARTHED
It turns out that StorageCrypt, a ransom Trojan targeting NAS devices, is spreading using a Linux vulnerability dubbed SambaCry.
-
U.S. BASED FERTILITY CLINIC HIT BY RANSOMWARE
A fertility clinic in Edina, Minnesota, was reportedly attacked by an unidentified ransomware strain that may have exposed patients’ data.
-
BTCWARE SWITCHES TO .WALLET EXTENSION
A fresh version of the prolific BTCWare ransom Trojan appends the .wallet extension, prefixed with the attackers’ email address, to files.
-
EXECUTIONERPLUS RANSOMWARE OUT THERE
May be based on the CryptoJoker codebase. Subjoins the .destroy.executioner or .pluss.executioner extension to encrypted files.
-
HC7 RANSOMWARE UPDATE
The HC7 strain edition currently in rotation infects computers via PsExec and concatenates the .GOTYA extension to locked data items.
-
COUNTY IN NORTH CAROLINA ATTACKED BY RANSOMWARE
Computer systems of Mecklenburg County, NC, get contaminated with a ransom Trojan that cripples multiple services.
-
CHRISTMAS RANSOMWARE
This one surfaces at an apropos time. Demands $100 worth of Bitcoin to recover a victim’s encrypted data.
-
XORIST FAMILY GETS BIGGER
The latest variant of the Xorist ransomware blemishes encoded files with the .CerBerSysLocked0009881 extension.
-
SANTA ENCRYPTOR SOUNDS SARCASTIC
New in-dev sample called Santa Encryptor features an image of Santa Claus on its warning screen and demands $150 worth of BTC.
-
UNIQUE CASE OF RANSOMWARE MIMICKING
Brand new edition of the GlobeImposter ransomware imitates the CrySiS strain by using the .[paradisecity@cock.li].arena extension.
-
NAPOLEON RANSOMWARE ANALYSIS
Researchers at Malwarebytes release in-depth analysis of the Blind ransomware edition using the .napoleon extension.
-
D4RKL0CKER RANSOMWARE IN DEVELOPMENT
Another one on the table. Its GUI is titled D4rkL0cker Test, which gives a clue that it’s a crude sample whose creation is in progress.
-
FILE SPIDER FEATURING GEO-LIMITED DISTRIBUTION
New ransomware called File Spider is spreading in the Balkans via spam. It assigns the .spider extension to encrypted files.
-
FILE SPIDER CAMPAIGN DISSECTED
InfoSec experts provide a lowdown on the distribution vectors and code of the new File Spider ransomware in an informative blog post.
-
“I’LL MAKE YOU CRY” RANSOMWARE
The sample called “I’ll Make you Cry” appears to be a variant of the old NxRansomware. Pretends to be a Google Chrome update.
-
SCREEN LOCKER WITH UNUSUAL PAYMENT DEMANDS
A fresh screen-locking Trojan is spotted that wrongfully claims to have encrypted one’s files. Demands ransom via credit card payment.
-
CRYPTOMIX FAMILY UPDATED
The latest edition of the CryptoMix ransomware uses the .WORK file extension and an updated list of contact email addresses.
-
HC7 RANSOMWARE CHANGES AGAIN
Yet another version of the HC7 strain blemishes encoded files with the .DS335 extension without modifying filenames.
-
NOBLIS RANSOMWARE
This one targets a Spanish-speaking audience, stains encrypted files with the .noblis extension and provides a 24-hour payment deadline.
-
BLIND RANSOMWARE UPDATED
The most recent Blind ransomware variant switches to the .[skeleton@rape.lol].skeleton extension. The note is How_Decrypt_Files.txt.
-
TROWX RANSOMWARE IN THE WILD
A new Hidden Tear-based ransomware called TrOwX is discovered; it adds the .locked extension to files and drops the READ_AND_CRY note.
-
RSA-NI, A BARELY STUDIED SAMPLE
Nothing is known about the new strain calling itself RSA-NI, except the name indicated in the ransom note. Researchers are looking for samples.
-
NEWSMAKING MONGODB DATABASE HACK
Personal data of about 19 million voters in California got compromised as a result of the ongoing MongoDB ransom case.
-
SATAN’S DOOM CRYPTER
This spooky name denotes a new ransom Trojan (.locked extension, READ_IT.txt note). The unlock code is 63uh2372gASd@316.
-
CYCLONE RANSOMWARE
New one. According to the GUI, it’s Cyclone Ransomware v2.40. Appends the .cyclone extension to files and sets a 48-hour deadline.
-
CRYPTOMANIAC RANSOMWARE SPOTTED
This Python based sample uses the .maniac extension for hostage data and Readme_to_recover_files.txt/html ransom notes.
-
CROATIAN GODRA RANSOMWARE SURFACES
Displays ‘KAKO OTKLJUCATI VASE DATOTEKE.txt’ ransom note with instructions in Croatian and uses .godra file extension.
-
RSAUTIL RANSOMWARE UPDATED
The latest RSAUtil variant uses the .ID.GORILLA extension to label encrypted files and drops How_return_files.txt ransom note.
-
SATAN CRYPTOR 2.0
This one resembles WannaCry in a way, because it circulates via SMB. Concatenates the .satan string to hostage files.
-
OFFBEAT RANSOMWARE SPREADING METHOD
The @WannaDecryptor@ ransomware sample is camouflaged as a Bitcoin multiplier solution called Bitcoin-x2 v5.1.
-
WANNACRY ATTRIBUTION MADE PUBLIC
The White House releases a statement in which North Korean state-sponsored cybercriminals are blamed for spreading the WannaCry strain.
-
PROSAIC MOVE BY GLOBEIMPOSTER DEVS
The latest edition of the GlobeImposter ransomware switches to using the .wallet extension for encoded data objects.
-
RETIS RANSOMWARE
New one on the radar. Displays a warning screen similar to Petya’s and uses the .crypted extension for hostage files.
-
RSAUTIL CONTINUES THE UPDATE TREND
As if on steroids, the RSAUtil lineage spawns the second variant in two days. Concatenates the .ID.VENDETTA extension to files.
-
GROUP OF RANSOMWARE PEDDLERS ARRESTED
Five cybercrooks are arrested in Romania for distributing the notorious CTB-Locker and Cerber ransomware infections.
-
FURTHER FACTS ON THE ARRESTEES’ FELONIES
Two of the above-mentioned criminals are charged with hacking the Washington, D.C. police surveillance system to spread ransomware.
-
VENUSLOCKER CREW CHANGES TACTICS
The threat actors behind VenusLocker ransomware have reportedly abandoned the project in favor of Monero mining activities.
-
GLOBEIMPOSTER KEEPS MUTATING
Another version of GlobeImposter is making the rounds via malicious spam carrying toxic JS files. Uses the .doc file extension.
-
RETIS STRAIN DISSECTED
It turns out to be .NET based. Prioritizes the encryption workflow by first encrypting the Desktop, Pictures and Documents directories.
-
FILE-LOCKER SAMPLE ON THE TABLE
The new File-Locker ransomware targets Korean users. Uses the .locked extension and Warning!!!!!!.txt note. Demands 50,000 Won.
-
MORE DETAILS ON CURRENT GLOBEIMPOSTER CAMPAIGN
The latest ..doc variant of GlobeImposter is spreading by means of malspam with fake photos enclosed in a 7z archive.
-
CRYPTOMIX UPDATED
The CryptoMix family produces a fresh edition. It subjoins the .FILE extension to encoded items and uses new contact email addresses.
-
BLIND RANSOMWARE MODIFIED
Another edition of the Blind ransom Trojan appears that uses the .blind2 file extension and How_Decrypt_Files.txt ransom note.
-
“DANGEROUS” RANSOMWARE
Also referred to as Damage ransomware, this new sample adds .wtf to filenames and drops HOWTODECRYPTFILES.html note.
-
NEW CRYPTOMIX VERSION
This lineage continues to expand, this time spawning a variant that stains encrypted files with the .tastylock extension.
-
SAMAS RANSOMWARE GETS A FACELIFT
The most recent Samas/SamSam ransomware edition appends .weapologize to files and uses 0009-SORRY-FOR-FILES.html how-to.
-
SQ_ RANSOMWARE UPDATED
A minor change made to the SQ_ strain is the new BA_ string prepended to filenames and BA_IN YOUR FILES..txt ransom note.
-
PULPY RANSOMWARE IN THE WILD
This one drops a rescue note named Instruction.txt that instructs victims to contact the attacker at pulpy2@cock.li.
-
MADBIT STRAIN SPOTTED
New one. Concatenates the .enc suffix to encoded files and leaves a ransom how-to named “madbit encryptor: Hello, you are encrypted!”
an ongoing list…