Ransomware Chronicle 2017


This is a comprehensive report on ransomware-related events covering the timeframe of January 2017 through June 2018. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledge base instead of having to collect data from multiple different sources.

Read ransomware chronicle for 2016

Read ransomware chronicle for 2018

  • New ransomware released

  • Old ransomware updated

  • Ransomware decrypted

  • Other important ransomware related events


  • SAMAS RANSOMWARE UPDATED

    The extension being appended is .helpmeencedfiles. Now creates the HELP-ME-ENCED-FILES.html ransom manual.

  • GLOBE RANSOMWARE MIGRATED TO C/C++

    While the same on the outside, Globe is now coded in C/C++. Uses the .locked extension.

  • NEW SAMPLE CALLED FIRSTRANSOMWARE

    The executable is firstransomware.exe. Appends the .locked extension and leaves READ_IT.txt ransom note.

  • RED ALERT RANSOMWARE SPOTTED

    A derivative of the open-source Hidden Tear Offline ransomware. Displays the “Your Files Has [sic] Been Blocked” alert.

  • N-SPLITTER USING RUSSIAN FILE EXTENSION

    Another Hidden Tear spinoff. Appends the “.кибер разветвитель” extension to encrypted entries.

  • NEW EDA2 POC SPINOFF EXPOSED

    Brand-new sample based on EDA2 proof of concept ransomware. Uses the .L0CKED extension and DecryptFile.txt ransom note.

  • ANOTHER KOOLOVA VARIANT APPEARS

    An N-SpLiTTer replica called “кибер разветвитель” (Russian for “cyber splitter”). The extension and the name match.

  • RANSOMWARE TARGETING MONGODB DATABASES

    The strain zeroes in on MongoDB servers. Threat actor nicknamed “Harak1r1” demands 0.2 BTC to return hostage databases.

  • MR. ROBOT SERIES THEMED INFECTIONS ON THE RISE

    A group of crooks calling themselves FSociety have been busy coining multiple screen lockers and crypto ransomware samples.

  • MERRY X-MAS RANSOMWARE DISCOVERED

    Uses the .MRCR1, .PEGS1 or .RARE1 file extension and creates YOUR_FILES_ARE_DEAD.hta ransom manual.

  • TIES BETWEEN PSEUDO-DARKLEECH AND RANSOMWARE

    The pseudo-Darkleech cybercrime network was found to be responsible for multiple ransomware campaigns in 2016.

  • GLOBE V3 DECRYPTED

    Emsisoft’s Fabian Wosar cracks Globe ransomware version 3, which uses the .decrypt2017 or .hnumkhotep extensions.

  • FIRECRYPT THREAT EQUIPPED WITH DDOS FEATURE

    Appends the .firecrypt extension and drops [random]-READ_ME.html ransom note. Also crams up HDD with junk files.

  • CRYPTOMIX/CRYPTFILE2 DISSECTED

    The CERT Polska team publishes a detailed analysis of the CryptoMix/CryptFile2 ransomware campaign.

  • NEW LEGISLATION ON RANSOMWARE TAKES EFFECT

    A law passed in California defines ransomware distribution as a standalone felony rather than part of money laundering schemes.

  • KILLDISK RANSOMWARE ENHANCED

    Now attacks Linux machines along with ones running Windows. The whopping size of the ransom is 222 BTC (more than $200,000).

  • ILOCK RANSOMWARE UPDATED

    Leaves the “WARNING OPEN-ME.txt” ransom note (Russian version available too). Separate files for encryptor, live chat and TOR.

  • SKYNAME RANSOMWARE IS UNDERWAY

    In-development Hidden Tear POC spinoff. Zeroes in on Czech victims and demands 1000 Czech Koruna (about $40) for decryption.

  • DEPSEX THREAT DISCOVERED IN THE WILD

    Also known as MafiaWare, the Depsex ransomware uses the .Locked-by-Mafia extension and READ_ME.txt decryption manual.

  • NEW VIRUS PUSHING RANSOMWARE INTRICATELY

    Researchers discovered malicious code adding multiple desktop shortcuts that, once clicked, execute ransomware.

  • YET ANOTHER HIDDEN TEAR DERIVATIVE SPOTTED

    Concatenates the .locked suffix to files and creates README.txt ransom note. Goes equipped with a remote shell.

  • THE ENLIGHTENING OCELOT RANSOMWARE

    The sample called Ocelot Locker is instructive because it doesn’t do crypto and instead demonstrates how bad a real attack can be.

  • MONGODB APOCALYPSE STATS REVEALED

    The number of online-accessible MongoDB databases hit by the MongoDB Apocalypse ransomware reaches a whopping 10,000.

  • UK SCHOOL STAFF SOCIAL-ENGINEERED

    Malefactors pretending to be government officials cold-call schools in the United Kingdom, duping staff into installing ransomware.

  • “CRYPTORANSOMEWARE” MADE BY BULLIES

    The warning screen displayed by the new “CryptoRansomeware” sample is crammed up with bad language.

  • VBRANSOM 7 RANSOMWARE DISCOVERED

    Written in Visual Basic .NET, this strain uses the .VBRANSOM file extension. It’s in-dev and doesn’t do actual crypto at this point.

  • MONGODB APOCALYPSE CAMPAIGN GETS WORSE

    Since the Kraken cybercrime ring stepped in, the number of ransomed MongoDB databases has risen to 28,000.

  • RANSOMEER STRAIN IS UNDERWAY

    New Ransomeer sample is being developed. Configured to demand 0.3169 BTC and provide a 48-hour payment deadline.

  • MERRY X-MAS RANSOMWARE UPDATED

    The latest edition of Merry X-Mas crypto ransomware also installs DiamondFox, a virus that harvests victims’ sensitive information.

  • JAVASCRIPT-BASED “EVIL RANSOMWARE”

    Appends the .file0locked extension to encrypted files and instructs victims to send email to r6789986@mail.kz for recovery steps.

  • CERBER RANSOMWARE TWEAK

    The only change is that Cerber now leaves ransom notes called _HELP_DECRYPT_[A-Z0-9]{4-8}_.hta/jpg.

  • LA COLLEGE GIVES IN TO CYBERCROOKS

    Los Angeles Valley College opts for the ransom route to recover from a crypto ransomware attack, coughing up $28,000.

  • SPORA RANSOMWARE DISCOVERED

    New Spora ransomware can operate offline, features unbeatable encryption and a professionally tailored payment service.

  • MONGODB RANSOMWARE SOURCE CODE SOLD OUT

    The Kraken cybercrime syndicate sells their MongoDB ransomware script for $200. The message was posted on GitHub.

  • MERRY X-MAS STRAIN DECRYPTED

    Emsisoft releases a decryptor for the Merry X-Mas ransomware, which appends .MRCR1, .PEGS1, .RARE1, or .RMCM1 extension.

  • NEW MARLBORO RANSOMWARE SURFACES

    Arrives with spam, concatenates the .oops extension to files and creates _HELP_Recover_Files_.html ransom manual.

  • MARLBORO RANSOMWARE DEFEATED

    Having looked into the code of the Marlboro ransomware, Emsisoft’s Fabian Wosar creates a decrypt tool in less than a day.

  • MONGODB ATTACKERS SWITCH TO ELASTICSEARCH

    The group behind the MongoDB database attacks shifts its focus to infecting ElasticSearch servers with ransomware.

  • ODCODC RANSOMWARE DECRYPTOR UPDATED

    A researcher nicknamed ‘BloodDolly’ updates his ODCODCDecoder tool so that it restores files locked by the new ODCODC ransomware variant.

  • THE BUGGY “KAANDSONA” RANSOMWARE

    Currently in development. Appends the .kencf extension to files. Fails to encrypt data due to a flaw in its crypto implementation.

  • CERBER CAMPAIGN DETAILS LEAKED

    Avast researchers accessed a server containing a fragment of Cerber ransomware’s global infection statistics.

  • SAMSAM RANSOMWARE UPDATE

    Appends the .powerfulldecrypt extension to encrypted files and drops a ransom note called WE-MUST-DEC-FILES.html.

  • CRYPTOSEARCH TOOL HELPS DEAL WITH RANSOMWARE

    The new CryptoSearch utility locates mutilated files and allows copying or moving them to a backup drive for future decryption.

  • A DECLINE IN LOCKY RANSOMWARE INFECTIONS

    According to security analysts, the distribution of Locky via spam campaigns decreased by around 80% in Dec-Jan 2017.

  • CERBER RANSOMWARE TWEAK TAKES EFFECT

    A new edition of Cerber leaves ransom notes called _HELP_HELP_HELP_[random].hta/jpg and uses new IP ranges for UDP stats.

  • CERBER AND SPORA SHARE DISTRIBUTION INFRASTRUCTURE

    Threat actors in charge of the Spora ransomware campaign were found to use the same proliferation sites as Cerber.

  • CANCER SERVICES ORGANIZATION HIT BY RANSOMWARE

    A cancer services agency in Indiana, U.S., suffers a ransomware attack, where crooks demand a ransom of 50 BTC (about $46,000).

  • ANOTHER SAMSAM RANSOMWARE VERSION SURFACES

    New SamSam/Samas variant uses the .noproblemwedecfiles extension and 000-No-PROBLEM-WE-DEC-FILES.html ransom manual.

  • CRIMINALS CAPITALIZE ON DATABASE VULNERABILITIES

    Unidentified cybercrime rings hijack Hadoop and CouchDB databases, erasing data or demanding ransoms for recovery.

  • SPORA TURNS OUT TO HAVE WORM-LIKE PROPERTIES

    The sophisticated Spora ransomware leverages an infection vector relying on .LNK files, so it may act as a shortcut worm.

  • MERRY X-MAS RANSOMWARE DECRYPTOR UPDATE

    Emsisoft’s Fabian Wosar adjusts his decryptor for the Merry X-Mas ransomware, which can now decode .MERRY extension files.

  • LOCKY ENFEEBLED WHILE NECURS BOTNET IS OFFLINE

    Analysts see a drastic decrease in spam spreading the Locky ransomware during temporary inactivity of the Necurs botnet.

  • NEW SAMPLE TARGETING BRAZILIAN USERS

    Uses the .id-[victim_ID]_garryweber@protonmail.ch file extension and HOW_OPEN_FILES.html ransom manual.

  • CERBER’S RANSOM NOTES CHANGED AGAIN

    As part of another tweak, Cerber ransomware has started to drop _HOW_TO_DECRYPT_[random_chars][4-8]_.hta/jpg ransom notes.

  • NEW ANDROID TROJAN HITTING RUSSIAN USERS

    The Russian language Android ransomware locks a device’s screen and instructs the user to hand over their credit card details.

  • SATAN RANSOMWARE AS A SERVICE GOES LIVE

    The RaaS allows crooks to build their custom version of Satan, which uses .stn extension and HELP_DECRYPT_FILES.html ransom note.

  • NEW TURKISH RANSOM TROJAN BEING CREATED

    The in-dev ransomware is supposed to target Turkish victims and append encrypted files with the .sifreli extension.

  • CRYPTOSHADOW STRAIN IS UNDERWAY

    Based off of the Hidden Tear POC. Adds the .doomed extension to files and leaves LEER_INMEDIATAMENTE.txt ransom manual.

  • PUBLIC LIBRARIES IN SAINT LOUIS COMPROMISED

    More than 700 machines across 16 branches of the Saint Louis Public Library get hit by ransomware that demands about $35,000.

  • GLOBEIMPOSTER DECRYPTOR UPDATED

    Emsisoft updates the decryptor to support the variant that uses .crypt extension and HOW_OPEN_FILES.hta ransom note.

  • DNRANSOMWARE ISN’T THAT BAD

    New strain called DNRansomware uses the .fucked file extension. The decrypt code is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.

  • “JHON WODDY” RANSOMWARE TWEAK

    Uses the same source code as DNRansomware. Appends the .killedXXX extension. Decryption routine is buggy.

  • CLOUDSWORD RANSOMWARE BEING CREATED

    Researchers discover in-dev CloudSword sample, which drops Warning??.html ransom note and sets a 5-day payment deadline.

  • MINOR UPDATE OF THE APOCALYPSE RANSOMWARE

    Uses crypt32@mail.ru email address for interacting with victims, while ransom note and filename format is unaltered.

  • SAGE 2.0 STRAIN IS UNDERWAY

    Created by the same crooks as those behind Cerber, Locky and Spora. Uses the .sage extension and !Recovery_EMf.html ransom note.

  • NEW SAMAS RANSOMWARE VERSION RELEASED

    Appends the .weareyourfriends extension to encrypted files and leaves TRY-READ-ME-TO-DEC.html ransom manual.

  • JIGSAW RANSOMWARE UPDATED

    Concatenates the .paytounlock file extension. Expert-made free decryptor already supports this variant.

  • NEW CRYPTOMIX VARIANT SPOTTED

    Uses the [original_filename].email[email_address]_id[victim_ID].rdmk file format and “INSTRUCTION RESTORE FILE.txt” ransom note.

  • SPORA RANSOMWARE DISTRIBUTION EXPANDS

    While the Spora ransomware originally proliferated in Eastern Europe only, it starts targeting victims around the globe.

  • RUSSIANROULETTE RANSOMWARE SURFACES

    A spinoff of the Philadelphia strain. Demands a ransom of 0.3 BTC (about $270) for data decryption.

  • VXLOCK RANSOMWARE LINEAGE APPEARS

    The name of this new crypto ransomware family stems from the .vxLock extension being appended to scrambled files.

  • CHARGER RANSOMWARE TARGETING ANDROID

    A Charger ransomware variant, EnergyRescue, was distributed for a while via Google Play Store as a battery optimizer. Now removed.

  • GMAIL TO BLOCK .JS ATTACHMENTS SINCE FEBRUARY 13

    A change to Gmail will take effect as of February 13, 2017 – the service will block .js attachments to thwart ransomware attacks.

  • ANOTHER SAMAS EDITION SPOTTED

    New Samas/SamSam iteration adds the .otherinformation extension and drops 000-IF-YOU-WANT-DEC-FILES.html ransom note.

  • NEW POTATO RANSOMWARE RELEASED

    Concatenates the .potato extension to encoded data and leaves README.png/html ransom payment instructions.

  • ONE MORE POLICE DEPARTMENT HIT BY RANSOMWARE

    The Cockrell Hill Police Department in Texas admits to having been attacked by ransomware. Crooks demand $4,000 worth of Bitcoin.

  • SPECIFICITY OF THE CRYPTCONSOLE RANSOMWARE

    Scrambles filenames rather than encrypting the files themselves. Leaves the “How decrypt files.hta” ransom note.

  • THE COMEBACK OF VIRLOCKER

    Impersonates law enforcement agencies while blocking computers. Researchers discovered that the unlock code is 64 zeros.

  • UPSWING OF MERRY X-MAS RANSOMWARE CAMPAIGN

    Analysts note that the propagation of MRCR, aka Merry X-Mas, ransomware is starting to skyrocket.

  • CRYPTCONSOLE RANSOMWARE DECRYPTED

    Researcher Michael Gillespie creates a free decryptor for CryptConsole ransom Trojan (“unCrypte@outlook.com_[random]” filenames).

  • MERRY X-MAS RANSOMWARE DECRYPTOR UPDATED

    Emsisoft’s decryptor for MRCR now supports the latest variant, which leaves MERRY_I_LOVE_YOU_BRUCE.hta ransom note.

  • ANOTHER UPDATE OF THE JIGSAW RANSOMWARE

    New variant concatenates the .uk-dealer@sigaint.org extension to encoded files. Decryptable for free.

  • HITLER RANSOMWARE TWEAK

    Crooks label it as “FINAL version of Hitler Ransomware”. Distributed via booby-trapped YOUR-BILL.pdf email attachment.

  • RANSOMPLUS, NEW SAMPLE ON THE TABLE

    Adds the .encrypted extension to locked files. Instructs victims to reach attackers at andresaha82@gmail.com.

  • AUSTRIAN HOTEL HIT BY RANSOMWARE

    Ransomware wreaks havoc with electronic door locking system at Austrian “Romantic Seehotel Jagerwirt” hotel. Demands 2 BTC.

  • XCRYPT RANSOMWARE SPOTTED

    This new strain creates ransom note called Xhelp.jpg containing Cyrillic text. Victims are told to use ICQ to reach the criminals.

  • EMSISOFT SITE DDOSED OVER RANSOMWARE

    Emsisoft’s official website suffers a DDoS attack after the vendor updates their free decryptor for Merry X-Mas ransomware.

  • SAGE 2.0 RANSOMWARE DETAILS UNCOVERED

    Swiss Government CERT publishes a comprehensive report on the Sage 2.0 ransomware dissecting its main characteristics.

  • NEW RANSOMWARE CALLED ZYKA

    Zyka ransomware appends the .locked extension to files and demands a Bitcoin equivalent of $170.

  • TRICKY DISTRIBUTION OF THE NETIX RANSOMWARE

    The new Netix ransom Trojan proliferates as a rogue app called “Netflix Login Generator v1.1”. Demands $100 payable in Bitcoin.

  • NEW INFECTION VECTOR OF THE SPORA PEST

    Researchers discovered a Spora ransomware distribution campaign involving bogus Chrome Font Pack update.

  • CRYPTOSHIELD 1.0 RANSOMWARE DISCOVERED

    A replica of the CryptoMix strain. CryptoShield 1.0 is deposited onto computers via the RIG EK (exploit kit).

  • JIGSAW RANSOMWARE UPDATED AGAIN

    The only noteworthy change is the .gefickt extension being affixed to scrambled files.

  • CHANGES MADE TO EVIL-JS RANSOMWARE

    The latest version of Evil-JS appends the .evillock string to files and provides gena1983@mbx.kz email address to contact the dev.

  • LOCKY BART CAMPAIGN VIEWED FROM THE INSIDE

    Malwarebytes researchers publish Locky Bart ransomware details based on statistics from the crooks’ breached backend server.

  • SAMAS STRAIN UPDATE

    New Samas, or SamSam, ransomware edition uses the .letmetrydecfiles extension and LET-ME-TRY-DEC-FILES.html ransom note.

  • ANOTHER DECRYPTION BREAKTHROUGH

    Avast analysts release automatic free decrypt tools for Hidden Tear, Jigsaw and Stampado ransomware families.

  • RANSOMWARE ATTACKS ONE MORE ORGANIZATION

    A number of IT systems of Ohio’s Licking County government services get affected by unidentified ransomware.

  • TWO RANSOMWARE DISTRIBUTORS APPREHENDED

    London police arrest a man and a woman who infected Washington’s closed-circuit television network with ransomware in mid-January.

  • RANION RAAS DISCOVERED

    Security researchers stumble upon a new low-cost Ransomware-as-a-Service platform called Ranion.

  • YOURRANSOM VIRUS IS QUITE INSTRUCTIVE

    Appends files with .yourransom extension and uses README.txt ransom note. Author (i@bobiji.com) promises free decryption.

  • NEW PYTHON-BASED LAMBDALOCKER SPOTTED

    LambdaLocker uses .lambda_l0cked file extension and READ_IT.html decryption how-to. The size of the ransom is 0.5 BTC.

  • PADCRYPT DISTRIBUTION BACKED BY A RAAS

    It turns out that there is a Ransomware-as-a-Service platform behind the PadCrypt strain, so it’s a whole affiliate network.

  • YOURRANSOM POC GETS A NEW FAN

    Someone borrows the code of YourRansom proof of concept to infect users for real, still offering free decryption though.

  • SPORA STRAIN FEATURES RESPONSIVE TECH SUPPORT

    As bizarre as it sounds, operators behind the Spora ransomware deliver quality customer care as they respond to victims’ queries.

  • ANDROID RANSOMWARE GETS SMARTER

    The Android.Lockdroid.E virus was found to use a dropper that scrutinizes an infected device before deploying the right payload.

  • CRYPTOSHIELD UPGRADED TO VERSION 1.1

    CryptoShield 1.1 engages new email addresses, namely res_reserve@india.com, res_sup@india.com, and res_sup@computer4u.com.

  • UNIQUENESS OF THE EREBUS RANSOMWARE

    New sample. Circumvents UAC prompt while getting admin privileges. The size of the ransom is fairly small, amounting to $90.

  • JOBCRYPTER STILL ALIVE AND KICKING

    JobCrypter ransomware returns after a period of inactivity. No particular changes have been made to its code.

  • AW3S0M3SC0T7 RANSOMWARE SPOTTED IN THE WILD

    Researchers discover Aw3s0m3Sc0t7 ransom Trojan created by someone named Scott. Uses the .enc file extension.

  • NEW SAMPLE TARGETING HIGHLY SENSITIVE FILES ONLY

    Unnamed strain is discovered that pilfers .ie5, .key, .pem and .ppk files (private keys and certificates) and demands a ransom of 1 BTC.

  • ANOTHER PORTUGUESE RANSOM TROJAN SPOTTED

    Uses the .id-[random]_steaveiwalker@india.com_ file extension and COMO_ABRIR_ARQUIVOS.txt ransom note.

  • ID RANSOMWARE PROJECT KEEPS EXPANDING

    The ID Ransomware initiative by MalwareHunterTeam now identifies 300 different strains of file-encrypting threats.

  • SERPENT RANSOMWARE CAMPAIGN IS UNDERWAY

    Presumably a Hades Locker spinoff. Uses the .serpent extension and HOW_TO_DECRYPT_YOUR_FILES_[random].html/txt notes.

  • DYNA-CRYPT IS MORE THAN JUST RANSOMWARE

    The new DynA-Crypt infection encodes victims’ data and steals various personally identifiable information. Requests $50 in BTC.

  • DIGISOM, ONE MORE HIDDEN TEAR DERIVATIVE

    Based on open-source Hidden Tear. Adds the .[A-Za-z0-9]{3}.x extension to files and drops “Digisom Readme[0-9].txt” ransom note.

  • FADESOFT PEST PAYS HOMAGE TO A MOVIE

    Ransom warning contains a logo of Umbrella Corporation from Resident Evil series. Demands 0.33 BTC for data decryption.

  • SERBRANSOM 2017, A NEW ONE ON THE TABLE

    Concatenates the .velikasrbija extension to files and deletes a random file every 3 minutes. Asks for $500 worth of Bitcoins.

  • WCRY SPECIMEN IS RUN-OF-THE-MILL

    Appends the .wcry suffix to enciphered files and demands 0.1 BTC for decryption.

  • RDP-BASED RANSOMWARE ATTACKS ARE ON THE RISE

    TrendMicro found that the number of RDP brute-force attacks spreading CrySiS ransomware has grown dramatically in 2017.

  • SERBRANSOM 2017 AUTHOR DETAILS REVEALED

    Experts discover that SerbRansom 2017 dev advocates ideas of ultranationalism with his hatred toward Kosovo and Croatia.

  • NEW RANSOMWARE THAT ARCHIVES FILES

    A strain is spotted that moves a victim’s files to a password-protected RAR archive and requests 0.35 BTC for the unlock password.

  • SAMAS FAMILY KEEPS EXPANDING

    Another Samas/SamSam spinoff uses the .encryptedyourfiles extension and 001-READ-FOR-DECRYPT-FILES.html ransom note.

  • NEW CYBERSPLITTER VARIANT GOES LIVE

    Displays an FBI themed warning that says, “Your Computer Has Been Locked!”. The ransom amounts to 0.5 BTC.

  • POC RANSOMWARE FOR INDUSTRIAL CONTROL SYSTEMS

    Researchers from Georgia Institute of Technology present POC ransomware targeting ICS/SCADA systems at RSA Conference.

  • MOST RANSOMWARE DEVS SPEAK RUSSIAN

    According to Kaspersky Lab, 75% of all ransomware strains circulating in 2016 were created by Russian-speaking crooks.

  • MORE CYBERSPLITTER EDITIONS SPOTTED

    Two new CyberSplitterVBS versions appear, one of which impersonates “Saher Blue Eagle” remote administration tool.

  • NEW JOBCRYPTER VARIANT RELEASED

    The fresh JobCrypter edition uses a new set of email addresses: frthnfdsgalknbvfkj@outlook.fr (…@yahoo.com, …@gmail.com).

  • CERBER SKIPS AV-RELATED FILES

    When scouring infected computers for data, a new variant of the Cerber ransomware ignores files associated with security suites.

  • SMALL TWEAK OF THE N1N1N1 STRAIN

    The changes include a new filemarker (333333333333) and a different Tor address of the decryption service.

  • RESEARCHER DEMONSTRATES RANSOMWARE REVERSING

    Fabian Wosar of Emsisoft sets up a streaming session where he reverses new Hermes ransomware and finds its weaknesses.

  • PRINCESS LOCKER UPDATE

    The latest build of the Princess Locker ransomware drops a new ransom manual called @_USE_TO_FIX_JJnY.txt.

  • KASISKI RANSOM TROJAN APPEARS IN THE WILD

    This new Spanish sample uses the [KASISKI] prefix to label encrypted files and leaves INSTRUCCIONES.txt ransom note.

  • XYZWARE, NEW BADDIE ON CYBERCRIME STAGE

    New XYZWare is a Hidden Tear POC derivative most likely hailing from Indonesia. Drops README.txt ransom note.

  • MINOR TWEAK OF CRYPTCONSOLE RANSOMWARE

    The only change as compared to the previous edition is a new email address being used: something_ne@india.com.

  • MRCR RANSOMWARE DECRYPTOR UPDATED

    Emsisoft’s Fabian Wosar updates his decryptor for the Merry X-Mas ransomware so that it can handle new versions of the plague.

  • ANDROID RANSOMWARE TRENDS DISSECTED

    ESET publishes a whitepaper on how Android ransomware has mutated and grown in volume since 2014.

  • SAGE RANSOMWARE UPDATED TO VERSION 2.2

    Aside from the new version name, Sage 2.2 ransomware creates !HELP_SOS ransom notes on the desktop and inside folders.

  • NEW VARIANT OF THE SAMAS RANSOM TROJAN

    Concatenates the .weencedufiles extension to encrypted files and leaves READ_READ_READ.html recovery how-to.

  • CRYPTOMIX VARIANT DECRYPTED BY AVAST

    Avast, in cooperation with CERT.PL, releases a free decryptor for the offline edition of CryptoMix ransomware.

  • TRUMP LOCKER, A VENUSLOCKER REMAKE

    Uses two different extensions (.TheTrumpLockerf and .TheTrumpLockerp) and drops “What happen to my files.txt” ransom note.

  • CRYPT888 RANSOMWARE MODIFIED

    New Crypt888 variant displays a beach view instead of ransom notes and puts the “Lock.” prefix before original filenames.

  • NEW SAMPLE CODED IN PYTHON

    Avast researchers spot a new Python-based strain that appends the .d4nk string to encrypted files.

  • PATCHER RANSOMWARE TARGETING MAC OS X

    Payloads are disguised as patchers for various Mac OS apps. Drops README!.txt ransom note. Files cannot be decrypted for free.

  • THE UNUSUAL UNLOCK26 RANSOMWARE

    Provides no contact details. Before submitting the ransom to unlock files, a victim is instructed to solve a math problem.

  • ANDROID RANSOMWARE THAT CAN LISTEN

    New Lockdroid ransomware spinoff unlocks a device after the victim pronounces the unlock code obtained after payment.

  • PICKLES RANSOMWARE EMERGES

    Written in Python. Appends files with .[random].EnCrYpTeD extension and creates READ_ME_TO_DECRYPT.txt ransom notes.

  • GO-BASED VANGUARD RANSOMWARE

    New Vanguard ransomware is written in Google’s Go programming language. Not very active at this point.

  • ANOTHER CRYPTOMIX UPDATE

    The latest iteration of CryptoMix stains the names of encoded files with the .CRYPTOSHIEL extension.

  • MYSQL SERVERS UNDER ATTACK

    Extortionists hijack numerous MySQL databases around the world, erase their content and demand a ransom of 0.2 BTC.

  • DAMAGE RANSOMWARE SPOTTED

    New sample that concatenates the .damage string to encrypted files, hence the name of the ransomware.

  • WEIRDNESS OF THE BARRAX RANSOMWARE

    This is a Hidden Tear spinoff that appends files with the .BarRax suffix. The strange thing is that it has a regular support forum.

  • RAAS BEHIND UNLOCK26 INFECTION

    Unlock26 trojan is now distributed on a Ransomware-as-a-Service basis. The operators get 50% of ransoms submitted by victims.

  • SARDONINIR RANSOMWARE IN DEVELOPMENT

    An in-dev ransomware that uses the .enc extension and sends encryption password to sardoninir@gmail.com.

  • CRYPT0L0CKER SPAM CAMPAIGN DISSECTED

    Italian security experts discover that Crypt0L0cker devs sign their spam emails with legit “posta elettronica certificata” (PEC).

  • CRYPTOGRAPHER ON THE FUTURE OF RANSOMWARE

    Matthew Green, cryptographer and professor at Johns Hopkins University, writes an article on the evolution of ransomware from a cryptographic standpoint.

  • FILELOCKER GOING AFTER CZECH USERS

    New FileLocker ransomware displays ransom notes in Czech, uses the .ENCR file extension and asks for 0.8 BTC.

  • DEALING WITH FINDZIP ATTACK AFTERMATH

    Malwarebytes team devises a method to restore files encrypted by Mac OS X ransomware called Findzip.

  • DETAILS OF CRYPT0L0CKER RE-EMERGENCE

    Crypt0L0cker, aka TorrentLocker, is active again after almost a year of standstill. The updated infection mostly targets Europe.

  • LOCKY RANSOMWARE USES A GENUINE CERT

    It turns out that the .osiris variant of Locky is signed by a digital certificate issued by Comodo CA.

  • DHARMA RANSOMWARE MASTER KEYS LEAKED

    Someone nicknamed ‘gektar’ provided a Pastebin link on BleepingComputer forums leading to master decryption keys for Dharma.

  • THE ONSET OF KRIDER RANSOMWARE

    A new sample called KRider is underway. It concatenates the .kr3 extension to ciphered files.

  • RANSOMWARE IDENTIFICATION IS GETTING TOUGHER

    The two email addresses in the “.SN-[random_numbers]-info@kraken.cc_worldcza@email.cz” extension added by a new strain make identification confusing.

  • PODCAST FEATURING THE AUTHOR OF “ID RANSOMWARE”

    Michael Gillespie, the architect of ID Ransomware service, provides useful security tips in the FightRansomware podcast.

  • TIES BETWEEN RIG EK AND ASN1 RANSOMWARE

    The ASN1 ransom trojan is deposited on computers via RIG exploit kit. This sample drops “!!!!!readme!!!!!.htm” ransom note.

  • DHARMA RANSOMWARE DECRYPTED

    Kaspersky, followed by ESET and Avast, release free decryptors for the Dharma ransomware based on leaked master keys.

  • CERBER PRESUMABLY STEPPING INTO ANDROID OS

    Analysts discovered Cerber ransom note README.hta being embedded in the code of several official Android apps.

  • CREATION OF MAFIAWARE SPINOFF IN PROGRESS

    Somebody is reportedly working on a new ransomware sample based on the source code of MafiaWare threat.

  • FABSYSCRYPTO, A NEW LOCKY COPYCAT

    A strain called FabSysCrypto is spotted that drops ransom notes identical to Locky’s and uses the code of Hidden Tear POC.

  • JIGSAW RANSOMWARE VERSION 4.6 SPOTTED

    The newcomer features an updated warning screen, demands $150 worth of Bitcoin, and provides a 24-hour deadline.

  • RANSOMWARE ATTACKS PA. SENATE DEMOCRATS

    Computer network of the Pennsylvania Senate Democratic Caucus gets shut down due to a ransomware incident.

  • NEW FADESOFT VARIANT EMERGES

    The updated FadeSoft ransomware uses a warning screen that’s no longer Resident Evil movie themed. No more tweaks made.

  • CRYPTOJACKY TARGETING SPANISH-SPEAKING USERS

    Ransom notes by the new CryptoJacky ransomware are in Spanish. The pest uses Aescrypt.exe application to scramble files.

  • ENHANCEMENT MADE TO SHAMOON DISK WIPER

    The notorious Shamoon disk-wiping worm originally discovered in 2012 now goes equipped with a ransomware component.

  • THE ONSET OF ENJEY CRYPTER

    New Enjey Crypter ransomware bears a resemblance to the RemindMe strain. It uses ‘contact_here_me@india.com’ email address.

  • UNLOCK92 TROJAN GETS FINE-TUNED

    The only apparent change in comparison with the previous edition is the new name of the ransom note – READ_ME_!.txt.

  • NHTNWCUF RANSOMWARE IS AN ODD ONE

    Leaves ransom notes called !_RECOVERY_HELP_!.txt or HELP_ME_PLEASE.txt. Ends up scrambling files beyond recovery.

  • MEET PAUL, A WANNABE EXTORTIONIST

    Researchers discovered a crude Hidden Tear POC-based sample being developed by a person from France named Paul.

  • CRYPTON, AKA NEMESIS RANSOMWARE CRACKED

    Emsisoft creates a free decryptor for the CryptON ransom trojan, which otherwise demands 0.5 BTC ($620) for file recovery.

  • NEW CRYPT0L0CKER CAMPAIGN DISSECTED

    Cisco’s Talos Intelligence Group publishes a comprehensive write-up on the new variant of Crypt0L0cker / TorrentLocker.

  • CRYPTOLOCKER 1.0.0 IS JUST AN IMPOSTOR

    CryptoLocker 1.0.0 uses the RSA encryption algorithm and displays ransom how-to’s in Turkish. The name is borrowed from the infamous prototype.

  • RANRAN RANSOMWARE ISN’T RUN-OF-THE-MILL

    Spreads within a country in the Middle East and has clear political implications. Uses encryption tiers and adds the .zZz extension.

  • CERBER NOW KEEPS FILENAMES INTACT

    New variant of the Cerber ransomware doesn’t modify original filenames. Still appends a PC-specific 4-char extension, though.

  • VORTEX RANSOMWARE TARGETING POLISH USERS

    Concatenates the .aes extension to encrypted files and drops ODSZYFRUJ-DANE.txt (“DECRYPT-DATA”) ransom manual.

  • VAPELAUNCHER, A CRYPTOWIRE SPINOFF

    New VapeLauncher ransomware is based on the code of CryptoWire POC. Demands $200 worth of Bitcoin.

  • SPORA’S INFECTION VECTOR SCRUTINIZED

    Kevin Douglas from RSA Security publishes an article with in-depth analysis of the HTA contamination vector used by Spora devs.

  • PADCRYPT 3.4.0 DISCOVERED

    Researchers found a sample of new PadCrypt ransomware v3.4.0. It uses the same build and campaign ID as the predecessor.

  • UNIQUENESS OF SAMAS RANSOMWARE EXPLAINED

    Samas ransomware uses a worm-like tactic to affect all connected servers and backups. Its devs made $450,000 in one year.

  • EXHAUSTIVE ANALYSIS OF THE SPORA RANSOMWARE

    Malwarebytes Labs aggregates all of the top-notch Spora ransomware’s technical details into a single post.

  • TIES BETWEEN SAGE 2.2 AND AN INFO STEALER

    Analysts discover a connection between the Sage ransomware campaign and the distribution of August Stealer malware.

  • NEW ANDROID DEVICES WITH RANSOMWARE ON BOARD

    Pre-installed ransomware and adware were found on 38 Android smartphones shipped to two big technology companies.

  • ID RANSOMWARE SERVICE ENHANCED

    The ID Ransomware resource by MalwareHunterTeam is now capable of identifying files scrambled by Spora ransomware.

  • SAMSAM STRAIN UPDATE

    New SamSam variant uses the .iaufkakfhsaraf file extension and IF_YOU_WANT_FILES_BACK_PLS_READ.html ransom note.

  • DAMAGE RANSOMWARE DECRYPTED

    Emsisoft CTO Fabian Wosar defeats the crypto of the Damage Ransomware in another live streaming session.

  • NEW ROZALOCKER SPECIMEN

    RozaLocker appends the .ENC extension to files, drops ransom notes in Russian and requests 10,000 Rubles ($173) for recovery.

  • FRESH SAMPLE AFFECTING FRENCH AUDIENCE

    A new ransom Trojan is discovered that displays its recovery how-to called “Verrouille” in French.

  • ENJEY TROJAN DEV’S REVENGE

    Operator of the Enjey ransomware fires a series of DDoS attacks at the ID Ransomware site following the release of an ad hoc decryptor.

  • Ŧl๏tєгค гคภร๏๓ฬคгє IS VORTEX IN DISGUISE

    Researchers discover a sample called the Ŧl๏tєгค гคภร๏๓ฬคгє, which appears to be a spinoff of the Vortex strain.

  • PADCRYPT UPDATED AGAIN

    Although the PadCrypt ransomware isn’t in active rotation, its authors keep launching new versions, now at 3.4.1.

  • PROJECT34 RANSOMWARE HUNT STARTS

    Analysts declare an initiative against the Project34 ransomware, which prepends “project34@india.com” to locked files.

  • PETRWRAP, A PETYA RANSOMWARE DERIVATIVE

    New PetrWrap ransomware leverages Windows PsExec tool to infect enterprise networks and completely deny access to machines.

  • NEW RAAS COMPROMISED BY WHITE HAT HACKERS

    Malwarebytes researchers hack FileCrypter Shop, a Ransomware-as-a-Service resource that’s about to go live.

  • SPORA RANSOMWARE CAMPAIGN TWEAK

    The Spora crew registers a new C2 domain torifyme[dot]com and starts using it for victim interaction purposes.

  • JIGSAW RANSOMWARE UPDATE

    The latest edition of the Jigsaw ransomware concatenates the .nemo-hacks.at.sigaint.org extension to encoded files.

  • NEW ITERATION OF THE HERMES RANSOMWARE

    Hermes, a strain previously cracked by Emsisoft’s Fabian Wosar in a live video, is now at version 2.0.

  • HERMES ENCRYPTION DEFEATED

    Researcher Michael Gillespie, in cooperation with Fabian Wosar, releases a free decryptor for the Hermes ransomware.

  • AN INSTRUCTIVE SCREEN LOCKER DISCOVERED

    A Russian screen locker is spotted that allows for easy recovery as long as the victim reads how dangerous ransomware is.

  • KARMEN RAAS BEING DEVELOPED

    Malware watchers discover a new Ransomware-as-a-Service portal called Karmen, which is currently in development.

  • REVENGE TROJAN, A CRYPTOMIX SPINOFF

    The Revenge ransomware spreads via RIG exploit kit, uses the .REVENGE file extension and # !!!HELP_FILE!!! #.txt ransom note.

  • SAMPLE PRETENDING TO BE CTB-LOCKER

    New CTB-Locker copycat displays Beni Oku.txt ransom manual in Turkish and appends the .encrypted extension to files.

  • A VANITY-DRIVEN HIDDEN TEAR VERSION

    A Hidden Tear POC offspring appears that asks victims to post a specific message on Facebook to get the fix.

  • NSIS INSTALLERS ABUSED BY RANSOMWARE DEPLOYERS

    Microsoft discovered a trend of threat actors distributing ransomware by manipulating the Nullsoft Scriptable Install System (NSIS).

  • THE ECCENTRIC KIRK RANSOMWARE

    Uses Star Trek themed warnings and Monero payment system. Appends .Kirked extension and leaves RANSOM_NOTE.txt manual.

  • LICK RANSOMWARE BASED ON KIRK STRAIN

    The Lick ransomware acts similarly to Kirk, uses the same decryption how-to (RANSOM_NOTE.txt) and the .Licked file extension.

  • SCREEN LOCKER CALLED CRYPTODEVIL

    Reverse engineering of CryptoDevil revealed that its author’s nickname is “Mutr0l”. The “kjkszpg” code unlocks the screen.

  • ROSHALOCK 2.0 USES RAR TO LOCK FILES

    Moves data to a password-protected RAR archive and creates a ransom note called “All Your Files in Archive!.txt”.

  • DECRYPT TOOL FOR CRYPTON GETS FINE-TUNED

    Emsisoft CTO Fabian Wosar releases an updated decryptor for CryptON that supports the newest edition of the infection.

  • ZINOCRYPT RANSOMWARE – 2017 EDITION

    Concatenates the .ZINO extension to ciphered files and creates ZINO_NOTE.txt ransom manual.

  • CRPTXXX IS NOTHING OUT OF THE ORDINARY

    Affixes the .crptxxx string to scrambled files and drops the HOW_TO_FIX_!.txt document to instruct victims regarding recovery.

  • JIGSAW RANSOMWARE GETS A NEW LOOK AND FEEL

    New edition of the Jigsaw crypto infection uses a new background for its warning window and appends the .fun file extension.

  • DH_FILE_LOCKER RANSOMWARE BUILDER EXPOSED

    Analysts spot a tool called DH_File_Locker by Doddy Hackman 2016 that can be used for building custom ransomware.

  • BUILDER FOR TRIDENT FILE LOCKER DISCOVERED

    Another ransomware builder is spotted. Called the Trident Builder, it allows crooks to easily generate a payload of their own.

  • MAC-AND-CHESS DEV CARES ABOUT MARKETING

    Hidden Tear based ransomware tells victims to post “I have been hacked by anonymous” phrase on their Facebook wall.

  • THE DECRYPTABLE BRAINCRYPT RANSOMWARE

    Appends one’s locked files with the .[braincrypt@india.com].braincrypt extension. A free decryptor is available.

  • MOTD RANSOMWARE SPOTTED

    Concatenates the .enc extension to encrypted files and drops a ransom note called motd.txt.

  • CRYPTODEVIL SAMPLE IN DEVELOPMENT

    Currently scrambles data only in sub-directories of a folder hosting its executable. Appends the .devil extension to files.

  • VIETNAMESE EDITION OF JIGSAW RANSOMWARE

    This variant of the notorious Jigsaw strain leaves a decryption how-to in Vietnamese. Still an in-dev sample at this point.

  • LOCKY CAMPAIGN STEADILY GOING DOWN

    Since the Necurs botnet stopped generating spam with Locky ransomware payloads, the campaign has been declining big time.

  • RANSOMWARE-RELATED BILL INTRODUCED

    The gist of a recent Indiana bill is to make ransomware distribution a standalone felony leading to 1-6 years in jail.

  • PADCRYPT WON’T STOP UPDATING

    Analysts discover a new variant of the PadCrypt ransomware, which now reaches v3.4.4. No noteworthy functional changes made.

  • SAMAS RANSOMWARE UPDATED ONCE AGAIN

    New edition uses the .cifgksaffsfyghd file extension and READ_READ_DEC_FILES.html ransom manual.

  • LLTP LOCKER TARGETING SPANISH-SPEAKING USERS

    Aka LLTP Ransomware. Researchers found that its code is based on the VenusLocker strain.

  • SAP PRODUCTS EXPLOITABLE TO SERVE RANSOMWARE

    Security experts discover a vulnerability in SAP Windows client that may allow crooks to deploy ransomware remotely.

  • USER-FRIENDLY RANSOM TROJANS ARE ALREADY HERE

    An article is posted on the Barkly blog, predicting that ransomware with quality customer service will become a trend.

  • NEW ZORRO RANSOMWARE SURFACES

    Appends files with the .zorro suffix and creates a ransom note called Take_Seriously (Your saving grace).txt.

  • ANGLEWARE, ANOTHER HIDDEN TEAR OFFSPRING

    AngleWare appears to be a new derivative of the Hidden Tear proof of concept. Uses the .AngleWare file extension.

  • THE “MONUMENT” EDITION OF JIGSAW RANSOMWARE

    The payload is hidden in installer for the Imminent Monitor RAT. Provides recovery steps right in the extension added to files.

  • METEORITAN STRAIN SPREADING IN POLAND

    Leaves ransom notes called where_are_your_files.txt or readme_your_files_have_been_encrypted.txt.

  • GLOBE3 DECRYPTOR UPDATED

    Emsisoft updates their free decryptor for the Globe3 ransomware so that it restores files locked by the newest edition.

  • “MONUMENT” SAMPLE HAS NOW GOT COMPANY

    Jigsaw version called the “Monument” ransomware now propagates along with an adult-themed screen locker.

  • SOME SPORA RANSOMWARE STATS UNCOVERED

    MalwareHunterTeam provides details on the number of ransomed files (48,466,020) belonging to 646 Spora victims.

  • LK ENCRYPTER, ONE MORE HIDDEN TEAR SPINOFF

    The array of Hidden Tear POC derivatives gets replenished with new LK Encrypter, which uses the .locked file extension.

  • BTCWARE, NEW ONE ON THE RANSOMWARE ARENA

    Has common traits with the CrptXXX sample. Demands 0.5 BTC (about $500) for data decryption.

  • SADSTORY RANSOMWARE CAMPAIGN TAKES ROOT

    SADStory instructs victims to send email to tuyuljahat@hotmail.com for recovery steps and deletes one random file every 6 hours.

  • USEFUL CRYPTOSEARCH TOOL UPDATED

    The CryptoSearch utility by Michael Gillespie now identifies files affected by the Spora ransomware.

  • NEW VARIANT OF WCRY RANSOMWARE GOES LIVE

    The updated WCry, aka WANNACRY, ransomware drops “!WannaCryptor!.bmp” and “!Please Read Me!.txt” ransom notes.

  • SPANISH CRYPTO THREAT USING INTERESTING DISGUISE

    The strain targets Spanish-speaking audience, uses Smart Install Maker solution and displays a rogue Windows Update screen.

  • MEMELOCKER CAMPAIGN IS ABOUT TO BREAK OUT

    Researchers spot a new ransom Trojan called MemeLocker, which is still in development. Displays a bright-red warning window.

  • UNDERGROUND RANSOMWARE WORKSHOP UNCOVERED

    Cybercrime group dubbed “Mafia Malware Indonesia” is responsible for creating CryPy, MafiaWare, SADStory and a few more strains.

  • iOS UPDATE FEATURING IMPORTANT SECURITY PATCH

    The latest iOS 10.3 update contains a fix for a Safari security issue, addressing a growing police ransomware campaign.

  • PYCL RANSOMWARE, A CTB-LOCKER COPYCAT

    New Python-based PyCL ransomware propagates via RIG exploit kit and displays ransom notes similar to CTB-Locker’s.

  • R RANSOMWARE, ANOTHER ONE ON THE TABLE

    Named simply “R”, this ransom Trojan leaves a self-explanatory Ransomware.txt how-to and demands 2 BTC for decryption.

  • STRAIN USING THE .ANDROID EXTENSION

    Fresh sample called AnDROid appends the .android extension to files and displays an animated image of a skull in its ransom note.

  • ANOTHER RANSOMWARE HUNT BEGINS

    Michael Gillespie, aka @demonslay335, declares a hunt for the .pr0tect file (READ ME ABOUT DECRYPTION.txt) ransomware.

  • GREAT WRITE-UP ON SAGE RANSOMWARE

    Malwarebytes Labs publishes an article dissecting multiple facets of the Sage ransomware, which is currently at version 2.2.

  • HAPPYDAYZZ RANSOMWARE DISCOVERED

    HappyDayzz strain can switch between different encryption algos. Uses the blackjockercrypter@gmail.com contact email.

  • DONOTCHANGE RANSOMWARE SPOTTED

    Requests $250 for decryption and warns victims that changing the names of encrypted files will make recovery impossible.

  • FILE FROZR RAAS LAUNCHED

    New Ransomware-as-a-Service portal called FILE FROZR starts functioning. Asks for $100 monthly, with $50 discount for first month.

  • DONOTCHANGE RANSOMWARE DECRYPTED

    Another win for the good guys – Michael Gillespie creates a free decryptor for the recently released DoNotChange strain.

  • GOOGLE STATES ANDROID RANSOMWARE ISN’T COMMON

    According to Google, ransomware infecting Android devices is extremely rare and the issue is blown out of proportion.

  • CRYPTOSEARCH APP FINE-TUNED

    FadeSoft ransomware victims can now use the CryptoSearch tool to detect encrypted files and move them to a new location.

  • ID RANSOMWARE SERVICE NOW IDENTIFIES FADESOFT

    The ID Ransomware online resource has been updated to identify the FadeSoft ransom Trojan by files and/or ransom notes.

  • ANDROID RANSOMWARE UNDETECTED BY AV TOOLS

    A new sample of Android ransomware is spotted that leverages an obfuscation mechanism to evade AV detection.

  • LANRAN RANSOMWARE EMERGES

    New LanRan infection displays a tasteless-looking warning screen that requests 0.5 BTC for purported recovery service.

  • FANTOM RANSOMWARE UPDATED AGAIN

    The latest edition of Fantom replaces filenames with base64 encoded strings and uses RESTORE-FILES.[random].hta ransom note.

  • NEW CRYPVAULT VARIANT IS OUT

    Spreads via spam delivering a phony CV and uses the helplovx@excite.co.jp email address to interact with victims.

  • ONE MORE RANSOMWARE HUNT LAUNCHED

    This time, researchers will try to hunt the Cradle ransomware down (.cradle extension and _HOW_TO_UNLOCK_FILES_.html note).

  • THE WITTY “SANCTIONS RANSOMWARE”

    The Sanctions ransomware takes root. It appends the .wallet extension to files and caricatures US sanctions against Russia.

  • UEFI FIRMWARE VULNERABILITY UNCOVERED

    Researchers from Cylance discover a firmware security loophole that may expose Gigabyte Brix devices to ransomware attacks.

  • GX40 RANSOMWARE MAY SPAWN LOTS OF SPINOFFS

    GX40 ransomware (.encrypted extension) employs a codebase that researchers predict may be used to coin malicious derivatives.

  • GX40 CODEBASE STARTS MAKING TROUBLE

    New sample is discovered that’s based on GX40 ransomware code. The fresh one uses geekhax@gmail.com contact address.

  • ANGRYKITE STRAIN SPOTTED

    AngryKite scrambles filenames and appends them with the .NumberDot string. Also instructs victims to dial a phone number.

  • DEATHNOTE HACKERS RANSOMWARE POPS UP

    Operated by DeathNote Hackers group, this one concatenates the .f*cked extension to encrypted files. Decryptable for free.

  • FLUFFY-TAR RANSOMWARE UNDERWAY

    Appends the .lock75 file extension, demands 0.039 BTC (about $50) for decryption, and uses a Tor gateway for communication.

  • NEW CERBER VERSION IS OUT

    Uses a new ransom note name (_READ_THI$_FILE_[random].hta/jpeg/txt or _READ_THIS_FILE_[random].hta/jpeg/txt).

  • AMADEOUS RANSOMWARE IS ALMOST HERE

    Security experts stay on top of the work of a crook named “Paul”, who came up with the “Amadeous” name for his ransomware.

  • FAIZAL, A HIDDEN TEAR OFFSPRING

    The new Faizal ransomware is based on Hidden Tear POC. It affixes the .gembok string to encoded files.

  • PADCRYPT DEVS REQUEST NICE REVIEWS

    Tor site used in the PadCrypt ransomware campaign suggests that victims give it good feedback to get a partial ransom refund.

  • NEW DECRYPTOR FOR BART RANSOMWARE RELEASED

    Bitdefender crafts a decryption tool supporting all variants of Bart ransomware, which uses the .bart.zip, .bart or .perl extension.

  • GX40 PROJECT KEEPS PRODUCING SPINOFFS

    The fresh one requests 0.02 BTC and instructs victims to contact the crooks via ransomwareinc@yopmail.com.

  • A TWEAK MADE TO THE JIGSAW PEST

    Concatenates the “.I’WANT MONEY” extension to filenames and uses ewsc77@mail2tor.com email address.

  • VORTEX RANSOMWARE CRACKED

    Michael Gillespie, ID Ransomware author, claims he can decrypt files locked by Vortex strain. Victims should contact him directly.

  • SAMAS RANSOMWARE UPDATE

    New edition uses the .skjdthghh extension and 009-READ-FOR-DECCCC-FILESSS.html ransom how-to.

  • PADCRYPT 3.5.0 GOES LIVE

    MalwareHunterTeam discovers a brand new version of PadCrypt that’s now at v3.5.0.

  • A LIKELY RAAS FOR THE FANTOM BADDIE

    Code of the latest Fantom ransomware edition contains a ‘partnerid’ attribute, so an associated RaaS may be on its way.

  • NEW CRYPTOWIRE SPINOFF SPOTTED

    The latest CryptoWire version is denominated “realfs0ciety@sigaint.org.fs0ciety”. The payload arrives as AA_V3.exe file.

  • ANOTHER PYTHON-BASED SAMPLE FOUND

    This one puts a lot of pressure on victims as it instructs them to pay 0.3 BTC within 3 hours.

  • HT SPINOFF DUBBED KRIPTO

    Security researchers come across a new Hidden Tear derivative called Dikkat (Eng. “Attention”). The ransom note is in Turkish.

  • LMAOXUS RANSOMWARE DISCOVERED

    LMAOxUS ransomware is based on open-source EDA2 POC. Its maker, however, eliminated a backdoor in the original code.

  • MAN FROM AUSTRIA ARRESTED OVER RANSOMWARE

    A 19-year-old Austrian citizen is apprehended for infecting a Linz-based organization with the Philadelphia ransomware.

  • RENSENWARE FEATURES OFFBEAT TACTICS

    A sample called RensenWare tells a victim to score more than 0.2 billion in the TH12 game, which is the only way to restore files.

  • $100,000+ MADE BY EXTORTION GROUP

    A single cybercrime ring reportedly made more than $100,000 by taking advantage of Apache Struts 0day vulnerability.

  • CRY9 RANSOMWARE DECRYPTED

    Emsisoft creates a decryptor for the Cry9 ransom Trojan, a CryptON spinoff that employs AES, RSA and SHA-512 crypto algos.

  • CRITICISM OVER SCADA RANSOMWARE CLAIMS

    Experts criticize Security Affairs for publishing a far-fetched analysis on SCADA ransomware called Clear Energy.

  • MATRIX CAMPAIGN ON THE RISE

    Matrix ransomware is reportedly being distributed via the RIG exploit kit, so it is shaping up to be a serious problem.

  • CERBEROS RANSOMWARE ISN’T CERBER AT ALL

    The new crypto-troublemaker called Cerberos is an offspring of the CyberSplitterVBS strain and has nothing to do with Cerber.

  • KILIT RANSOMWARE CREATION IN PROGRESS

    MalwareHunterTeam spots an in-dev sample configured to append the .kilit extension to files. No ransom note so far.

  • SERPENT STRAIN STILL ALIVE AND KICKING

    New Serpent edition uses the .serp file extension and README_TO_RESTORE_FILES.txt ransom how-to.

  • CRY9 DECRYPTOR ENHANCED

    Emsisoft updates their Cry9 decryptor to improve its performance and broaden ransomware version coverage.

  • NEW HIDDEN TEAR BASED RANSOMWARE SPOTTED

    Goes with a GUI, displays warning messages in Portuguese and concatenates the .locked string to hostage files.

  • BTCWARE INFECTION TWEAK

    The new variant of BTCWare strain instructs victims to contact the attackers via new email address lineasupport@protonmail.com.

  • ANOTHER INSTRUCTIVE RANSOMWARE SURFACES

    Called the “Kindest Ransomware ever”, this one locks files and decrypts them after the victim watches a security video online.

  • MOLE RANSOMWARE, NEW ONE ON THE TABLE

    Uses the .MOLE file extension and INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt decryption how-to.

  • REKT RANSOMWARE BEING CREATED

    According to researchers’ analysis, someone named (or nicknamed) Anthony is working on .rekt file ransomware.

  • NEW JIGSAW EDITION

    The latest Jigsaw ransomware variant displays ransom notes in French and concatenates the .crypte string to locked files.

  • IN-DEV EL-DIABLO RANSOMWARE FOUND

    MHT discovered an in-development sample dubbed El-Diablo. Its code contains references to the author’s name – SteveJenner.

  • DHARMA COPYCAT APPEARS

    New Globe v3 ransomware edition impersonates the Dharma strain. The file extension is .[no.torp3da@protonmail.ch].wallet.

  • FRESH JIGSAW RANSOMWARE SPINOFF IS UNDERWAY

    New Jigsaw variant uses the .lcked string to label scrambled files and displays a new desktop background to alert victims.

  • NEW RANSOMWARE BUILDER DISCOVERED

    Although this utility is quite primitive, it still provides wannabe crooks with source code to create viable ransomware.

  • CRADLE RANSOMWARE SOURCE CODE PUT UP FOR SALE

    Perpetrators behind the Cradle Ransomware start selling the source code they dubbed CradleCore. The price starts at 0.35 BTC.

  • CERBER AT THE TOP OF RANSOMWARE FOOD CHAIN

    According to Malwarebytes, the Cerber ransomware is today’s top crypto threat, with its current market share at 86.98%.

  • ONE MORE WANNABE CROOK ON THE RADAR

    A ne’er-do-well from Thailand is reportedly working on a Hidden Tear variant that uses the READ_IT_FOR_GET_YOUR_FILE.txt note.

  • HT VARIANT USING A SET OF EXTENSIONS

    New Hidden Tear offspring randomly chooses file extension out of .ranranranran, .okokokokok, .loveyouisreal, and .whatthefuck.

  • DISTRIBUTION CHANGE OF PYCL RANSOMWARE

    pyCL operators now use malign Word documents to spread the Trojan. The extension of locked files is .crypted.

  • DHARMA SWITCHES TO A NEW EXTENSION

    The latest edition of the Dharma ransomware concatenates the .onion string to encrypted files.

  • JIGSAW-STYLE SCREEN LOCKER

    New German screen locker displays an image of the Jigsaw movie character in its ransom note. Unlock code is HaltStopp! or 12344321.

  • SCHWERER RANSOMWARE SPOTTED

    Schwerer being the German for “harder”, this new ransomware is written in AutoIt. According to ESET, it’s potentially decryptable.

  • TROLDESH STRAIN UPDATED

    New Troldesh family rep affixes the .dexter extension to enciphered files. The ransom note is still README[random_number].txt.

  • RANSOMWARE WHOSE MAKERS ARE CONFICKER FANS

    Researchers spot a sample called C_o_N_F_i_c_k_e_r. It appends files with the .conficker suffix and uses Decrypt.txt ransom note.

  • MALABU RANSOM TROJAN

    The Malabu ransomware demands $500 worth of Bitcoin for file recovery. The amount doubles in 48 hours.

  • SNAKEEYE RANSOMWARE IN DEVELOPMENT

    Security analysts come across a sample called the SnakeEye ransomware. Its development is attributed to SNAKE EYE SQUAD.

  • VERY BUGGY TURKISH RANSOMWARE

    MHT discovers a strain made by someone from Turkey, which completely erases files rather than encrypting them.

  • KARMEN RAAS LAUNCHED

    Ransomware-as-a-Service portal called Karmen is made available to would-be cybercrooks. The code is based on Hidden Tear.

  • ATLAS RANSOMWARE APPEARS

    Concatenates the .ATLAS extension to cipher-affected files and leaves a decryption how-to called ATLAS_FILES.txt.

  • LOLI STRAIN RELEASED

    The name of this one is spelled “LOLI RanSomeWare”. It uses the .LOLI string to blemish scrambled files.

  • EXTERNAL TWEAK OF JIGSAW RANSOMWARE

    This Jigsaw version displays a ransom note with images of Joker and Batman in it. The file extension is .fun.

  • KARMEN MORPHS INTO MORDOR

    Karmen ransomware, which has been distributed on a RaaS basis since April 18, gets renamed to Mordor.

  • ANOTHER HT DERIVATIVE POPS UP

    New Hidden Tear version is discovered that stains files with the .locked extension. It’s buggy, so encryption doesn’t go all the way.

  • HIGH-PROFILE DISTRIBUTION OF AES-NI RANSOMWARE

    Operators of the new AES-NI ransomware reportedly use NSA exploit called ETERNALBLUE to contaminate Windows servers.

  • LOCKY MAKES QUITE A REAPPEARANCE

    Locky ransomware devs resume their extortion campaign with a big spam wave featuring fake payment receipts.

  • LOCKY STILL OPTS FOR THE NECURS BOTNET

    Just like last year, the massive malspam wave spreading Locky is reportedly generated by the Necurs botnet.

  • ACTIVE LOCKY VARIANT IS THE SAME AS BEFORE

    Perpetrators behind Locky are still distributing the OSIRIS edition of their ransomware, the one that was in rotation last December.

  • JEEPERSCRYPT TRYING TO BE SCARY

    New JeepersCrypt ransomware with Brazilian origin stains files with the .jeepers string and demands 0.02 BTC for decryption.

  • ID RANSOMWARE BECOMES MORE INTELLIGENT

    ID Ransomware service by MHT now allows identifying strains by email, Bitcoin address or URL from a ransom note.

  • AES-NI RANSOMWARE APPEARS

    This one appends the .aes_ni_0day extension to locked files and drops !!! READ THIS – IMPORTANT !!!.txt ransom note.

  • “HOPELESS” RANSOMWARE POPS UP

    Uses the .encrypted extension. The warning screen is titled “Sem Solução”, which is the Portuguese for “Hopeless”. Password is 123.

  • BREAKTHROUGH IN XPAN DECRYPTION

    Kaspersky Lab contrives a workaround to restore files with the .one extension encrypted by XPan ransomware variant.

  • GETREKT SPINOFF OF JIGSAW SPOTTED AND CRACKED

    Michael Gillespie, aka Demonslay335, discovers a Jigsaw ransomware variant using the .getrekt extension. His decryptor handles it.

  • PSHCRYPT IS NO BIG DEAL

    New sample concatenating the .psh string to encrypted files is easy to decrypt. Just entering the HBGP serial code works wonders.

  • FAILEDACCESS TROJAN CRACKED WHILE STILL IN-DEV

    Michael Gillespie’s StupidDecryptor can defeat the crypto of an in-development strain using the .FailedAccess extension.

  • CTF RANSOMWARE SURFACES

    Affixes the .CTF suffix to filenames and displays a fantasy-style background that says, “Hello… It’s me…”

  • PYTEHOLE RANSOMWARE UPDATE

    New spinoff of the pyteHole ransomware is discovered that concatenates the .adr extension to scrambled data entries.

  • MOLE RANSOMWARE DISTRIBUTION ON THE RISE

    This strain appends files with the .MOLE extension and propagates via phony Word sites that host a rogue MS Office plugin.

  • NMOREIRA 4 VARIANT ON THE LOOSE

    The sample in question uses the .NM4 string to blemish encoded files and leaves “Recovers your files.html” recovery how-to.

  • TWEAK OF THE CERBER RANSOMWARE

    Cerber now harnesses CVE-2017-0199 vulnerability to spread and drops “_!!!_README_!!!_[random]_.hta/txt” ransom notes.

  • “INTERNATIONAL POLICE ASSOCIATION” RANSOMWARE

    Impersonates IPA, moves files to a password-protected ZIP archive, and uses the .locked extension. Password is ddd123456.

  • FRESH UPDATE OF THE JIGSAW RANSOMWARE

    The latest Jigsaw variant appends scrambled files with the .Contact_TarineOZA@Gmail.com suffix. Still decryptable.

  • DETAILS OF CERBER’S NEW TACTIC UNVEILED

    The detailed write-up describes new malspam wave distributing Cerber ransomware and CVE-2017-0199 vulnerability use.

  • MORDOR RANSOMWARE CAMPAIGN KICKS OFF

    New Hidden Tear based Mordor (aka Milene) ransomware uses the .mordor file extension and READ_ME.html ransom manual.

  • INDONESIAN HT SPINOFF IN DEVELOPMENT

    A Hidden Tear variant is spotted that uses the .maya file extension and READ ME.txt ransom note with text in Indonesian.

  • DELPHI-BASED RSAUTIL RANSOMWARE RELEASED

    New RSAUtil sample stains files with the .helppme@india.com.ID[8_chars] suffix and drops How_return_files.txt help document.

  • DEADSEC-CRYPTO V2.1 IS ABOUT TO GO LIVE

    Brazilian in-dev strain called DeadSec-Crypto v2.1 is discovered. It uses thecracker0day@gmail.com email token.

  • CRYPTOMIX UPDATE

    The newest iteration of the CryptoMix ransom Trojan uses the .wallet extension and #_RESTORING_FILES_#.txt ransom note.

  • MIKOYAN ENCRYPTOR DISCOVERED

    Concatenates the .MIKOYAN extension to every ransomed file and uses mikoyan.ironsight@outlook.com email token.

  • EXTRACTOR RANSOMWARE

    Indicators of compromise for new Extractor ransomware include the .xxx extension and ReadMe_XXX.txt decryption help file.

  • RUBY RANSOMWARE IS NOTHING SPECIAL

    In-development Ruby pest appends files with an apropos .ruby string and drops a recovery how-to named rubyLeza.html.

  • ANOTHER TROLDESH OFFSPRING POPS UP

    Fresh variant from the Troldesh family blemishes locked files with the .crypted000007 extension and uses README.txt note.

  • MAYKOLIN RANSOMWARE SPOTTED

    Uses the .[maykolin1234@aol.com] string to label encoded data and leaves a help file named README.maykolin1234@aol.com.txt.

  • AMNESIA STRAIN’S NAME IS SELF-EXPLANATORY

    Denies access to personal files, appends the .amnesia extension to each one and drops a TXT ransom note.

  • FILEFROZR SHAPING UP TO BE A BIG PROBLEM

    Brand-new FileFrozr Ransomware includes data wiping capabilities. Drops a how-to recovery manual named READ_ME.txt.

  • ONE MORE BREAKTHROUGH BY EMSISOFT

    Emsisoft’s Fabian Wosar creates a free decryption tool for the Cry128 edition of CryptON ransomware.

  • CRYPTOBOSS SAMPLE APPEARS

    Amnesia ransomware spinoff jumbles filenames and stains them with the .cryptoboss extension.

  • GLOBEIMPOSTER EDITION WITH SOME FRESH MAKE-UP

    A GlobeImposter ransomware variant is spotted that uses the .keepcalm file extension and keepcalmpls@india.com email address.

  • F**KTHESYSTEM RANSOMWARE

    This one is quite primitive in terms of the design and crypto. Concatenates the .anon extension to locked files.

  • VCRYPT SAMPLE WITH GEO-RESTRICTIONS

    The vCrypt ransom Trojan zeroes in on Russian-speaking users. It appends the .vCrypt1 extension to every hostage data object.

  • RANSOMWARE CALLED PEC 2017

    Italian PEC 2017 strain affixes the .pec string to filenames and drops a help file called AIUTO_COME_DECIFRARE_FILE.html.

  • LOW-LEVEL HATERS RANSOMWARE

    Concatenates the .haters extension to ciphered entries. Has encryption flaws that allow for successful decryption free of charge.

  • XNCRYPT STRAIN SURFACES

    Locks the screen and blemishes files with the .xncrypt extension. The unlock code is 20faf12b60854f462c8725b18614deac.

  • SAMPLE SPOTTED THAT’S MORE THAN JUST RANSOMWARE

    Researchers from G Data came across a new in-dev ransom Trojan that combines regular extortion with spyware features.

  • CERBER VERSION 6 IS OUT

    The latest Cerber ransomware edition boasts improved encryption, AV evasion, anti-sandboxing and a few more new capabilities.

  • BTCWARE MALADY UPDATED

    The only conspicuous change made to BTCWare as part of this update is the .cryptowin string added to filenames.

  • ANOTHER SCREEN LOCKER IS ON ITS WAY

    Security analysts discover a new unnamed in-development screen locking Trojan. The unlock password is KUrdS12@!#.

  • FIRST UPDATE OF SHELLLOCKER

    ShellLocker ransomware, which appeared in November 2016, spawns its first new variant since then, called X0LZS3C.

  • BTCWARE RANSOMWARE CRACKED

    Researchers create a decryptor for BTCWare. The tool can restore .cryptowin, .cryptobyte and .btcware extension files for free.

  • CLOUDED RANSOMWARE, A BUGGY ONE

    Generates a separate crypto key for each file and doesn’t store these keys anywhere. Concatenates the .cloud extension.

  • GLOBEIMPOSTER PROPPED BY NEW SPAM WAVE

    The so-called “Blank Slate” malspam campaign begins spreading the newest edition of the GlobeImposter ransomware.

  • RANS0MLOCKED SAMPLE

    The Rans0mLocked infection appends files with the .owned extension and demands 0.1 BTC for decryption.

  • PORTUGUESE ANTI-DDOS RANSOMWARE

    This sample, based on open-source ransomware code, is a combo of screen locker and file encoder. Arrives as the Anti-DDos.exe file.

  • FATBOY RAAS LAUNCHED

    Russian crooks start an underground marketing campaign supporting new Ransomware-as-a-Service platform called Fatboy.

  • CCGEN 2017 VARIANT OF JIGSAW RANSOMWARE

    The payload for this new Jigsaw spinoff is disguised as a credit card generator. This pest adds the .fun extension to filenames.

  • INDICATORS OF COMPROMISE FOR NEWHT RANSOMWARE

    NewHT, which might stand for “New Hidden Tear”, uses the .htrs file extension and readme.txt help file.

  • NON-STANDARD TACTIC OF ZIPLOCKER SPECIMEN

    ZipLocker moves files to a password-protected ZIP archive (password is “Destroy”) and adds UnlockMe.txt ransom note.

  • ENJEY RANSOMWARE UPDATE

    New Enjey variant switches to using the .encrypted.decrypter_here@freemail.hu.enjey extension for hostage files.

  • DECRYPTOR AVAILABLE FOR AMNESIA RANSOMWARE

    Emsisoft security vendor creates a free decryption tool for the Amnesia ransom Trojan.

  • NEW JIGSAW VARIANT IS OUT

    The latest edition of Jigsaw ransomware uses the .PAY extension to label encrypted files. Still decryptable.

  • FILE FROZR RAAS DETAILS

    Crooks market the Ransomware-as-a-Service called File Frozr as a “great security tool”. The usage cost is $220.

  • CRYPTO-BLOCKER CAMPAIGN FAILS

    Crude ransom Trojan called Crypto-Blocker appears, asks for 10 USD or EUR. Researchers retrieve the unlock code, which is 01001.

  • THUNDERCRYPT SPREADS VIA ONLINE FORUM

    IT analysts discover that the ThunderCrypt ransomware is using a Taiwan forum as a springboard for propagation.

  • RANSOMWARE-RELATED LAWSUIT

    A law firm from Rhode Island tries to get $700,000 compensation from an insurance company over ransomware losses.

  • BITKANGOROO RANSOMWARE ERASES DATA

    Unless paid, the BitKangoroo ransomware, which appends the .bitkangoroo extension to files, will be deleting one file every hour.

  • GRUXER RANSOMWARE IS OFF THE BEATEN TRACK

    New sample called Gruxer arrives with a loader composed of Hidden Tear based code, a screen locker, and an image-scrambling module.

  • BTCWARE STRAIN REFRESHED

    Another variant of BTCWare crypto pest concatenates the .[sql772@aol.com].theva string to every ransomed file.

  • NEMES1S RANSOMWARE-AS-A-SERVICE

    It turns out that newly discovered NemeS1S RaaS props a recent wave of PadCrypt ransomware attacks.

  • RSAUTIL SAMPLE PLANTED ON COMPUTERS MANUALLY

    RSAUtil ransomware, which uses the .helppme@india.com extension, arrives at PCs via RDP services cracked by extortionists.

  • RUSSIAN VCRYPT RANSOMWARE

    Targets Russian users, adds the .vCrypt1 suffix to files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.

  • SCREEN LOCKER FEATURING A BIT OF POLITICS

    A ransomware is spotted that displays images of South Korean election candidates on its warning screen.

  • A LIKELY NEW LOCKY VARIANT SURFACES

    Following the Osiris edition of the Locky ransomware, another possible spinoff appears that uses the .loptr file extension.

  • AMNESIA DECRYPTOR UPDATED

    Emsisoft’s CTO Fabian Wosar publishes an update for his Amnesia ransomware decryptor that supports all variants.

  • JAFF RANSOMWARE GOES LIVE

    A Locky lookalike is discovered that appends files with the .jaff extension and demands a whopping 2 BTC, or about $3500.

  • IN-DEPTH ANALYSIS OF JAFF PUBLISHED

    Emsisoft does a write-up on the new Jaff ransomware, analyzing its ostensible ties with the Locky plague.

  • SLOCKER TROJAN RE-EMERGES

    A cybercrime group behind Android ransomware called SLocker spawns 400 new spinoffs making the rounds after a long hiatus.

  • EXTERNAL CHANGE OF GRUXER

    Updated Gruxer strain displays a Matrix movie-style warning screen but fails to complete the encryption routine.

  • ACRYPT SAMPLE BECOMES BCRYPT

    This lineage started with vCrypt, then changed to aCrypt followed by bCrypt. The crooks must have run out of creativity, obviously.

  • WANA DECRYPT0R 2.0 IS ON A POWERFUL RISE

    Aka WannaCry, it labels locked files with the .WNCRY extension. Hits Spain’s telco provider Telefonica, disrupting its operations.

  • HIGH-PROFILE PROPAGATION OF WNCRY STRAIN

    The .WNCRY file ransomware (Wana Decrypt0r) uses previously leaked NSA exploits to infect numerous PCs around the globe.

  • WANA DECRYPT0R KEEPS IMPRESSING

    The specimen continues to affect home users and large companies, most of which are in the UK, Spain, Russia, Ukraine, and Taiwan.

  • USAGE OF NSA EXPLOITS BY WNCRY EXPLAINED

    Most infection instances involve the ETERNALBLUE exploit dumped by the Shadow Brokers hacker ring recently.

  • RESEARCHERS CREATE WANNACRY HEAT MAP

    The New York Times aggregates information on reported WannaCry infection instances and creates a live global heat map.

  • INTERESTING WRITE-UP ON WNCRY VIRUS

    Malwarebytes security firm publishes a comprehensive technical report on the newsmaking Wana Decrypt0r 2.0 threat.

  • WANNACRY CAMPAIGN INTERRUPTED BY CHANCE

    Researcher going by the alias MalwareTech registers a domain involved in WannaCry outbreak, thus disrupting the wave for a while.

  • MICROSOFT TRYING TO THWART WNCRY EPIDEMIC

    The corporation rolls out a patch for Windows XP/8/Server 2003, having previously done the same for newer OS editions.

  • IN-DEV TDELF SAMPLE

    Security experts come across a new in-development strain that’s configured to concatenate the .tdelf string to hostage files.

  • SECRETSYSTEM RANSOM TROJAN

    Uses the .slvpawned extension to mark encrypted data. Crackable with StupidDecryptor tool made by Michael Gillespie.

  • MINOR CHANGE OF VCRYPT

    Similarly to a few previous tweaks, the only change made to vCrypt ransomware is a different first letter, so it’s now xCrypt.

  • ZELTA RANSOMWARE REPRESENTS A KNOWN LINEAGE

    A new variant of the Stampado strain called Zelta surfaces. It subjoins the .locked suffix to enciphered files.

  • PROOF OF IMMENSE WANNACRY ACTIVITY

    Security analyst from France deliberately sets up a honeypot server, and it gets hit by WannaCry 6 times in an hour and a half.

  • MICROSOFT ON WANNACRY OUTBREAK

    Microsoft’s Chief Legal Officer publishes a write-up accusing the NSA of failing to properly protect the exploits it had discovered.

  • FAKE JIGSAW RANSOMWARE

    This Jigsaw strain lookalike uses the .fun extension for locked files. The password to decrypt is FAKEJIGSAWRansomware.

  • GLOBEIMPOSTER UPDATE

    New GlobeImposter edition takes after Dharma in that it uses the .wallet extension. The ransom note is how_to_back_files.html.

  • GRUXER EVOLUTION MOVES ON

    Another version of the relatively new GruXer ransomware appears. Just like its predecessor, it has crypto imperfections.

  • WANNACRY COPYCATS POP UP

    Several replicas of WannaCry are spotted in the wild, including one called DarkoderCrypt0r and a customizable ransomware builder.

  • WANNACRY VERSION WITH NEW KILL SWITCH

    WannaCry strain starts using a new domain as a kill switch. Researchers promptly register this domain and thus interrupt the wave.

  • EDITION OF WANNACRY WITH NO KILL SWITCH

    Someone reportedly tried to launch a WannaCry variant that doesn’t use a kill switch. Fortunately, the attempt failed.

  • PHILADELPHIA RANSOMWARE SPREADING WITH COMPANY

    New variant of the Philadelphia strain is deposited on computers via RIG exploit kit, along with the Pony info-stealing virus.

  • FRESH BTCWARE VARIANT IS OUT

    BTCWare edition dubbed Onyonlock appends the .onyon suffix to encrypted files and drops !#_DECRYPT_#!.inf ransom how-to.

  • MAY RANSOMWARE APPEARS

    The sample called May Ransomware uses the .locked or .maysomware extension and Restore_your_files.txt help file.

  • FOUL PLAY BY KEE RANSOMWARE

    This one displays a warning window titled @kee and does not provide any chance to restore data, not even through payment.

  • FARTPLZ SAMPLE IS NO JOKE

    The strain in question stains files with the .FartPlz extension and creates a ransom note named ReadME_Decrypt_Help_.html.

  • MONERO MINER TURNS OUT A VACCINE FOR WANNACRY

    A Monero cryptocurrency miner dubbed Adylkuzz shuts down SMB networking on the hosts it infects, which as a side effect keeps WannaCry from getting in the same way.

  • USERS MOCKING WANNACRY UBIQUITY

    People make Internet memes about WannaCry Trojan, posting self-made pictures with the ransom screen on various devices.

  • HAPPY ENDING FOR BTCWARE VICTIMS

    Someone posted Master Decryption Key for BTCWare infection. Researchers quickly came up with a free decryptor.

  • WANNA SUBSCRIBE 1.0

    This Java-based WannaCry copycat doesn’t do any crypto but instead instructs victims to subscribe to a specified YouTube channel.

  • NEW XORIST EDITION RELEASED

    Brand-new offspring of the Xorist family is spotted. It affixes the .SaMsUnG string to encoded data entries.

  • A PARTICULARLY HOSTILE JIGSAW VARIANT

    An iteration of the Jigsaw ransomware goes live that blemishes victims’ files with the .die extension.

  • LOCKOUT SAMPLE STARTS PROPAGATING

    Appends the .Lockout extension to files, drops Payment-Instructions.txt ransom note and displays a warning message before startup.

  • SPORA WON’T STOP SPREADING

    Although the Spora ransomware campaign slowed down lately, it is regaining momentum, according to ID Ransomware service.

  • POSSIBLE TIES BETWEEN LAZARUS GROUP AND WANNACRY

    Some researchers claim WannaCry code resembles that of malware used by the Lazarus Group, a hacking crew linked to North Korea.

  • GLOBEIMPOSTER SPAWNS MORE VARIANTS

    Two new editions of GlobeImposter ransomware surface. They use the .hNcrypt and .nCrypt extensions for encrypted files.

  • UIWIX TAKES AFTER WANNACRY IN A WAY

    The new Uiwix ransomware (.UIWIX extension, _DECODE_FILES.txt how-to) is reportedly proliferating via the EternalBlue exploit.

  • WALLET RANSOMWARE IS NOW DECRYPTABLE

    An anonymous person posts Master Decryption Keys for Wallet ransomware on BleepingComputer forums. Avast releases a free fix.

  • HATERS STRAIN DISGUISED AS WANNACRY

    Authors of the Haters ransomware release an Indonesian variant that pretends to be WannaCry. Includes a PayPal ransom option.

  • SOME EXPERT DISCUSSION ABOUT WANNACRY OUTBREAK

    An entry is posted on Emsisoft blog, where researchers shed light on nuances of the WannaCry ransomware campaign.

  • ONE MORE REPLICA OF WANNACRY

    Called WannaCry Decryptor v0.2, this one goes ahead and erases victims’ files with no recovery option.

  • RAY OF HOPE FOR WANNACRY VICTIMS

    Security analyst Benjamin Delpy creates a tool called WanaKiwi that decrypts WannaCry-locked files under certain conditions: the infected machine must not have been rebooted and the malware process must still be resident, so that the primes of the per-victim RSA key can be recovered from its memory.
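
The condition matters because of how the recovery works: WannaCry generates its per-victim RSA key with the Windows CryptoAPI, which does not scrub the primes from the process’s memory, so as long as the process has not been killed and the box has not been rebooted, a prime can be scavenged and the private key rebuilt. The Python below is an added illustration of that reconstruction step, not WanaKiwi’s code: it uses a toy 256-bit key, a constructed “memory dump” with junk around one prime, and a hypothetical per-file key as the RSA-wrapped payload.

```python
# Added example, not WanaKiwi's code: rebuild an RSA private key from a single prime
# scavenged out of memory. Toy 256-bit modulus and a constructed dump; the real tool
# walks the live wcry process for primes the CryptoAPI left behind.
import random
from math import gcd


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime of exactly `bits` bits (top bit forced so the modulus has full size)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=256, seed=1):
    """Toy RSA key pair (WannaCry's per-victim key is 2048-bit; 256 keeps the demo instant)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p, q)


def scan_memory_for_prime(dump, n, prime_bytes):
    """Slide a window over the dump. CryptoAPI key blobs hold integers little-endian,
    so read each window that way and test whether it is a non-trivial factor of n."""
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_key(e, n, p):
    """With one prime known the other is n // p, and d follows from phi(n)."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    """Constructed scenario: junk bytes around one prime, as a dump of the malware
    process might look. Returns (prime found, d matches, wrapped key unwraps)."""
    (e, n), (d, p, q) = gen_keypair()
    rng = random.Random(7)
    junk = lambda k: bytes(rng.randrange(256) for _ in range(k))
    dump = junk(40) + p.to_bytes(16, "little") + junk(40)
    found = scan_memory_for_prime(dump, n, 16)
    d_rebuilt = rebuild_private_key(e, n, found)
    file_key = int.from_bytes(b"per-file AES key", "big")  # hypothetical RSA-wrapped payload
    return found == p, d_rebuilt == d, pow(pow(file_key, e, n), d_rebuilt, n) == file_key


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The scan is deliberately dumb: every 16-byte window is tried as a divisor of the public modulus, which is cheap and needs no knowledge of the key-blob layout. Against a real 2048-bit key the window is 128 bytes and the dump is the whole process, but the test is the same.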

  • MEDICAL EQUIPMENT EXPOSED TO WANNACRY ATTACKS

    The WannaCry ransomware reportedly infected a Windows-based medical radiology device in a U.S. hospital.

  • XDATA SAMPLE WREAKING HAVOC IN UKRAINE

    This one uses the .~xdata~ file extension and HOW_CAN_I_DECRYPT_MY_FILES.txt ransom note. Mostly spreads in Ukraine.

  • BTCWARE DECRYPTOR ENHANCED

    Free decryption tool for BTCWare now supports the .onyon and .theva file extension variants of this strain.

  • YURIZ MA SCREEN LOCKER FAILS TO CAUSE DAMAGE

    This new screen locker displays a warning message saying, “Hacked by Yuriz MA”. Fortunately, it can be closed via Alt+F4.

  • YET ANOTHER WANNACRY REPLICA

    One more WannaCry lookalike called Wana Decrypt0r 3.0 is spotted in the wild. It fails to encrypt any files.

  • VISIONCRYPT 2.0 RANSOMWARE POPS UP

    This specimen uses the .VisionCrypt extension and doesn’t change original filenames. Attackers’ email is VisionDep@sigaint.org.

  • RANSOMWARE PILFERING IMAGES

    MHT spots a sample that transmits a victim’s image files to the attacker’s email address and then deletes them from the PC.

  • ONE MORE WANNACRY KNOCKOFF

    Unlike the other copycats, this one’s warning screen is titled after the original ransomware (Wana Decryptor 2.0). No crypto so far.

  • DECRYPTION ASSISTANT RANSOMWARE

    The development of this sample is still in progress. It is set to concatenate the .pwned string to enciphered entries.

  • IN-DEV D2+D RANSOMWARE

    Another unfinished extortion program. While it does no crypto so far, the hard-coded password is 215249148.

  • “UNIDENTIFIED” SCREEN LOCKER

    Although this screen locker hasn’t gone live yet, researchers were able to get hold of the would-be unlock password.

  • BTCWARE DECRYPTOR TWEAK

    The latest edition can decrypt .onyon extension files up to 1270896 bytes even if it fails to retrieve the decryption key.

  • NORTH KOREA’S STATEMENT ON WANNACRY EPIDEMIC

    In response to security experts’ verdicts, North Korean representative at the UN claims his state has nothing to do with WannaCry.

  • WANNACRY SPINOFFS FRENZY CONTINUES

    One more replica of WannaCry called Wana DecryptOr 2.0 pops up. The warning screen is identical to the original’s.

  • VMOLA RANSOMWARE HUNT KICKS OFF

    Researchers declare a ransomware hunt for the sample that uses the (Encrypted_By_VMola.com) file extension token.

  • JAFF RANSOMWARE UPDATE

    The new edition appends the .wlu extension to encoded files. It still uses spam to propagate.

  • CVLOCKER, A NEW CRUDE SAMPLE

    This one is currently in development. It is configured to delete a victim’s files unless a payment is sent within a specified deadline.

  • ROMANIAN SCREEN LOCKER CALLED WIDIA

    Widia’s warning states it has encrypted data, but it’s in fact just a primitive screen locker that can be bypassed via Alt+F4.

  • LAME FBI LOCKER IS OUT

    Dubbed MemeWare, this screen locker pretends to be from the FBI. Accepts ransoms over MoneyPak. Unlock code is 290134884.

  • ELMER’S GLUE LOCKER V1.0

    The lock screen says, “Your computer has been locked with very sticky Elmers Glue,” whatever that means. Removable in Safe Mode.

  • NEW HT SPINOFF SPOTTED

    Another Hidden Tear POC derivative dubbed Deos demands 0.1 BTC for decryption. Its crypto is critically flawed, and it fails to encrypt properly.

  • .WTDI FILE BADDIE ON THE TABLE

    This sample is a .NET edition of the CryptoWall ransom Trojan. It uses the .wtdi file extension and displays a warning message in Russian.

  • FRAUDSTERS CASHING IN ON WANNACRY EPIDEMIC

    A scam alert is issued regarding growing tech support frauds that use the fuss around WannaCry to rip off gullible users.

  • MOWARE H.F.D PEST SURFACES

    Said malware is an umpteenth offspring of Hidden Tear POC in the wild. Appends files with the .H_F_D_locked extension.

  • ONE MORE DECRYPTOR FOR BTCWARE CREATED

    Avast devises a free decryption tool for BTCWare that supports all variants of this crypto pest.

  • XDATA LOOKALIKE FROM A KNOWN FAMILY

    A version of the Xorist ransomware is out that mimics the recent XData infection. Similarly to its prototype, it uses the .xdata file suffix.

  • ADONIS RANSOMWARE IS ALL ABOUT BLUFF

    Coded in AutoIT, the Adonis ransomware claims to encrypt data but it actually doesn’t. And yet, it leaves DE.html and EN.html notes.

  • NEW THOR RANSOMWARE, NOTHING TO DO WITH LOCKY

    This in-development sample doesn’t use any extension to flag ransomed files. Replaces desktop background and demands 0.5 BTC.

  • EXTREMELY DESTRUCTIVE STRAIN SPREADING

    Ransomware that runs as a ‘mother of all viruses.exe’ process wipes all HDD volumes rather than encoding data.

  • TIES BETWEEN 4RW5W PEST AND WANNACRY

    The 4rw5w crypto virus also uses a kill switch principle and similar names for auxiliary files. The extension is .4rwcry4w.

  • MASTER DECRYPTION KEYS FOR AES-NI AVAILABLE

    The author of the AES-NI ransomware releases decryption keys so that victims can restore their files for free.

  • WANNACRY DEV MOST LIKELY SPEAKS CHINESE

    Having scrutinized WannaCry ransom how-to files, linguists concluded that the maker’s native language is most likely Chinese.

  • LIGHTNING CRYPT RANSOMWARE APPEARS

    This new strain has moderate demands, asking for 0.17 BTC. Affixes the .lightning extension to ransomed data entries.

  • CRYSTALCRYPT RANSOM TROJAN

    CrystalCrypt is a Lightning Crypt remake. It appends victims’ files with the .blocked extension.

  • MANCROS+AI4939 RANSOMWARE

    The sample called Mancros+AI4939 is in fact a screen locker that doesn’t actually do crypto. It requests $50 worth of Bitcoin.

  • BTCWARE TWEAK

    BTCWare ransom Trojan has switched to using the .xfile suffix to label hostage files. The existing decryptor already supports it.

  • DMA LOCKER 3, NEW VARIANT OF OLD RANSOMWARE

    This fresh spinoff of the DMA Locker ransomware uses the !Encrypt! filemarker, data0001@tuta.io email address, and asks for 1 BTC.

  • AUTOMATIC TOOL NOW DECRYPTS AES-NI RANSOMWARE

    Avast security vendor uses the previously released master decryption keys for AES-NI to create a free decryptor.

  • LOW-LEVEL WANADIE RANSOMWARE

    It’s based on buggy open-source ransomware code. Appends the .WINDIE string to encrypted files. Crackable with StupidDecryptor.

  • ENHANCEMENTS MADE TO STUPIDDECRYPTOR

    The StupidDecryptor solution by Michael Gillespie (@demonslay335) is updated to support .fucking and .WINDIE extension strains.

  • CRYING RANSOMWARE CODING IN PROGRESS

    Analysts stumble upon an in-dev sample that uses the .crying file extension and READ_IT.txt ransom instructions.

  • ROBLOCKER X INFECTION BEING CREATED

    In-dev Roblocker X claims to encrypt Roblox game files but only locks the screen instead. The unlock password is currently ‘PooPoo’.

  • GLOBEIMPOSTER REMAKE

    The newest variant of GlobeImposter ransomware concatenates the .write_us_on_email string to each enciphered file.

  • DVIIDE, ANOTHER RUN-OF-THE-MILL RANSOMWARE

    The sample with bizarre name “Dviide” appends encrypted files with the .dviide extension. Uses a primitive warning window.

  • NEW CHINESE SCREEN LOCKER

    The lock screen is in Chinese. This low-impact Trojan also displays QR code to streamline the ransom payment routine.

  • LOCKEDBYTE RANSOMWARE

    This one employs XOR encryption and stains hostage files with random extensions. The ransom note is hard to read due to font color.
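
LockedByte’s reliance on XOR is the reason strains like it (and the Xorist family noted above) tend to be decryptable: a repeating XOR key leaks completely from a single known file. The Python below is an added illustration of that known-plaintext recovery, not LockedByte’s code; the 16-byte key, the sample files and the assumption that the key restarts at the beginning of each file are constructed for the demo.

```python
# Added example, not LockedByte's code: recovering a repeating XOR key from one
# (encrypted, original) file pair and using it to decrypt everything else.
from itertools import cycle


def xor_bytes(data, key):
    """XOR data against a repeating key; encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext, known_plaintext):
    """Keystream = ciphertext XOR plaintext, over the region where the plaintext is known."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def find_period(keystream, max_len=64):
    """Smallest p such that the keystream repeats every p bytes. A period is only
    accepted when the keystream is at least 2*p long, so the repeat is actually observed."""
    for p in range(1, max_len + 1):
        if 2 * p > len(keystream):
            return None
        if all(keystream[i] == keystream[i - p] for i in range(p, len(keystream))):
            return p
    return None


def recover_key(ciphertext, known_plaintext):
    """Derive the repeating key from one encrypted file plus its pristine copy."""
    keystream = recover_keystream(ciphertext, known_plaintext)
    period = find_period(keystream)
    if period is None:
        raise ValueError("known plaintext too short to determine the key length")
    return keystream[:period]


# Attacker side (constructed): a 16-byte key the defender never sees.
ATTACKER_KEY = b"L0ck3dByt3_k3y!!"


def demo():
    """One pristine copy of any encrypted file (a stock wallpaper, a re-downloadable
    installer) is enough to recover the key and decrypt every other file."""
    wallpaper = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2           # constructed, re-downloadable
    tax_form = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 3   # constructed, victim-only
    enc_wallpaper = xor_bytes(wallpaper, ATTACKER_KEY)
    enc_tax_form = xor_bytes(tax_form, ATTACKER_KEY)
    key = recover_key(enc_wallpaper, wallpaper)   # defender holds only the ciphertext and the original
    return key, xor_bytes(enc_tax_form, key)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("decrypted head:", plaintext[:20])
```

If the known file is shorter than twice the key length, `find_period` refuses to guess rather than returning a wrong period; in practice a defender picks the longest file for which an original exists. Strains that derive a fresh key per file or seed the XOR from a file offset need a different angle, but the repeat-period check above is the first thing to try.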

  • EXTORTIONIST LEVERAGING REMOTE ACCESS TROJAN

    An individual nicknamed “vicswors baghdad” is trying his hand at deploying the Houdini RAT and MoWare H.F.D. ransom Trojan.

  • BLACKSHEEP INFECTION DOESN’T LIVE UP TO ITS NAME

    The ransomware called BlackSheep concatenates the .666 extension to files and demands $500 worth of BTC. Nothing special about it.

  • 1337LOCKER RANSOMWARE

    This new strain jumbles filenames and affixes the .adr string to them. Uses the AES-256 cryptosystem.

  • DOLPHINTEAR, AN UMPTEENTH HT OFFSPRING

    Unidentified crooks used open-source code of Hidden Tear PoC to create yet another derivative called DolphinTear (.dolphin extension).

  • RANSOM TROJAN USING WINRAR

    Rather than encrypting files directly, the new sample moves one’s data into encrypted WinRAR archives. It’s currently in development.

  • SINTALOCKER STRAIN REPRESENTING A KNOWN FAMILY

    Researchers from GData come across a CryPy spinoff called SintaLocker. It uses the README_FOR_DECRYPT.txt ransom note.

  • NEW RANSOMWARE WITH NO NAME

    A sample is spotted that displays a window reading, “Your files have been blocked”. Demands $50 worth of Bitcoin.

  • JIGSAW VERSION WITH NEW BACKGROUND

    The makers of Jigsaw ransomware switch to a new theme for their warning screen, which now depicts a scary clown.

  • IM SORRY RANSOMWARE FROM POLITE CROOK

    Concatenates the .imsorry string to encrypted files and adds a ransom note called “Read me for help thanks.txt”.

  • ID RANSOMWARE ENHANCEMENTS ARE UNDERWAY

    The ID Ransomware service by MalwareHunterTeam is now capable of recognizing 400 ransomware strains. Thumbs up to MHT.

  • SEVERAL MORE DECRYPTORS CREATED

    Avast and CERT Polska cook up free decryption tools for the AES-NI, BTCWare and Mole ransomware.

  • R3STORE RANSOMWARE

    The specimen in question uses the .r3store file extension and READ_IT.txt ransom note. Demands $450 worth of Bitcoin.

  • DMA LOCKER KNOCKOFF DISCOVERED

    A replica of the DMA Locker ransomware pops up. Uses a slightly modified binary and the same GUI except for the name attribute.

  • WANNACRY STATS CORRECTION

    According to new research, Chinese users – not Russian – suffered the heaviest blow from the WannaCry ransomware.

  • UNEXPECTED TURN OF EVENTS WITH XDATA

    XData ransomware dev releases Master Decryption Keys. Security vendors, including Avast, ESET and Kaspersky, create decryptors.

  • BLOOPERS ENCRYPTER 1.0

    This one claims to encode data but actually fails to. It is easy to remove with commonplace AV tools, which fixes the problem.

  • ANDONIO RANSOMWARE IS NO BIG DEAL

    Only encrypts data on the desktop, uses the .andonio extension and a help file named READ ME.txt. It is a Hidden Tear variant.

  • GRODEXCRYPT IS CRYPT888 IN DISGUISE

    New GrodexCrypt Trojan is based on Crypt888 ransomware but additionally uses a GUI. Demands $50 worth of BTC. Decryptable.

  • OOPS RAMENWARE SAMPLE SPOTTED

    Instead of applying crypto, the strain called OoPS Ramenware moves files to password-protected ZIP archive with .ramen extension.

  • AMNESIA RANSOMWARE UPDATE

    The latest Amnesia edition uses the .TRMT file extension and HOW TO RECOVER ENCRYPTED FILES.txt ransom how-to.

  • BRICKR STRAIN SURFACES

    Concatenates the .brickr suffix to scrambled files and drops a recovery manual named READ_DECRYPT_FILES.txt.

  • THE UNUSUAL RESURRECTION-RANSOMWARE

    Affixes the .resurrection extension to files and uses README.html ransom note. Also plays a music box-ish melody.

  • KILLSWITCH RANSOMWARE IS ALMOST HERE

    The in-dev sample called KillSwitch appends the .switch extension to ransomed files. Quite crude at this point.

  • LUXNUT, ONE MORE POC SPINOFF

    Crooks used the code of EDA2 proof-of-concept to create Luxnut ransomware, which concatenates the .locked extension to files.

  • CRYPTO HOAX POSING AS MS SECURITY ESSENTIALS

    The ransom note of this new sample is titled “Microsoft Security Essentials”. It requests $400 worth of Bitcoin for decryption.

  • SCREEN LOCKER CALLED BLUEHOWL

    Provides a 72-hour deadline for payment, demands 0.2 BTC and displays QR code to facilitate the process of submitting the ransom.

  • AMNESIA V2 DECRYPTED

    Thanks to Emsisoft, victims of the Amnesia2 variant can now decrypt their data with a free decryption tool.

  • LOTS OF HADOOP SERVERS STILL HELD FOR RANSOM

    About 200 Hadoop servers around the globe reportedly remain hijacked – either due to infamous January campaign or a current one.

  • GERMAN CAINXPII SCREEN LOCKER

    The strain dubbed CainXPii most likely represents the same lineage as the older Hitler ransomware. Demands €20 via PaySafeCard.

  • THE SIMPLISTIC JOKSY RANSOMWARE

    Joksy locks the screen with a warning message in Lithuanian. The ransom is payable via PayPal, which reflects the crooks’ poor OPSEC.

  • LOCKCRYPT STRAIN POPS UP

    This infection appends files with victim ID followed by the .lock string and drops a ransom how-to called ReadMe.txt.

  • TURKISH JIGSAW VARIANT RELEASED

    Called the Ramsey Ransomware, this Jigsaw offspring displays a warning message in Turkish and uses the .ram file extension.

  • EXECUTIONER RANSOMWARE

    This new Hidden Tear derivative blemishes encrypted files with random extensions and drops Sifre_Coz_Talimat.html ransom note.

  • HT-BASED MORA PROJECT RANSOMWARE

    Another infection based on Hidden Tear PoC. Uses the .encrypted file extension and ReadMe_Important.txt recovery how-to.

  • STRUTTERGEAR, A FRESH JIGSAW VERSION

    The Jigsaw ransomware edition dubbed StrutterGear displays a ransom note with lots of swear words and demands $500 worth of BTC.

  • TIES BETWEEN JAFF STRAIN AND CYBERCRIME WEB STORE

    The Jaff ransomware turns out to use server space provided by the PaySell cybercrime marketplace based in St. Petersburg, Russia.

  • JIGSAW FAMILY KEEPS SPAWNING CLONES

    A Jigsaw variant surfaces that concatenates the .lost extension to ransomed files.

  • THE DECEPTIVE MRLOCKER SAMPLE

    The malware called Mr.Locker is quite an impostor. It claims to delete one’s files unless paid, but doesn’t pose any real risk in fact.

  • MORE JIGSAW EDITIONS ARE NOW DECRYPTABLE

    ID Ransomware maker Michael Gillespie updates his Jigsaw decryption tool so that it supports .lost, .ram and .tax extension versions.

  • THE DARK ENCRYPTOR, A JIGSAW LOOKALIKE

    This one stains hostage files with the .tdelf extension and generates a desktop background reminiscent of Jigsaw’s.

  • PRIMITIVE-LOOKING OGRE RANSOMWARE

    The Ogre sample appears crude at this point. It requests a BTC equivalent of €20 and uses the .ogre file extension.

  • SCREEN LOCKER IMPERSONATING YOUTUBE

    This low-level ransom Trojan states that the victim has “violated the YouTube law”. The code to unlock it is “law725”.

  • $UCYLOCKER BASED ON HIDDEN TEAR

    New baddie called $ucyLocker subjoins the .windows string to filenames and leaves a help file named READ_IT.txt.

  • BTCWARE UPDATE

    The latest iteration of BTCWare appends files with the .[3bitcoins@protonmail.com].blocking suffix.

  • CRYMORE RANSOMWARE

    Uses the .encrypt extension to label hostage entries and threatens to make the ransom 1.5 times larger every 12 hours.

  • ENHANCEMENT OF CRYPTOSEARCH TOOL

    Michael Gillespie’s CryptoSearch utility now identifies data locked by Amnesia, Amnesia2, Cry9, Cry128 and Cry36 strains.

  • ID RANSOMWARE SERVICE SPORTS USEFUL ADDITION

    The ID Ransomware service by MalwareHunterTeam can now detect the Cry36 ransomware sample.

  • SIMPLISTIC ZILLA RANSOMWARE

    This Turkish crypto threat concatenates the .zilla string to files and provides a decryption manual named OkuBeni.txt.

  • BEETHOVEN PEST IN DEVELOPMENT

    This one is configured to append the .BeethoveN extension to scrambled files and provides a list thereof in FILELIST.txt document.

  • SCREEN-LOCKING VARIANT OF MRLOCKER

    An edition of the relatively new MrLocker malware surfaces that locks one’s screen. The 6269521 code does the unlock trick.

  • JIGSAW MAKERS COIN ANOTHER VERSION

    The most recent Jigsaw spinoff uses the .R3K7M9 extension to label encrypted files. Decryptable with Michael Gillespie’s tool.

  • WINDOWS 10 S ALLEGEDLY IMMUNE TO RANSOMWARE

    Microsoft claims that no known ransomware can run on the upcoming Windows 10 S edition.

  • XXLECXX RANSOM TROJAN IS A FAIL

    The sample called xXLecXx locks one’s screen and claims to encrypt data, while in fact it doesn’t.

  • NEW RUSSIAN RANSOMWARE APPEARS

    Appends files with the .cr020801 extension and instructs victims to send email to unlckr@protonomail.com for recovery steps.

  • CRYPTOGOD STRAIN BASED ON MOWARE H.F.D. CODE

    Displays a warning screen titled “Information Security” and concatenates the .payforunlock extension to affected files.

  • BLURRED ORIGINAL GOALS OF WANNACRY

    WannaCry’s payment scheme gives its operators no reliable way to tell which victim has paid, so they may be unable to decrypt data individually; this suggests the malware may have been created for purposes other than profit.

  • IN-DEV SPECTRE RANSOMWARE SPOTTED

    The Spectre strain appears to be professionally tailored. It scrambles filenames and affixes the .spectre extension to each one.

  • JAFF RANSOMWARE TWEAK

    The latest variant of the quite successful Jaff ransomware concatenates the .sVn extension to locked data entries.

  • MACRANSOM RAAS DISCOVERED ON THE DARK WEB

    Security experts spot a Ransomware-as-a-Service platform called MacRansom that props a new extortion campaign targeting Macs.

  • BEETHOVEN RANSOMWARE UPDATE

    New variant of the BeethoveN ransom Trojan uses hard-coded encryption keys rather than request them from C2 server.

  • INITIATIVE COUNTERING WANNACRY CAMPAIGN

    French law enforcement seized a server hosting two Tor relays purportedly associated with the WannaCry ransomware wave.

  • SVPPS.XYZ VIRUS THAT LOCKS SCREENS

    Screen locker called svpps.xyz claims to encrypt files but actually doesn’t. It demands $50 worth of BTC to unlock.

  • RANSOMWARE USING .FACEBOOK EXTENSION

    The process name is Facebook.exe and the appended extension is .Facebook. This sample is a Hidden Tear offspring.

  • RANSOMWARE HITTING DUTCH USERS

    New Hidden Tear based Dutch strain appends files with the .R4bb0l0ck extension and drops LEES_MIJ.txt ransom note.

  • ANOTHER EXTENSION TWEAK OF JIGSAW

    The latest Jigsaw ransomware edition stains encrypted files with the .Ghost extension.

  • CHILDISH-LOOKING “VIRUS RANSOMWARE”

    Called the “Virus Ransomware”, the sample displays an image of a toy from My Little Pony line. Doesn’t do any real harm.

  • THE BUGGY CA$HOUT RANSOMWARE

    In-dev crypto threat called CA$HOUT asks for $100 but fails to affect a victim’s data in any way.

  • NEW MAC MALWARE SERVICES FOR HIRE

    Security analysts stumble upon MacSpy and MacRansom sites, the former propping Mac spyware and the latter – Mac ransomware.

  • GPAA RANSOMWARE EMPLOYS A REVOLTING TACTIC

    Impersonating a rogue organization called “Global Poverty Aid Agency”, this strain claims to collect money for children in need.

  • NEW SAMPLE WITH UNWISE PAYMENT CHANNEL

    Appends the .rnsmwre string to filenames, drops @decrypt_your_files.txt ransom note and demands payment in PaySafeCard.

  • JAFF RANSOMWARE UPDATED AGAIN

    The latest edition of Jaff drops the following ransom notes: !!!SAVE YOUR FILES!.bmp and !!!!!SAVE YOUR FILES!!!!.txt.

  • JUNK STRAIN CALLED WHY-CRY

    Based on low-quality open source code, this one concatenates the .whycry extension to hostage files and requests $300 worth of BTC.

  • EREBUS RANSOMWARE INFECTS A HIGH-PROFILE TARGET

    The sample called Erebus hits over 100 Linux servers belonging to South Korean web hosting provider Nayana.

  • KASPERSKY LAB CRACKS JAFF RANSOMWARE

    Researchers at Kaspersky update their RakhniDecryptor tool to support all known variants (.jaff, .wlu, and .sVn) of the Jaff ransomware.

  • BTCWARE UPDATE FEATURES NEW EXTENSION

    Fresh variant called BTCWare MasterLock uses the .[teroda@bigmir.net].master extension to stain enciphered files.

  • AVAST DEFEATS CRYPTO OF ENCRYPTILE RANSOMWARE

    Avast replenishes their collection of free decryptors with a tool that restores data locked by multilingual EncrypTile ransom Trojan.

  • SAGE DEVS DROP NUMBERED VERSION NAMING

    As opposed to predecessors, the latest edition of the Sage ransomware does not indicate version number in the decryption how-to.

  • CRYFORME RANSOMWARE

    Someone is reportedly in the process of creating a Hidden Tear PoC spinoff called CryForMe, which will demand €250 worth of BTC.

  • RANSOMWARE ATTACKS UK COLLEGE

    University College London (UCL) fell victim to unidentified ransomware that circumvented the institution’s AV defenses.

  • CRYPTOSPIDER RANSOMWARE SPOTTED

    MHT comes across an in-dev Hidden Tear variant called CryptoSpider, which concatenates the .Cspider string to filenames.

  • WINUPDATESDISABLER, A NEW SAMPLE OUT THERE

    One more Hidden Tear derivative called WinUpdatesDisabler appends the .zbt suffix to locked files.

  • WINBAN RANSOMWARE IS NO BIG DEAL

    New screen locker appears that displays “Your Windows has been banned” alert. Victims can use code “4N2nfY5nn2991” to unlock.

  • EXECUTIONER STRAIN IS POTENTIALLY DECRYPTABLE

    Turkish ransomware called Executioner has flaws in its crypto implementation, which makes it possible for analysts to decrypt the data.

  • SANDWICH RANSOMWARE IS EASY TO GET AROUND

    Researchers spot a new screen locker displaying a picture of a sandwich on its lock screen. Codes to unlock are available.

  • SCREEN LOCKER IMPERSONATING CERBER

    This fairly persistent Cerber-style infection doesn’t actually apply any crypto, although it claims to. Demands 0.1 BTC to unlock.

  • NEW JIGSAW EDITION, NEW EXTENSION

    A spinoff of the Jigsaw ransomware surfaces that stains enciphered files with the .sux string and mainly targets Italian users.

  • HT-BASED WANNACRY KNOCKOFF

    Built using the Hidden Tear PoC code, this WannaCry replica appends the “.Wana Decrypt0r Trojan-Syria Editi0n” extension to files.

  • WINBAMBOOZLE BADDIE IS ON ITS WAY

    In-dev sample called WinBamboozle drops _README.txt note and appends files with random 4-character extensions.

  • SKULLLOCKER IS RIDICULOUSLY EASY TO BYPASS

    New screen locking virus called SkullLocker can be closed down via Alt+F4 combo. Nothing special about it except scary warning.

  • RANSOMWARE TARGETING POLISH USERS

    A Polish spinoff of the Dumb ransomware PoC is spotted. Demands 1880 zł worth of Bitcoin (0.2 BTC) for decryption.

  • RETURN OF SAMAS/SAMSAM RANSOMWARE

    Fresh samples from the SamSam family, thought to be extinct, appear that use the .breeding123, .mention9823 and .suppose666 extensions.

  • DECRPTOR 3.2 STRAIN POPS UP

    Currently in development and causes no damage; it simply displays a warning screen. Configured to demand $100 worth of BTC.

  • NSMF RANSOMWARE

    Hidden Tear offspring. Uses the .nsmf file extension and readme.txt ransom note. Demands 5 BTC “or pizza”.

  • WHOPPING RANSOMWARE PAYOUT

    South Korean hosting provider called Nayana agrees to pay a huge ransom of $1 million to recover from a ransomware attack.

  • KUNTZWARE, A BUGGY SAMPLE IN THE WILD

    Concatenates the .kuntzware extension to encrypted files. Doesn’t work as intended, so no real encryption at this point.

  • TURKISH STRAIN CALLED ZILLA

    Targets Turkish users and utilizes the .zilla string to label hostage files. The ransom note is named @@BurayaBak.txt (Eng. “Look here”).

  • GANSTA RANSOMWARE

    Affixes the .enc extension to encrypted data entries. Claims to decrypt files for free as long as a victim contacts the devs via email.

  • ANOTHER SCREEN LOCKER SURFACES

    What makes this new screen locker stand out from the rest is that it requests a victim’s credit card details.

  • CRYPT888 UPDATE

    Fresh version of the old Crypt888 ransomware switches to a new desktop background and prepends the Lock. string to filenames.

  • WANNACRY IS STILL UP AND RUNNING

    WannaCry ransomware compromised part of the IT infrastructure of a Honda car factory in Japan, causing a temporary halt of the plant.

  • TESLAWARE KIT FOR SALE

    New customizable sample called TeslaWare can be purchased on the dark web for €35-70. Fortunately, it’s decryptable.

  • AZAZEL RANSOMWARE HUNT

    MHT invites researchers to join a hunt for aZaZeL ransomware, which uses the .Encrypted extension and File_Encryption_Notice.txt note.

  • NEW STRAIN WRITTEN IN RUBY

    The Ruby ransomware leverages a DGA (domain generation algorithm) and Command & Control server to streamline the extortion.

  • ONECRYPT IS TOO CRUDE TO WORK RIGHT

    This one is in the process of development thus far. Ransom note !!!.txt has a bunch of blanks to be filled out by the author.

  • ANOTHER HIGH-PROFILE TARGET OF WANNACRY

    WannaCry infects 55 road safety cameras in Victoria state, Australia, forcing officials to suspend thousands of infringement tickets.

  • ANOTHER COMEBACK OF LOCKY

    Once again, Locky ransomware architects resume their campaign. However, the pest only targets Windows XP and Vista.

  • CRYPTODARK RANSOMWARE

    Said sample is pretty much harmless as it doesn’t engage real crypto. And yet, it demands $300 worth of BTC.

  • CERBER COPYCAT SPOTTED

    Researchers bump into a specimen that imitates Cerber ransomware and concatenates the .encrypted suffix to files.

  • RANSOMWARE PILFERING GROWTOPIA CREDENTIALS

    AlixSpy malware captures sensitive login info for Growtopia game and generates a “System locked” screen asking for $20 worth of BTC.

  • QUAKEWAY ISN’T THAT BAD

    This ransomware appends the .org extension to locked files and drops a ___iWasHere.txt ransom how-to. Decryptable, according to MHT.

  • RANSOMWARE INCIDENTS ARE SCARCELY REPORTED

    According to FBI’s 2016 Internet Crime Report, few ransomware victims notify law enforcement of these attacks.

  • WINDOWS 10 S ISN’T THAT BULLETPROOF

    Despite Microsoft’s claims of Windows 10 S edition being invulnerable to ransomware, white hat hackers proved the opposite.

  • UNIQUENESS OF THE REETNER RANSOMWARE

    Sample called Reetner leverages ad hoc executables for different processes, a so-called modular principle of attack deployment.

  • NEW SCREEN LOCKER THAT DOESN’T WANT MONEY

    Researchers discover a screen locker that acts like the average strain in this niche, except that it doesn’t demand a ransom to unlock.

  • EYLAMO RANSOMWARE IS RUN-OF-THE-MILL

    Hidden Tear derivative. Concatenates the .lamo extension to filenames and provides instructions in READ_IT.txt document.

  • KRYPTONITE HAS INTERESTING CAMOUFLAGE

    The payload of Kryptonite hoax is masqueraded as a Snake game. Crashes upon execution but demands $500 regardless.

  • JIGSAW UPDATED, ONCE AGAIN

    New offspring of the Jigsaw ransomware family uses the .rat extension to flag encrypted data.

  • HT VARIANT INVOLVED IN TARGETED ATTACKS

    Appends the .locked extension to filenames, drops READ_ME.txt note and specifically zeroes in on the Eurogate company.

  • ANDROID RANSOMWARE WITH ADULT FLAVOR

    Dubbed Koler, this ransom Trojan spreads as a rogue PornHub applet. Displays an FBI-themed lock screen on the infected Android device.

  • HIDDEN TEAR DERIVATIVE IN NEW DISGUISE

    Another HT spinoff is discovered that mimics the Battlefield game to infect PCs. Uses the .locked file extension.

  • MMM RANSOMWARE

    Said infection concatenates the .0x004867 string to encoded data and sprinkles numerous .info files with encryption keys.

  • SAMAS LINEAGE PRODUCES ANOTHER VARIANT

    Brand-new edition of Samas/SamSam ransomware affixes the .moments2900 extension to locked files.

  • NAYANA CASE GOES TOXIC

    After web host Nayana paid a $1 million ransom, crooks started shelling other South Korean companies with DDoS-for-ransom attacks.

  • KARO TROJAN WITH NOTHING SPECIAL UNDER THE HOOD

    New ransomware called Karo concatenates the .ipygh string to filenames and creates ReadMe.html ransom manual.

  • VIACRYPT, A GARDEN-VARIETY SAMPLE

    The main hallmark of this strain is the .via extension added to files. Displays a ransom note with Latvian text.

  • SHIFR RANSOMWARE-AS-A-SERVICE

    This RaaS network lets cybercriminals create custom ransomware builds for a fee that’s much lower than the average.

  • PETYA RETURNS WITH LARGE-SCALE CAMPAIGN

    A sample resembling the ill-famed Petya MFT encryptor infects numerous organizations in Ukraine and other European countries.

  • PETYA INBOX SUSPENDED

    Email provider Posteo blocks account wowsmith123456@posteo.net, which is used in the new Petya ransomware wave.

  • POSSIBLE SOURCE OF PETYA EPIDEMIC DISCOVERED

    Petya, or NotPetya as some researchers dubbed it, reportedly spreads as a contagious update for M.E.Doc accounting software.

  • METHOD FOUND TO AVOID PETYA

    Turns out that creating a new read-only file named ‘perfc.dat’ inside the Windows folder stops the Petya attack in its tracks.

  • CRYPTOBUBBLE RANSOMWARE

    Someone calling himself “Bob” starts spreading CryptoBubble, a sample that uses the .bubble file extension. This one is decryptable.

  • EXECUTIONER RANSOMWARE CHANGE

    Turkish crypto malady called Executioner starts staining hostage files with a random 6-character extension.

  • PETYA IS NOT AN EXTORTION INSTRUMENT

    Kaspersky researchers affirm that the new Petya does not include an MFT decryption feature, so paying ransoms has no effect.

  • CROOKS ARE TARGETING UKRAINE ALL THE TIME

    Ransomware called PSCrypt had reportedly begun propagating in Ukraine several days before the Petya outbreak occurred.

  • PETYA MAY NOT BE RANSOMWARE AT ALL

    Since classic ransomware is all about extortion, the Petya remake doesn’t fall into this category as it simply destroys systems.

  • MUSICGUY SAMPLE

    The only thing worth mentioning about the new MusicGuy ransomware is that it appends files with the .locked string.

  • STRAIN DUBBED RANDOM6

    Analysts call it that because it uses extensions consisting of 6 random chars. The ransom note is RESTORE-.[random]-FILES.txt.

  • GANK RANSOM

    Uses the .gankLocked file extension and READ_ME_ASAP.txt ransom how-to, demands “one million bitcoins”, which is obviously a prank.

  • PIRATEWARE WITH NO CRYPTO MODULE THUS FAR

    Warning screen of the new Pirateware asks for 0.1 BTC (about $250). The code is incomplete and doesn’t do crypto.

  • ANTI-RANSOMWARE WINDOWS FEATURE ANNOUNCED

    Microsoft is planning to equip Windows Defender with a “Controlled Folder Access” feature to prevent malicious encryption.

  • CRBR ENCRYPTOR, A CERBER HEIR

    Cerber ransomware is renamed to CRBR ENCRYPTOR. Still scrambles filenames, adds 4-char extension and drops HTA ransom note.

  • UKRAINE KEEPS SUFFERING FROM RANSOMWARE ATTACKS

    New strain specifically targeting Ukraine is a WannaCry copycat written in .NET and possibly circulating via M.E.Doc software.

  • ABCSCREENLOCKER IS TOO IMMATURE YET

    As the name hints, in-dev ABCScreenLocker is supposed to lock the screen and demand money. Only does the locking part at this point.

  • NEMUCOD UPDATED

    Brand new edition of the old Nemucod ransomware displays a revamped red warning background. Does not use any file extension.

  • PETYA WON’T DECRYPT SYSTEMS NO MATTER WHAT

    Reputable security experts confirm that Petya (NotPetya or ExPetr) doesn’t come with a decryption mechanism, so it’s meant for sabotage.

  • TIES BETWEEN PETYA AND PAST ATTACKS AGAINST UKRAINE

    Several security companies state the (Not)Petya campaign is attributed to a group that targeted Ukrainian power grid back in 2015.

  • LALABITCH RANSOMWARE

    This one uses the .lalabitch extension for locked files, base64 enciphers filenames and leaves a recovery how-to called lalabitch.php.

  • TAKEOM SAMPLE BEING CREATED

    Analysts discover in-dev Takeom ransomware that demands $300 worth of BTC and provides a 24-hour deadline to pay up.

  • RANSRANS IS TOO IMMATURE TO PROSPER

    This is a new Hidden Tear PoC offshoot. Subjoins the .ransrans string to encrypted files and keeps crashing all the time.

  • HELL, AKA RADIATION, RANSOMWARE

    Another crude infection “made by KingCobra” that destroys data beyond recovery. Leaves decrypt.txt ransom note on desktop.

  • BTCWARE UPDATE

    The latest iteration of BTCWare ransom Trojan concatenates the .aleta extension to hostage files.

  • HT VARIANT CALLED UNIKEY

    Not much to say about this sample except that it’s a derivative of the academic Hidden Tear ransomware. Dev’s nickname is Nhan.

  • CRY36 FAMILY PRODUCES A NEW SPINOFF

    Fresh edition of the Cry36 ransomware uses the .63vc4 file extension and ### DECRYPT MY FILES ###.txt decryption manual.

  • UKRAINIAN POLICE RAID AS PART OF PETYA INVESTIGATION

    Ukrainian law enforcement seize servers belonging to the vendor whose backdoored software (M.E.Doc) was used in the Petya virus outbreak.

  • SHELLLOCKER RANSOMWARE UPDATE

    New version appends files with the .L0cked string, jumbles filenames, displays ransom note in Russian and uses 5quish@mail.ru email.

  • ZERORANSOM SAMPLE SPOTTED

    Concatenates the .z3r0 suffix to ransomed files and displays decryption how-to named EncryptNote_README.txt.

  • J-RANSOMWARE, A ZERORANSOM OFFSHOOT

    Strain called J-Ransomware is based on the above ZeroRansom. Uses the .LoveYou extension to mark encoded files.

  • ZSCREENLOCKER VARIANT DISCOVERED

    zScreenlocker was originally discovered in November 2016. Fresh iteration uses the following unlock password: Kate8Zlord.

  • NEW EXTENSION USED BY CRYPTOMIX

    The most recent edition of CryptoMix, or Mole ransomware, affixes the .MOLE00 extension to locked files.

  • CRYPTER 1.0 IS A MESS

    Sample called Crypter 1.0 fails to encrypt anything and generates messages with weird contents demanding 10 BTC.

  • CROOKS BEHIND PETYA GET OUT IN THE OPEN

    Individuals responsible for the recent Petya outbreak start transferring the obtained cryptocurrency to other Bitcoin wallets.

  • UNEXPECTED FINDINGS OF AV-TEST

    According to Security Report 2016/17 by AV-TEST, the share of ransomware in the global malware volume is only about 1%.

  • CRYPTOMIX VARIANT CRACKED

    Thanks to the combined efforts of security vendors and enthusiasts, a free decryptor for the MOLE02 edition of CryptoMix is released.

  • ANDROID RANSOMWARE AUTHORS ARRESTED

    Chinese police apprehend two individuals for spreading a version of the SLocker Android ransomware that resembles WannaCry.

  • NEW CRYPTOMIX SPINOFF DISCOVERED

    The latest incarnation of CryptoMix uses the .Azer file extension and drops _INTERESTING_INFORMATION_FOR_DECRYPT.txt note.

  • MASTER EDITION OF BTCWARE NOW DECRYPTABLE

    MHT’s Michael Gillespie updates his BTCWareDecrypter that now supports the .master file extension variant of this ransomware.

  • EXECUTIONER RANSOMWARE – STILL NO BIG DEAL

    In spite of Executioner ransomware makers’ efforts to make the pest uncrackable, newer iterations are still decryptable.

  • COUNTLOCKER SHAPING UP TO BE A SERIOUS ISSUE

    In-dev ransomware called CountLocker claims to delete all data on the C drive unless the victim pays 0.3 BTC within 72 hours.

  • FENRIR TROJAN IS UNUSUAL IN A WAY

    This sample derives the file extension from infected host’s Hardware ID (HWID). The ransom note is Ransom.rtf.

  • ELMERSGLUE_3 RANSOMWARE

    Screen locker called ElmersGlue_3 is a derivative of ElmersGlue Locker v1.0, which was spotted in May 2017. Easy to get around.

  • ORIGINAL PETYA IS NOW OFFICIALLY DECRYPTABLE

    Member of the JANUS cybercrime ring dumps master decryption keys for the original Petya, Mischa and Goldeneye ransomware.

  • RANSOMWARE TELLING VICTIMS TO DO SURVEYS

    Dubbed SurveyLocker, the new Trojan drags victims into a loop of surveys so that their screen can be unlocked.

  • RANDOM6 IS PART OF A KNOWN LINEAGE

    According to some in-depth analysis, the recently spotted Random6 pest appears to be a Fantom ransomware derivative.

  • LEAKERLOCKER ANDROID RANSOMWARE

    Spreading via 2 booby-trapped apps on Google Play, this one threatens to send victims’ sensitive data to all contacts. Demands $50.

  • PETYA COPYCAT DISCOVERED

    Dubbed Petya+, this ransomware is programmed in .NET. The ransom screen is almost a replica of the original. No crypto so far.

  • SCORPIO RANSOMWARE USES APROPOS EXTENSION

    Also referred to as Scarab, this sample scrambles filenames and appends them with the .[Help-Mails@Ya.Ru].Scorpio extension.

  • OXAR RANSOMWARE BASED ON HIDDEN TEAR

    HT-based strain called Oxar, or Locked In, concatenates the .OXR suffix to encoded files. Demands $100 worth of Bitcoin.

  • BIT PAYMER SPECIMEN APPEARS

    Uses the .locked file extension and creates a separate .readme_txt recovery how-to for every hostage file.

  • NEWSMAKING ARREST OVER RANSOMWARE

    Australian authorities apprehend a 75-year-old man for setting up rogue tech support companies involved in ransomware schemes.

  • NEMUCODAES STRAIN DECRYPTED

    Emsisoft makes another breakthrough in fighting ransomware. This time they release a free decryptor for the NemucodAES strain.

  • ASLAHORA TROJAN – HIDDEN TEAR MISUSED AGAIN

    Brand new HT offshoot called AslaHora subjoins the .Malki extension to ransomed files. The unlock password is MALKIMALKIMALKI.

  • DCRY RANSOMWARE DECRYPTED

    Researchers come up with a free decryption tool that supports the Dcry ransomware appending files with the .dcry extension.

  • BLACKOUT RANSOMWARE SURFACES

    New sample called BLACKOUT drops README_[random numbers].txt ransom note and base64 encodes filenames.

  • KEEP CALM RANSOMWARE

    This one is based off of EDA2 PoC. Concatenates the .locked string to hostage files and leaves “Read Instructions.rtf” ransom note.

  • PURGE STRAIN TURNS OUT SHODDY

    Blemishes files with the .purge extension. Keeps crashing during encryption process. The unlock password is “TotallyNotStupid”.

  • “YOUR ALL DATA IS ENCRYPT” SCREEN LOCKER

    The name is the phrase this sample displays on its lock screen. Demands 1 BTC but is ridiculously easy to get around (Alt+F4).

  • BRAINLAG SPECIMEN SPOTTED

    Currently in the process of development, so no crypto thus far. Displays a black lock screen with a smiley in the middle.

  • RANSED RANSOMWARE

    Stains files with the apropos .Ransed extension. Reaches out to a MySQL server, so the server access credentials are hard-coded.

  • JIGSAW STRAIN PRODUCES ANOTHER VARIANT

    The newest iteration of the Jigsaw ransomware switches to using the .kill string to label hostage files.

  • SAMSAM RANSOMWARE UPDATED

    Brand new edition of the SamSam/Samas ransomware concatenates the .country82000 extension to locked data entries.

  • ENDCRYPT0R SAMPLE IS NO BIG DEAL

    Screen locker called ENDcrypt0r displays an alert saying that files have been encrypted, while they aren’t. Unlock code is A01B.

  • FUACKED RANSOMWARE IS A DULL ONE

    Nothing special about the new specimen called Fuacked. Leaves a ransom note named dummy_file.txt.

  • STRIKED RANSOMWARE DECRYPTED

    Free decryptor is out for the Striked ransomware, which appends the #rap@mortalkombat.top#id#[random] extension to locked files.

  • ANDROID TROJAN WITH RANSOMWARE CAPABILITIES

    Remote Access Trojan for Android dubbed GhostCtrl can also reset the PINs of host devices and lock the screen with a ransom note.

  • ALOSIA TEAM SAMPLE BASED ON OPEN-SOURCE CODE

    The latest iteration of the Stupid ransomware uses the .alosia file extension. The unlock code is CREATEDBYMR403FORBIDDEN.

  • ALMOST FRIENDLY-LOOKING JIGSAW EDITION

    New Jigsaw variant stains encrypted files with the .korea string and displays a black background with a smiley on it.

  • REYPTSON RANSOMWARE

    Targets Spanish-speaking users. Interestingly, it pilfers Thunderbird email credentials to generate spam on behalf of a victim.

  • VIRO STRAIN SPOTTED IN THE WILD

    Uses the .locked extension, leaves “Computer compromised” ransom how-to, and displays a religion-themed background.

  • THE SELF-EXPLANATORY OOPS RANSOMWARE

    Concatenates the .oops extension to hostage files, demands 0.1 BTC and uses only4you@protonmail.com contact email.

  • EXPLORER RANSOMWARE, NEW ONE OUT THERE

    Based on Hidden Tear PoC, this one uses the .explorer file extension. Victims are instructed to contact decrypter.files@mail.ru.

  • GLOBEIMPOSTER KEEPS SPAWNING NEW VARIANTS

    Fresh GlobeImposter editions use the .au1crypt or .s1crypt extension and leave decrypt manual named how_to_back_files.html.

  • FEDEX EVALUATES IMPACT OVER PETYA

    According to an official statement by FedEx, the damage incurred due to the Petya ransomware attack is material and permanent.

  • RADIO STATION STRUGGLING TO RECOVER FROM ATTACK

    San Francisco TV & radio station KQED is still suffering the consequences of a ransomware attack that took place in mid-June.

  • NEMUCODAES DECRYPTOR UPDATED

    Emsisoft enhances their decryption tool for NemucodAES ransomware so that it supports large files.

  • NEW SAMPLE CALLED CHINA-YUNLONG

    This specimen zeroes in on Chinese users. Concatenates the .yl string to all encoded data items.

  • CRYPTOMIX FAMILY GROWS

    Two new CryptoMix iterations use the .ZAYKA and .NOOB extensions to stain files. The ransom note is still named _HELP_INSTRUCTION.txt.

  • STRIKED RANSOMWARE DECRYPTOR ENHANCED

    MalwareHunterTeam’s Michael Gillespie updates the decryptor for Striked ransomware, so now it supports most recent editions.

  • MATROSKA STRAIN BASED ON HIDDEN TEAR

    Said HT offspring concatenates the .hustonwehaveaproblem@keemail.me extension to no-longer-accessible files.

  • ANOTHER CRYPTOMIX EDITION RELEASED

    A CryptoMix ransomware variant goes live that blemishes files with the .CK suffix. The ransom note hasn’t changed.

  • JIGSAW RANSOMWARE UPDATE

    Brand-new spinoff of the Jigsaw ransomware lineage switches to using the .afc extension for encrypted data entries.

  • SYMBIOM RANSOMWARE DISCOVERED

    Yet another Hidden Tear derivative. Appends files with the .symbiom_ransomware_locked extension and demands 0.1 BTC.

  • BITSHIFTER RANSOMWARE ALSO PILFERS DATA

    Leaves a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt. Additionally attempts to steal sensitive information.

  • GLOBEIMPOSTER UPDATE ROLLED OUT

    The latest version of the GlobeImposter ransomware speckles encrypted files with the .skunk extension token.

  • SNAKELOCKER IS ON ITS WAY

    Written in Python, SnakeLocker concatenates the .snake or .TGIF extension to files and leaves INSTRUCTIONS-README.html note.

  • GLOBEIMPOSTER FAMILY ENLARGES

    New offspring of the GlobeImposter ransomware pops up. It appends ransomed files with the .GOTHAM extension.

  • GLOBEIMPOSTER GETS ON STEROIDS

    One more version of GlobeImposter starts making the rounds. It uses the .crypt extension and how_to_back_files.html ransom note.

  • THIRD GLOBEIMPOSTER VARIANT IN A DAY

    Yet another edition stains scrambled files with the .HAPP suffix and still drops HTML ransom note named how_to_back_files.

  • ZILLA RANSOMWARE UPDATE

    Brand new version of the Zilla Trojan concatenates the .Atom extension to files and uses ReadMeNow.txt how-to.

  • SIMPLERANSOMWARE IS MORE COMPLEX THAN IT APPEARS

    This one attempts to plant a Visual Basic rootkit onto a host system and harnesses Pastebin to figure out if a victim has paid up.

  • BAM! RANSOMWARE GOES LIVE

    Subjoins the .bam! extension to no-longer-accessible files and uses contact email addresses abc@xyz.com and acc@xyz.com.

  • JCODER MAKERS MUST BE PETYA FANS

    JCoder sample is spotted that concatenates the .Petya extension to encrypted files.

  • DCRY KEEPS UPDATING AFTER BEING DECRYPTED

    DCry ransomware, which had been cracked by MHT’s Michael Gillespie, spawns a new variant that adds the .qwqd extension to files.

  • TURKISH WANNACRY COUNTERFEIT SPOTTED

    Looks similar to original WannaCry. Spreads via RDP, moves files to password-protected ZIP, and displays its demands in Turkish.

  • OLD PETYA EDITIONS CAN BE DECRYPTED

    Malwarebytes confirms that the previously leaked private decryption key for early Petya versions is valid.

  • GLOBEIMPOSTER BECOMES INCREASINGLY TOXIC

    Fresh version appends enciphered files with the .707 suffix and provides recovery steps in RECOVER-FILES.html document.

  • ONE MORE EDITION OF GLOBEIMPOSTER

    New GlobeImposter iteration appends locked files with the attacker’s email address followed by the .BRT92 extension.

  • COMEBACK OF VINDOWSLOCKER

    The currently active variant states the victim’s desktop was locked due to prohibited online activities. Demands iTunes gift cards.

  • RANDSOMEWARE SEEMS TO BE INSTRUCTIVE

    Also known as RDW, it stains files with the .RDWF string and, surprisingly, lets the user know it is going to start encryption.

  • GLOBEIMPOSTER CONTINUES SPEWING OUT VARIANTS

    New one concatenates the .p1crypt extension to encoded files and sticks with the invariable how_to_back_files.html note.

  • STRIKED RANSOMWARE DECRYPTOR FINE-TUNED

    Michael Gillespie (@demonslay335) updates his decryptor for Striked ransomware, so it now supports newer variants.

  • SERPENT RANSOMWARE UPDATE

    The latest edition uses the .srpx suffix for locked files and drops README_TO_RESTORE_FILES_t7Q.txt/html ransom notes.

  • NEW SAMPLE FROM POLISH EXTORTIONISTS

    Researchers discover a ransomware specimen that generates its warnings in Polish. Unnamed at this point.

  • ABC LOCKER, A CLOUDSWORD DERIVATIVE

    Fresh spinoff of the CloudSword ransomware called ABC Locker surfaces. Demands 0.5 BTC within a 5-day deadline.

  • INVINCIBLE RANSOMWARE IN DEVELOPMENT

    Warning pane of the new Ransomware InVincible looks like WannaCry’s. This one does not perform encryption thus far.

  • SPONGEBOB RANSOMWARE PUTS SQUARE PANTS ON FILES

    Features Spongebob theme in its victim interaction screens. Crude code lacking crypto. Provides 3 days of “special price”.

  • ZUAHAHHAH STRAIN STARTS CIRCULATING

    Discovered by ESET, Zuahahhah ransomware appears to be a new variant of the prolific Crypt888 infection.

  • LAMBDALOCKER UPDATE

    Concatenates the .MyChemicalRomance4EVER extension to encrypted files and drops UNLOCK_guiDE.tXT ransom note.

  • BIG RANSOM CASHOUT SCHEME UNCOVERED

    Taking the floor at Black Hat USA 2017, Google’s security analysts claim 95% of ransomware payouts were cashed out via BTC-e service.

  • SHIELDFS, THE NEXT BIG THING TO COMBAT RANSOMWARE

    Italian experts invent ShieldFS, a custom filesystem that effectively detects ransomware and undoes unauthorized data encryption.

  • OWNER OF BTC-E PLATFORM ARRESTED

    BTC-e owner, Russian citizen Alexander Vinnik, is arrested in Greece on suspicion of ransomware-related money laundering.

  • A COUPLE OF NEW CRYPTOMIX VERSIONS SPOTTED

    Two fresh editions of the CryptoMix ransomware use the .DG and .ZERO file extensions and _HELP_INSTRUCTION.txt ransom note.

  • GLOBEIMPOSTER UPDATED, ONCE AGAIN

    Newest iteration of GlobeImposter concatenates the .725 extension to encrypted files. Spreads via malspam.

  • NEW RANSOMWARE CODEBASE SPOTTED

    Its ransom note HOW TO DECRYPT FILES.txt says it’s a “test” and asks for “cash” to create a custom build of this unnamed sample.

  • STORM RANSOMWARE SPOTTED

    Discovered by MHT. Uses StormRansomware@gmail.com contact email and goes with a hard-coded password.

  • RANSOMDEMON IS ON ITS WAY

    Currently in development, the RansomDemoN sample has an “Encrypt” button and won’t apply crypto unless it’s clicked.

  • SAMSAM FAMILY SPAWNS NEW ITERATION

    The latest version of the SamSam/Samas ransom Trojan uses the .supported2017 string to blemish encoded data.

  • NEW SPREADING TACTIC OF GLOBEIMPOSTER

    The .crypt extension variant of GlobeImposter is making the rounds via Blank Slate spam with no subject line, just an attachment.

  • PRIVATE BUILDER AUTOMATING RANSOMWARE CREATION

    Private Builder Ransomware V2.01 allows threat actors to define custom properties of their own build of the infection.

  • THE SHODDY FCP RANSOMWARE

    Leaves a rescue note named READ_ME_HELP_ME.txt. Does not encrypt anything at this point, just renames files.

  • RANSOMWARE BUILDER CALLED OXAR

    Provides several different forms to fill out, where wannabe cybercriminals can set their preferred campaign values.

  • GRYPHON SAMPLE REPRESENTING KNOWN FAMILY

    Gryphon ransomware turns out to be a spinoff of the BTCWare strain. Appends files with the .[decr@cock.li].gryphon extension.

  • NEW POLISH SCREEN LOCKER IN THE WILD

    Generates animated lock screen featuring a dancing person. Fortunately, it does not encrypt data and is easy to get around.

  • TEST RANSOMWARE UPDATED

    Above-mentioned ransomware builder claiming to be a “test” gets an upgrade. Configured to append the .Node0 extension to files.

  • ROSE EDITION OF GLOBEIMPOSTER

    Yet another version of GlobeImposter uses the .rose file extension prepended by [i-absolutus@bigmir.net] string.

  • GUESS WHAT’S UPDATED? GLOBEIMPOSTER

    Fresh spinoff of GlobeImposter stains encoded files with the .ocean suffix and leaves a ransom how-to named !back_files!.html.

  • ANOTHER BTCWARE PERSONA DETECTED

    Drops ransom note named !#_READ_ME_#!.hta and appends the .[avalona.toga@aol.com].blocking extension to files.

  • SCOTCH TAPE LOCKER V1.0

    Trojan called Scotch Tape Locker v1.0 doesn’t do more damage than locking a victim’s screen. Uses fbifine@protonmail.com email.

  • LARGE PHARMA COMPANY IMPACTED BY NOTPETYA

    Merck, a large US-based pharmaceutical company, is still struggling to recover from the NotPetya attack that affected some of its servers.

  • RSA2048PRO PRIORITIZES DATA DURING ENCRYPTION

    C#-based ransomware RSA2048Pro applies a data filter to first encode items added during the past 3 months.

  • SEVENDAYS RANSOMWARE

    This video game themed specimen concatenates the .SEVENDAYS extension to files and does not provide any payment steps.

  • IN-DEVELOPMENT TPS 1.0 SAMPLE

    Although TPS 1.0 claims to have encrypted one’s files, its effect is restricted to only showing a warning screen. Demands $300 in BTC.

  • GLOBEIMPOSTER PLAYING WITH NUMBERS

    Another GlobeImposter offshoot is discovered that stains hostage files with the .726 extension.

  • RANAOMWARE TROJAN GOES ITS OWN ROUTE

    Also known as Blackzd, the Ranaomware sample simply renames files without appending any extra extension.

  • LOCKBOX RANSOMWARE

    Claims to use AES-256 algorithm to lock data. Instructs victims to contact trevinomason1@gmailcom for recovery steps.

  • CRYSTAL STRAIN GOES WITH MULTIPLE COMPONENTS

    This one is equipped with a malware downloader and a DDoS module. Affixes the .CRYSTAL string to filenames.

  • ROBINHOOD RANSOMWARE

    It displays a message asking for “five Bitcoins to help Yemeni people”. Provides a 72-hour deadline to pay up.

  • WANNAPAY SAMPLE SPOTTED

    Currently in development. Downloads the executable to C:\Users\DORA path at this point.

  • EBAYWALL RANSOMWARE STANDS OUT FROM THE REST

    Ransom note ebay-msg.html provides contemplations on present-day security issues. Appends files with the .ebay extension.

  • LAWSUIT OVER NOTPETYA OUTBREAK

    A Ukrainian law firm is prepping a case against the vendor of the M.E.Doc accounting software for spreading the NotPetya ransomware.

  • GLOBEIMPOSTER KEEPS GAINING MOMENTUM

    One more GlobeImposter variant uses the .sea extension for locked files and drops !your_files!.html ransom how-to.

  • CERBER GETS A BIG ENHANCEMENT

    The latest version of Cerber ransomware is capable of stealing browser passwords and Bitcoin wallet data.

  • SHUTDOWN57 SAMPLE DETECTED

    Adds ransom note named shutdown57.php and subjoins the .shutdown57 extension to files. The warning says, “Encrypter 8y v1ru5.”

  • GLOBEIMPOSTER STILL ON THE RISE

    Yet another clone of GlobeImposter uses the .490 file extension and leaves a ransom note named free_files!.html.

  • OXAR RANSOMWARE UPDATED

    While Oxar still labels encrypted files with the .OXR extension, now it features fresh design of the ransom note.

  • 3301 RANSOMWARE IN THE WILD

    Appears to be an offshoot of Karmen Ransomware-as-a-Service. Uses the .3301 file extension and DECRYPT_MY_FILES.html note.

  • NO DAYS OFF FOR GLOBEIMPOSTER DEVS

    Another iteration of GlobeImposter adds the .mtk118 string to filenames and drops how_to_back_files.html payment how-to.

  • POLSKI RANSOMWARE TARGETS POLISH USERS

    This AESxWin spinoff uses the .ZABLOKOWANE extension and ### – ODZYSKAJ SWOJE DANE – ###.txt recovery manual.

  • BALBAZ 1.00 INFECTION, NEW ONE ON THE TABLE

    Based off of HiddenTear PoC. Blemishes encrypted files with the .WAmarlocked extension and creates READ_IT.txt ransom note.

  • IN-DEV UEFI RANSOMWARE

    Doesn’t implement crypto at this point. Drops ransom how-to named decrypt.txt and demands $350 worth of BTC.

  • TPS RANSOMWARE BECOMES WHY-CRY

    TPS sample discovered on August 1 gets modified: it now manifests itself as Why-Cry. Demands $300 worth of BTC.

  • OGONIA EDITION OF CRYPTOMIX

    Fresh iteration of CryptoMix ransomware surfaces that uses the .OGONIA extension and _HELP_INSTRUCTION.txt ransom how-to.

  • CRYPTOMIX SPINOFF CALLED CNC

    Yet another CryptoMix variant is spotted. It appends the .CNC string to filenames and drops _HELP_INSTRUCTION.txt note.

  • RUSSIAN USERS TARGETED BY GLOBEIMPOSTER OFFSHOOT

    New GlobeImposter variant pops up that zeroes in on Russian-speaking users. It stains hostage files with the .crypt extension.

  • GLOBEIMPOSTER UPDATE

    One more version uses the .coded extension for ciphered files and decoder_master@aol.com / india.com contact emails.

  • ASTRA DERIVATIVE OF GLOBEIMPOSTER

    The latest variant of GlobeImposter adds the .astra suffix to files and creates here_your_files!.html ransom notes.

  • FOURTH GLOBEIMPOSTER VARIANT IN A DAY

    The spinoff uses the .492 extension and file_free@protonmail.com / koreajoin69@tutanota.com contact email addresses.

  • DIAMOND COMPUTER ENCRYPTION RANSOMWARE

    This one concatenates random extensions to files and leaves a ransom note named _READ_IT_FOR_RECOVER_FILES.html.

  • SCREEN LOCKER CALLED LOCKD

    The LOCKD virus pretends to come from the US Department of Justice and demands $200 payable with MoneyPak.

  • WANACRY4 RANSOMWARE DISCOVERED

    WanaCry4 is in fact a modified version of CryptoWire. Prepends the ‘encrypted’ string to original file extension.

  • XORIST EDITION USING .HELLO EXTENSION

    In addition to appending the .HELLO string to filenames, this sample drops HOW TO DECRYPT FILES.txt ransom note.

  • GLOBEIMPOSTER KEEPS ON CHANGING

    Another GlobeImposter variant blemishes encrypted files with the ..TXT suffix and uses Read_ME.html recovery instructions.

  • SEXTORTIONIST TRACKED DOWN BY THE FBI

    Although the suspect was using Tor, the FBI was able to get his IP address by duping him into opening a booby-trapped video.

  • TWO EDITIONS OF OXAR STRAIN SPOTTED

    New versions of the Oxar ransomware concatenate the .PEDO and .ULOZ strings to encrypted files.

  • INFORMATIVE WRITE-UP ON CERBER PROPAGATION

    Malwarebytes researchers dissect the way the Cerber ransomware (CRBR Encryptor) uses the Magnitude exploit kit to proliferate.

  • ISRABYE SAMPLE IS MEANT FOR SABOTAGE

    Although the anti-Israel IsraBye infection passes itself off as ransomware, it actually erases data without any recovery options.

  • RUMBLEGOODBOY RANSOMWARE

    This one is a GlobeImposter edition. Uses the .rumblegoodboy file extension and how_to_back_files.html ransom note.

  • A GLOBE LOOKALIKE APPEARS

    Written in .NET, the sample in question displays Globe-style ransom notes. Appends the .[cho.dambler@yandex.com] extension to files.

  • NEW OXAR OFFSPRING SURFACES

    The latest Oxar ransomware version uses the .FDP extension to label encrypted files. No other noteworthy changes have been made.

  • UKRAINIAN MAN ARRESTED FOR DISTRIBUTING PETYA

    Ukraine’s Cyber Police apprehend a 51-year-old man for infecting companies with the Petya.A virus as part of a tax evasion scheme.

  • GRYPHON RANSOMWARE UPDATED

    Gryphon, a variant of the BTCWare strain, gets an update. Its spinoff uses the .[gladius_rectus@aol.com ].crypton file extension.

  • NEW GLOBEIMPOSTER VARIANT

    Another mod of GlobeImposter uses the .0402 extension for encrypted files and drops !SOS!.html ransom note.

  • GLOBEIMPOSTER FEATURING .TRUMP EXTENSION

    Fresh edition of GlobeImposter stains encoded files with the .Trump string and uses Donald_Trump@derpymail.org contact email.

  • JIGSAW OFFSHOOT TARGETING POLISH USERS

    While going after Polish-speaking users, new Jigsaw iteration concatenates the .pabluklocker extension to hostage entries.

  • SHINIGAMI RANSOMWARE

    Displays Joker-style warning screen, uses symmetric DES (Data Encryption Standard), and appends the .shinigami extension to files.

  • MORE HIDDEN TEAR OFFSPRING IN THE WILD

    Based on the educational Hidden Tear, the strain in question goes banal with the appended file extension, which is .locked.

  • MMM RANSOMWARE UPDATE

    Originally discovered in late June, the MMM ransomware now switches to using the .0x009d8a extension for encrypted data.

  • CERBER COPYCAT FROM XORIST FAMILY

    Brand new iteration of the Xorist virus blemishes victims’ files with the .Cerber_RansomWare@qq.com string. Potentially decryptable.

  • GLOBEIMPOSTER CAMPAIGN STILL UP AND RUNNING

    Yet another version appends the .GRANNY extension to files and uses crazyfoot_granny@aol.com contact email address.

  • A COUPLE MORE GLOBEIMPOSTERS

    Researchers spot more editions that use the following file extensions: .zuzya, .LEGO, .UNLIS, and .D2550A49BF52DFC23F2C013C5.

  • SCREEN LOCKER FEATURING JIGSAW THEME

    This one turns out more harmful than it appears, both locking the screen and encrypting data on the target computer.

  • MORE RANSOMWARE BASED ON OPEN SOURCE CODE

    Crooks continue to use open source PHP ransomware uploaded to GitHub in 2016. Real-world threats target web servers.

  • INFINITE TEAR RANSOMWARE

    New specimen called Infinite Tear uses the .JezRoz file extension and leaves Important_Read_Me.txt ransom note.

  • NULL RANSOMWARE SPOTTED

    Goes with a GUI, claims to use AES-256 encryption algorithm and concatenates the .null extension to locked files.

  • ROTOCRYPT TROJAN GOES LIVE

    RotoCrypt affixes the .OTR extension to encrypted files and instructs victims to send email to diligatmail7@tutanota.com.

  • NEW .NET RANSOMWARE DISCOVERED

    Uses the following file renaming format: filename=id=email.crypt12. Equipped with a GUI. Replaces desktop wallpaper.

  • BRANSOMWARE USES BUGGY CRYPTO

    New BRansomware sample concatenates the .GG extension to encoded files. Uses AES cipher but doesn’t do it properly.

  • SYNCCRYPT STRAIN EVADES AV

    Malicious payload for SyncCrypt is obfuscated via booby-trapped image files, so most AV tools miss it. Uses the .KK file extension.

  • LOCKY UPDATED OUT OF THE BLUE

    The latest variant of the Locky ransomware labels encrypted files with the .lukitus extension and uses lukitus.htm/bmp ransom notes.

  • CLICO CRYPTOR, ANOTHER POLISH SAMPLE

    This Java based ransomware concatenates the .enc extension to files. Ransom note contents are in Polish. Might be a PoC.

  • SAMAS RANSOMWARE UPDATE

    After a lengthy pause, the Samas family is back with a variant using the .prosperous666 file extension. Drops PLEASE-README-AFFECTED-FILES.html note.

  • LAMBDALOCKER DECRYPTED

    Avast creates a free decryption tool for the LambdaLocker ransomware that appends the .MyChemicalRomance4EVER file extension.

  • NEW VERSION OF MATROSKA RANSOMWARE SPOTTED

    The latest Matroska ransomware edition concatenates the .encrypted[Payfordecrypt@protonmail.com] string to locked files.

  • RANSOMWARE STATS FOR Q2 2017

    Multiple security firms state that ransomware payloads outperformed all other threats distributed via email in Q2 2017.

  • SCREEN LOCKER CALLED WOODMAN

    The WoodMan Trojan features a lock screen that looks like a 5-year-old drew it. The ‘mm2wood.mid’ code does the unlock trick.

  • MOON DECRYPTOR RANSOMWARE

    Aka Moon Cryptor, this one boasts a well-designed GUI and appends the .fmoon string to files. Deletes one file per minute until paid.

  • DRACO PC RANSOMWARE DETECTED

    New Draco PC Ransomware threatens to delete one file every hour and erase system32 folder in two days if a victim doesn’t pay up.

  • GLOBEIMPOSTER UPDATED AGAIN

    Fresh version appends the .{saruman7@india.com}.BRT92 extension to encrypted files and drops #DECRYPT_FILES#.html note.

  • RANSOMWARE ATTACKS LG KIOSKS IN SOUTH KOREA

    Ransomware, presumably WannaCry, infected numerous LG self-service kiosks in South Korea with unpatched OS.

  • CRYPTOMIX LINEAGE GETS BIGGER

    New iteration of CryptoMix concatenates the .ERROR extension to files and creates _HELP_INSTRUCTION.txt ransom how-to.

  • SCREEN LOCKER WITH POLISH ROOTS

    Unnamed screen locker starts infecting computers in Poland. Researchers figured out that the unlock code is 023135223.

  • UNUSUAL TACTIC OF THE CYRON RANSOMWARE

    This one displays an alert about “children pornsites” detected in a victim’s browsing history. Appends the .CYRON extension to files.

  • KAPPA RANSOMWARE SPOTTED

    The sample called Kappa is a derivative of the Oxar ransomware. Still uses the .OXR extension to blemish encrypted data.

  • TROJAN DZ RANSOMWARE

    Trojan Dz turns out to be a CyberSplitter ransomware spinoff. Stains files with the .Isis string and demands 0.5 BTC.

  • OXAR STRAIN UPDATED AGAIN

    The second Oxar variant surfaces during the day. Shows animated warnings, uses the .OXR file suffix and demands $20 worth of BTC.

  • RESEARCHER GETS A MESSAGE VIA NEW RANSOMWARE

    Karsten Hahn, a well-known malware analyst from Germany, discovered a Hidden Tear spinoff displaying a picture of him.

  • INTERESTING FINDINGS OF MCAFEE ANALYSTS

    According to McAfee, 30% of all ransomware the company detected in June was made up of Hidden Tear offshoots.

  • XOLZSEC RANSOMWARE BASED ON POC

    Based on EDA2 proof-of-concept, this one appends the .xolzsec extension to files. Claims to have been made by a script kiddie.

  • FRENCH OFFSHOOT OF HIDDEN TEAR

    New HT variant is released that targets French users. Uses the .locked extension and TUTORIEL.bmp/READ_IT_FOR UNLOCK.txt notes.

  • UKRAINE MAY FACE ANOTHER RANSOMWARE OUTBREAK

    Ukrainian security company ISSP warns about possible new series of ransomware attacks following another accounting software hack.

  • FLATCHESTWARE BADDIE POPS UP

    The specimen called FlatChestWare is one more Hidden Tear offshoot. Concatenates the .flat extension to encoded files.

  • HIDDEN TEAR SPINOFFS KEEP COMING

    New HT derivative called VideoBelle appears. It zeroes in on French users, uses the .locked extension and Message_Important.txt note.

  • CRYAKL-RELATED UTILITY SPOTTED

    Researchers come across a manual counterpart of the encryptor used by the Cryakl ransomware family. It’s written in Delphi.

  • CYPHER RANSOMWARE BEING CREATED

    Python-based Cypher ransomware (note the spelling) affixes the .enc extension to locked files. Currently in development.

  • WOOLY, ANOTHER CRUDE RANSOM TROJAN

    This sample is written in .NET. Automatically installs Tor onto a targeted host and subjoins the .wooly suffix to encrypted data.

  • CRYPTOMIX GETS AN UPDATE

    New variant of the CryptoMix ransomware appends the .EMPTY string to files and uses _HELP_INSTRUCTION.txt restore manual.

  • CHINESE APP HELPS CREATE ANDROID RANSOMWARE

    Researchers spot a Chinese ‘Trojan Development Kit’ that fully automates the process of creating ransomware for Android.

  • PA-SIEM RANSOMWARE DETECTED

    Predictably enough, this sample concatenates the .PA-SIEM extension to files, whatever that means. It is in-dev so far.

  • ARENA EDITION OF THE CRYSIS RANSOMWARE

    New version of the Crysis/Dharma ransomware appears. Appends the .id-[victim ID].[chivas@aolonline.top].arena extension to files.

  • DEFRAY STRAIN TARGETING HIGH-PROFILE VICTIMS

    Brand new specimen dubbed Defray zeroes in on healthcare, educational, manufacturing and technology organizations.

  • FALSE ALARM ON A HIDDEN TEAR VARIANT

    Security analysts bump into an HT spinoff using the .locked extension, which turns out to be made for the EkoParty security conference.

  • NEW SAMPLE THAT DOESN’T DO ANY REAL DAMAGE

    Dubbed RansomPrank, this one doesn’t go further than displaying a warning screen. No crypto is implemented. Demands 0.5 BTC.

  • WOOLY RANSOMWARE GOES LIVE

    The specimen called Wooly switches its status from in-dev to real-life. Uses the .wooly extension for hostage data.

  • BTCWARE GETS “NUCLEAR”

    New variant of BTCWare strain appears. It appends files with an attacker’s email address followed by the .nuclear extension.

  • STRAWHAT RANSOMWARE

    Appends a random extension to files and drops ransom how-to’s named YOUR_FILES_ARE_ENCRYPTED.html/txt.

  • MINDSYSTEM SAMPLE DOES LITTLE DAMAGE

    New one called the MindSystem ransomware actually encrypts data but provides the decryption service free of charge.

  • CRYING RANSOMWARE IN THE WILD

    Created by a dev nicknamed ‘h4xor’. Goes with a GUI, doesn’t use any extra file extensions, and demands $600 worth of BTC.

  • UNREASONABLE MOVE BY THE TROLL RANSOMWARE

    Leverages XOR crypto to encrypt all data on a computer, including system files. This can cause OS malfunctions.

  • SCOTTISH HOSPITALS FALL VICTIM TO A BLACKMAIL VIRUS

    Several hospitals in Lanarkshire, Scotland, get infected with a ransomware strain called BitPaymer. Attackers demand 53 BTC.

  • IRS ISSUES A RANSOMWARE WARNING

    US Internal Revenue Service advises users to exercise caution with ransomware malspam impersonating this government agency.

  • AKIRA RANSOMWARE COMING UP

    Currently in development, this specimen uses the .akira extension for hostage files. Encrypts data in the Video folder only.

  • SAHER BLUE EAGLE RANSOMWARE UPDATE

    Fresh version of the Saher Blue Eagle strain appears. The good news is, it’s crude and does not complete the encryption routine.

  • RESEARCHER SETS UP A RANSOMWARE DEMO

    MHT’s Michael Gillespie joins the Hackable podcast and infects the host’s computer with ransomware to demonstrate how it works.

  • KEYMAKER RANSOMWARE WAVE TAKES ROOT

    Based on Hidden Tear, the KeyMaker ransomware appends the .CryptedOpps extension to files and drops READ_IT.txt rescue note.

  • HAZE RANSOMWARE FAILS TO IMITATE PETYA

    The strain called Haze shows a warning screen very similar to Petya’s. Fortunately, it does not actually encrypt anything.

  • OHNO! RANSOMWARE WITH OFFBEAT PAYMENT OPTION

    The OhNo! strain instructs victims to pay ransoms in Monero (2 XMR), whereas almost all counterparts opt for Bitcoin.

  • PRINCESS LOCKER DISTRIBUTION ENHANCED

    According to Malwarebytes analysts, the Princess Locker ransomware has started employing the RIG exploit kit for propagation.

  • CLEVER CONTAMINATION TRICK BY LOCKY

    New Locky campaign uses on-close MS Word macros that download the infection when a user closes a file attached to malspam.

  • CRYPTOMIX FAMILY GETS LARGER

    One more CryptoMix version pops up. It affixes the .arena string to encrypted files and drops _HELP_INSTRUCTION.txt ransom note.

  • MORE MONGODB SERVERS HACKED

    In a new campaign, 3 cybercriminal groups hijack more than 26,000 MongoDB databases and hold their contents for ransom.

  • HIDDEN TEAR VARIANT CALLED NULLTICA

    New HT spinoff called Nulltica uses the .lock file extension and sends booby-trapped messages to victims’ Facebook contacts.

  • ULTIMO STRAIN IS UNDERWAY

    Ultimo is yet another Hidden Tear PoC derivative at large. Speckles encrypted files with the .locked string.

  • NEW VARIANT OF KNOWN SCREEN LOCKER SPOTTED

    Like its precursor, this one displays “Your Windows Has Been BANNED” lock screen and demands $50 worth of BTC to unlock.

  • GLOBEIMPOSTER UPDATE

    Fresh GlobeImposter offshoot appends files with the .clinTON suffix and instructs victims to contact Bill_Clinton@decrymail.org.

  • CONFICKER RANSOMWARE FINE-TUNED

    This sample’s prototype was discovered in mid-April 2017. The newcomer uses the .Saramat file extension and asks for 0.5 BTC.

  • SYNACK, NEW STRAIN WITH AMBITIONS

    New SynAck ransomware is on the rise. It uses extensions of 10 random hexadecimal chars and RESTORE_INFO-[id].txt ransom notes.

  • TEAMWINLOCKERWINDOWS TROJAN DISCOVERED

    TeamWinLockerWindows screen locker has Russian origin. Additionally changes HOSTS file to block some sites, including Google.

  • APOLLOLOCKER TARGETING TURKISH USERS

    Uses the .locked file extension and drops DOSYALARI-KURTAR[random].txt/url ransom how-to’s. Also pilfers personal data.

  • MULTILINGUAL “HACKED” RANSOMWARE

    Appends the .hacked string to encrypted files. Ransom notes provide language choice out of English, Italian, Spanish, and Turkish.

  • FRANSOMWARE IN DEVELOPMENT

    The sample called FRansomware is still crude and doesn’t encrypt any data. Demands $150 worth of Bitcoin regardless.

  • DILMALOCKER TARGETS SPANISH-SPEAKING AUDIENCE

    DilmaLocker ransomware affixes the .__dilmaV1 extension to locked files and uses RECUPERE_SEUS_ARQUIVOS.html ransom note.

  • GLOBEIMPOSTER VERSION WITH VALID SIGNATURE

    New GlobeImposter edition (.f41o1 extension, READ_IT.html note) now uses a signed payload file with verified signature.

  • AMNESIA SPINOFF POSING AS WANNACRY

    An iteration of the Amnesia ransomware tries to mimic the WannaCry strain in a way, concatenating the .wncry string to files.

  • GLOBEIMPOSTER IS NO LONGER SIGNED

    Another GlobeImposter variant is released in quick succession. Uses the .4035 extension and no longer features a valid certificate.

  • STRAIN TAKING AFTER LOCKY

    Dubbed ArmaLocky, this Locky copycat uses similar ransom notes and concatenates the .armadilo1 string to hostage files.

  • SAMAS/SAMSAM RANSOMWARE UPDATE

    New version of the Samas ransomware is released. It switches to using the .disposed2017 suffix for ransomed data.

  • NEW DELPHI-BASED STRAIN POPS UP

    Affixes the .[restoreassistant2@tutanota.com].locked_file extension to files and uses !HOW_TO_UNLOCK_FILES!.html how-to’s.

  • PARADISE RANSOMWARE DISCOVERED

    Appears to be an independently developed sample. Concatenates the .[info@decrypt.ws].paradise extension to files.

  • EXOLOCK SAMPLE IS NOTHING EXTRAORDINARY

    New ExoLock ransomware subjoins the .exolocked string to encrypted files and demands 0.01 BTC ($40) for restoring them.

  • POLISH JIGSAW RANSOMWARE SPINOFFS SPOTTED

    The two Jigsaw editions use the .pablukCRYPT and .pabluk300CrYpT! extensions for locked data and a new desktop background.

  • INTERESTING FINDINGS ABOUT RANION RAAS

    It turns out that the Ranion Ransomware-as-a-Service distributes a blackmail Trojan that’s a Hidden Tear PoC derivative.

  • BLACKHAT RANSOMWARE

    This one is an offshoot of MoWare_H.F.D. lineage based on Hidden Tear. Uses the .H_F_D_locked extension and XOR cipher.

  • REALLY VULGAR RANSOMWARE CALLED SOFUCKED

    SoFucked ransomware is full of bad language, obviously. It uses the .fff file extension and READTHISHIT.txt ransom note.

  • HAPPY CRYPTER ISN’T SO FUN

    Although still in development, Happy Crypter performs encryption but doesn’t add any extension to files. Demands 0.9 BTC.

  • LOCKED_FILE STRAIN UPDATED

    Drops ransom how-to’s named !HOW_TO_UNLOCK_FILES!.html and still uses restoreassistant2@tutanota.com contact email.

  • IN-DEV PAYORDIE RANSOMWARE

    This brand-new specimen encrypts files and Base64-encodes filenames. Doesn’t affect data beyond the Desktop directory.

  • GLOBEIMPOSTER STILL HYPERACTIVE

    The latest edition of GlobeImposter uses the .reaGAN file extension and Ronald_Reagan@derpymail.org email for victim interaction.

  • MYSTIC RANSOMWARE RELEASED

    Unlike most strains out there, the Mystic ransomware doesn’t concatenate any extension to filenames. Uses ransom.txt how-to.

  • CROOKS SEND HIDDEN MESSAGE TO A RESEARCHER

    New Dcry ransomware version surfaces that uses the .dian file extension. Its code contains a message for MHT’s Michael Gillespie.

  • RESTOLOCKER, ONE MORE HT SPINOFF

    New Hidden Tear based sample called RestoLocker appears. Speckles data with the .HeroesOftheStorm extension. Currently in-dev.

  • RBY RANSOMWARE DETECTED

    RBY blackmail Trojan is a fresh version of the Kryptonite ransomware. Displays a warning screen in Russian and English.

  • NEW EXTENSION ADDED TO PSCRYPT’S ARSENAL

    PSCrypt ransomware switches to using the .paxynok string to label encrypted files. Still spreads mostly in Ukraine.

  • HTA VIRUS DEVELOPMENT IN PROGRESS

    Researchers come across fresh in-dev ransomware called HTA Virus. Based on ransom notes, it is intended to target German users.

  • BUD RANSOMWARE MAKING THE ROUNDS

    This one is functionally similar to Jigsaw ransomware. Uses the .bud extension for ransomed data and demands €500 worth of Bitcoin.

  • HACKERS INVASION RANSOMWARE

    Affixes the .Doxes extension to locked files and demands a ridiculous $120,000 for decryption. Can be decrypted for free.

  • LOUSY FBI-THEMED RANSOMWARE SPOTTED

    A decryptable spinoff of the Stupid ransomware with FBI logo on the warning screen. Uses the .XmdXtazX extension and requests €35.

  • YKCOL VERSION OF LOCKY APPEARS

    The Locky ransomware gets an update, introducing new .ykcol extension for ransomed data and ykcol.htm/bmp rescue notes.

  • PENDOR RANSOMWARE DISSECTED

    Pendor displays a CMD style lock screen requesting numeric input. Demands $50 worth of BTC. May potentially be decryptable.

  • ZONEWARE STRAIN DETECTED

    Currently in development. Concatenates the .ZW suffix to encoded data and extorts 0.025375 BTC for data recovery.

  • NEW SAMAS RANSOMWARE EDITION

    The latest Samas/SamSam variant uses the .myransext2017 file extension and 005-DO-YOU-WANT_FILES.html ransom how-to.

  • FRESH SCREEN LOCKER APPEARS

    Researchers spot a new screen locking virus that pretends to be from the FBI. Demands $300. The unlock code is ‘rhc@12345’.

  • HITLER RANSOMWARE IS IN PLAY AGAIN

    New version of the almost forgotten Hitler ransomware appears. The warning message is in German. Extorts €10 for decryption.

  • RANSOMWARE DIVIDES CYBERCRIME UNDERGROUND

    Admins of East European hacking forums are reportedly disputing over allowing ransomware promotion via their resources.

  • CRYPTOMIX RANSOMWARE UPDATE

    The most recent version of CryptoMix appends the .SHARK extension to files and drops _HELP_INSTRUCTION.txt ransom note.

  • NEW ROTORCRYPT VARIANT SPOTTED

    Uses the following file extension to blemish encrypted data: !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66.

  • CYBERDRILL_2 RANSOMWARE

    Fresh Hidden Tear offshoot that concatenates the .cyberdrill string to encrypted files. GUI includes DDoS threats.

  • POLISH SAMPLE CALLED TECHNICY

    This one’s code is based on Hidden Tear PoC. Concatenates the .technicy extension to locked files.

  • LOCKY BECOMES INCREASINGLY PREVALENT

    The Ykcol variant of Locky is being distributed via six concurrent malspam waves generated by a new affiliate.

  • NRANSOM SAMPLE ACTS IN A VERY UNUSUAL FASHION

    The new nRansom strain demands that victims send 10 nude pictures of themselves in order to unlock a hijacked computer.

  • BRAND NEW SCREEN LOCKER FOUND

    Researchers stumble upon a fresh in-development screen locker whose binary is named ‘PoetralesanA Virus Maker.exe’.

  • MESSAGE OF DEATH RANSOMWARE

    This one concatenates the .locked extension to hostage files and demands $350 worth of Bitcoin for recovery. Currently in-dev.

  • CYBERSOLDIER STRAIN RELEASED

    Stains data with the .CyberSoldiersST extension. Crude so far, only renames files without actually encrypting them.

  • WYVERN VARIANT OF BTCWARE

    The BTCWare family expands with an edition that appends files with the .wyvern extension preceded by attacker’s email and victim ID.

  • INFINITYLOCK BEHAVES DIFFERENTLY

    Having encrypted one’s files, InfinityLock displays a bogus command prompt window imitating commands being typed in remotely.

  • GAME OF THRONES REFERENCES IN LOCKY CODE

    Visual Basic scripts engaged in Locky/Ykcol ransomware distribution are found to contain references to the Game of Thrones series.

  • REDBOOT RANSOMWARE MIGHT BE A WIPER

    RedBoot encrypts files with the .locked extension and corrupts MBR along with partition table. It provides no recovery option, though.

  • SUPERB STRAIN IS SOMEWHAT UNUSUAL

    The sample called SuperB encrypts copies of files, affixes the .enc string to them and overwrites original ones with ransom how-to’s.

  • JOHN’S LOCKER DOESN’T DO MUCH HARM

    This one fails to encrypt any files but still futilely demands Bitcoins for recovery. Closing the pest’s GUI addresses the problem.

  • NOTHING IMPRESSIVE ABOUT CRYPTOCLONE

    Dubbed CryptoClone, this specimen is a CryptoLocker lookalike using the .crypted file extension. It is quite likely decryptable.

  • NEW SCREEN LOCKER CRACKED

    Researchers come across a fresh screen locker that tries to extort $50 worth of BTC. Victims can use ‘qwerty’ code for unlocking.

  • ONION3 CRYPT V.3

    This is one more Hidden Tear spinoff in the wild. It adds the .onion3cry-open-DECRYPTMYFILE string to encrypted files.

  • BILINGUAL THT LOCKER INFECTION

    The brand-new ransom Trojan in question displays a lock screen containing an alert in Russian and English.

  • BLACKMIST SAMPLE SPOTTED

    Currently in-dev, BlackMist ransomware appends ‘blackmist’ to files, without a dot before extension. Sets a 48-hour payment deadline.

  • BITDEFENDER’S TOOL FOR IDENTIFYING RANSOMWARE

    Bitdefender Labs release Ransomware Recognition Tool that accurately identifies a crypto strain that the user is hit by.

  • ANOTHER DULL SCREEN LOCKER APPEARS

    Security analysts discover a screen locking virus that generates a lock message in Portuguese. Nothing else is noteworthy about it.

  • A TRICKY HIDDEN TEAR OFFSHOOT

    New unnamed HT variant attempts to send crypto keys over email. Drops READ_IT.txt note and affixes the .locked string to files.

  • LOCKY AND TRICKBOT SPREADING VIA THE SAME WAVE

    A Necurs spam campaign is spotted that delivers either Locky or Trickbot banking malware depending on victim’s location.

  • PARADISE RANSOMWARE UPDATE

    Fresh iteration of the Paradise culprit drops ransom how-to in HTML format. It used to leave instructions in a TXT file.

  • CYPHER RANSOMWARE MODIFIED

    The Python-based Cypher pest switches to .crypt extension for locked data entries instead of the previously used .enc suffix.

  • LASER LOCKER BETA BUILDER SPOTTED

    Laser Locker Beta is a tool allowing criminals to easily generate custom versions of the SurveyScreenlocker ransomware.

  • SLOVENIAN DMA LOCKER IMITATION DISCOVERED

    The rogue DMA Locker ransomware sample uses a warning image that’s just a screenshot of the original taken from a security site.

  • NEW JIGSAW RANSOMWARE VERSION APPEARS

    The newcomer uses Anonymous themed background for its ransom window and subjoins the .fun extension to hostage files.

  • BTCWARE STRAIN UPDATED

    New BTCWare edition is released that concatenates the .payday extension to files and uses !! RETURN FILES !!.txt ransom note.

  • RANSOMWARE-THEMED TECH SUPPORT SCAM

    A tech support fraud campaign takes root where users keep getting fake browser messages saying “Ransomware Detected”.

  • SAMAS RANSOMWARE TWEAK

    Another detected iteration of the Samas ransomware lineage blemishes encoded files with the .loveransisgood extension.

  • U.S. CITY ATTACKED BY RANSOMWARE

    The internal information system of the City of Englewood, Colorado, gets infected with an unidentified ransomware strain.

  • ARKANSAS HEALTHCARE FACILITY HIT BY BLACKMAIL TROJAN

    Arkansas Oral and Facial Surgery Center states its IT network was compromised by ransomware on July 26, 2017.

  • ENDER RANSOMWARE SPOTTED

    Brand new ransomware called Ender locks the screen of an infected computer. Victims can use ‘aRmLgk8wboWK5q7’ unlock code.

  • NEW INFECTION TRICK BY GLOBEIMPOSTER DEVS

    A GlobeImposter ransomware variant arrives via spam disguised as website job application containing malign Word macros.

  • LOCKON RANSOMWARE SPOTTED

    This in-development strain is configured to concatenate the .lockon extension to encoded data. Somewhat crude at this point.

  • BUGWARE CULPRIT IN THE WILD

    BugWare displays a rescue note in Portuguese and adds the .[SLAVIC@SECMAIL.PRO].BUGWARE string to locked files.

  • NEW LOCKY VERSION RELEASED

    The latest iteration of Locky brings about new .asasin extension for encrypted files along with asasin.htm/bmp ransom how-to’s.

  • FRESH SCREEN LOCKER FROM NOTORIOUS LINEAGE

    Another edition of the “Your Windows Has Been Banned” screen locking virus is detected. Presumably of Turkish origin.

  • ANONCRACK SPECIMEN

    A Hidden Tear POC variant called AnonCrack takes root. It displays warnings in Spanish and subjoins the .crack suffix to skewed files.

  • ROTORCRYPT UNDERGOES AN UPDATE

    New edition of the RotorCrypt ransomware uses the .biz extension to blemish encrypted files and a ransom note named DOCTOR.

  • ATCHBO RANSOMWARE

    The brand-new blackmail malware called Atchbo concatenates the .ExoLock string to files and demands 0.007 BTC for decryption.

  • RANSOMWARE ECONOMY GROWING RAPIDLY

    According to security firm Carbon Black, the underground marketplace propping ransomware reportedly grows by 2,500% per year.

  • MINOR UPDATE OF BTCWARE

    The latest BTCWare variant appending the .payday file extension token switches to using Checkzip@india.com contact email.

  • NEW BUGWARE OFFSHOOT RELEASED

    The build features new GUI and uses the .[SLAVIC@SECMAIL.PRO].CRIPTOGRAFADO extension for scrambled files.

  • TRICKY ANDROID RANSOMWARE SURFACES

    Dubbed DoubleLocker, this Android infection gets recursively executed every time the device’s Home button is pressed.

  • CRYPTOMIX FINE-TUNED

    Fresh version of the CryptoMix ransom Trojan subjoins the .x1881 suffix to files and drops _HELP_INSTRUCTION.txt ransom note.

  • ANUBI, A NEW SPECIMEN OUT THERE

    The sample in question uses the .[anubi@cock.li].anubi string to label encrypted files and leaves __READ_ME__.txt ransom manual.

  • CCORD RANSOMWARE POPS UP

    Brand-new screen locker called CCord SystemLocker might be a challenge game made by a German ‘enthusiast’ nicknamed MaxBe.

  • WANNACRY AS AN INTIMIDATION INSTRUMENT

    Fresh tech support scam is spotted that involves browser redirects to a page stating the computer is contaminated with WannaCry.

  • A WRITE-UP ON SAGE 2.2 RANSOMWARE

    Cybersecurity researcher Bart (@bartblaze) posts a detailed technical overview of the Sage v2.2 ransomware on his blog.

  • VIIPERWARE, ANOTHER FILE-ENCRYPTING TROJAN

    This one is an in-development offshoot of the educational Hidden Tear ransomware. Adds the .viiper extension to encrypted data.

  • CRYPTODEMO PURSUING AN OFFBEAT GOAL

    The CryptoDemo sample made by someone nicknamed Eicar resembles CryptoLocker and is used to check AV detection rate.

  • TYRANT RANSOMWARE

    Aka Crypto Tyrant, the pest in question is a spinoff of the so-called Dumb ransomware codebase that was previously outsourced.

  • VORTEX STRAIN UPDATED

    The latest edition of the fairly old Vortex ransomware uses a rescue note named “#$# JAK-ODZYSKAC-PLIKI.txt” written in Polish.

  • SCREEN LOCKER THAT LOOKS LIKE A PRANK

    The lock screen says, “Your computer is running a pirated version of Windows”. Demands $100 worth of Ethereum and 20 nude pics.

  • RANSOMWARE USED TO HIDE THIEVES’ TRACKS

    North Korean cybercrooks reportedly used the Hermes ransomware to distract attention from a recent Taiwan bank heist.

  • BLIND RANSOMWARE SPOTTED

    Resembles CrySiS/Dharma, concatenates the .blind extension to locked files and uses How_Decrypt_Files.hta ransom how-to.

  • MORE HT OFFSPRING IN THE WILD

    Analysts discover an Italian Hidden Tear version authored by somebody with the alias ‘The Magic’. Uses the .locked file extension.

  • ANOTHER ROTORCRYPT EDITION

    One more iteration of RotorCrypt pest goes live. Affixes the !____________DESKRYPT@TUTAMAIL.COM________.rar string to files.

  • MAGNIBER, A LIKELY CERBER HEIR

    New ransomware dubbed Magniber appears. It uses random extensions and bears a close resemblance to the Cerber ransom Trojan.

  • GEO RESTRICTIONS OF MAGNIBER

    This quality strain appears to only zero in on South Korean users at this point. The limited spread may be a test run.

  • PARTIALLY EFFECTIVE MAGNIBER DECRYPTOR RELEASED

    Researchers at Zimperium security company find a way to decrypt Magniber. Only works for a variant using hard coded crypto key.

  • NEW SPAM CAMPAIGN SPREADING BUGWARE

    A WhatsApp malspam wave is spotted that disseminates the payload for Bugware strain using the .CRIPTOGRAFADO extension.

  • SAHER BLUE EAGLE SPECIMEN UPDATED

    Fresh version switches to using the .SaherBlueEagleRansomware extension for hostage data items.

  • ANOTHER FBI THEMED RANSOMWARE

    This one (.XmdXtazX file extension) was made by a cynical developer who emphasizes he can set the ransom size as he pleases.

  • LORDOFSHADOW PEST OUT THERE

    Yet another Hidden Tear spinoff targeting Brazilian users. Adds the .lordofshadow string to files and drops LEIA_ME.txt ransom note.

  • ORDINAL, ONE MORE HIDDEN TEAR OFFSHOOT

    New HT based Ordinal ransomware uses the .ordinal extension and READ Me To Get Your Files Back.txt.Ordinal rescue note.

  • FRESH TOOL CREATED TO ASSIST RANSOMWARE VICTIMS

    Called McAfee Ransomware Recover (Mr2), the utility automatically identifies a strain and suggests a free decryptor if available.

  • ID RANSOMWARE CELEBRATES ANOTHER MILESTONE

    The ID Ransomware online service devised by MalwareHunterTeam is now capable of identifying 500 ransomware lineages.

  • WINDOWS 10 UPDATE DELIVERS A USEFUL FEATURE

    The latest build of Windows 10 goes equipped with ‘Controlled Folder Access’ functionality thwarting file changes by ransomware.
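
    Since the chronicle only names the feature, here is how a defender would roll it out and check it, as an added example that is not part of the original chronicle and not Microsoft’s own documentation. It uses the Windows Defender PowerShell cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) and the Defender operational event log; the folder and application paths are placeholders to be replaced with real ones.

```powershell
# Added example (not from the chronicle): enabling and checking Controlled Folder Access
# with the Windows Defender cmdlets. Requires an elevated prompt and Windows 10 1709+.
# All folder and application paths below are placeholders.

# 1. Start in audit mode: writes that would be blocked are logged (event ID 1124)
#    but not denied, so legitimate software can be identified before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the default user libraries.
#    Placeholder path: replace with the data directory you actually need to protect.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'

# 3. Allow a trusted application that legitimately writes into protected folders.
#    Placeholder path: a real line-of-business or backup binary would go here.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Acme\Backup\acmebackup.exe'

# 4. Switch to enforcement once the audit log shows no unexpected entries.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Verify the effective configuration (1 = Enabled, 2 = AuditMode, 0 = Disabled).
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 6. Review blocked (1123) and audited (1124) write attempts from the last 7 days.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-List
```

    Running in audit mode first matters: an unknown installer or updater that writes into Documents will show up as a 1124 event, and adding it to the allowed list before enforcing avoids the helpdesk tickets that otherwise get the feature switched off again.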

  • ALLCRY RANSOMWARE ON THE TABLE

    The sample called AllCry subjoins the .allcry suffix to encrypted files and demands 1 BTC for decryption.

  • HALLOWEEN THEME IS ALREADY IN THE AIR

    New Trick or Treat ransomware is discovered. Fortunately, it fails to perform data encryption and simply displays a spooky warning.

  • MEET PENNYWISE RANSOMWARE

    This fresh incarnation of the Jigsaw strain concatenates the .beep extension to files and displays a pic of the Pennywise character.

  • COMRADE RANSOMWARE RELEASED

    Yet another Hidden Tear variant. Affixes the .comrade string to locked files and creates a ransom how-to named DECRYPT_FILES.txt.

  • BADRABBIT RANSOMWARE IS AN OFFBEAT ONE

    The baddie called BadRabbit behaves similarly to NotPetya (affects Master Boot Record) and spreads predominantly in Eastern Europe.

  • TIES BETWEEN BADRABBIT AND NOTPETYA ARE OBVIOUS

    Several security firms unveil that the BadRabbit and NotPetya campaigns were operated by the same cybercriminal group.

  • BADRABBIT IMPACT NOT RESTRICTED TO EUROPE

    According to some reports, a small fraction of BadRabbit ransomware victims are organizations based in the United States.

  • EXTENSIVE BREAKDOWN OF THE BADRABBIT ISSUE

    A number of IT security companies post articles with comprehensive technical analysis of the newsmaking BadRabbit ransomware.

  • TYRANT RANSOMWARE ON THE RISE

    The number of incidents involving the Tyrant, or Crypto Tyrant, ransomware is currently soaring in Iran. Pretends to be a VPN app.

  • BADRABBIT DIDN’T DO WITHOUT NSA EXPLOITS

    Said outbreak of online extortion was reportedly bolstered by one of the previously dumped NSA exploits, dubbed Eternal Romance.

  • WANNABEHAPPY RANSOMWARE

    Although WannaBeHappy sounds antonymous to the infamous WannaCry, it encrypts files (.encrypted extension) just as professionally.

  • KERKOPORTA IS A HECK OF A DANGEROUS COMBO

    This Greek malware package encompasses a piece of crypto ransomware and a sneaky RAT (Remote Access Tool).

  • RUBINA5 RANSOMWARE SAMPLES BEING SOUGHT

    MalwareHunterTeam’s Michael Gillespie starts a hunt for the scarcely analysed ransomware sample using the .rubina5 file extension.

  • LOSERS RANSOMWARE HAS SOME GEO PREFERENCES

    This one is a spinoff of the Cry36/Nemesis codebase. Mainly targets Indonesian users and appends the .losers suffix to hostage files.

  • EXTORTION THROUGH SERVER HACKS

    A new blackmail tactic is gaining momentum, where crooks breach servers, move data to password-protected ZIPs and demand ransoms.

  • MATRIX RANSOMWARE WAVE TAKEN A NOTCH FURTHER

    The existing strain called Matrix ransomware gets enhanced in that it is now being distributed via the RIG exploit kit.

  • XIAOBA RANSOMWARE IN THE WILD

    Zeroing in on Chinese users, the XiaoBa infection stains files with the .XiaoBa[number range 1-34] extension.

  • XRANSOM, NOT MUCH UNDER THE HOOD YET

    The sample called xRansom is in testing mode at this point. Only encrypts 4 file types and doesn’t use any extension or how-to’s.

  • YYTO STRAIN UPDATED

    YYTO has hardly ever been in active rotation, and yet it undergoes an update. The new file extension is colecyrus@mail.com.b007.

  • BADRABBIT MAY BE DECRYPTABLE, IF STARS ALIGN

    The Trojan may fail to delete shadow copies of one’s data and may not handle crypto keys properly, so users may be able to restore files.

  • PLUS 1 FOR THE XORIST FAMILY

    A fresh edition of the Xorist ransomware surfaces that concatenates the .error[victim ID] extension to locked files.

  • GLOBEIMPOSTER LINEAGE REFRESHED

    The latest GlobeImposter ransomware variant switches to using the .apk extension token for ransomed data.

  • TRICK OR TREAT RANSOMWARE UPDATED

    This Halloween themed ransomware now uses a different background for the warning screen and features updated text.

  • ONI RANSOMWARE USED FOR DISTRACTION MANEUVER

    The sample called ONI is part of a well-orchestrated hoax targeting Japanese companies, in tandem with Ammyy Admin RAT.

  • RANSWARE STRAIN APPEARS

    While failing to encrypt any data for real, RansWare instructs victims to submit a whopping 100 BTC ransom for recovery.

  • ANOTHER HT VARIANT, MADE IN FRANCE

    Hidden Tear spinoff with French roots adds the .hacking extension to files and tells victims to contact the attacker via email.

  • THE POWER OF HIDDEN TEAR OVERSTATED BY CROOKS

    New HT iteration uses the .locked extension to blemish encrypted files and says it’s “one of the most powerful ransomware’s around”.

  • MAGNIBER RANSOMWARE TWEAK

    The most recent spotted edition of the Cerber-like Magniber strain concatenates the .skvtb suffix to encrypted data items.

  • NEW JIGSAW VERSION RELEASED

    The newcomer to the Jigsaw syndicate affixes the .game extension to encoded data. No further changes have been made.

  • HERMES 2.1 RANSOMWARE

    Hermes ransomware reaches version 2.1. Appends the .HRM string to files and drops DECRYPT_INFORMATION.html ransom note.

  • MATRIX RANSOMWARE UPDATE

    Another Matrix variant subjoins the _[RELOCK001@TUTA.IO].[original extension] string to files and uses the !OoopsYourFilesLocked!.rtf note.

  • GIBON STRAIN IN THE WILD

    Circulates via malicious Word macros, appends the .encrypt extension to hostage files and drops READ_ME_NOW.txt ransom how-to.

  • SAD RANSOMWARE RELEASED

    Generates a unique ID for each victim and uses it as the file extension. The ransom notification is named _HELPME_DECRYPT_.html.

  • RANION BLACKMAIL VIRUS GETS A FACELIFT

    Ranion switches to using the .ransom extension for encrypted files and README_TO_DECRYPT_FILES.html rescue note.

  • CURUMIM STRAIN, A BYPRODUCT OF HIDDEN TEAR

    Portuguese spinoff of the Hidden Tear project surfaces called Curumim ransomware. Uses the .curumim extension for hostage files.

  • XIAOBA RANSOMWARE UPDATED

    The new variant uses a different lock screen demanding 250 RMB (37.696 USD) worth of Bitcoin to unlock the computer.

  • ZIKA RANSOMWARE

    Based on Hidden Tear PoC. Generates a ransom notification in Spanish and concatenates the .teamo string to encrypted files.

  • WAFFLE RANSOMWARE DOESN’T TASTE GOOD

    This one is all about waffles: that’s what its ransom note is called, it displays an image of waffles, and uses the .waffle file extension.

  • GIBON RANSOMWARE PUSHED VIA DARK WEB RESOURCES

    It turns out that the recently discovered GIBON ransomware has been advertised on hacker forums since May 2017.

  • SIGMA RANSOMWARE HUNTED DOWN

    The brand new Sigma sample appends random extensions to hostage files, drops Readme.txt rescue note and demands $1,000 in BTC.

  • CHRISTMAS RANSOMWARE RELEASED WAY IN ADVANCE

    Displays a gloomy picture of a tree with Christmas toys. The size of the ransom is 0.03 BTC (about $200). Based on open-source code.

  • U.S. CITY FALLS VICTIM TO RANSOMWARE

    Computer system of Spring Hill, Tennessee, gets impacted by unknown ransomware. The crooks demand $250,000 for decryption.

  • JHASH RANSOMWARE APPEARS

    Jhash is a Hidden Tear variant targeting Spanish-speaking users. Subjoins the .locky extension to encoded files.

  • DESTRUCTIVE GIST OF THE ORDINYPT RANSOMWARE

    Going after German users, Ordinypt irreversibly damages victims’ data. The ransom note is named Wo_sind_meine_Dateien.html.

  • LOCKCRYPT REMADE TO HIT SERVERS

    The extortionists behind LockCrypt ransomware access enterprise servers via RDP and deposit the file-encrypting infection manually.

  • CRYSIS RANSOMWARE TWEAK

    The latest CrySiS ransomware edition appends the .[cranbery@colorendgrace.com].cobra extension to files and uses Info.hta note.

  • LOL RANSOMWARE USES INTERESTING CAMOUFLAGE

    The payload of the LOL ransomware is disguised as a keygen program. It uses the .lol file extension and demands 0.1 BTC.

  • JIGSAW FAMILY CONTINUES TO EXPAND

    A fresh build of the Jigsaw ransomware affixes the .##ENCRYPTED_BY_pablukl0cker## string to encrypted files.

  • STRAIN MIMICKING A LAW ENFORCEMENT AGENCY

    A Hidden Tear variant. The warning screen says, “Your computer is blocked by cyber police for unlicensed software’s usage.”

  • GLOBEIMPOSTER ADOPTS SOME NEW TACTICS

    A big tweak in the new GlobeImposter variant has to do with the way it encrypts and extracts its configuration data.

  • STROMAN RANSOMWARE UPDATED

    Although the original build hasn’t been very successful, the crooks have updated the code. Now uses .fat32 extension and info.txt note.

  • ONE MORE VERSION IN THE CRYPTOMIX LINEAGE

    The most recent iteration switches to using the .XZZX extension for encrypted files. The how-to is still named _HELP_INSTRUCTION.txt.

  • JCANDY RANSOMWARE SURFACES

    Concatenates the .locked-jCandy string to locked data entries, dropping READ_ME.txt and JCANDY_INSTRUCTIONS.txt ransom notes.

  • IN-DEV PEST TARGETING FRENCH USERS

    Security analysts discover an in-development ransom Trojan providing instructions in French. Uses the .lockon extension for victims’ files.

  • NEW DECRYPTION BREAKTHROUGH BY RESEARCHERS

    Dr.Web anti-malware company releases the Rescue Pack tool that decrypts files encoded by Blind/Kill ransomware. Requires payment.

  • GLOBEIMPOSTER UPDATED ONCE AGAIN

    New GlobeImposter ransomware persona adds the .kimchenyn extension to files and drops how_to_back_files.html rescue note.

  • AMNESIA2 VARIANT FAILS IN A WAY

    This one adds the .am string to hostage files. The ENCRYPTED FILES.txt ransom note contains random digits instead of instructions.

  • GOOFED RANSOMWARE TAKES ROOT

    A Hidden Tear offshoot that blemishes encrypted files with the .goofed extension and uses YOU_DONE_GOOFED.txt ransom how-to.

  • GLOBEIMPOSTER GOES SEXY

    One more hastily released variant of GlobeImposter now subjoins the .SEXY string to encoded data items.

  • U.S. SCHOOL TARGETED BY TRICKY RANSOMWARE

    The crude culprit zeroes in on J. Sterling Morton High School (Illinois) students. Pretends to be a student survey. No crypto so far.

  • RASTAKHIZ RANSOMWARE

    This one is based off of Hidden Tear. Goes with a well-designed GUI and concatenates the .RASTAKHIZ extension to ransomed files.

  • CRYPTOMIX RANSOMWARE TWEAK

    The second CryptoMix version in a week switches to using the .0000 extension for hostage files and new contact emails.

  • WANNASMILE STRAIN ISN’T SO OPTIMISTIC

    The WannaSmile blackmail virus stains files with the .WSmile suffix and uses ‘How to decrypt files.html’ ransom note.

  • SOME FACTS ON NEW CORRUPTCRYPT RANSOMWARE

    The sample called CorruptCrypt uses two different extensions for scrambled files: .corrupt and .acryhjccbb@protonmail.com.

  • HAND OF GOD RANSOMWARE

    A screen locker targeting Canadians, displaying its warnings in French and featuring an FBI themed logo. Demands 0.06 BTC to unlock.

  • BASS-FES RANSOMWARE IN THE WILD

    One of the multiple Hidden Tear variants released during the week. Concatenates the .basslock string to encoded files.

  • LOUSY RUSSIAN CLONE OF WANNACRY

    Called ‘Wana die decrypt0r’, this one mimics WannaCry’s GUI and displays a ransom note in Russian. No real crypto so far.

  • CRYSIS RANSOMWARE UPDATED

    A brand-new variant of the CrySiS/Dharma blackmail virus switches to concatenating the .java extension to encrypted files.

  • CRYAKL STRAIN UNDERGOES A CHANGE

    The thought-extinct Cryakl ransomware species resurfaces with a fresh edition that adds the .fairytale string to ransomed data items.

  • LOCKET RANSOMWARE IS TOO CRUDE TO WORK RIGHT

    Locket displays a ransom warning screen resembling that of CryptoLocker. Lacks encryption functionality at this point.

  • GLOBEIMPOSTER TWEAK

    A new version of the GlobeImposter ransom Trojan uses the .Ipcrestore file extension and how_to_back_files.html rescue note.

  • QKG RANSOMWARE DISCOVERED

    The qkG ransomware, aka qkG Filecoder, only encrypts Microsoft Office documents spotted on an infected computer.

  • IGOTYOU RANSOMWARE

    This is an in-development ransom Trojan that affixes the .iGotYou extension to files and asks for 10,000 Indian rupees for recovery.

  • ANOTHER WANNACRY COPYCAT OUT THERE

    One more imitation of the WannaCry ransomware generates a ransom alert in Portuguese and demands 0,006 BTC.

  • SCARAB RANSOMWARE ON A RAMPAGE

    Propagates massively via the Necurs botnet. Appends the [suupport@protonmail.com].scarab extension to filenames.

  • SOME AFRICA-SPECIFIC RANSOMWARE STATS

    According to Sophos, the top ransomware strains of 2017 in Africa are Cerber (80%), WannaCry (17%), Locky, Jaff, and Petya (1% each).

  • CRYP70n1C ARMY RANSOMWARE

    A Hidden Tear spinoff. Concatenates the .cryp70n1c extension to locked files and provides 3 days to submit the ransom.

  • GIRLSOMWARE MADE FOR FUN

    This sample appears to be a joke, because a) it doesn’t encrypt, and b) it tells victims to click a bunch of checkboxes for decryption.

  • EXO BUILDER ALLOWS CREATING NEW RANSOMWARE

    Newly discovered Exo Builder tool automates the process of making new ransomware (.exo extension, UnlockYourFiles.txt note).

  • STORAGECRYPT, A THREAT TO NAS DEVICES

    StorageCrypt targets Western Digital My Cloud NAS devices. Uses the .locked extension and _READ_ME_FOR_DECRYPT.txt how-to file.

  • SAMAS STRAIN UPDATED

    The newest edition of the Samas/SamSam ransom Trojan concatenates the .areyoulovemyrans string to hostage data items.

  • MAGNIBER GOES THROUGH A TWEAK

    A fresh variant of the Magniber ransomware adds the .vpgvlkb extension to files and leaves ‘read me for decrypt.txt’ rescue note.

  • NEW SPECIMEN TARGETING FRENCH USERS

    Not catalogued under any known family thus far. Appends the .locked extension and adds READ_ME_FOR_ALL_YOUR_FILES.txt note.

  • HC6 RANSOMWARE CRACKED

    A decryptor is out for the HC6 blackmail virus that uses the .fucku file extension and drops recover_your_files.txt recovery manual.

  • CRYPTON PUTS ON SOME NEW DISGUISE

    The prolific CryptON ransomware gets an update. It switches to the .encrptd extension and pretends to be EaseUS Keygen tool.

  • CRYPT12 DEFEATED AGAIN DESPITE ANOTHER UPDATE

    MHT’s Michael Gillespie upgrades his decryptor for Crypt12 Trojan supporting a new version (hello@boomfile.ru.crypt12 extension).

  • MAXICRYPT BEING HUNTED DOWN

    Researchers announce a hunt for a scarcely analyzed sample that uses the .[maxicrypt@cock.li].maxicrypt extension for locked files.

  • IN-DEV WANNAPEACE RANSOMWARE

    This one prepends the original extension of a targeted file with the _enc string. Currently does not spread in the wild.

  • CRYPT888 RANSOMWARE UPDATED

    The latest variant of the Crypt888 blackmail culprit instructs victims to contact the attacker at maya_157_ransom@hotmail.com.

  • HC7 RANSOMWARE TWEAK

    The relatively new HC7 file-encrypting malware stains encrypted data with the .GOTYA extension. Extensive analysis not done yet.

  • LOCALIZED OUTBREAK OF ACCDFISA BADDIE

    Security experts notice a spike in ACCDFISA v2.0 infection instances isolated to Brazil. This one is a remake of a notorious sample.

  • ONE MORE SCREEN LOCKER SPOTTED

    The executable file of this infection is named REAL DANGEROUS RANSOMWARE.exe. Does not encrypt anything, only locks the screen.

  • GLOBEIMPOSTER DISTRIBUTION ON STEROIDS

    New variants of the GlobeImposter ransom Trojan have been making the rounds via Necurs, one of the biggest botnets out there.

  • CRYPTOMIX STRAIN UPDATED

    A fresh iteration of the CryptoMix ransomware brings about the .TEST extension being concatenated to hostage files.

  • HALLOWARE INFECTION FOR SALE

    Someone nicknamed ‘Luc1F3R’ is selling a turnkey kit for new ransom Trojan called Halloware for only $40 on dark web forums.

  • BTCWARE GETS ‘SHADOWY’

    A brand-new mod of the BTCWare ransom Trojan stains encrypted files with the .[attacker’s_email]-id-id.shadow extension.

  • GLOBE2 CONTINUES THE RECENT UPDATE TREND

    The Globe2 ransomware follows suit with other widespread strains and spawns a new version using the .abc string for hostage files.

  • CLICO CRYPTOR PURSUES A BENIGN OBJECTIVE

    While exhibiting basic ransomware characteristics, ClicoCrypter appears to be aimed at testing CheckPoint Software’s efficiency.

  • YET ANOTHER MAGNIBER VERSION IS OUT

    The most recent edition of the Magniber ransomware uses the .dlenggrl suffix to label one’s encrypted files.

  • INTERESTING WRITEUP ON MALICIOUS CODE SHARING

    Analysts provide comparative analysis of two ransomware strains, Vortex and Bugware, both of which are based on open source code.

  • BLIND RANSOMWARE UPDATED

    A fresh version of the Blind ransomware uses the .napoleon extension for hostage files and How_Decrypt_Files.hta ransom note.

  • ETERNITY RANSOMWARE SPOTTED

    This somewhat buggy infection stains encrypted data items with the .eTeRnItY extension. The unlock code is 1234567890.

  • JCODER CULPRIT GETS A BIT OF FINE-TUNING

    New Vietnamese edition of the JCoder ransomware is discovered that uses the .MTC file extension and ‘WanaCry 0.2.ini’ ransom note.

  • MAGNIBER SPAWNS SEVERAL NEW SAMPLES

    Three iterations of the Magniber Trojan take root, featuring the .dwbiwty, .fbuvkngy and .xhspythxn file extensions.

  • RANSOMWARE WITH SELF-EXPLANATORY NAME

    Analysts come across a Spanish ransomware strain whose GUI is titled ‘PAYMENT’. Currently in development, with no crypto in place.

  • RANSOMMINE SAMPLE WITH KOREAN ROOTS

    Appends the .RansomMine extension to enciphered files, hence the name. Restores data if it spots Minecraft 1.11.2 on a PC.

  • IN-DEPTH ANALYSIS OF HC6 RANSOMWARE RELEASED

    In a post on Extreme Coders Blog, researchers dissect the modus operandi of the relatively new and quite offbeat HC6 ransomware.

  • HANDSOMEWARE SAMPLE IN THE WILD

    The infection mimics ransomware behavior and does not encrypt any data for real. Displays a GUI with warning text in German.

  • CRYPT0 RANSOMWARE

    The strain called Crypt0 is another spinoff of the academic Hidden Tear project. Adds random extensions to files while not encrypting.

  • A REALLY SMALL CHANGE OF THE CRYSIS RANSOMWARE

    CrySiS/Dharma strain mutates with a minor change. Now uses curly braces instead of brackets prepending the .java extension string.

  • MAGNIBER CONTINUES TO BE UPDATED

    Yet another variant of the Magniber ransomware surfaces that switches to using the .dxjay string for encrypted files.

  • SHADOW BLOOD RANSOMWARE

    One more offshoot of the Hidden Tear PoC called Shadow Blood appears. Concatenates the .TEARS suffix to files. In-dev thus far.

  • HC7 POTENTIALLY DECRYPTABLE

    Security analysts came up with a way that might allow HC7 ransomware victims to recover their encrypted files without paying up.

  • SPINOFF OF A HIDDEN TEAR SPINOFF? THAT’S RIGHT

    A previously released Hidden Tear variant (.hacking extension) undergoes a tweak and now displays a politics-themed wallpaper.

  • ID RANSOMWARE NOW FULLY SUPPORTS MAGNIBER

    The ID Ransomware online service created by MHT is declared capable of identifying all variants of the Magniber ransomware.

  • STORAGECRYPT INFECTION CHAIN UNEARTHED

    It turns out that StorageCrypt, a ransom Trojan targeting NAS devices, is spreading using a Linux vulnerability dubbed SambaCry.

  • U.S. BASED FERTILITY CLINIC HIT BY RANSOMWARE

    A fertility clinic in Edina, Minnesota, was reportedly attacked by an unidentified ransomware strain that may have exposed patients’ data.

  • BTCWARE SWITCHES TO .WALLET EXTENSION

    A fresh version of the prolific BTCWare ransom Trojan appends the .wallet extension to files, prepended with the attackers’ email address.

  • EXECUTIONERPLUS RANSOMWARE OUT THERE

    May be based on the CryptoJoker codebase. Subjoins the .destroy.executioner or .pluss.executioner extension to encrypted files.

  • HC7 RANSOMWARE UPDATE

    The HC7 strain edition currently in rotation infects computers via PsExec and concatenates the .GOTYA extension to locked data items.

  • COUNTY IN NORTH CAROLINA ATTACKED BY RANSOMWARE

    Computer systems of Mecklenburg County, NC, get contaminated with a ransom Trojan that cripples multiple services.

  • CHRISTMAS RANSOMWARE

    This one surfaces at an apropos time. Demands $100 worth of Bitcoin to recover a victim’s encrypted data.

  • XORIST FAMILY GETS BIGGER

    The latest variant of the Xorist ransomware blemishes encoded files with the .CerBerSysLocked0009881 extension.

  • SANTA ENCRYPTOR SOUNDS SARCASTIC

    New in-dev sample called Santa Encryptor features an image of Santa Claus on its warning screen and demands $150 worth of BTC.

  • UNIQUE CASE OF RANSOMWARE MIMICKING

    Brand new edition of the GlobeImposter ransomware imitates the CrySiS strain by using the .[paradisecity@cock.li].arena extension.

  • NAPOLEON RANSOMWARE ANALYSIS

    Researchers at Malwarebytes release in-depth analysis of the Blind ransomware edition using the .napoleon extension.

  • D4RKL0CKER RANSOMWARE IN DEVELOPMENT

    Another one on the table. Its GUI is titled D4rkL0cker Test, which gives a clue that it’s a crude sample whose creation is in progress.

  • FILE SPIDER FEATURING GEO-LIMITED DISTRIBUTION

    New ransomware called File Spider is spreading in the Balkans via spam. It assigns the .spider extension to encrypted files.

  • FILE SPIDER CAMPAIGN DISSECTED

    InfoSec experts provide a lowdown on the distribution vectors and code of the new File Spider ransomware in an informative blog post.

  • “I’LL MAKE YOU CRY” RANSOMWARE

    The sample called “I’ll Make you Cry” appears to be a variant of the old NxRansomware. Pretends to be Google Chrome update.

  • SCREEN LOCKER WITH UNUSUAL PAYMENT DEMANDS

    A fresh screen locking Trojan is spotted that wrongfully claims to have encrypted one’s files. Demands ransom via credit card payment.

  • CRYPTOMIX FAMILY UPDATED

    The latest edition of the CryptoMix ransomware uses the .WORK file extension and an updated list of contact email addresses.

  • HC7 RANSOMWARE CHANGES AGAIN

    Yet another version of the HC7 strain blemishes encoded files with the .DS335 extension without modifying filenames.

  • NOBLIS RANSOMWARE

    This one targets a Spanish-speaking audience, stains encrypted files with the .noblis extension and provides a 24-hour payment deadline.

  • BLIND RANSOMWARE UPDATED

    The most recent Blind ransomware variant switches to the .[skeleton@rape.lol].skeleton extension. The note is How_Decrypt_Files.txt.

  • TROWX RANSOMWARE IN THE WILD

    New Hidden Tear based TrOwX ransomware is discovered that adds the .locked extension to files and drops READ_AND_CRY note.

  • RSA-NI, A BARELY STUDIED SAMPLE

    Nothing is known about a new strain calling itself RSA-NI, except the name indicated in the ransom note. Researchers are looking for samples.

  • NEWSMAKING MONGODB DATABASE HACK

    Personal data of about 19 million voters in California got compromised as a result of the ongoing MongoDB ransom case.

  • SATAN’S DOOM CRYPTER

    This spooky name denotes a new ransom Trojan (.locked extension, READ_IT.txt note). The unlock code is 63uh2372gASd@316.

  • CYCLONE RANSOMWARE

    New one. According to the GUI, it’s Cyclone Ransomware v2.40. Appends the .cyclone extension to files and sets a 48-hour deadline.

  • CRYPTOMANIAC RANSOMWARE SPOTTED

    This Python based sample uses the .maniac extension for hostage data and Readme_to_recover_files.txt/html ransom notes.

  • CROATIAN GODRA RANSOMWARE SURFACES

    Displays ‘KAKO OTKLJUCATI VASE DATOTEKE.txt’ ransom note with instructions in Croatian and uses .godra file extension.

  • RSAUTIL RANSOMWARE UPDATED

    The latest RSAUtil variant uses the .ID.GORILLA extension to label encrypted files and drops How_return_files.txt ransom note.

  • SATAN CRYPTOR 2.0

    This one resembles WannaCry in a way, because it circulates via SMB. Concatenates the .satan string to hostage files.

  • OFFBEAT RANSOMWARE SPREADING METHOD

    The @WannaDecryptor@ ransomware sample is camouflaged as a Bitcoin multiplier solution called Bitcoin-x2 v5.1.

  • WANNACRY ATTRIBUTION MADE PUBLIC

    The White House releases a statement where North Korean state-sponsored cybercriminals are blamed for spreading WannaCry strain.

  • PROSAIC MOVE BY GLOBEIMPOSTER DEVS

    The latest edition of the GlobeImposter ransomware switches to using the .wallet extension for encoded data objects.

  • RETIS RANSOMWARE

    New one on the radar. Displays a warning screen similar to Petya’s and uses the .crypted extension for hostage files.

  • RSAUTIL CONTINUES THE UPDATE TREND

    As if on steroids, the RSAUtil lineage spawns the second variant in two days. Concatenates the .ID.VENDETTA extension to files.

  • GROUP OF RANSOMWARE PEDDLERS ARRESTED

    Five cybercrooks are arrested in Romania for distributing the notorious CTB-Locker and Cerber ransomware infections.

  • FURTHER FACTS ON THE ARRESTEES’ FELONIES

    Two of the above-mentioned criminals are charged with hacking Washington D.C. police surveillance system to spread ransomware.

  • VENUSLOCKER CREW CHANGES TACTICS

    The threat actors behind VenusLocker ransomware have reportedly abandoned the project in favor of Monero mining activities.

  • GLOBEIMPOSTER KEEPS MUTATING

    Another version of GlobeImposter is making the rounds via malicious spam carrying toxic JS files. Uses the .doc file extension.

  • RETIS STRAIN DISSECTED

    It turns out to be .NET based. Prioritizes the encryption workflow by first affecting Desktop, Pictures and Documents directories.

  • FILE-LOCKER SAMPLE ON THE TABLE

    The new File-Locker ransomware targets Korean users. Uses the .locked extension and Warning!!!!!!.txt note. Demands 50,000 Won.

  • MORE DETAILS ON CURRENT GLOBEIMPOSTER CAMPAIGN

    The latest ..doc variant of GlobeImposter is spreading by means of malspam with fake photos enclosed in 7z archive.

  • CRYPTOMIX UPDATED

    The CryptoMix family produces a fresh edition. It subjoins the .FILE extension to encoded items and uses new contact email addresses.

  • BLIND RANSOMWARE MODIFIED

    Another edition of the Blind ransom Trojan appears that uses the .blind2 file extension and How_Decrypt_Files.txt ransom note.

  • “DANGEROUS” RANSOMWARE

    Also referred to as Damage ransomware, this new sample adds .wtf to filenames and drops HOWTODECRYPTFILES.html note.

  • NEW CRYPTOMIX VERSION

    This lineage continues to expand, this time spawning a variant that stains encrypted files with the .tastylock extension.

  • SAMAS RANSOMWARE GETS A FACELIFT

    The most recent Samas/SamSam ransomware edition appends .weapologize to files and uses 0009-SORRY-FOR-FILES.html how-to.

  • SQ_ RANSOMWARE UPDATED

    A minor change made to the SQ_ strain is the new BA_ string prepended to filenames and BA_IN YOUR FILES..txt ransom note.

  • PULPY RANSOMWARE IN THE WILD

    This one drops a rescue note named Instruction.txt that instructs victims to contact the attacker at pulpy2@cock.li.

  • MADBIT STRAIN SPOTTED

    New one. Concatenates the .enc suffix to encoded files and leaves a ransom how-to named “madbit encryptor: Hello, you are encrypted!”

an ongoing list…
