This is a comprehensive report on ransomware-related events covering a timeframe of January 2017 through June 2018. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources.
Read ransomware chronicle for 2016
Read ransomware chronicle for 2018
New ransomware released
Old ransomware updated
Ransomware decrypted
Other important ransomware related events
The extension being appended is .helpmeencedfiles. Now creates the HELP-ME-ENCED-FILES.html ransom manual.
Although unchanged on the outside, Globe is now written in C/C++. Uses the .locked extension.
The executable is firstransomware.exe. Appends the .locked extension and leaves READ_IT.txt ransom note.
A derivative of the open source Hidden Tear Offline ransomware. Displays the “Your Files Has [sic] Been Blocked” alert.
Another Hidden Tear spinoff. Appends the “.кибер разветвитель” extension to encrypted entries.
Brand-new sample based on EDA2 proof of concept ransomware. Uses the .L0CKED extension and DecryptFile.txt ransom note.
N-SpLiTTer replica called the “кибер разветвитель” (Russian for “cyber splitter”). Extension and the name are a match.
The strain zeroes in on MongoDB servers. Threat actor nicknamed “Harak1r1” demands 0.2 BTC to return hostage databases.
A group of crooks calling themselves FSociety have been busy coining multiple screen lockers and crypto ransomware samples.
Uses the .MRCR1, .PEGS1 or .RARE1 file extension and creates YOUR_FILES_ARE_DEAD.hta ransom manual.
The pseudo-Darkleech cybercrime network was found to be responsible for multiple ransomware campaigns in 2016.
Emsisoft’s Fabian Wosar cracks Globe ransomware version 3, which uses the .decrypt2017 or .hnumkhotep extensions.
Appends the .firecrypt extension and drops a [random]-READ_ME.html ransom note. Also fills the hard drive with junk files.
The CERT Polska team publishes a detailed analysis of the CryptoMix/CryptFile2 ransomware campaign.
A law passed in California defines ransomware distribution as a standalone felony rather than part of money laundering schemes.
Now attacks Linux machines along with ones running Windows. The whopping size of the ransom is 222 BTC (more than $200,000).
Leaves the “WARNING OPEN-ME.txt” ransom note (Russian version available too). Separate files for encryptor, live chat and TOR.
In-development Hidden Tear POC spinoff. Zeroes in on Czech victims and demands 1000 Czech Koruna (about $40) for decryption.
Also known as MafiaWare, the Depsex ransomware uses the .Locked-by-Mafia extension and READ_ME.txt decryption manual.
Researchers discovered malicious code adding multiple desktop shortcuts that, once clicked, execute ransomware.
Concatenates the .locked suffix to files and creates README.txt ransom note. Goes equipped with a remote shell.
The sample called Ocelot Locker is instructive because it doesn’t do crypto and instead demonstrates how bad a real attack can be.
The number of online-accessible MongoDB databases hit by the MongoDB Apocalypse ransomware reaches a whopping 10,000.
Malefactors pretending to be government officials cold-call schools in the United Kingdom, duping staff into installing ransomware.
The warning screen displayed by the new “CryptoRansomeware” sample is full of profanity.
Written in Visual Basic .NET, this strain uses the .VBRANSOM file extension. It’s in-dev and doesn’t do actual crypto at this point.
Since the Kraken cybercrime ring stepped in, the number of ransomed MongoDB databases has risen to 28,000.
New Ransomeer sample is being developed. Configured to demand 0.3169 BTC and provide a 48-hour payment deadline.
The latest edition of Merry X-Mas crypto ransomware also installs DiamondFox, an info-stealing bot that harvests victims’ sensitive information.
Appends the .file0locked extension to encrypted files and instructs victims to send email to r6789986@mail.kz for recovery steps.
The only change is that Cerber now leaves ransom notes called _HELP_DECRYPT_[A-Z0-9]{4,8}_.hta/jpg.
Los Angeles Valley College opts for the ransom route to recover from a crypto ransomware attack, coughing up $28,000.
New Spora ransomware can operate offline, uses encryption with no known flaw, and comes with a professionally built payment portal.
The Kraken cybercrime syndicate sells their MongoDB ransomware script for $200. The message was posted on GitHub.
Emsisoft releases a decryptor for the Merry X-Mas ransomware, which appends .MRCR1, .PEGS1, .RARE1, or .RMCM1 extension.
Arrives with spam, concatenates the .oops extension to files and creates _HELP_Recover_Files_.html ransom manual.
Having looked into the code of the Marlboro ransomware, Emsisoft’s Fabian Wosar creates a decrypt tool in less than a day.
The group behind MongoDB database attacks shift their focus to infecting ElasticSearch servers with ransomware.
Researcher nicknamed ‘BloodDolly’ updates his ODCODCDecoder that restores files locked by new ODCODC ransomware variant.
Currently in development. Appends files with the .kencf extension. Fails to encode data due to a flaw in crypto implementation.
Avast researchers accessed a server containing a fragment of Cerber ransomware’s global infection statistics.
Appends the .powerfulldecrypt extension to encrypted files and drops a ransom note called WE-MUST-DEC-FILES.html.
The new CryptoSearch utility locates encrypted files and allows copying or moving them to a backup drive for future decryption.
According to security analysts, the distribution of Locky via spam campaigns decreased by around 80% between December 2016 and January 2017.
A new edition of Cerber leaves ransom notes called _HELP_HELP_HELP_[random].hta/jpg and uses new IP ranges for UDP stats.
Threat actors in charge of the Spora ransomware campaign were found to use the same proliferation sites as Cerber.
A cancer services agency in Indiana, U.S., suffers a ransomware attack, where crooks demand a ransom of 50 BTC (about $46,000).
New SamSam/Samas variant uses the .noproblemwedecfiles extension and 000-No-PROBLEM-WE-DEC-FILES.html ransom manual.
Unidentified cybercrime rings hijack Hadoop and CouchDB databases, erasing data or demanding ransoms for recovery.
The sophisticated Spora ransomware leverages an infection vector relying on .LNK files, so it may act as a shortcut worm.
Emsisoft’s Fabian Wosar adjusts his decryptor for the Merry X-Mas ransomware, which can now decode .MERRY extension files.
Analysts see a drastic decrease in spam spreading the Locky ransomware during temporary inactivity of the Necurs botnet.
Uses the .id-[victim_ID]_garryweber@protonmail.ch file extension and HOW_OPEN_FILES.html ransom manual.
As part of another tweak, Cerber ransomware has started to drop _HOW_TO_DECRYPT_[4-8 random chars]_.hta/jpg ransom notes.
The Russian language Android ransomware locks a device’s screen and instructs the user to hand over their credit card details.
The RaaS allows crooks to build their custom version of Satan, which uses .stn extension and HELP_DECRYPT_FILES.html ransom note.
The in-dev ransomware is supposed to target Turkish victims and append encrypted files with the .sifreli extension.
Based on the Hidden Tear POC. Adds the .doomed extension to files and leaves LEER_INMEDIATAMENTE.txt ransom manual.
More than 700 machines across 16 branches of the Saint Louis Public Library get hit by ransomware that demands about $35,000.
Emsisoft updates the decryptor to support the variant that uses .crypt extension and HOW_OPEN_FILES.hta ransom note.
New strain called DNRansomware uses the .fucked file extension. The decrypt code is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.
Uses the same source code as DNRansomware. Appends the .killedXXX extension. Decryption routine is buggy.
Researchers discover in-dev CloudSword sample, which drops Warning??.html ransom note and sets a 5-day payment deadline.
Uses crypt32@mail.ru email address for interacting with victims, while ransom note and filename format is unaltered.
Created by the same crooks as those behind Cerber, Locky and Spora. Uses the .sage extension and !Recovery_EMf.html ransom note.
Appends the .weareyourfriends extension to encrypted files and leaves TRY-READ-ME-TO-DEC.html ransom manual.
Concatenates the .paytounlock file extension. Expert-made free decryptor already supports this variant.
Uses the [original_filename].email[email_address]_id[victim_ID].rdmk file format and “INSTRUCTION RESTORE FILE.txt” ransom note.
While the Spora ransomware originally proliferated in Eastern Europe only, it starts targeting victims around the globe.
A spinoff of the Philadelphia strain. Demands a ransom of 0.3 BTC (about $270) for data decryption.
The name of this new crypto ransomware family stems from the .vxLock extension being appended to scrambled files.
A Charger ransomware variant, EnergyRescue, was distributed for a while via Google Play Store as a battery optimizer. Now removed.
A change to Gmail will take effect as of February 13, 2017 – the service will block .js attachments to thwart ransomware attacks.
New Samas/SamSam iteration adds the .otherinformation extension and drops 000-IF-YOU-WANT-DEC-FILES.html ransom note.
Concatenates the .potato extension to encoded data and leaves README.png/html ransom payment instructions.
The Cockrell Hill Police Department in Texas admits to having been attacked by ransomware. Crooks demand $4,000 worth of Bitcoin.
Scrambles filenames rather than encrypt files proper. Leaves the “How decrypt files.hta” ransom note.
Impersonates law enforcement agencies while blocking computers. Researchers discovered that the unlock code is 64 zeros.
Analysts note that the propagation of MRCR, aka Merry X-Mas, ransomware is starting to skyrocket.
Researcher Michael Gillespie creates a free decryptor for CryptConsole ransom Trojan (“unCrypte@outlook.com_[random]” filenames).
Emsisoft’s decryptor for MRCR now supports the latest variant, which leaves MERRY_I_LOVE_YOU_BRUCE.hta ransom note.
New variant concatenates the .uk-dealer@sigaint.org extension to encoded files. Decryptable for free.
Crooks label it as “FINAL version of Hitler Ransomware”. Distributed via booby-trapped YOUR-BILL.pdf email attachment.
Adds the .encrypted extension to locked files. Instructs victims to reach attackers at andresaha82@gmail.com.
Ransomware wreaks havoc with the electronic door locking system at the Austrian “Romantik Seehotel Jägerwirt” hotel. Demands 2 BTC.
This new strain creates ransom note called Xhelp.jpg containing Cyrillic text. Victims are told to use ICQ to reach the criminals.
Emsisoft’s official website suffers a DDoS attack after the vendor updates their free decryptor for Merry X-Mas ransomware.
Swiss Government CERT publishes a comprehensive report on the Sage 2.0 ransomware dissecting its main characteristics.
Zyka ransomware appends the .locked extension to files and demands a Bitcoin equivalent of $170.
The new Netix ransom Trojan proliferates as a rogue app called “Netflix Login Generator v1.1”. Demands $100 payable in Bitcoin.
Researchers discovered a Spora ransomware distribution campaign involving bogus Chrome Font Pack update.
A replica of the CryptoMix strain. CryptoShield 1.0 is deposited onto computers via the RIG EK (exploit kit).
The only noteworthy change is the .gefickt extension being affixed to scrambled files.
The latest version of Evil-JS appends the .evillock string to files and provides gena1983@mbx.kz email address to contact the dev.
Malwarebytes researchers publish Locky Bart ransomware details based on statistics from the crooks’ breached backend server.
New Samas, or SamSam, ransomware edition uses the .letmetrydecfiles extension and LET-ME-TRY-DEC-FILES.html ransom note.
Avast analysts release automatic free decrypt tools for Hidden Tear, Jigsaw and Stampado ransomware families.
A number of IT systems of Ohio’s Licking County government services get affected by unidentified ransomware.
London police arrest man and woman who infected Washington’s closed-circuit television network with ransomware in mid-January.
Security researchers stumble upon a new low-cost Ransomware-as-a-Service platform called Ranion.
Appends files with .yourransom extension and uses README.txt ransom note. Author (i@bobiji.com) promises free decryption.
LambdaLocker uses .lambda_l0cked file extension and READ_IT.html decryption how-to. The size of the ransom is 0.5 BTC.
It turns out that there is a Ransomware-as-a-Service platform behind the PadCrypt strain, so it’s a whole affiliate network.
Someone borrows the code of YourRansom proof of concept to infect users for real, still offering free decryption though.
As bizarre as it sounds, operators behind the Spora ransomware deliver quality customer care as they respond to victims’ queries.
The Android.Lockdroid.E ransomware was found to use a dropper that scrutinizes an infected device before deploying the right payload.
CryptoShield 1.1 engages new email addresses, namely res_reserve@india.com, res_sup@india.com, and res_sup@computer4u.com.
New sample. Bypasses the UAC prompt to obtain admin privileges. The ransom is fairly small, amounting to $90.
JobCrypter ransomware returns after a period of inactivity. No particular changes have been made to its code.
Researchers discover Aw3s0m3Sc0t7 ransom Trojan created by someone named Scott. Uses the .enc file extension.
Unnamed strain is discovered that pilfers .ie5, .key, .pem and .ppk files (private keys and certificates) and demands a ransom of 1 BTC.
Uses the .id-[random]_steaveiwalker@india.com_ file extension and COMO_ABRIR_ARQUIVOS.txt ransom note.
The ID Ransomware initiative by MalwareHunterTeam now identifies 300 different strains of file-encrypting threats.
Presumably a Hades Locker spinoff. Uses the .serpent extension and HOW_TO_DECRYPT_YOUR_FILES_[random].html/txt notes.
The new DynA-Crypt infection encodes victims’ data and steals various personally identifiable information. Requests $50 in BTC.
Based on open-source Hidden Tear. Adds the .[A-Za-z0-9]{3}.x extension to files and drops “Digisom Readme[0-9].txt” ransom note.
Ransom warning contains a logo of Umbrella Corporation from Resident Evil series. Demands 0.33 BTC for data decryption.
Concatenates the .velikasrbija extension to files and deletes a random file every 3 minutes. Asks for $500 worth of Bitcoins.
Appends the .wcry suffix to enciphered files and demands 0.1 BTC for decryption.
TrendMicro found that the number of RDP brute-force attacks spreading CrySiS ransomware has grown dramatically in 2017.
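A detection for the RDP brute-force pattern the entry above describes, added here as a worked example (it is not TrendMicro's or the chronicle's code). It parses a constructed, simplified one-line rendering of Windows Security events (real 4624/4625 records are XML; the line format, timestamps, account names and addresses below are assumptions made for the example), counts failed RDP logons (Event ID 4625 with logon type 10, RemoteInteractive) per source address inside a sliding time window, and reports whether a successful type-10 logon (4624) from the same source followed the burst, which is the moment an operator spreading CrySiS this way would get a foothold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a simplified one-line rendering of Windows Security
# events (real 4624/4625 records are XML). Timestamps, account names and
# addresses are invented for this example; the IPs are documentation ranges.
SAMPLE_LOG = """\
2017-02-14T03:10:01Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2017-02-14T03:10:09Z 4625 LogonType=10 Src=203.0.113.7 User=admin
2017-02-14T03:10:17Z 4625 LogonType=10 Src=203.0.113.7 User=backup
2017-02-14T03:10:25Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2017-02-14T03:10:33Z 4625 LogonType=10 Src=203.0.113.7 User=scanner
2017-02-14T03:10:41Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2017-02-14T03:12:02Z 4624 LogonType=10 Src=203.0.113.7 User=administrator
2017-02-14T08:01:10Z 4625 LogonType=10 Src=198.51.100.9 User=jdoe
2017-02-14T08:01:30Z 4624 LogonType=10 Src=198.51.100.9 User=jdoe
2017-02-14T09:00:00Z 4625 LogonType=10 Src=192.0.2.5 User=svc
2017-02-14T09:20:00Z 4625 LogonType=10 Src=192.0.2.5 User=svc
2017-02-14T09:40:00Z 4625 LogonType=10 Src=192.0.2.5 User=svc
2017-02-14T10:00:00Z 4625 LogonType=10 Src=192.0.2.5 User=svc
2017-02-14T10:20:00Z 4625 LogonType=10 Src=192.0.2.5 User=svc
2017-02-14T10:30:00Z 4625 LogonType=3 Src=192.0.2.5 User=svc
""".splitlines()

LINE_RX = re.compile(
    r"(?P<ts>\S+) (?P<eid>4624|4625) LogonType=(?P<lt>\d+) "
    r"Src=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse_events(lines):
    """Turn the one-line records into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RX.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "src": m["src"],
            "user": m["user"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Flag source IPs with >= `threshold` failed RDP logons (4625, logon type 10)
    inside `window_seconds`, and note whether a successful RDP logon (4624,
    type 10) from that source followed the burst."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] == 10:          # RemoteInteractive = RDP
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e["ts"] for e in evs if e["eid"] == 4625]
        burst_end = None
        # Sliding window over the sorted failure timestamps: the first run of
        # `threshold` failures that fits inside the window is the burst.
        for i in range(len(failures) - threshold + 1):
            last = failures[i + threshold - 1]
            if (last - failures[i]).total_seconds() <= window_seconds:
                burst_end = last
                break
        if burst_end is None:
            continue
        succeeded = any(e["eid"] == 4624 and e["ts"] >= burst_end for e in evs)
        findings[src] = {
            "failures": len(failures),
            "users_tried": sorted({e["user"].lower() for e in evs if e["eid"] == 4625}),
            "succeeded_after": succeeded,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

The low-and-slow source (192.0.2.5) stays below the five-minute window and is not flagged with the defaults; widening `window_seconds` surfaces it, which is the usual trade-off between noise from mistyped passwords and catching patient scanners. A `succeeded_after` hit from an external address is the one to treat as an incident rather than a mere alert.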
Experts discover that SerbRansom 2017 dev advocates ideas of ultranationalism with his hatred toward Kosovo and Croatia.
A strain is spotted that moves a victim’s files to a password-protected RAR archive and requests 0.35 BTC for the unlock password.
Another Samas/SamSam spinoff uses the .encryptedyourfiles extension and 001-READ-FOR-DECRYPT-FILES.html ransom note.
Displays an FBI themed warning that says, “Your Computer Has Been Locked!”. The ransom amounts to 0.5 BTC.
Researchers from Georgia Institute of Technology present POC ransomware targeting ICS/SCADA systems at RSA Conference.
According to Kaspersky Lab, 75% of all ransomware strains circulating in 2016 were created by Russian-speaking crooks.
Two new CyberSplitterVBS versions appear, one of which impersonates “Saher Blue Eagle” remote administration tool.
The fresh JobCrypter edition uses a new set of email addresses: frthnfdsgalknbvfkj@outlook.fr (…@yahoo.com, …@gmail.com).
When scouring infected computers for data, a new variant of the Cerber ransomware ignores files associated with security suites.
The changes include a new filemarker (333333333333) and a different Tor address of the decryption service.
Fabian Wosar of Emsisoft sets up a streaming session where he reverses new Hermes ransomware and finds its weaknesses.
The latest build of the Princess Locker ransomware drops a new ransom manual called @_USE_TO_FIX_JJnY.txt.
This new Spanish sample uses the [KASISKI] prefix to label encrypted files and leaves INSTRUCCIONES.txt ransom note.
New XYZWare is a Hidden Tear POC derivative most likely hailing from Indonesia. Drops README.txt ransom note.
The only change as compared to the previous edition is a new email address being used: something_ne@india.com.
Emsisoft’s Fabian Wosar updates his decryptor for the Merry X-Mas ransomware so that it can handle new versions of the plague.
ESET publishes a whitepaper on how Android ransomware has mutated and grown in volume since 2014.
Aside from the new version name, Sage 2.2 ransomware creates !HELP_SOS ransom notes on the desktop and inside folders.
Concatenates the .weencedufiles extension to encrypted files and leaves READ_READ_READ.html recovery how-to.
Avast, in cooperation with CERT.PL, releases a free decryptor for the offline edition of CryptoMix ransomware.
Uses two different extensions (.TheTrumpLockerf and .TheTrumpLockerp) and drops “What happen to my files.txt” ransom note.
New Crypt888 variant displays a beach view instead of ransom notes and puts the “Lock.” prefix before original filenames.
Avast researchers spot a new Python-based strain that appends the .d4nk string to encrypted files.
Payloads are disguised as patchers for various Mac OS apps. Drops README!.txt ransom note. Files cannot be decrypted for free.
Provides no contact details. Before submitting the ransom to unlock files, a victim is instructed to solve a math problem.
New Lockdroid ransomware spinoff unlocks a device after the victim pronounces the unlock code obtained after payment.
Written in Python. Appends files with .[random].EnCrYpTeD extension and creates READ_ME_TO_DECRYPT.txt ransom notes.
New Vanguard ransomware is written in Google’s Go programming language. Not very active at this point.
The latest iteration of CryptoMix appends the .CRYPTOSHIEL extension to encrypted files.
Extortionists hijack numerous MySQL databases around the world, erase their content and demand a ransom of 0.2 BTC.
New sample that concatenates the .damage string to encrypted files, hence the name of the ransomware.
This is a Hidden Tear spinoff that appends files with the .BarRax suffix. The strange thing is that it has a regular support forum.
Unlock26 trojan is now distributed on a Ransomware-as-a-Service basis. The operators get 50% of ransoms submitted by victims.
An in-dev ransomware that uses the .enc extension and sends encryption password to sardoninir@gmail.com.
Italian security experts discover that Crypt0L0cker devs sign their spam emails with legit “posta elettronica certificata” (PEC).
Matthew Green, cryptographer and professor at Johns Hopkins University, writes an article on the evolution of ransomware from a cryptographic standpoint.
New FileLocker ransomware displays ransom notes in Czech, uses the .ENCR file extension and asks for 0.8 BTC.
Malwarebytes team devises a method to restore files encrypted by Mac OS X ransomware called Findzip.
Crypt0L0cker, aka TorrentLocker, is active again after almost a year of standstill. The updated infection mostly targets Europe.
It turns out that the .osiris variant of Locky is signed by a digital certificate issued by Comodo CA.
Someone nicknamed ‘gektar’ provided a Pastebin link on BleepingComputer forums leading to master decryption keys for Dharma.
A new sample called KRider is underway. It concatenates the .kr3 extension to ciphered files.
Two emails in the “.SN-[random_numbers]-info@kraken.cc_worldcza@email.cz” extension added by a new strain are confusing.
Michael Gillespie, the architect of ID Ransomware service, provides useful security tips in the FightRansomware podcast.
The ASN1 ransom trojan is deposited on computers via RIG exploit kit. This sample drops “!!!!!readme!!!!!.htm” ransom note.
Kaspersky, followed by ESET and Avast, release free decryptors for the Dharma ransomware based on leaked master keys.
Analysts discovered Cerber ransom note README.hta being embedded in the code of several official Android apps.
Somebody is reportedly working on a new ransomware sample based on the source code of MafiaWare threat.
A strain called FabSysCrypto is spotted that drops ransom notes identical to Locky’s and uses the code of Hidden Tear POC.
The newcomer features an updated warning screen, demands $150 worth of Bitcoin, and provides a 24-hour deadline.
Computer network of the Pennsylvania Senate Democratic Caucus gets shut down due to a ransomware incident.
The updated FadeSoft ransomware uses a warning screen that’s no longer Resident Evil movie themed. No more tweaks made.
Ransom notes by the new CryptoJacky ransomware are in Spanish. The pest uses Aescrypt.exe application to scramble files.
The notorious Shamoon disk-wiping worm originally discovered in 2012 now goes equipped with a ransomware component.
New Enjey Crypter ransomware bears a resemblance to the RemindMe strain. It uses ‘contact_here_me@india.com’ email address.
The only apparent change in comparison with the previous edition is the new name of the ransom note – READ_ME_!.txt.
Leaves ransom notes called !_RECOVERY_HELP_!.txt or HELP_ME_PLEASE.txt. Ends up scrambling files beyond recovery.
Researchers discovered a crude Hidden Tear POC-based sample being developed by a person from France named Paul.
Emsisoft creates a free decryptor for the CryptON ransom trojan, which otherwise demands 0.5 BTC ($620) for file recovery.
Cisco’s Talos Intelligence Group publishes a comprehensive write-up on the new variant of Crypt0L0cker / TorrentLocker.
CryptoLocker 1.0.0 uses RSA and displays ransom how-tos in Turkish. The name is borrowed from the infamous original.
Spreads within a country in the Middle East and has clear political implications. Uses encryption tiers and adds the .zZz extension.
New variant of the Cerber ransomware doesn’t modify original filenames. Still appends a PC-specific 4-char extension, though.
Concatenates the .aes extension to encrypted files and drops ODSZYFRUJ-DANE.txt (“DECRYPT-DATA”) ransom manual.
New VapeLauncher ransomware is based on the code of CryptoWire POC. Demands $200 worth of Bitcoin.
Kevin Douglas from RSA Security publishes an article with in-depth analysis of the HTA contamination vector used by Spora devs.
Researchers found a sample of new PadCrypt ransomware v3.4.0. It uses the same build and campaign ID as the predecessor.
Samas ransomware uses a worm-like tactic to affect all connected servers and backups. Its devs made $450,000 in one year.
Malwarebytes Labs aggregate the totality of the top-notch Spora ransomware’s technical details into a single post.
Analysts discover a connection between the Sage ransomware campaign and the distribution of August Stealer malware.
Pre-installed ransomware and adware were found on 38 Android smartphones shipped to two big technology companies.
The ID Ransomware resource by MalwareHunterTeam is now capable of identifying files scrambled by Spora ransomware.
New SamSam variant uses the .iaufkakfhsaraf file extension and IF_YOU_WANT_FILES_BACK_PLS_READ.html ransom note.
Emsisoft CTO Fabian Wosar defeats the crypto of the Damage Ransomware in another live streaming session.
RozaLocker appends the .ENC extension to files, drops ransom notes in Russian and requests 10,000 Rubles ($173) for recovery.
A new ransom Trojan is discovered that displays its recovery how-to called “Verrouille” in French.
Operator of the Enjey ransomware fires a series of DDoS attacks at ID Ransomware site following the release of ad hoc decryptor.
Researchers discover a sample called the Ŧl๏tєгค гคภร๏๓ฬคгє (stylized “Flotera ransomware”), which appears to be a spinoff of the Vortex strain.
Although the PadCrypt ransomware isn’t in active rotation, its authors keep launching new versions, now it’s 3.4.1.
Analysts declare an initiative against the Project34 ransomware, which prepends “project34@india.com” to locked files.
New PetrWrap ransomware leverages Windows PsExec tool to infect enterprise networks and completely deny access to machines.
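PsExec-style lateral movement of the kind the entry above attributes to PetrWrap leaves a characteristic trace on every target: PsExec copies its service binary (PSEXESVC.exe by default; the service can be renamed with PsExec's -r switch) into the ADMIN$ share, which maps to %SystemRoot%, and installs it as a service, which the System log records as Event ID 7045 (“A service was installed in the system”). The hunting script below is an added example, not code from the chronicle or from any vendor; the event records are constructed dicts that mimic the relevant 7045 fields, the hostnames and service names are invented, and the “binary directly in %SystemRoot%” heuristic is an assumption that will also match some legitimate installers.

```python
import re

# Constructed sample of System-log Event ID 7045 records, reduced to the
# fields the detection uses. Hostnames, service names and paths are invented.
SAMPLE_7045_EVENTS = [
    {"host": "FS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "start_type": "demand start"},
    {"host": "FS02", "service_name": "WinUpd",            # as left by psexec -r WinUpd
     "image_path": r"%SystemRoot%\WinUpd.exe", "start_type": "demand start"},
    {"host": "WS17", "service_name": "PrintHelper",       # lives in System32, not the root
     "image_path": r"%SystemRoot%\System32\PrintHelper.exe", "start_type": "demand start"},
    {"host": "DC01", "service_name": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe", "start_type": "demand start"},
    {"host": "WS22", "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\BackupAgent\agent.exe", "start_type": "auto start"},
]

PSEXEC_DEFAULT_SERVICE = "psexesvc"

# A binary sitting directly in the Windows directory (what ADMIN$ maps to),
# not in a subfolder such as System32. Heuristic assumption: a renamed PsExec
# service binary ends up there, but so may some legitimate tooling.
SYSROOT_ROOT_RX = re.compile(r"^(?:%systemroot%|%windir%|[a-z]:\\windows)\\[^\\]+\.exe$")


def classify_service_install(ev):
    """Return (severity, reason) for a 7045 record that looks like PsExec, else None."""
    name = ev["service_name"].lower()
    image = ev["image_path"].strip('"').lower()
    image_base = image.rsplit("\\", 1)[-1]
    if name == PSEXEC_DEFAULT_SERVICE or image_base == PSEXEC_DEFAULT_SERVICE + ".exe":
        return ("high", "default PsExec service name or binary")
    if ev["start_type"].lower() == "demand start" and SYSROOT_ROOT_RX.match(image):
        return ("medium", "demand-start service binary directly in %SystemRoot% (ADMIN$ root)")
    return None


def find_psexec_installs(events):
    """Run the classifier over 7045 records; results keep the input order."""
    hits = []
    for ev in events:
        verdict = classify_service_install(ev)
        if verdict:
            hits.append({"host": ev["host"], "service": ev["service_name"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


def hosts_touched(events):
    """Distinct hosts with a PsExec-like service install: the lateral-movement footprint."""
    return sorted({h["host"] for h in find_psexec_installs(events)})


if __name__ == "__main__":
    for hit in find_psexec_installs(SAMPLE_7045_EVENTS):
        print(hit)
```

PsExec is a legitimate Sysinternals tool, so a hit is a lead, not a verdict: correlate the 7045 timestamp with the ADMIN$ share access that preceded it and with the account that performed the install, and treat a burst of such installs across many hosts in a short time as the worm-like spread the entry describes.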
Malwarebytes researchers hack FileCrypter Shop, a Ransomware-as-a-Service resource that’s about to go live.
The Spora crew registers a new C2 domain torifyme[dot]com and starts using it for victim interaction purposes.
The latest edition of the Jigsaw ransomware concatenates the .nemo-hacks.at.sigaint.org extension to encoded files.
Hermes, a strain previously cracked by Emsisoft’s Fabian Wosar in a live video, is now at version 2.0.
Researcher Michael Gillespie, in cooperation with Fabian Wosar, releases a free decryptor for the Hermes ransomware.
A Russian screen locker is spotted that allows for easy recovery as long as the victim reads how dangerous ransomware is.
Malware watchers discover a new Ransomware-as-a-Service portal called Karmen, which is currently in development.
The Revenge ransomware spreads via RIG exploit kit, uses the .REVENGE file extension and # !!!HELP_FILE!!! #.txt ransom note.
New CTB-Locker copycat displays Beni Oku.txt ransom manual in Turkish and appends the .encrypted extension to files.
A Hidden Tear POC offspring appears that asks victims to post a specific message on Facebook to get the fix.
Microsoft discovered a trend of threat actors distributing ransomware by manipulating the Nullsoft Scriptable Install System (NSIS).
Uses Star Trek themed warnings and Monero payment system. Appends .Kirked extension and leaves RANSOM_NOTE.txt manual.
The Lick ransomware acts similarly to Kirk, uses the same decryption how-to (RANSOM_NOTE.txt) and the .Licked file extension.
Reverse engineering of CryptoDevil revealed that its author’s nickname is “Mutr0l”. The “kjkszpg” code unlocks the screen.
Moves data to a password-protected RAR archive and creates a ransom note called “All Your Files in Archive!.txt”.
Emsisoft CTO Fabian Wosar releases an updated decryptor for CryptON that supports the newest edition of the infection.
Concatenates the .ZINO extension to ciphered files and creates ZINO_NOTE.txt ransom manual.
Affixes the .crptxxx string to scrambled files and drops the HOW_TO_FIX_!.txt document to instruct victims regarding recovery.
New edition of the Jigsaw crypto infection uses a new background for its warning window and appends the .fun file extension.
Analysts spot a tool called DH_File_Locker by Doddy Hackman 2016 applicable for building custom ransomware.
Another ransomware builder is spotted. Called the Trident Builder, it allows crooks to easily generate a payload of their own.
Hidden Tear based ransomware tells victims to post “I have been hacked by anonymous” phrase on their Facebook wall.
Appends one’s locked files with the .[braincrypt@india.com].braincrypt extension. A free decryptor is available.
Concatenates the .enc extension to encrypted files and drops a ransom note called motd.txt.
Currently scrambles data only in sub-directories of a folder hosting its executable. Appends the .devil extension to files.
This variant of the notorious Jigsaw strain leaves a decryption how-to in Vietnamese. Still an in-dev sample at this point.
Since the Necurs botnet stopped generating spam with Locky ransomware payloads, the campaign has been declining big time.
The gist of a recent Indiana bill is to make ransomware distribution a standalone felony leading to 1-6 years in jail.
Analysts discover a new variant of the PadCrypt ransomware, which now reaches v3.4.4. No noteworthy functional changes made.
New edition uses the .cifgksaffsfyghd file extension and READ_READ_DEC_FILES.html ransom manual.
Aka LLTP Ransomware. Researchers found that its code is based off of the VenusLocker strain.
Security experts discover a vulnerability in SAP Windows client that may allow crooks to deploy ransomware remotely.
An article is posted on Barkly blog, predicting that ransomware with quality customer service will make a future trend.
Appends files with the .zorro suffix and creates a ransom note called Take_Seriously (Your saving grace).txt.
AngleWare appears to be a new derivative of the Hidden Tear proof of concept. Uses the .AngleWare file extension.
The payload is hidden in installer for the Imminent Monitor RAT. Provides recovery steps right in the extension added to files.
Leaves ransom notes called where_are_your_files.txt or readme_your_files_have_been_encrypted.txt.
Emsisoft updates their free decryptor for the Globe3 ransomware so that it restores files locked by the newest edition.
Jigsaw version called the “Monument” ransomware now propagates along with an adult-themed screen locker.
MalwareHunterTeam provides details on the number of ransomed files (48,466,020) belonging to 646 Spora victims.
The array of Hidden Tear POC derivatives gets replenished with new LK Encrypter, which uses the .locked file extension.
Has common traits with the CrptXXX sample. Demands 0.5 BTC (about $500) for data decryption.
SADStory instructs victims to send email to tuyuljahat@hotmail.com for recovery steps and deletes one random file every 6 hours.
The CryptoSearch utility by Michael Gillespie now identifies files affected by the Spora ransomware.
The updated WCry, aka WANNACRY, ransomware drops “!WannaCryptor!.bmp” and “!Please Read Me!.txt” ransom notes.
The strain targets Spanish-speaking audience, uses Smart Install Maker solution and displays a rogue Windows Update screen.
Researchers spot a new ransom Trojan called MemeLocker, which is still in development. Displays a bright-red warning window.
Cybercrime group dubbed “Mafia Malware Indonesia” is liable for creating CryPy, MafiaWare, SADStory and a few more strains.
The latest iOS 10.3 update contains a fix for a Safari issue abused by a growing police-themed ransomware campaign.
New Python-based PyCL ransomware propagates via RIG exploit kit and displays ransom notes similar to CTB-Locker’s.
Named simply “R”, this ransom Trojan leaves a self-explanatory Ransomware.txt how-to and demands 2 BTC for decryption.
Fresh sample called AnDROid appends the .android extension to files and displays an animated image of a skull in its ransom note.
Michael Gillespie, aka @demonslay335, declares a hunt for the .pr0tect file (READ ME ABOUT DECRYPTION.txt) ransomware.
Malwarebytes Labs publishes an article dissecting multiple facets of the Sage ransomware, which is currently at version 2.2.
HappyDayzz strain can switch between different encryption algos. Uses the blackjockercrypter@gmail.com contact email.
Requests $250 for decryption and warns victims that changing the names of encrypted files will make recovery impossible.
New Ransomware-as-a-Service portal called FILE FROZR starts functioning. Asks for $100 monthly, with $50 discount for first month.
Another win for the good guys: Michael Gillespie creates a free decryptor for the recently released DoNotChange strain.
According to Google, ransomware infecting Android devices is extremely rare and the issue is blown out of proportion.
FadeSoft ransomware victims can now use the CryptoSearch tool to detect encrypted files and move them to a new location.
The ID Ransomware online resource has been updated to identify the FadeSoft ransom Trojan by files and/or ransom notes.
A new sample of Android ransomware is spotted that leverages an obfuscation mechanism to evade AV detection.
New LanRan infection displays a tasteless-looking warning screen that requests 0.5 BTC for the purported recovery service.
The latest edition of Fantom replaces filenames with base64 encoded strings and uses RESTORE-FILES.[random].hta ransom note.
Spreads via spam delivering a phony CV and uses the helplovx@excite.co.jp email address to interact with victims.
This time, researchers will try to hunt the Cradle ransomware down (.cradle extension and _HOW_TO_UNLOCK_FILES_.html note).
The Sanctions ransomware takes root. It appends the .wallet extension to files and caricatures US sanctions against Russia.
Researchers from Cylance discover a firmware security loophole that may expose Gigabyte Brix devices to ransomware attacks.
GX40 ransomware (.encrypted extension) employs a codebase that researchers predict may be used to coin malicious derivatives.
New sample is discovered that’s based on GX40 ransomware code. The fresh one uses geekhax@gmail.com contact address.
AngryKite scrambles filenames and appends them with the .NumberDot string. Also instructs victims to dial a phone number.
Operated by DeathNote Hackers group, this one concatenates the .f*cked extension to encrypted files. Decryptable for free.
Appends the .lock75 file extension, demands 0.039 BTC (about $50) for decryption, and uses a Tor gateway for communication.
Uses a new ransom note name (_READ_THI$_FILE_[random].hta/jpeg/txt or _READ_THIS_FILE_[random].hta/jpeg/txt).
Security experts stay on top of the work of a crook named “Paul”, who came up with the “Amadeous” name for his ransomware.
The new Faizal ransomware is based on Hidden Tear POC. It affixes the .gembok string to encoded files.
Tor site used in the PadCrypt ransomware campaign suggests that victims give it good feedback to get a partial ransom refund.
Bitdefender crafts a decryption tool supporting all variants of Bart ransomware, which uses the .bart.zip, .bart or .perl extension.
The fresh one requests 0.02 BTC and instructs victims to contact the crooks via ransomwareinc@yopmail.com.
Concatenates the “.I’WANT MONEY” extension to filenames and uses ewsc77@mail2tor.com email address.
Michael Gillespie, ID Ransomware author, claims he can decrypt files locked by Vortex strain. Victims should contact him directly.
New edition uses the .skjdthghh extension and 009-READ-FOR-DECCCC-FILESSS.html ransom how-to.
MalwareHunterTeam discovers a brand new version of PadCrypt that’s now at v3.5.0.
Code of the latest Fantom ransomware edition contains a ‘partnerid’ attribute, so an associated RaaS may be on its way.
The latest CryptoWire version is denominated “realfs0ciety@sigaint.org.fs0ciety”. The payload arrives as AA_V3.exe file.
This one puts a lot of pressure on victims as it instructs them to pay 0.3 BTC within 3 hours.
Security researchers come across a new Hidden Tear derivative called Dikkat (Eng. “Attention”). The ransom note is in Turkish.
LMAOxUS ransomware is based on open-source EDA2 POC. Its maker, however, eliminated a backdoor in the original code.
A 19-year-old Austrian citizen is apprehended for infecting a Linz-based organization with the Philadelphia ransomware.
A sample called RansenWare tells the victim to score more than 0.2 billion points in the TH12 game, which is the only way to restore files.
A single cybercrime ring reportedly made more than $100,000 by taking advantage of Apache Struts 0day vulnerability.
Emsisoft creates a decryptor for the Cry9 ransom Trojan, a CryptON spinoff that employs the AES, RSA and SHA-512 algorithms.
Experts criticize Security Affairs for publishing a far-fetched analysis on SCADA ransomware called Clear Energy.
Matrix ransomware is being reportedly distributed via RIG exploit kit, so it is shaping up to be a serious problem.
The new crypto-troublemaker called Cerberos is an offspring of the CyberSplitterVBS strain and has nothing to do with Cerber.
MalwareHunterTeam spots an in-dev sample configured to append the .kilit extension to files. No ransom note so far.
New Serpent edition uses the .serp file extension and README_TO_RESTORE_FILES.txt ransom how-to.
Emsisoft updates their Cry9 decryptor to improve its performance and broaden ransomware version coverage.
Goes with a GUI, displays warning messages in Portuguese and concatenates the .locked string to hostage files.
The new variant of BTCWare strain instructs victims to contact the attackers via new email address lineasupport@protonmail.com.
Called the “Kindest Ransomware ever”, this one locks files and decrypts them after the victim watches a security video online.
Uses the .MOLE file extension and INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt decryption how-to.
According to researchers’ analysis, someone named (or nicknamed) Anthony is working on .rekt file ransomware.
The latest Jigsaw ransomware variant displays ransom notes in French and concatenates the .crypte string to locked files.
MHT discovered an in-development sample dubbed El-Diablo. Its code contains references to the author’s name – SteveJenner.
New Globe v3 ransomware edition impersonates the Dharma strain. The file extension is .[no.torp3da@protonmail.ch].wallet.
New Jigsaw variant uses the .lcked string to label scrambled files and displays a new desktop background to alert victims.
Although this utility is quite primitive, it still provides wannabe crooks with source code to create viable ransomware.
Perpetrators behind the Cradle Ransomware start selling the source code they dubbed CradleCore. The price starts at 0.35 BTC.
According to Malwarebytes, the Cerber ransomware is today’s top crypto threat, with its current market share at 86.98%.
A ne’er-do-well from Thailand is reportedly working on a Hidden Tear variant that uses the READ_IT_FOR_GET_YOUR_FILE.txt note.
New Hidden Tear offspring randomly chooses file extension out of .ranranranran, .okokokokok, .loveyouisreal, and .whatthefuck.
pyCL operators now use malicious Word documents to spread the Trojan. The extension of locked files is .crypted.
The latest edition of the Dharma ransomware concatenates the .onion string to encrypted files.
New German screen locker displays an image of the Jigsaw movie character in its ransom note. Unlock code is HaltStopp! or 12344321.
Schwerer being the German for “harder”, this new ransomware is written in AutoIt. According to ESET, it’s potentially decryptable.
New Troldesh family rep affixes the .dexter extension to enciphered files. The ransom note is still README[random_number].txt.
Researchers spot a sample called C_o_N_F_i_c_k_e_r. It appends files with the .conficker suffix and uses Decrypt.txt ransom note.
The Malabu ransomware demands $500 worth of Bitcoin for file recovery. The amount doubles after 48 hours.
Security analysts come across a sample called the SnakeEye ransomware. Its development is attributed to SNAKE EYE SQUAD.
MHT discovers a strain made by someone from Turkey, which completely erases files rather than encrypt them.
Ransomware-as-a-Service portal called Karmen is made available to would-be cybercrooks. The code is based on Hidden Tear.
Concatenates the .ATLAS extension to cipher-affected files and leaves a decryption how-to called ATLAS_FILES.txt.
The name of this one is spelled “LOLI RanSomeWare”. It uses the .LOLI string to blemish scrambled files.
This Jigsaw version displays a ransom note with images of Joker and Batman in it. The file extension is .fun.
Karmen ransomware, which has been distributed on a RaaS basis since April 18, gets renamed to Mordor.
New Hidden Tear version is discovered that stains files with the .locked extension. It’s buggy, so encryption doesn’t go all the way.
Operators of the new AES-NI ransomware reportedly use NSA exploit called ETERNALBLUE to contaminate Windows servers.
Locky ransomware devs resume their extortion campaign with a big spam wave featuring fake payment receipts.
Just like last year, the massive malspam wave spreading Locky is reportedly generated by the Necurs botnet.
Perpetrators behind Locky are still distributing the OSIRIS edition of their ransomware, the one that was in rotation last December.
New JeepersCrypt ransomware of Brazilian origin stains files with the .jeepers string and demands 0.02 BTC for decryption.
ID Ransomware service by MHT now allows identifying strains by email, Bitcoin address or URL from a ransom note.
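As an added illustration of the indicator-based identification described above (example code written for this page, not ID Ransomware's own code), the Python script below matches a directory listing against a small table of extensions and ransom-note filenames taken from entries in this chronicle, and pulls contact emails, Bitcoin addresses and URLs out of ransom-note text so they can be looked up too. The tables, the sample listing and the note text are constructed for the demonstration; a real service carries thousands of indicators. Note how ambiguous markers such as .wallet or .locked return several candidates instead of one guess.

```python
import re
from collections import defaultdict

# --- Constructed indicator tables (only values that appear in this chronicle) ---
# One indicator may map to several strains; the caller gets every candidate.
EXTENSION_TO_STRAINS = {
    ".android": ["AnDROid"],
    ".cradle": ["Cradle"],
    ".mole": ["Mole"],
    ".jaff": ["Jaff"],
    ".wncry": ["WannaCry"],
    ".wallet": ["Dharma", "Globe v3", "GlobeImposter", "CryptoMix"],
    ".locked": ["Globe", "Zelta", "May Ransomware", "Hidden Tear derivative"],
}
NOTE_TO_STRAINS = {
    "_how_to_unlock_files_.html": ["Cradle"],
    "read me about decryption.txt": ["pr0tect"],
    "instruction_for_helping_file_recovery.txt": ["Mole"],
    "how_to_back_files.html": ["GlobeImposter"],
    "_decode_files.txt": ["Uiwix"],
}
EMAIL_TO_STRAINS = {
    "blackjockercrypter@gmail.com": ["HappyDayzz"],
    "geekhax@gmail.com": ["GX40 derivative"],
    "ransomwareinc@yopmail.com": ["unnamed (0.02 BTC)"],
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy base58 Bitcoin addresses (P2PKH starts with 1, P2SH with 3); syntax only, no checksum.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def identify_by_filenames(filenames):
    """Map a directory listing to candidate strains.

    Ransom-note names are matched exactly (case-insensitive); everything else is
    matched on its final extension, so 'a.docx.cradle' and '[id].wallet' both work.
    Returns {strain: set of matched indicators}.
    """
    hits = defaultdict(set)
    for name in filenames:
        lowered = name.lower()
        if lowered in NOTE_TO_STRAINS:
            for strain in NOTE_TO_STRAINS[lowered]:
                hits[strain].add(f"note:{name}")
            continue
        dot = lowered.rfind(".")
        if dot == -1:
            continue
        ext = lowered[dot:]
        for strain in EXTENSION_TO_STRAINS.get(ext, []):
            hits[strain].add(f"ext:{ext}")
    return dict(hits)


def extract_note_indicators(note_text):
    """Pull contact emails, Bitcoin addresses and URLs out of ransom-note text."""
    return {
        "emails": sorted(set(m.lower() for m in EMAIL_RE.findall(note_text))),
        "btc": sorted(set(BTC_RE.findall(note_text))),
        "urls": sorted(set(URL_RE.findall(note_text))),
    }


def identify(filenames, note_text=""):
    """Combine filename and note-content evidence; strongest candidates first."""
    hits = defaultdict(set, identify_by_filenames(filenames))
    for email in extract_note_indicators(note_text)["emails"]:
        for strain in EMAIL_TO_STRAINS.get(email, []):
            hits[strain].add(f"email:{email}")
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(strain, sorted(ev)) for strain, ev in ranked]


if __name__ == "__main__":
    # Constructed sample listing and note text; not taken from a real infection.
    listing = ["budget.xlsx.cradle", "photo.jpg.cradle", "_HOW_TO_UNLOCK_FILES_.html"]
    note = "Write to blackjockercrypter@gmail.com. Pay to 1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu1Vw2Xy3Z"
    for strain, evidence in identify(listing, note):
        print(strain, evidence)
```

The Bitcoin regex only checks the base58 alphabet and length; it deliberately does not validate the checksum, since the goal is to extract a lookup key from free text, not to verify that the address is spendable.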
This one appends the .aes_ni_0day extension to locked files and drops !!! READ THIS – IMPORTANT !!!.txt ransom note.
Uses the .encrypted extension. The warning screen is titled “Sem Solução”, which is the Portuguese for “Hopeless”. Password is 123.
Kaspersky Lab contrives a workaround to restore files with the .one extension encrypted by XPan ransomware variant.
Michael Gillespie, aka Demonslay335, discovers a Jigsaw ransomware variant using the .getrekt extension. His decryptor handles it.
New sample concatenating the .psh string to encrypted files is easy to decrypt. Just entering the HBGP serial code works wonders.
Michael Gillespie’s StupidDecryptor can defeat the crypto of in-development strain using the .FailedAccess extension.
Affixes the .CTF suffix to filenames and displays a fantasy-style background that says, “Hello… It’s me…”
New spinoff of the pyteHole ransomware is discovered that concatenates the .adr extension to scrambled data entries.
This strain appends files with the .MOLE extension and propagates via phony Microsoft Word sites that host a rogue MS Office plugin.
The sample in question uses the .NM4 string to blemish encoded files and leaves “Recovers your files.html” recovery how-to.
Cerber now harnesses CVE-2017-0199 vulnerability to spread and drops “_!!!_README_!!!_[random]_.hta/txt” ransom notes.
Impersonates IPA, moves files to a password-protected ZIP archive, and uses the .locked extension. The password is ddd123456.
The latest Jigsaw variant appends scrambled files with the .Contact_TarineOZA@Gmail.com suffix. Still decryptable.
The detailed write-up describes a new malspam wave distributing Cerber ransomware and its use of the CVE-2017-0199 vulnerability.
New Hidden Tear based Mordor (aka Milene) ransomware uses the .mordor file extension and READ_ME.html ransom manual.
A Hidden Tear variant is spotted that uses the .maya file extension and READ ME.txt ransom note with text in Indonesian.
New RSAUtil sample stains files with the .helppme@india.com.ID[8_chars] suffix and drops How_return_files.txt help document.
Brazilian in-dev strain called DeadSec-Crypto v2.1 is discovered. It uses thecracker0day@gmail.com email token.
The newest iteration of the CryptoMix ransom Trojan uses the .wallet extension and #_RESTORING_FILES_#.txt ransom note.
Concatenates the .MIKOYAN extension to every ransomed file and uses mikoyan.ironsight@outlook.com email token.
Indicators of compromise for new Extractor ransomware include the .xxx extension and ReadMe_XXX.txt decryption help file.
In-development Ruby pest appends files with an apropos .ruby string and drops a recovery how-to named rubyLeza.html.
Fresh variant from the Troldesh family blemishes locked files with the .crypted000007 extension and uses README.txt note.
Uses the .[maykolin1234@aol.com] string to label encoded data and leaves a help file named README.maykolin1234@aol.com.txt.
Denies access to personal files, appends the .amnesia extension to each one and drops a TXT ransom note.
Brand-new FileFrozr Ransomware includes data-wiping capabilities. Drops a recovery how-to named READ_ME.txt.
Emsisoft’s Fabian Wosar creates a free decryption tool for the Cry128 edition of CryptON ransomware.
Amnesia ransomware spinoff jumbles filenames and stains them with the .cryptoboss extension.
A GlobeImposter ransomware variant is spotted that uses the .keepcalm file extension and keepcalmpls@india.com email address.
This one is quite primitive in terms of the design and crypto. Concatenates the .anon extension to locked files.
The vCrypt ransom Trojan zeroes in on Russian-speaking users. It appends the .vCrypt1 extension to every hostage data object.
Italian PEC 2017 strain affixes the .pec string to filenames and drops a help file called AIUTO_COME_DECIFRARE_FILE.html.
Concatenates the .haters extension to ciphered entries. Has encryption flaws that allow for successful decryption free of charge.
Locks the screen and blemishes files with the .xncrypt extension. The unlock code is 20faf12b60854f462c8725b18614deac.
Researchers from G Data came across a new in-dev ransom Trojan that combines regular extortion with spyware features.
The latest Cerber ransomware edition boasts improved encryption, AV evasion, anti-sandboxing and a few more new capabilities.
The only conspicuous change made to BTCWare as part of this update is the .cryptowin string added to filenames.
Security analysts discover a new unnamed in-development screen locking Trojan. The unlock password is KUrdS12@!#.
ShellLocker ransomware, which appeared in November 2016, spawns its first new variant since then, called X0LZS3C.
Researchers create a decryptor for BTCWare. The tool can restore .cryptowin, .cryptobyte and .btcware extension files for free.
Generates a separate crypto key for each file and doesn't store these keys anywhere, so nobody, the attackers included, can decrypt the data. Concatenates the .cloud extension.
The so-called “Blank Slate” malspam campaign begins spreading the newest edition of the GlobeImposter ransomware.
The Rans0mLocked infection appends files with the .owned extension and demands 0.1 BTC for decryption.
This open-source ransomware based sample is a combo of screen locker and file encoder. Arrives as Anti-DDos.exe file.
Russian crooks start an underground marketing campaign supporting new Ransomware-as-a-Service platform called Fatboy.
The payload for this new Jigsaw spinoff is disguised as a credit card generator. This pest adds the .fun extension to filenames.
NewHT, which might stand for “New Hidden Tear”, uses the .htrs file extension and readme.txt help file.
ZipLocker moves files to a password-protected ZIP archive (password is “Destroy”) and adds UnlockMe.txt ransom note.
New Enjey variant switches to using the .encrypted.decrypter_here@freemail.hu.enjey extension for hostage files.
Emsisoft security vendor creates a free decryption tool for the Amnesia ransom Trojan.
The latest edition of Jigsaw ransomware uses the .PAY extension to label encrypted files. Still decryptable.
Crooks market the Ransomware-as-a-Service called File Frozr as a "great security tool". The usage cost is $220.
Crude ransom Trojan called Crypto-Blocker appears, asks for 10 USD or EUR. Researchers retrieve the unlock code, which is 01001.
IT analysts discover that the ThunderCrypt ransomware is using a Taiwan forum as a springboard for propagation.
Law firm from Rhode Island tries to get $700,000 compensation from insurance company over ransomware losses.
Unless paid, the BitKangoroo ransomware, which appends the .bitkangoroo extension to files, will be deleting one file every hour.
New sample called Gruxer arrives with a loader composed of a Hidden Tear based code, screen locker, and image-scrambling module.
Another variant of BTCWare crypto pest concatenates the .[sql772@aol.com].theva string to every ransomed file.
It turns out that the newly discovered NemeS1S RaaS underpins a recent wave of PadCrypt ransomware attacks.
RSAUtil ransomware, which uses the .helppme@india.com extension, arrives at PCs via RDP services cracked by extortionists.
Targets Russian users, adds the .vCrypt1 suffix to files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.
A ransomware is spotted that displays images of South Korean election candidates on its warning screen.
Following the Osiris edition of the Locky ransomware, another possible spinoff appears that uses the .loptr file extension.
Emsisoft’s CTO Fabian Wosar publishes an update for his Amnesia ransomware decryptor that supports all variants.
A Locky lookalike is discovered that appends files with the .jaff extension and demands a whopping 2 BTC, or about $3500.
Emsisoft does a write-up on the new Jaff ransomware, analyzing its ostensible ties with the Locky plague.
A cybercrime group behind Android ransomware called SLocker spawns 400 new spinoffs making the rounds after a long hiatus.
Updated Gruxer strain displays a Matrix movie-style warning screen but fails to complete the encryption routine.
This lineage started with vCrypt, then changed to aCrypt followed by bCrypt. The crooks must have run out of creativity, obviously.
Aka WannaCry, it labels locked files with the .WNCRY extension. Hits Spain’s telco provider Telefonica, disrupting its operations.
The .WNCRY file ransomware (Wana Decrypt0r) uses previously leaked NSA exploits to infect numerous PCs around the globe.
The specimen continues to affect home users and large companies, most of which are in the UK, Spain, Russia, Ukraine, and Taiwan.
Most infection instances involve the ETERNALBLUE exploit dumped by the Shadow Brokers hacker ring recently.
The New York Times aggregates information on reported WannaCry infection instances and creates a live global heat map.
Malwarebytes security firm publishes a comprehensive technical report on the newsmaking Wana Decrypt0r 2.0 threat.
Researcher going by the alias MalwareTech registers a hard-coded domain that WannaCry checks before encrypting (a kill switch), thus disrupting the wave for a while.
Microsoft rolls out a patch for Windows XP/8/Server 2003, having previously done the same for newer OS editions.
Security experts come across a new in-development strain that’s configured to concatenate the .tdelf string to hostage files.
Uses the .slvpawned extension to mark encrypted data. Crackable with StupidDecryptor tool made by Michael Gillespie.
Similarly to a few previous tweaks, the only change made to vCrypt ransomware is a different first letter, so it’s now xCrypt.
A new variant of the Stampado strain called Zelta surfaces. It subjoins the .locked suffix to enciphered files.
Security analyst from France deliberately sets up a honeypot server, and it gets hit by WannaCry 6 times in an hour and a half.
Chief Legal Officer at Microsoft does a write-up in which he accuses the NSA of failing to properly protect the exploits it discovered.
This Jigsaw strain lookalike uses the .fun extension for locked files. The password to decrypt is FAKEJIGSAWRansomware.
New GlobeImposter edition takes after Dharma in that it uses the .wallet extension. The ransom note is how_to_back_files.html.
Another version of the relatively new GruXer ransomware appears. Just like its predecessor, it has crypto imperfections.
Several replicas of WannaCry are spotted in the wild, including one called DarkoderCrypt0r and a customizable ransomware builder.
WannaCry strain starts using a new domain as a kill switch. Researchers promptly register this domain and thus interrupt the wave.
Someone reportedly tried to launch a WannaCry variant that doesn’t use a kill switch. Fortunately, the attempt failed.
New variant of the Philadelphia strain is deposited on computers via RIG exploit kit, along with the Pony info-stealing virus.
BTCWare edition dubbed Onyonlock appends the .onyon suffix to encrypted files and drops !#_DECRYPT_#!.inf ransom how-to.
The sample called May Ransomware uses the .locked or .maysomware extension and Restore_your_files.txt help file.
This one displays a warning window titled @kee and does not provide any chance to restore data, not even through payment.
The strain in question stains files with the .FartPlz extension and creates a ransom note named ReadME_Decrypt_Help_.html.
A Monero cryptocurrency miner dubbed Adylkuzz blocks SMB ports, so it effectively prevents WannaCry from infecting a computer.
People make Internet memes about WannaCry Trojan, posting self-made pictures with the ransom screen on various devices.
Someone posts the master decryption key for the BTCWare infection. Researchers quickly come up with a free decryptor.
This Java-based WannaCry copycat doesn’t do any crypto but instead instructs victims to subscribe to a specified YouTube channel.
Brand-new offspring of the Xorist family is spotted. It affixes the .SaMsUnG string to encoded data entries.
An iteration of the Jigsaw ransomware goes live that blemishes victims’ files with the .die extension.
Appends the .Lockout extension to files, drops Payment-Instructions.txt ransom note and displays a warning message before startup.
Although the Spora ransomware campaign slowed down lately, it is regaining momentum, according to ID Ransomware service.
Some researchers claim WannaCry code resembles that of malware used by Lazarus Group, a North Korean cybercrime ring.
Two new editions of GlobeImposter ransomware surface. They use the .hNcrypt and .nCrypt extensions for encrypted files.
The new Uiwix ransomware (.UIWIX extension, _DECODE_FILES.txt how-to) is reportedly proliferating via EternalBlue exploit.
An anonymous person posts Master Decryption Keys for Wallet ransomware on BleepingComputer forums. Avast releases a free fix.
Authors of the Haters ransomware release an Indonesian variant that pretends to be WannaCry. Includes a PayPal ransom option.
An entry is posted on Emsisoft blog, where researchers shed light on nuances of the WannaCry ransomware campaign.
Called WannaCry Decryptor v0.2, this one goes ahead and erases victims’ files with no recovery option.
Security analyst Benjamin Delpy creates a tool called WanaKiwi that decrypts WannaCry-locked files under certain conditions: the primes of the RSA key must still be present in the ransomware process's memory, so it works only if the machine has not been rebooted and the process has not been killed.
The WannaCry ransomware reportedly infected a Windows-based medical radiology device in a U.S. hospital.
This one uses the .~xdata~ file extension and HOW_CAN_I_DECRYPT_MY_FILES.txt ransom note. Mostly spreads in Ukraine.
Free decryption tool for BTCWare now supports the .onyon and .theva file extension variants of this strain.
This new screen locker displays a warning message saying, “Hacked by Yuriz MA”. Fortunately, it can be closed via Alt+F4.
One more WannaCry lookalike called Wana Decrypt0r 3.0 is spotted in the wild. It fails to encrypt any files.
This specimen uses the .VisionCrypt extension and doesn’t change original filenames. Attackers’ email is VisionDep@sigaint.org.
MHT spots a sample that transmits a victim’s image files to the attacker’s email address and then deletes them from the PC.
Unlike the other copycats, this one’s warning screen is titled after the original ransomware (Wana Decryptor 2.0). No crypto so far.
The development of this sample is still in progress. It is set to concatenate the .pwned string to enciphered entries.
Another unfinished extortion program. While it does no crypto so far, the hard-coded password is 215249148.
Although this screen locker hasn't gone live yet, researchers were able to get hold of the would-be unlock password.
The latest edition of the BTCWare decryptor can decrypt .onyon files up to 1270896 bytes even when it fails to retrieve the decryption key.
In response to security experts’ verdicts, North Korean representative at the UN claims his state has nothing to do with WannaCry.
One more replica of WannaCry called Wana DecryptOr 2.0 pops up. The warning screen is identical to the original's.
Researchers declare a ransomware hunt for the sample that uses the (Encrypted_By_VMola.com) file extension token.
New edition switches to appending the .WLU string to encoded files. It still uses spam to propagate.
This one is currently in development. It is configured to delete a victim’s files unless a payment is sent within a specified deadline.
Widia’s warning states it has encrypted data, but it’s in fact just a primitive screen locker that can be bypassed via Alt+F4.
Dubbed MemeWare, this screen locker pretends to be from the FBI. Accepts ransoms over MoneyPak. Unlock code is 290134884.
The lock screen says, “Your computer has been locked with very sticky Elmers Glue,” whatever that means. Removable in Safe Mode.
Another Hidden Tear POC derivative dubbed Deos demands 0.1 BTC for decryption. It has critical flaws and doesn’t encrypt right.
This sample is a .NET edition of CryptoWall ransom Trojan. It uses the .wtdi file extension and displays a warning message in Russian.
A scam alert is issued regarding growing tech support frauds that use the fuss around WannaCry to rip off gullible users.
Said malware is an umpteenth offspring of Hidden Tear POC in the wild. Appends files with the .H_F_D_locked extension.
Avast devises a free decryption tool for BTCWare that supports all variants of this strain.
A version of the Xorist ransomware is out that mimics the recent XData infection. Similarly to its prototype, it uses the .xdata file suffix.
Coded in AutoIT, the Adonis ransomware claims to encrypt data but it actually doesn’t. And yet, it leaves DE.html and EN.html notes.
This in-development sample doesn’t use any extension to flag ransomed files. Replaces desktop background and demands 0.5 BTC.
Ransomware that uses ‘mother of all viruses.exe’ process wipes all HDD volumes rather than encode data.
The 4rw5w crypto virus also uses a kill switch principle and similar names for auxiliary files. The extension is .4rwcry4w.
The author of the AES-NI ransomware releases decryption keys so that victims can restore their files for free.
Having scrutinized WannaCry ransom how-to files, linguists concluded that the maker’s native language is most likely Chinese.
This new strain has moderate demands, asking for 0.17 BTC. Affixes the .lightning extension to ransomed data entries.
CrystalCrypt is a Lightning Crypt remake. It appends victims’ files with the .blocked extension.
The sample called Mancros+AI4939 is in fact a screen locker that doesn’t actually do crypto. It requests $50 worth of Bitcoin.
BTCWare ransom Trojan has switched to using the .xfile suffix to label hostage files. The existing decryptor already supports it.
This fresh spinoff of the DMA Locker ransomware uses the !Encrypt! filemarker, data0001@tuta.io email address, and asks for 1 BTC.
Avast security vendor uses the previously released master decryption keys for AES-NI to create a free decryptor.
It’s based on buggy open-source ransomware code. Appends the .WINDIE string to encrypted files. Crackable with StupidDecryptor.
The StupidDecryptor solution by Michael Gillespie (@demonslay335) is updated to support .fucking and .WINDIE extension strains.
Analysts stumble upon an in-dev sample that uses the .crying file extension and READ_IT.txt ransom instructions.
In-dev Roblocker X claims to encrypt Roblox game files but only locks the screen instead. The unlock password is currently ‘PooPoo’.
The newest variant of GlobeImposter ransomware concatenates the .write_us_on_email string to each enciphered file.
The sample with bizarre name “Dviide” appends encrypted files with the .dviide extension. Uses a primitive warning window.
The lock screen is in Chinese. This low-impact Trojan also displays QR code to streamline the ransom payment routine.
This one employs XOR encryption and stains hostage files with random extensions. The ransom note is hard to read due to font color.
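Strains that XOR files with a short repeating key, like the one above, are decryptable without the attacker's cooperation because most file formats begin with a fixed signature: XORing the ciphertext with that known header yields the key stream, and the key is its shortest period. The Python below is an added example written for this page, not code from any decryptor or sample mentioned in the chronicle. It recovers the key from a known header, and, since the appended extension is random and therefore useless for identification, picks that header from the original extension that precedes the random token. The key, file contents and filenames are constructed for the demonstration.

```python
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Well-known file-format signatures used as known plaintext. The longer the
# signature, the longer the key that can be recovered from it (see recover_key).
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-1.",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".gif": b"GIF89a",
}


def guess_header(filename: str) -> Optional[bytes]:
    """Pick a known plaintext prefix from the original extension that precedes
    the appended random one, e.g. 'scan.pdf.k3jd9' -> b'%PDF-1.'."""
    parts = filename.lower().split(".")
    for inner in reversed(parts[1:-1]):  # skip the base name and the random token
        header = KNOWN_HEADERS.get("." + inner)
        if header:
            return header
    return None


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Recover a repeating XOR key from a known plaintext prefix.

    The prefix must cover at least two full repetitions of the key, so a key
    longer than len(known_prefix) // 2 is reported as not recoverable rather
    than guessed from a single, unverifiable repetition.
    """
    n = min(len(known_prefix), len(ciphertext))
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    for k in range(1, n // 2 + 1):
        if all(stream[i] == stream[i % k] for i in range(n)):
            return stream[:k]
    return None


def decrypt_with_known_prefix(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Recover the key, decrypt, and confirm the result reproduces the known header."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        return None
    plaintext = xor_bytes(ciphertext, key)
    return plaintext if plaintext.startswith(known_prefix[: len(ciphertext)]) else None


def decrypt_file_bytes(filename: str, ciphertext: bytes) -> Optional[bytes]:
    """Full pipeline: infer the format from the filename, then recover and apply the key."""
    header = guess_header(filename)
    return None if header is None else decrypt_with_known_prefix(ciphertext, header)


if __name__ == "__main__":
    # Constructed victim file: a PNG header followed by arbitrary bytes, XORed with a 3-byte key.
    secret_key = b"\x5a\x13\xc4"
    original = KNOWN_HEADERS[".png"] + b"\x00\x00\x00\rIHDR" + bytes(range(40))
    encrypted = xor_bytes(original, secret_key)
    recovered = decrypt_file_bytes("photo.png.q8xz1", encrypted)
    print("recovered key:", recover_key(encrypted, KNOWN_HEADERS[".png"]))
    print("decrypted OK:", recovered == original)
```

With an 8-byte PNG signature the function recovers keys of up to 4 bytes; a longer known prefix (for example the full ZIP local file header of a document, or a known unmodified copy of one file) extends the reach to correspondingly longer keys, which is how the free decryptors for such strains generally work.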
An individual nicknamed “vicswors baghdad” is trying his hand at deploying the Houdini RAT and MoWare H.F.D. ransom Trojan.
The ransomware called BlackSheep concatenates the .666 extension to files and demands $500 worth of BTC. Nothing special about it.
This new strain jumbles filenames and affixes the .adr string to them. Uses the AES-256 cryptosystem.
Unidentified crooks used open-source code of Hidden Tear PoC to create yet another derivative called DolphinTear (.dolphin extension).
Rather than encipher files proper, the new sample moves one’s data to encrypted WinRAR archives. It’s currently in development.
Researchers from GData come across a CryPy spinoff called SintaLocker. It uses the README_FOR_DECRYPT.txt ransom note.
A sample is spotted that displays a window reading, “Your files have been blocked”. Demands $50 worth of Bitcoin.
The makers of Jigsaw ransomware switch to a new theme for their warning screen, which now depicts a scary clown.
Concatenates the .imsorry string to encrypted files and adds a ransom note called “Read me for help thanks.txt”.
The ID Ransomware service by MalwareHunterTeam is now capable of recognizing 400 ransomware strains. Thumbs up to MHT.
Avast and CERT Polska cook up free decryption tools for the AES-NI, BTCWare and Mole ransomware.
The specimen in question uses the .r3store file extension and READ_IT.txt ransom note. Demands $450 worth of Bitcoin.
A replica of the DMA Locker ransomware pops up. Uses a slightly modified binary and the same GUI except for the name attribute.
According to new research, Chinese users – not Russian – suffered the heaviest blow from the WannaCry ransomware.
XData ransomware dev releases Master Decryption Keys. Security vendors, including Avast, ESET and Kaspersky, create decryptors.
This one claims to encode data but actually fails to. It is easy to remove with commonplace AV tools, which fixes the problem.
Only encrypts data on the desktop, uses the .andonio extension and a help file named READ ME.txt. It is a Hidden Tear variant.
New GrodexCrypt Trojan is based on Crypt888 ransomware but additionally uses a GUI. Demands $50 worth of BTC. Decryptable.
Instead of applying crypto, the strain called OoPS Ramenware moves files to password-protected ZIP archive with .ramen extension.
The latest Amnesia edition uses the .TRMT file extension and HOW TO RECOVER ENCRYPTED FILES.txt ransom how-to.
Concatenates the .brickr suffix to scrambled files and drops a recovery manual named READ_DECRYPT_FILES.txt.
Affixes the .resurrection extension to files and uses README.html ransom note. Also plays a music box-ish melody.
The in-dev sample called KillSwitch appends the .switch extension to ransomed files. Quite crude at this point.
Crooks used the code of EDA2 proof-of-concept to create Luxnut ransomware, which concatenates the .locked extension to files.
The ransom note of this new sample is titled “Microsoft Security Essentials”. It requests $400 worth of Bitcoin for decryption.
Provides a 72-hour deadline for payment, demands 0.2 BTC and displays QR code to facilitate the process of submitting the ransom.
Thanks to Emsisoft, victims of the Amnesia2 variant can now decrypt their data with a free ad hoc decryption tool.
About 200 Hadoop servers around the globe reportedly remain hijacked – either due to infamous January campaign or a current one.
The strain dubbed CainXPii most likely represents the same lineage as the older Hitler ransomware. Demands €20 via PaySafeCard.
Joksy locks the screen with a warning message in Lithuanian. The ransom is payable via PayPal, which suggests poor OPSEC on the crooks' part.
This infection appends files with victim ID followed by the .lock string and drops a ransom how-to called ReadMe.txt.
Called the Ramsey Ransomware, this Jigsaw offspring displays a warning message in Turkish and uses the .ram file extension.
This new Hidden Tear derivative blemishes encrypted files with random extensions and drops Sifre_Coz_Talimat.html ransom note.
Another infection based on Hidden Tear PoC. Uses the .encrypted file extension and ReadMe_Important.txt recovery how-to.
The Jigsaw ransomware edition dubbed StrutterGear displays a ransom note with lots of swear words and demands $500 worth of BTC.
The Jaff ransomware turns out to use server space provided by the PaySell cybercrime marketplace based in St. Petersburg, Russia.
A Jigsaw variant surfaces that concatenates the .lost extension to ransomed files.
The malware called Mr.Locker is quite an impostor. It claims to delete one’s files unless paid, but doesn’t pose any real risk in fact.
ID Ransomware maker Michael Gillespie updates his Jigsaw decryption tool so that it supports .lost, .ram and .tax extension versions.
This one stains hostage files with the .tdelf extension and generates a desktop background reminiscent of Jigsaw’s.
The Ogre sample appears crude at this point. It requests a BTC equivalent of €20 and uses the .ogre file extension.
This low-level ransom Trojan states that the victim has “violated the YouTube law”. The code to unlock it is “law725”.
New baddie called $ucyLocker subjoins the .windows string to filenames and leaves a help file named READ_IT.txt.
The latest iteration of BTCWare appends files with the .[3bitcoins@protonmail.com].blocking suffix.
Uses the .encrypt extension to label hostage entries and threatens to make the ransom 1.5 times larger every 12 hours.
Michael Gillespie’s CryptoSearch utility now identifies data locked by Amnesia, Amnesia2, Cry9, Cry128 and Cry36 strains.
The ID Ransomware service by MalwareHunterTeam can now detect the Cry36 ransomware sample.
This Turkish crypto threat concatenates the .zilla string to files and provides a decryption manual named OkuBeni.txt.
This one is configured to append the .BeethoveN extension to scrambled files and provides a list thereof in FILELIST.txt document.
An edition of the relatively new MrLocker malware surfaces that locks one’s screen. The 6269521 code does the unlock trick.
The most recent Jigsaw spinoff uses the .R3K7M9 extension to label encrypted files. Decryptable with Michael Gillespie’s tool.
According to Microsoft, the upcoming Windows 10 S edition is going to be bulletproof against ransomware attacks.
The sample called xXLecXx locks one’s screen and claims to encrypt data, while in fact it doesn’t.
Appends files with the .cr020801 extension and instructs victims to send email to unlckr@protonomail.com for recovery steps.
Displays a warning screen titled “Information Security” and concatenates the .payforunlock extension to affected files.
WannaCry ransomware distributors may be unable to decrypt victim data individually, so it may have been created for other purposes.
The Spectre strain appears to be professionally tailored. It scrambles filenames and affixes the .spectre extension to each one.
The latest variant of the quite successful Jaff ransomware concatenates the .sVn extension to locked data entries.
Security experts spot a Ransomware-as-a-Service platform called MacRansom that props a new extortion campaign targeting Macs.
New variant of the BeethoveN ransom Trojan uses hard-coded encryption keys rather than requesting them from a C2 server.
French law enforcement seized a server hosting two Tor relays purportedly associated with the WannaCry ransomware wave.
Screen locker called svpps.xyz claims to encrypt files but actually doesn’t. It demands $50 worth of BTC to unlock.
The process name is Facebook.exe and the appended extension is .Facebook. This sample is a Hidden Tear offspring.
New Hidden Tear based Dutch strain appends files with the .R4bb0l0ck extension and drops LEES_MIJ.txt ransom note.
The latest Jigsaw ransomware edition stains encrypted files with the .Ghost extension.
Called the “Virus Ransomware”, the sample displays an image of a toy from the My Little Pony line. Doesn’t do any real harm.
In-dev crypto threat called CA$HOUT asks for $100 but fails to affect a victim’s data in any way.
Security analysts stumble upon MacSpy and MacRansom sites, the former propping Mac spyware and the latter – Mac ransomware.
Impersonating a rogue organization called “Global Poverty Aid Agency”, this strain claims to collect money for children in need.
Appends the .rnsmwre string to filenames, drops @decrypt_your_files.txt ransom note and demands payment in PaySafeCard.
The latest edition of Jaff drops the following ransom notes: !!!SAVE YOUR FILES!.bmp and !!!!!SAVE YOUR FILES!!!!.txt.
Based on low-quality open source code, this one concatenates the .whycry extension to hostage files and requests $300 worth of BTC.
The sample called Erebus hits over 100 Linux servers belonging to South Korean web hosting provider Nayana.
Researchers at Kaspersky update their RakhniDecryptor tool to support all known variants (.jaff, .wlu, and .sVn) of the Jaff ransomware.
Fresh variant called BTCWare MasterLock uses the .[teroda@bigmir.net].master extension to stain enciphered files.
Avast replenishes their collection of free decryptors with a tool that restores data locked by multilingual EncrypTile ransom Trojan.
As opposed to predecessors, the latest edition of the Sage ransomware does not indicate version number in the decryption how-to.
Someone is reportedly in the process of creating a Hidden Tear PoC spinoff called CryForMe, which will demand €250 worth of BTC.
University College London (UCL) fell victim to unidentified ransomware that circumvented the institution’s AV defenses.
MHT comes across an in-dev Hidden Tear variant called CryptoSpider, which concatenates the .Cspider string to filenames.
One more Hidden Tear derivative called WinUpdatesDisabler appends the .zbt suffix to locked files.
New screen locker appears that displays “Your Windows has been banned” alert. Victims can use code “4N2nfY5nn2991” to unlock.
Turkish ransomware called Executioner has flaws in its crypto implementation, which makes it possible for analysts to decrypt the data.
Researchers spot a new screen locker displaying a picture of a sandwich on its lock screen. Codes to unlock are available.
This fairly persistent Cerber-style infection doesn’t actually apply any crypto, although it claims to. Demands 0.1 BTC to unlock.
A spinoff of the Jigsaw ransomware surfaces that stains enciphered files with the .sux string and mainly targets Italian users.
Built using the Hidden Tear PoC code, this WannaCry replica appends the “.Wana Decrypt0r Trojan-Syria Editi0n” extension to files.
In-dev sample called WinBamboozle drops _README.txt note and appends files with random 4-character extensions.
New screen locking virus called SkullLocker can be closed down via Alt+F4 combo. Nothing special about it except scary warning.
A Polish spinoff of the Dumb ransomware PoC is spotted. Demands 1880 zł worth of Bitcoin (0.2 BTC) for decryption.
Fresh samples from the thought-extinct SamSam family appear that use the .breeding123, .mention9823 and .suppose666 extensions.
Currently in development and doesn’t cause damage, simply displays a warning screen. Configured to demand $100 worth of BTC.
Hidden Tear offspring. Uses the .nsmf file extension and readme.txt ransom note. Demands 5 BTC “or pizza”.
South Korean hosting provider called Nayana agrees to pay a huge ransom of $1 million to recover from a ransomware attack.
Concatenates the .kuntzware extension to encrypted files. Doesn’t work as intended, so no real encryption at this point.
Targets Turkish users and utilizes the .zilla string to label hostage files. The ransom note is named @@BurayaBak.txt (Eng. “Look here”).
Affixes the .enc extension to encrypted data entries. Claims to decrypt files for free as long as a victim contacts the devs via email.
What makes this new screen locker stand out from the rest is that it requests a victim’s credit card details.
Fresh version of the old Crypt888 ransomware switches to a new desktop background and prepends the Lock. string to filenames.
WannaCry ransomware compromised part of the IT infrastructure of a Honda car factory in Japan, causing a temporary halt at the plant.
New customizable sample called TeslaWare can be purchased on the dark web for €35-70. Fortunately, it’s decryptable.
MHT invites researchers to join a hunt for aZaZeL ransomware, which uses the .Encrypted extension and File_Encryption_Notice.txt note.
The Ruby ransomware leverages a DGA (domain generation algorithm) and Command & Control server to streamline the extortion.
This one is in the process of development thus far. Ransom note !!!.txt has a bunch of blanks to be filled out by the author.
WannaCry infects 55 road safety cameras in Victoria state, Australia, forcing officials to suspend thousands of infringement tickets.
Once again, Locky ransomware architects resume their campaign. However, the pest only targets Windows XP and Vista.
Said sample is pretty much harmless as it doesn’t engage real crypto. And yet, it demands $300 worth of BTC.
Researchers bump into a specimen that imitates Cerber ransomware and concatenates the .encrypted suffix to files.
AlixSpy malware captures sensitive login info for Growtopia game and generates a “System locked” screen asking for $20 worth of BTC.
This ransomware appends the .org extension to locked files and drops a ___iWasHere.txt ransom how-to. Decryptable, according to MHT.
According to FBI’s 2016 Internet Crime Report, few ransomware victims notify law enforcement of these attacks.
Despite Microsoft’s claims of Windows 10 S edition being invulnerable to ransomware, white hat hackers proved the opposite.
Sample called Reetner leverages ad hoc executables for different processes, a so-called modular principle of attack deployment.
Researchers discover a screen locker that acts like the average strain in this niche, except that it doesn’t demand a ransom to unlock.
Hidden Tear derivative. Concatenates the .lamo extension to filenames and provides instructions in READ_IT.txt document.
The payload of Kryptonite hoax is masqueraded as a Snake game. Crashes upon execution but demands $500 regardless.
New offspring of the Jigsaw ransomware family uses the .rat extension to flag encrypted data.
Appends the .locked extension to filenames, drops READ_ME.txt note and specifically zeroes in on the Eurogate company.
Dubbed Koler, this ransom Trojan spreads as a rogue PornHub applet. Displays FBI themed lock screen on infected Android device.
Another HT spinoff is discovered that mimics the Battlefield game to infect PCs. Uses the .locked file extension.
Said infection concatenates the .0x004867 string to encoded data and sprinkles numerous .info files with encryption keys.
Brand-new edition of Samas/SamSam ransomware affixes the .moments2900 extension to locked files.
After web host Nayana paid a $1 million ransom, crooks started shelling other South Korean companies with DDoS-for-ransom attacks.
New ransomware called Karo concatenates the .ipygh string to filenames and creates ReadMe.html ransom manual.
The main hallmark of this strain is the .via extension added to files. Displays a ransom note with Latvian text.
This RaaS network lets cybercriminals create custom ransomware builds for a fee that’s much lower than the average.
A sample resembling the ill-famed Petya MFT encryptor infects numerous organizations in Ukraine and other European countries.
Email provider Posteo blocks account wowsmith123456@posteo.net, which is used in the new Petya ransomware wave.
Petya, or NotPetya as some researchers dubbed it, reportedly spreads as a contagious update for M.E.Doc accounting software.
Turns out that creating a new read-only file named ‘perfc.dat’ inside the Windows folder stops the Petya attack in its tracks.
Someone calling himself “Bob” starts spreading CryptoBubble, a sample that uses the .bubble file extension. This one is decryptable.
Turkish crypto malady called Executioner starts staining hostage files with a random 6-character extension.
Kaspersky researchers affirm that the new Petya does not accommodate MFT decryption feature, so paying ransoms has no effect.
Ransomware called PSCrypt had reportedly begun propagating in Ukraine several days before the Petya outbreak occurred.
Since classic ransomware is all about extortion, the Petya remake doesn’t fall into this category as it simply destroys systems.
The only thing worth mentioning about the new MusicGuy ransomware is that it appends files with the .locked string.
Analysts named it after the extensions it uses, which consist of 6 random characters. The ransom note is RESTORE-.[random]-FILES.txt.
Uses the .gankLocked file extension and READ_ME_ASAP.txt ransom how-to, demands “one million bitcoins”, which is obviously a prank.
Warning screen of the new Pirateware asks for 0.1 BTC (about $250). The code is incomplete and doesn’t do crypto.
Microsoft is planning to equip Windows Defender with “Controlled Folder Access” feature to prevent malicious encryption.
Cerber ransomware is renamed to CRBR ENCRYPTOR. Still scrambles filenames, adds 4-char extension and drops HTA ransom note.
New strain specifically targeting Ukraine is a WannaCry copycat written in .NET and possibly circulating via M.E.Doc software.
As the name hints, in-dev ABCScreenLocker is supposed to lock the screen and demand money. Only does the locking part at this point.
Brand new edition of the old Nemucod ransomware displays a revamped red warning background. Does not use any file extension.
Reputable security experts confirm that Petya (NotPetya or ExPetr) doesn’t come with a decryption mechanism, so it’s meant for sabotage.
Several security companies attribute the (Not)Petya campaign to a group that targeted the Ukrainian power grid back in 2015.
This one uses the .lalabitch extension for locked files, base64-encodes filenames and leaves a recovery how-to called lalabitch.php.
Analysts discover in-dev Takeom ransomware that demands $300 worth of BTC and provides a 24-hour deadline to pay up.
This is a new Hidden Tear PoC offshoot. Subjoins the .ransrans string to encrypted files and keeps crashing all the time.
Another crude infection “made by KingCobra” that destroys data beyond recovery. Leaves decrypt.txt ransom note on desktop.
The latest iteration of BTCWare ransom Trojan concatenates the .aleta extension to hostage files.
Not much to say about this sample except that it’s a derivative of the academic Hidden Tear ransomware. Dev’s nickname is Nhan.
Fresh edition of the Cry36 ransomware uses the .63vc4 file extension and ### DECRYPT MY FILES ###.txt decryption manual.
Ukrainian law enforcement seize servers belonging to the vendor whose backdoored software (M.E.Doc) was used in the Petya virus outbreak.
New version appends files with the .L0cked string, jumbles filenames, displays ransom note in Russian and uses 5quish@mail.ru email.
Concatenates the .z3r0 suffix to ransomed files and displays decryption how-to named EncryptNote_README.txt.
Strain called J-Ransomware is based on the above ZeroRansom. Uses the .LoveYou extension to mark encoded files.
zScreenlocker was originally discovered in November 2016. Fresh iteration uses the following unlock password: Kate8Zlord.
The most recent edition of CryptoMix, or Mole ransomware, affixes the .MOLE00 extension to locked files.
Sample called Crypter 1.0 fails to encrypt anything and generates messages with weird contents demanding 10 BTC.
Individuals responsible for the recent Petya outbreak start transferring obtained cryptocurrency to other Bitcoin wallets.
According to Security Report 2016/17 by AV-TEST, the share of ransomware in the global malware volume is only about 1%.
Thanks to combined efforts of security vendors and enthusiasts, free decryptor for the MOLE02 edition of CryptoMix is released.
Chinese police apprehend two individuals for spreading SLocker Android ransomware version that resembles WannaCry.
The latest incarnation of CryptoMix uses the .Azer file extension and drops _INTERESTING_INFORMATION_FOR_DECRYPT.txt note.
MHT’s Michael Gillespie updates his BTCWareDecrypter that now supports the .master file extension variant of this ransomware.
In spite of Executioner ransomware makers’ efforts to make the pest uncrackable, newer iterations are still decryptable.
In-dev ransomware called CountLocker claims to delete all data on C drive unless the victim pays 0.3 BTC in 72 hours.
This sample derives the file extension from infected host’s Hardware ID (HWID). The ransom note is Ransom.rtf.
Screen locker called ElmersGlue_3 is a derivative of ElmersGlue Locker v1.0, which was spotted in May 2017. Easy to get around.
Member of the JANUS cybercrime ring dumps master decryption keys for the original Petya, Mischa and Goldeneye ransomware.
Dubbed SurveyLocker, the new Trojan drags victims into a loop of surveys so that their screen can be unlocked.
According to some in-depth analysis, the recently spotted Random6 pest appears to be a Fantom ransomware derivative.
Spreading via 2 booby-trapped apps on Google Play, this one threatens to send victims’ sensitive data to all contacts. Demands $50.
Dubbed Petya+, this ransomware is programmed in .NET. The ransom screen is almost a replica of the original. No crypto so far.
Also referred to as Scarab, this sample scrambles filenames and appends them with the .[Help-Mails@Ya.Ru].Scorpio extension.
HT based strain called Oxar, or Locked In, concatenates the .OXR suffix to encoded files. Demands $100 worth of Bitcoin.
Uses the .locked file extension and creates a separate .readme_txt recovery how-to for every hostage file.
Australian authorities apprehend a 75-year-old man for setting up rogue tech support companies involved in ransomware schemes.
Emsisoft makes another breakthrough in fighting ransomware. This time they release a free decryptor for the NemucodAES strain.
Brand new HT offshoot called AslaHora subjoins the .Malki extension to ransomed files. The unlock password is MALKIMALKIMALKI.
Researchers come up with a free decryption tool that supports the Dcry ransomware appending files with the .dcry extension.
New sample called BLACKOUT drops README_[random numbers].txt ransom note and base64 encodes filenames.
This one is based off of EDA2 PoC. Concatenates the .locked string to hostage files and leaves “Read Instructions.rtf” ransom note.
Blemishes files with the .purge extension. Keeps crashing during encryption process. The unlock password is “TotallyNotStupid”.
The name is the phrase this sample displays on its lock screen. Demands 1 BTC but is ridiculously easy to get around (Alt+F4).
Currently in the process of development, so no crypto thus far. Displays a black lock screen with a smiley in the middle.
Stains files with the apropos .Ransed extension. Reaches out to a MySQL server, so the server access credentials are hard-coded.
The newest iteration of the Jigsaw ransomware switches to using the .kill string to label hostage files.
Brand new edition of the SamSam/Samas ransomware concatenates the .country82000 extension to locked data entries.
Screen locker called ENDcrypt0r displays an alert saying that files have been encrypted, while they aren’t. Unlock code is A01B.
Nothing special about the new specimen called Fuacked. Leaves a ransom note named dummy_file.txt.
Free decryptor is out for the Striked ransomware, which appends the #rap@mortalkombat.top#id#[random] extension to locked files.
Remote Access Trojan for Android dubbed GhostCtrl can also reset the PINs of host devices and lock the screen with a ransom note.
The latest iteration of the Stupid ransomware uses the .alosia file extension. The unlock code is CREATEDBYMR403FORBIDDEN.
New Jigsaw variant stains encrypted files with the .korea string and displays a black background with a smiley on it.
Targets Spanish-speaking users. Interestingly, it pilfers Thunderbird email credentials to generate spam on behalf of a victim.
Uses the .locked extension, leaves “Computer compromised” ransom how-to, and displays a religion-themed background.
Concatenates the .oops extension to hostage files, demands 0.1 BTC and uses only4you@protonmail.com contact email.
Based on Hidden Tear PoC, this one uses the .explorer file extension. Victims are instructed to contact decrypter.files@mail.ru.
Fresh GlobeImposter editions use the .au1crypt or .s1crypt extension and leave decrypt manual named how_to_back_files.html.
According to an official statement by FedEx, the damage incurred due to the Petya ransomware attack is material and permanent.
San Francisco TV & radio station KQED is still suffering the consequences of a ransomware attack that took place in mid-June.
Emsisoft enhances their decryption tool for NemucodAES ransomware so that it supports large files.
This specimen zeroes in on Chinese users. Concatenates the .yl string to all encoded data items.
2 new CryptoMix iterations use the .ZAYKA and .NOOB extensions to stain files. Ransom note is still named _HELP_INSTRUCTION.txt.
MalwareHunterTeam’s Michael Gillespie updates the decryptor for Striked ransomware, so now it supports most recent editions.
Said HT offspring concatenates the .hustonwehaveaproblem@keemail.me extension to no-longer-accessible files.
A CryptoMix ransomware variant goes live that blemishes files with the .CK suffix. The ransom note hasn’t changed.
Brand-new spinoff of the Jigsaw ransomware lineage switches to using the .afc extension for encrypted data entries.
Yet another Hidden Tear derivative. Appends files with the .symbiom_ransomware_locked extension and demands 0.1 BTC.
Leaves a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt. Additionally attempts to steal sensitive information.
The latest version of the GlobeImposter ransomware speckles encrypted files with the .skunk extension token.
Written in Python, SnakeLocker concatenates the .snake or .TGIF extension to files and leaves INSTRUCTIONS-README.html note.
New offspring of the GlobeImposter ransomware pops up. It appends ransomed files with the .GOTHAM extension.
One more version of GlobeImposter starts making the rounds. It uses the .crypt extension and how_to_back_files.html ransom note.
Yet another edition stains scrambled files with the .HAPP suffix and still drops HTML ransom note named how_to_back_files.
Brand new version of the Zilla Trojan concatenates the .Atom extension to files and uses ReadMeNow.txt how-to.
This one attempts to plant a Visual Basic rootkit onto a host system and harnesses Pastebin to figure out if a victim has paid up.
Subjoins the .bam! extension to no-longer-accessible files and uses contact email addresses abc@xyz.com and acc@xyz.com.
JCoder sample is spotted that concatenates the .Petya extension to encrypted files.
DCry ransomware, which had been cracked by MHT’s Michael Gillespie, spawns a new variant that adds the .qwqd extension to files.
Looks similar to original WannaCry. Spreads via RDP, moves files to password-protected ZIP, and displays its demands in Turkish.
Malwarebytes confirms that the previously leaked private decryption key for early Petya versions is valid.
Fresh version appends enciphered files with the .707 suffix and provides recovery steps in RECOVER-FILES.html document.
New GlobeImposter iteration appends locked files with the attacker’s email address followed by the .BRT92 extension.
The currently active variant states the victim’s desktop was locked due to prohibited online activities. Demands iTunes gift cards.
Also known as RDW, it stains files with the .RDWF string and, surprisingly, lets the user know it is going to start encryption.
New one concatenates the .p1crypt extension to encoded files and sticks with the invariable how_to_back_files.html note.
Michael Gillespie (@demonslay335) updates his decryptor for Striked ransomware, so it now supports newer variants.
The latest edition uses the .srpx suffix for locked files and drops README_TO_RESTORE_FILES_t7Q.txt/html ransom notes.
Researchers discover ransomware specimen that generates its warnings in Polish. Unnamed at this point.
Fresh spinoff of the CloudSword ransomware called ABC Locker surfaces. Demands 0.5 BTC within 5-day deadline.
Warning pane of the new Ransomware InVincible looks like WannaCry’s. This one does not perform encryption thus far.
Features Spongebob theme in its victim interaction screens. Crude code lacking crypto. Provides 3 days of “special price”.
Discovered by ESET, Zuahahhah ransomware appears to be a new variant of the prolific Crypt888 infection.
Concatenates the .MyChemicalRomance4EVER extension to encrypted files and drops UNLOCK_guiDE.tXT ransom note.
Taking the floor at Black Hat USA 2017, Google’s security analysts claim 95% of ransomware payouts were cashed out via BTC-e service.
Italian experts invent ShieldFS, a custom filesystem that effectively detects ransomware and undoes unauthorized data encryption.
BTC-e owner, Russian citizen Alexander Vinnik, is arrested in Greece on suspicion of ransomware-related money laundering.
Two fresh editions of the CryptoMix ransomware use the .DG and .ZERO file extensions and _HELP_INSTRUCTION.txt ransom note.
Newest iteration of GlobeImposter concatenates the .725 extension to encrypted files. Spreads via malspam.
Its ransom note HOW TO DECRYPT FILES.txt says it’s “test” and asks for “cash” to create custom build of this unnamed sample.
Discovered by MHT. Uses StormRansomware@gmail.com contact email and goes with a hard-coded password.
Currently in development, the RansomDemoN sample has an “Encrypt” button and won’t apply crypto unless it’s clicked.
The latest version of the SamSam/Samas ransom Trojan uses the .supported2017 string to blemish encoded data.
The .crypt extension variant of GlobeImposter is making the rounds via Blank Slate spam with no subject line, just an attachment.
Private Builder Ransomware V2.01 allows threat actors to define custom properties of their own build of the infection.
Leaves a rescue note named READ_ME_HELP_ME.txt. Does not encrypt anything at this point, just renames files.
Provides several different forms to fill out, where wannabe cybercriminals can set their preferred campaign values.
Gryphon ransomware turns out to be a spinoff of the BTCWare strain. Appends files with the .[decr@cock.li].gryphon extension.
Generates animated lock screen featuring a dancing person. Fortunately, it does not encrypt data and is easy to get around.
Above-mentioned ransomware builder claiming to be a “test” gets an upgrade. Configured to append the .Node0 extension to files.
Yet another version of GlobeImposter uses the .rose file extension preceded by the [i-absolutus@bigmir.net] string.
Fresh spinoff of GlobeImposter stains encoded files with the .ocean suffix and leaves a ransom how-to named !back_files!.html.
Drops ransom note named !#_READ_ME_#!.hta and appends the .[avalona.toga@aol.com].blocking extension to files.
Trojan called Scotch Tape Locker v1.0 doesn’t do more damage than locking a victim’s screen. Uses fbifine@protonmail.com email.
Merck, a large US-based pharmaceutical company, is still struggling to recover from the NotPetya attack that affected some of its servers.
C# based ransomware RSA2048Pro applies a data filter to first encrypt items added during the past 3 months.
This video game themed specimen concatenates the .SEVENDAYS extension to files and does not provide any payment steps.
Although TPS 1.0 claims to have encrypted one’s files, its effect is restricted to only showing a warning screen. Demands $300 in BTC.
Another GlobeImposter offshoot is discovered that stains hostage files with the .726 extension.
Also known as Blackzd, the Ranaomware sample simply renames files without appending any extra extension.
Claims to use AES-256 algorithm to lock data. Instructs victims to contact trevinomason1@gmailcom for recovery steps.
This one is equipped with a malware downloader and a DDoS module. Affixes the .CRYSTAL string to filenames.
It displays a message asking for “five Bitcoins to help Yemeni people”. Provides a 72-hour deadline to pay up.
Currently in development. Downloads the executable to C:\Users\DORA path at this point.
Ransom note ebay-msg.html provides contemplations on present-day security issues. Appends files with the .ebay extension.
A Ukrainian law firm is prepping a case against the vendor of M.E.Doc accounting software for spreading NotPetya ransomware.
One more GlobeImposter variant uses the .sea extension for locked files and drops !your_files!.html ransom how-to.
The latest version of Cerber ransomware is capable of stealing browser passwords and Bitcoin wallet data.
Adds ransom note named shutdown57.php and subjoins the .shutdown57 extension to files. The warning says, “Encrypter 8y v1ru5.”
Yet another clone of GlobeImposter uses the .490 file extension and leaves a ransom note named free_files!.html.
While Oxar still labels encrypted files with the .OXR extension, now it features fresh design of the ransom note.
Appears to be an offshoot of Karmen Ransomware-as-a-Service. Uses the .3301 file extension and DECRYPT_MY_FILES.html note.
Another iteration of GlobeImposter adds the .mtk118 string to filenames and drops how_to_back_files.html payment how-to.
This AESxWin spinoff uses the .ZABLOKOWANE extension and ### – ODZYSKAJ SWOJE DANE – ###.txt recovery manual.
Based off of HiddenTear PoC. Blemishes encrypted files with the .WAmarlocked extension and creates READ_IT.txt ransom note.
Doesn’t implement crypto at this point. Drops ransom how-to named decrypt.txt and demands $350 worth of BTC.
TPS sample discovered on August 1 gets modified: it now manifests itself as Why-Cry. Demands $300 worth of BTC.
Fresh iteration of CryptoMix ransomware surfaces that uses the .OGONIA extension and _HELP_INSTRUCTION.txt ransom how-to.
Yet another CryptoMix variant is spotted. It appends the .CNC string to filenames and drops _HELP_INSTRUCTION.txt note.
New GlobeImposter variant pops up that zeroes in on Russian-speaking users. It stains hostage files with the .crypt extension.
One more version uses the .coded extension for ciphered files and decoder_master@aol.com / india.com contact emails.
The latest variant of GlobeImposter adds the .astra suffix to files and creates here_your_files!.html ransom notes.
The spinoff uses the .492 extension and file_free@protonmail.com / koreajoin69@tutanota.com contact email addresses.
This one concatenates random extensions to files and leaves a ransom note named _READ_IT_FOR_RECOVER_FILES.html.
The LOCKD virus pretends to come from the US Department of Justice and demands $200 payable with MoneyPak.
WanaCry4 is in fact a modified version of CryptoWire. Prepends the ‘encrypted’ string to original file extension.
In addition to appending the .HELLO string to filenames, this sample drops HOW TO DECRYPT FILES.txt ransom note.
Another GlobeImposter variant blemishes encrypted files with the ..TXT suffix and uses Read_ME.html recovery instructions.
Although the suspect was using Tor, the FBI was able to get his IP address by duping him into opening a booby-trapped video.
New versions of the Oxar ransomware concatenate the .PEDO and .ULOZ strings to encrypted files.
Malwarebytes researchers dissect the way the Cerber ransomware (CRBR Encryptor) uses the Magnitude exploit kit to proliferate.
Although the anti-Israel IsraBye infection passes itself off as ransomware, it actually erases data without any recovery options.
This one is a GlobeImposter edition. Uses the .rumblegoodboy file extension and how_to_back_files.html ransom note.
Written in .NET, the sample in question displays Globe-style ransom notes. Appends the .[cho.dambler@yandex.com] extension to files.
The latest Oxar ransomware version uses the .FDP extension to label encrypted files. No other noteworthy changes have been made.
Ukraine’s Cyber Police apprehend a 51-year-old man for infecting companies with the Petya.A virus as part of a tax evasion hoax.
Gryphon, a variant of the BTCWare strain, gets an update. Its spinoff uses the .[gladius_rectus@aol.com ].crypton file extension.
Another mod of GlobeImposter uses the .0402 extension for encrypted files and drops !SOS!.html ransom note.
Fresh edition of GlobeImposter stains encoded files with the .Trump string and uses Donald_Trump@derpymail.org contact email.
While going after Polish-speaking users, new Jigsaw iteration concatenates the .pabluklocker extension to hostage entries.
Displays Joker-style warning screen, uses symmetric DES (Data Encryption Standard), and appends the .shinigami extension to files.
Based on the educational Hidden Tear, the strain in question goes banal with the appended file extension, which is .locked.
Originally discovered in late June, the MMM ransomware now switches to using the .0x009d8a extension for encrypted data.
Brand new iteration of the Xorist virus blemishes victims’ files with the .Cerber_RansomWare@qq.com string. Potentially decryptable.
Yet another version appends the .GRANNY extension to files and uses crazyfoot_granny@aol.com contact email address.
Researchers spot more editions that use the following file extensions: .zuzya, .LEGO, .UNLIS, and .D2550A49BF52DFC23F2C013C5.
This one turns out more harmful than it appears, both locking the screen and also encrypting data on target computer.
Crooks continue to use open source PHP ransomware uploaded to GitHub in 2016. Real-world threats target web servers.
New specimen called Infinite Tear uses the .JezRoz file extension and leaves Important_Read_Me.txt ransom note.
Goes with a GUI, claims to use AES-256 encryption algorithm and concatenates the .null extension to locked files.
RotoCrypt affixes the .OTR extension to encrypted files and instructs victims to send email to diligatmail7@tutanota.com.
Uses the following file renaming format: filename=id=email.crypt12. Equipped with a GUI. Replaces desktop wallpaper.
New BRansomware sample concatenates the .GG extension to encoded files. Uses AES cipher but doesn’t do it properly.
Malicious payload for SyncCrypt is obfuscated via booby-trapped image files, so most AV tools miss it. Uses the .KK file extension.
The latest variant of the Locky ransomware labels encrypted files with the .lukitus extension and uses lukitus.htm/bmp ransom notes.
This Java based ransomware concatenates the .enc extension to files. Ransom note contents are in Polish. Might be a PoC.
After a lengthy pause, the Samas family is back with the .prosperous666 file variant. Drops PLEASE-README-AFFECTED-FILES.html note.
Avast creates a free decryption tool for the LambdaLocker ransomware that appends the .MyChemicalRomance4EVER file extension.
The latest Matroska ransomware edition concatenates the .encrypted[Payfordecrypt@protonmail.com] string to locked files.
Multiple security firms state that ransomware payloads outperformed all other threats distributed via email in Q2 2017.
The WoodMan Trojan features a lock screen that looks like a 5-year-old drew it. The ‘mm2wood.mid’ code does the unlock trick.
Aka Moon Cryptor, this one boasts a well-designed GUI and appends the .fmoon string to files. Deletes one file per minute until paid.
New Draco PC Ransomware threatens to delete one file every hour and erase system32 folder in two days if a victim doesn’t pay up.
Fresh version appends the .{saruman7@india.com}.BRT92 extension to encrypted files and drops #DECRYPT_FILES#.html note.
Ransomware, presumably WannaCry, infected numerous LG self-service kiosks in South Korea with unpatched OS.
New iteration of CryptoMix concatenates the .ERROR extension to files and creates _HELP_INSTRUCTION.txt ransom how-to.
Unnamed screen locker starts infecting computers in Poland. Researchers figured out that the unlock code is 023135223.
This one displays an alert about “children pornsites” detected in a victim’s browsing history. Appends the .CYRON extension to files.
The sample called Kappa is a derivative of the Oxar ransomware. Still uses the .OXR extension to blemish encrypted data.
Trojan Dz turns out to be a CyberSplitter ransomware spinoff. Stains files with the .Isis string and demands 0.5 BTC.
The second Oxar variant surfaces during the day. Shows animated warnings, uses the .OXR file suffix and demands $20 worth of BTC.
Karsten Hahn, a well-known malware analyst from Germany, discovered a Hidden Tear spinoff displaying a picture of him.
According to McAfee, 30% of all ransomware the company detected in June were Hidden Tear offshoots.
Based on EDA2 proof-of-concept, this one appends the .xolzsec extension to files. Claims to have been made by a script kiddie.
New HT variant is released that targets French users. Uses the .locked extension and TUTORIEL.bmp/READ_IT_FOR UNLOCK.txt notes.
Ukrainian security company ISSP warns about possible new series of ransomware attacks following another accounting software hack.
The specimen called FlatChestWare is one more Hidden Tear offshoot. Concatenates the .flat extension to encoded files.
New HT derivative called VideoBelle appears. It zeroes in on French users, uses the .locked extension and Message_Important.txt note.
Researchers come across a manual counterpart of the encryptor used by the Cryakl ransomware family. It’s written in Delphi.
Python-based Cypher ransomware (note the spelling) affixes the .enc extension to locked files. Currently in development.
This sample is written in .NET. Automatically installs Tor onto a targeted host and subjoins the .wooly suffix to encrypted data.
New variant of the CryptoMix ransomware appends the .EMPTY string to files and uses _HELP_INSTRUCTION.txt restore manual.
Researchers spot a Chinese ‘Trojan Development Kit’ that fully automates the process of creating ransomware for Android.
Predictably enough, this sample concatenates the .PA-SIEM extension to files, whatever that means. It is in-dev so far.
New version of the Crysis/Dharma ransomware appears. Appends the .id-[victim ID].[chivas@aolonline.top].arena extension to files.
Brand new specimen dubbed Defray zeroes in on healthcare, educational, manufacturing and technology organizations.
Security analysts bump into an HT spinoff using the .locked extension, which turns out to be made for the EkoParty security conference.
Dubbed RansomPrank, this one doesn’t go further than displaying a warning screen. No crypto is implemented. Demands 0.5 BTC.
The specimen called Wooly switches its status from in-dev to real-life. Uses the .wooly extension for hostage data.
New variant of BTCWare strain appears. It appends files with an attacker’s email address followed by the .nuclear extension.
Concatenates files with a random extension and drops ransom how-to’s named YOUR_FILES_ARE_ENCRYPTED.html/txt.
New one called the MindSystem ransomware actually encrypts data but provides the decryption service free of charge.
Created by a dev nicknamed ‘h4xor’. Goes with a GUI, doesn’t use any extra file extensions, and demands $600 worth of BTC.
Leverages XOR crypto to encrypt all data on a computer, including system files. This can cause OS malfunctions.
Several hospitals in Lanarkshire, Scotland, get infected with a ransomware strain called BitPaymer. Attackers demand 53 BTC.
US Internal Revenue Service advises users to exercise caution with ransomware malspam impersonating this government agency.
Currently in development, this specimen uses the .akira extension for hostage files. Encrypts data in the Video folder only.
Fresh version of the Saher Blue Eagle strain appears. The good news is, it’s crude and does not complete the encryption routine.
MHT’s Michael Gillespie joins the Hackable podcast and infects the host’s computer with ransomware to demonstrate how it works.
Based on Hidden Tear, the KeyMaker ransomware appends the .CryptedOpps extension to files and drops READ_IT.txt rescue note.
The strain called Haze shows a warning screen very similar to Petya’s. Fortunately, it does not actually encrypt anything.
The OhNo! strain instructs victims to pay ransoms in Monero (2 XMR), whereas almost all counterparts opt for Bitcoin.
According to Malwarebytes analysts, the Princess Locker ransomware has started employing the RIG exploit kit for propagation.
New Locky campaign uses on-close MS Word macros that download the infection when a user closes a file attached to malspam.
One more CryptoMix version pops up. It affixes the .arena string to encrypted files and drops _HELP_INSTRUCTION.txt ransom note.
In a new campaign, 3 cybercriminal groups hijack more than 26,000 MongoDB databases and hold their contents for ransom.
New HT spinoff called Nulltica uses the .lock file extension and sends booby-trapped messages to victims’ Facebook contacts.
Ultimo is yet another Hidden Tear PoC derivative at large. Speckles encrypted files with the .locked string.
Like its precursor, this one displays “Your Windows Has Been BANNED” lock screen and demands $50 worth of BTC to unlock.
Fresh GlobeImposter offshoot appends files with the .clinTON suffix and instructs victims to contact Bill_Clinton@decrymail.org.
This sample’s prototype was discovered in mid-April 2017. The newcomer uses the .Saramat file extension and asks for 0.5 BTC.
New SynAck ransomware is on the rise. It uses extensions of 10 random hexadecimal chars and RESTORE_INFO-[id].txt ransom notes.
TeamWinLockerWindows screen locker has Russian origin. Additionally changes HOSTS file to block some sites, including Google.
Uses the .locked file extension and drops DOSYALARI-KURTAR[random].txt/url ransom how-to’s. Also pilfers personal data.
Appends the .hacked string to encrypted files. Ransom notes provide language choice out of English, Italian, Spanish, and Turkish.
The sample called FRansomware is still crude and doesn’t encrypt any data. Demands $150 worth of Bitcoin regardless.
DilmaLocker ransomware affixes the .__dilmaV1 extension to locked files and uses RECUPERE_SEUS_ARQUIVOS.html ransom note.
New GlobeImposter edition (.f41o1 extension, READ_IT.html note) now uses a signed payload file with verified signature.
An iteration of the Amnesia ransomware tries to mimic the WannaCry strain in a way, concatenating the .wncry string to files.
Another GlobeImposter variant is released in quick succession. Uses the .4035 extension and no longer features a valid certificate.
Dubbed ArmaLocky, this Locky copycat uses similar ransom notes and concatenates the .armadilo1 string to hostage files.
New version of the Samas ransomware is released. It switches to using the .disposed2017 suffix for ransomed data.
Affixes the .[restoreassistant2@tutanota.com].locked_file extension to files and uses !HOW_TO_UNLOCK_FILES!.html how-to’s.
Appears to be an independently developed sample. Concatenates the .[info@decrypt.ws].paradise extension to files.
New ExoLock ransomware subjoins the .exolocked string to encrypted files and demands 0.01 BTC ($40) for restoring them.
The two Jigsaw editions use the .pablukCRYPT and .pabluk300CrYpT! extensions for locked data and a new desktop background.
It turns out that the Ranion Ransomware-as-a-Service distributes a blackmail Trojan that’s a Hidden Tear PoC derivative.
This one is an offshoot of MoWare_H.F.D. lineage based on Hidden Tear. Uses the .H_F_D_locked extension and XOR cipher.
SoFucked ransomware is full of bad language, obviously. It uses the .fff file extension and READTHISHIT.txt ransom note.
Although still in development, Happy Crypter performs encryption but doesn’t add any extension to files. Demands 0.9 BTC.
Drops ransom how-to’s named !HOW_TO_UNLOCK_FILES!.html and still uses restoreassistant2@tutanota.com contact email.
This brand-new specimen encrypts files and base64 encodes filenames. Doesn’t affect data beyond Desktop directory.
The latest edition of GlobeImposter uses the .reaGAN file extension and Ronald_Reagan@derpymail.org email for victim interaction.
Unlike most strains out there, the Mystic ransomware doesn’t concatenate any extension to filenames. Uses ransom.txt how-to.
New Dcry ransomware version surfaces that uses the .dian file extension. Its code contains a message for MHT’s Michael Gillespie.
New Hidden Tear based sample called RestoLocker appears. Speckles data with the .HeroesOftheStorm extension. Currently in-dev.
RBY blackmail Trojan is a fresh version of the Kryptonite ransomware. Displays a warning screen in Russian and English.
PSCrypt ransomware switches to using the .paxynok string to label encrypted files. Still spreads mostly in Ukraine.
Researchers come across fresh in-dev ransomware called HTA Virus. Based on ransom notes, it is intended to target German users.
This one is functionally similar to Jigsaw ransomware. Uses the .bud extension for ransomed data and demands €500 worth of Bitcoin.
Affixes the .Doxes extension to locked files and demands a ridiculous $120,000 for decryption. Can be decrypted for free.
A decryptable spinoff of the Stupid ransomware with FBI logo on the warning screen. Uses the .XmdXtazX extension and requests €35.
The Locky ransomware gets an update, introducing new .ykcol extension for ransomed data and ykcol.htm/bmp rescue notes.
Pendor displays a CMD style lock screen requesting numeric input. Demands $50 worth of BTC. May potentially be decryptable.
Currently in development. Concatenates the .ZW suffix to encoded data and extorts 0.025375 BTC for data recovery.
The latest Samas/SamSam variant uses the .myransext2017 file extension and 005-DO-YOU-WANT_FILES.html ransom how-to.
Researchers spot a new screen locking virus that pretends to be from the FBI. Demands $300. The unlock code is ‘rhc@12345’.
New version of the almost forgotten Hitler ransomware appears. The warning message is in German. Extorts €10 for decryption.
Admins of East European hacking forums are reportedly disputing over allowing ransomware promotion via their resources.
The most recent version of CryptoMix appends the .SHARK extension to files and drops _HELP_INSTRUCTION.txt ransom note.
Uses the following file extension to blemish encrypted data: !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66.
Fresh Hidden Tear offshoot that concatenates the .cyberdrill string to encrypted files. GUI includes DDoS threats.
This one’s code is based on Hidden Tear PoC. Concatenates the .technicy extension to locked files.
The Ykcol variant of Locky is being distributed via six concurrent malspam waves generated by a new affiliate.
The new nRansom strain demands that victims send 10 nude pictures of themselves in order to unlock a hijacked computer.
Researchers stumble upon a fresh in-development screen locker whose binary is named ‘PoetralesanA Virus Maker.exe’.
This one concatenates the .locked extension to hostage files and demands $350 worth of Bitcoin for recovery. Currently in-dev.
Stains data with the .CyberSoldiersST extension. Crude so far, only renames files without actually encrypting them.
The BTCWare family expands with an edition that appends files with the .wyvern extension preceded by attacker’s email and victim ID.
Having encrypted one’s files, InfinityLock displays a bogus command prompt window imitating commands being typed in remotely.
Visual Basic scripts engaged in Locky/Ykcol ransomware distribution are found to contain references to the Game of Thrones series.
RedBoot encrypts files with the .locked extension and corrupts MBR along with partition table. It provides no recovery option, though.
The sample called SuperB encrypts copies of files, affixes the .enc string to them and overwrites original ones with ransom how-to’s.
This one fails to encrypt any files but still futilely demands Bitcoins for recovery. Closing the pest’s GUI addresses the problem.
Dubbed CryptoClone, this specimen is a CryptoLocker lookalike using the .crypted file extension. It is quite likely decryptable.
Researchers come across a fresh screen locker that tries to extort $50 worth of BTC. Victims can use ‘qwerty’ code for unlocking.
This is one more Hidden Tear spinoff in the wild. It adds the .onion3cry-open-DECRYPTMYFILE string to encrypted files.
The brand-new ransom Trojan in question displays a lock screen containing an alert in Russian and English.
Currently in-dev, BlackMist ransomware appends ‘blackmist’ to files, without a dot before extension. Sets a 48-hour payment deadline.
Bitdefender Labs release Ransomware Recognition Tool that accurately identifies a crypto strain that the user is hit by.
Security analysts discover a screen locking virus that generates a lock message in Portuguese. Nothing else is noteworthy about it.
New unnamed HT variant attempts to send crypto keys over email. Drops READ_IT.txt note and affixes the .locked string to files.
A Necurs spam campaign is spotted that delivers either Locky or Trickbot banking malware depending on victim’s location.
Fresh iteration of the Paradise culprit drops ransom how-to in HTML format. It used to leave instructions in a TXT file.
The Python-based Cypher pest switches to .crypt extension for locked data entries instead of the previously used .enc suffix.
Laser Locker Beta is a tool allowing criminals to easily generate custom versions of the SurveyScreenlocker ransomware.
The rogue DMA Locker ransomware sample uses a warning image that’s just a screenshot of the original taken from a security site.
The newcomer uses Anonymous themed background for its ransom window and subjoins the .fun extension to hostage files.
New BTCWare edition is released that concatenates the .payday extension to files and uses !! RETURN FILES !!.txt ransom note.
A tech support fraud campaign takes root where users keep getting fake browser messages saying “Ransomware Detected”.
Another detected iteration of the Samas ransomware lineage blemishes encoded files with the .loveransisgood extension.
The internal information system of the City of Englewood, Colorado, gets infected with an unidentified ransomware strain.
Arkansas Oral and Facial Surgery Center states its IT network was compromised by ransomware on July 26, 2017.
Brand new ransomware called Ender locks the screen of an infected computer. Victims can use ‘aRmLgk8wboWK5q7’ unlock code.
A GlobeImposter ransomware variant arrives via spam disguised as website job application containing malign Word macros.
This in-development strain is configured to concatenate the .lockon extension to encoded data. Somewhat crude at this point.
BugWare displays a rescue note in Portuguese and adds the .[SLAVIC@SECMAIL.PRO].BUGWARE string to locked files.
The latest iteration of Locky brings about new .asasin extension for encrypted files along with asasin.htm/bmp ransom how-to’s.
Another edition of the “Your Windows Has Been Banned” screen locking virus is detected. Presumably of Turkish origin.
A Hidden Tear POC variant called AnonCrack takes root. It displays warnings in Spanish and subjoins the .crack suffix to skewed files.
New edition of the RotorCrypt ransomware uses the .biz extension to blemish encrypted files and a ransom note named DOCTOR.
The brand-new blackmail malware called Atchbo concatenates the .ExoLock string to files and demands 0.007 BTC for decryption.
According to security firm Carbon Black, the underground marketplace propping ransomware reportedly grows by 2,500% per year.
The latest BTCWare variant appending the .payday file extension token switches to using Checkzip@india.com contact email.
The build features new GUI and uses the .[SLAVIC@SECMAIL.PRO].CRIPTOGRAFADO extension for scrambled files.
Dubbed DoubleLocker, this Android infection gets recursively executed every time the device’s Home button is pressed.
Fresh version of the CryptoMix ransom Trojan subjoins the .x1881 suffix to files and drops _HELP_INSTRUCTION.txt ransom note.
The sample in question uses the .[anubi@cock.li].anubi string to label encrypted files and leaves __READ_ME__.txt ransom manual.
Brand-new screen locker called CCord SystemLocker might be a challenge game made by a German ‘enthusiast’ nicknamed MaxBe.
Fresh tech support scam is spotted that involves browser redirects to a page stating the computer is contaminated with WannaCry.
Cybersecurity researcher Bart (@bartblaze) posts a detailed technical overview of the Sage v2.2 ransomware on his blog.
This one is an in-development offshoot of the educational Hidden Tear ransomware. Adds the .viiper extension to crypted data.
The CryptoDemo sample made by someone nicknamed Eicar resembles CryptoLocker and is used to check AV detection rate.
Aka Crypto Tyrant, the pest in question is a spinoff of the so-called Dumb ransomware codebase that was previously outsourced.
The latest edition of the fairly old Vortex ransomware uses a rescue note named “#$# JAK-ODZYSKAC-PLIKI.txt” written in Polish.
The lock screen says, “Your computer is running a pirated version of Windows”. Demands $100 worth of Ethereum and 20 nude pics.
North Korean cybercrooks reportedly used the Hermes ransomware to distract attention from a recent Taiwan bank heist.
Resembles CrySiS/Dharma, concatenates the .blind extension to locked files and uses How_Decrypt_Files.hta ransom how-to.
Analysts discover an Italian Hidden Tear version authored by somebody with the alias ‘The Magic’. Uses the .locked file extension.
One more iteration of RotorCrypt pest goes live. Affixes the !____________DESKRYPT@TUTAMAIL.COM________.rar string to files.
New ransomware dubbed Magniber appears. It uses random extensions and bears a close resemblance to the Cerber ransom Trojan.
This quality strain appears to only zero in on South Korean users at this point. This limited spreading may be a test run.
Researchers at Zimperium security company find a way to decrypt Magniber. Only works for a variant using hard coded crypto key.
A WhatsApp malspam wave is spotted that disseminates the payload for Bugware strain using the .CRIPTOGRAFADO extension.
Fresh version switches to using the .SaherBlueEagleRansomware extension for hostage data items.
This one (.XmdXtazX file extension) was made by a cynical developer who emphasizes he can set the ransom size as he pleases.
Yet another Hidden Tear spinoff targeting Brazilian users. Adds the .lordofshadow string to files and drops LEIA_ME.txt ransom note.
New HT based Ordinal ransomware uses the .ordinal extension and READ Me To Get Your Files Back.txt.Ordinal rescue note.
Called McAfee Ransomware Recover (Mr2), the utility automatically identifies a strain and suggests a free decryptor if available.
The ID Ransomware online service devised by MalwareHunterTeam is now capable of identifying 500 ransomware lineages.
The latest build of Windows 10 goes equipped with ‘Controlled Folder Access’ functionality thwarting file changes by ransomware.
The sample called AllCry subjoins the .allcry suffix to encrypted files and demands 1 BTC for decryption.
New Trick or Treat ransomware is discovered. Fortunately, it fails to perform data encryption and simply displays a spooky warning.
This fresh incarnation of the Jigsaw strain concatenates the .beep extension to files and displays a pic of the Pennywise character.
Yet another Hidden Tear variant. Affixes the .comrade string to locked files and creates a ransom how-to named DECRYPT_FILES.txt.
The baddie called BadRabbit behaves similarly to NotPetya (affects Master Boot Record) and spreads predominantly in Eastern Europe.
Several security firms unveil that the BadRabbit and NotPetya campaigns were operated by the same cybercriminal group.
According to some reports, a small fraction of BadRabbit ransomware victims are organizations based in the United States.
A number of IT security companies post articles with comprehensive technical analysis of the newsmaking BadRabbit ransomware.
The number of incidents involving the Tyrant, or Crypto Tyrant, ransomware is currently soaring in Iran. Pretends to be a VPN app.
Said outbreak of online extortion was reportedly bolstered by one of previously dumped NSA exploits dubbed Eternal Romance.
Although WannaBeHappy sounds antonymous to the infamous WannaCry, it encrypts files (.encrypted extension) just as professionally.
This Greek malware package encompasses a piece of crypto ransomware and a sneaky RAT (Remote Access Tool).
MalwareHunterTeam’s Michael Gillespie starts a hunt for the scarcely analysed ransomware sample using the .rubina5 file extension.
This one is a spinoff of the Cry36/Nemesis codebase. Mainly targets Indonesian users and appends the .losers suffix to hostage files.
A new blackmail tactic is gaining momentum, where crooks breach servers, move data to password-protected ZIPs and demand ransoms.
The existing strain called Matrix ransomware gets enhanced in that it is now being distributed via the RIG exploit kit.
Zeroing in on Chinese users, the XiaoBa infection stains files with the .XiaoBa[number range 1-34] extension.
The sample called xRansom is in testing mode at this point. Only encrypts 4 file types and doesn’t use any extension or how-to’s.
YYTO has hardly ever been in active rotation, and yet it undergoes an update. The new file extension is colecyrus@mail.com.b007.
The Trojan may fail to delete shadow copies of one’s data and may mishandle its crypto keys, so users may be able to restore files.
A fresh edition of the Xorist ransomware surfaces that concatenates the .error[victim ID] extension to locked files.
The latest GlobeImposter ransomware variant switches to using the .apk extension token for ransomed data.
This Halloween themed ransomware now uses a different background for the warning screen and features updated text.
The sample called ONI is part of a well-orchestrated hoax targeting Japanese companies, in tandem with Ammyy Admin RAT.
While failing to encrypt any data for real, RansWare instructs victims to submit a whopping 100 BTC ransom for recovery.
Hidden Tear spinoff with French roots adds the .hacking extension to files and tells victims to contact the attacker via email.
New HT iteration uses the .locked extension to blemish encrypted files and says it’s “one of the most powerful ransomware’s around”.
The most recent spotted edition of the Cerber-like Magniber strain concatenates the .skvtb suffix to encrypted data items.
The newcomer to the Jigsaw syndicate affixes the .game extension to encoded data. No further changes have been made.
Hermes ransomware reaches version 2.1. Appends the .HRM string to files and drops DECRYPT_INFORMATION.html ransom note.
Another Matrix variant subjoins the _[RELOCK001@TUTA.IO].[original extension] to files and uses !OoopsYourFilesLocked!.rtf note.
Circulates via malicious Word macros, appends the .encrypt extension to hostage files and drops READ_ME_NOW.txt ransom how-to.
Generates a unique ID for each victim and uses it as the file extension. The ransom notification is named _HELPME_DECRYPT_.html.
Ranion switches to using the .ransom extension for encrypted files and README_TO_DECRYPT_FILES.html rescue note.
Portuguese spinoff of the Hidden Tear project surfaces called Curumim ransomware. Uses the .curumim extension for hostage files.
The new variant uses a different lock screen demanding 250 RMB (37.696 USD) worth of Bitcoin to unlock the computer.
Based on Hidden Tear PoC. Generates a ransom notification in Spanish and concatenates the .teamo string to encrypted files.
This one is all about waffles: that’s what its ransom note is called, it displays an image of waffles, and uses the .waffle file extension.
It turns out that the recently discovered GIBON ransomware has been advertised on hacker forums since May 2017.
The brand new Sigma sample appends random extensions to hostage files, drops Readme.txt rescue note and demands $1,000 in BTC.
Displays a gloomy picture of a tree with Christmas toys. The size of the ransom is 0.03 BTC (about $200). Based on open-source code.
Computer system of Spring Hill, Tennessee, gets impacted by unknown ransomware. The crooks demand $250,000 for decryption.
Jhash is a Hidden Tear variant targeting Spanish-speaking users. Subjoins the .locky extension to encoded files.
Going after German users, Ordinypt irreversibly damages victims’ data. The ransom note is named Wo_sind_meine_Dateien.html.
The extortionists behind LockCrypt ransomware access enterprise servers via RDP and deposit the file-encrypting infection manually.
The latest CrySiS ransomware edition appends the .[cranbery@colorendgrace.com].cobra extension to files and uses Info.hta note.
The payload of the LOL ransomware is disguised as a keygen program. It uses the .lol file extension and demands 0.1 BTC.
Fresh mod of the Jigsaw ransomware affixes the .##ENCRYPTED_BY_pablukl0cker## string to encrypted files.
A Hidden Tear variant. The warning screen says, “Your computer is blocked by cyber police for unlicensed software’s usage.”
A big tweak in the new GlobeImposter variant has to do with the way it encrypts and extracts its configuration data.
Although the original build hasn’t been very successful, the crooks have updated the code. Now uses .fat32 extension and info.txt note.
The most recent iteration switches to using the .XZZX extension for encrypted files. The how-to is still named _HELP_INSTRUCTION.txt.
Concatenates the .locked-jCandy string to locked data entries, dropping READ_ME.txt and JCANDY_INSTRUCTIONS.txt ransom notes.
Security analysts discover in-development ransom Trojan providing instructions in French. Uses the .lockon extension for victims’ files.
Dr.Web anti-malware company releases the Rescue Pack tool that decrypts files encoded by Blind/Kill ransomware. Requires payment.
New GlobeImposter ransomware persona adds the .kimchenyn extension to files and drops how_to_back_files.html rescue note.
This one adds the .am string to hostage files. The ENCRYPTED FILES.txt ransom note contains random digits instead of instructions.
A Hidden Tear offshoot that blemishes encrypted files with the .goofed extension and uses YOU_DONE_GOOFED.txt ransom how-to.
One more hastily released variant of GlobeImposter now subjoins the .SEXY string to encoded data items.
The crude culprit zeroes in on J. Sterling Morton High School (Illinois) students. Pretends to be a student survey. No crypto so far.
This one is based on Hidden Tear. Goes with a well-designed GUI and concatenates the .RASTAKHIZ extension to ransomed files.
The second CryptoMix version in a week switches to using the .0000 extension for hostage files and new contact emails.
The WannaSmile blackmail virus stains files with the .WSmile suffix and uses ‘How to decrypt files.html’ ransom note.
The sample called CorruptCrypt uses two different extensions for scrambled files: .corrupt and .acryhjccbb@protonmail.com.
A screen locker targeting Canadians, displaying its warnings in French and featuring an FBI themed logo. Demands 0.06 BTC to unlock.
One of the multiple Hidden Tear variants released during the week. Concatenates the .basslock string to encoded files.
Called ‘Wana die decrypt0r’, this one mimics WannaCry’s GUI and displays a ransom note in Russian. No real crypto so far.
A brand-new variant of the CrySiS/Dharma blackmail virus switches to concatenating the .java extension to encrypted files.
The Cryakl ransomware species, thought to be extinct, resurfaces with a fresh edition that adds the .fairytale string to ransomed data items.
Locket displays a ransom warning screen resembling that of CryptoLocker. Lacks encryption functionality at this point.
A new version of the GlobeImposter ransom Trojan uses the .Ipcrestore file extension and how_to_back_files.html rescue note.
The qkG ransomware, aka qkG Filecoder, only encrypts Microsoft Office documents spotted on an infected computer.
This is an in-development ransom Trojan that affixes the .iGotYou extension to files and asks for 10,000 Indian rupee for recovery.
One more imitation of the WannaCry ransomware generates a ransom alert in Portuguese and demands 0.006 BTC.
Propagates massively via the Necurs botnet. Appends the [suupport@protonmail.com].scarab extension to filenames.
According to Sophos, the top ransomware strains of 2017 in Africa are Cerber (80%), WannaCry (17%), Locky, Jaff, and Petya (1% each).
A Hidden Tear spinoff. Concatenates the .cryp70n1c extension to locked files and provides 3 days to submit the ransom.
This sample appears to be a joke, because a) it doesn’t encrypt, and b) it tells victims to click a bunch of checkboxes for decryption.
Newly discovered Exo Builder tool automates the process of making new ransomware (.exo extension, UnlockYourFiles.txt note).
StorageCrypt targets Western Digital My Cloud NAS devices. Uses the .locked extension and _READ_ME_FOR_DECRYPT.txt how-to file.
The newest edition of the Samas/SamSam ransom Trojan concatenates the .areyoulovemyrans string to hostage data items.
A fresh variant of the Magniber ransomware adds the .vpgvlkb extension to files and leaves ‘read me for decrypt.txt’ rescue note.
Not catalogued under any known family thus far. Appends the .locked extension and adds READ_ME_FOR_ALL_YOUR_FILES.txt note.
A decryptor is out for the HC6 blackmail virus that uses the .fucku file extension and drops recover_your_files.txt recovery manual.
The prolific CryptON ransomware gets an update. It switches to the .encrptd extension and pretends to be EaseUS Keygen tool.
MHT’s Michael Gillespie upgrades his decryptor for Crypt12 Trojan supporting a new version (hello@boomfile.ru.crypt12 extension).
Researchers announce a hunt for a scarcely analyzed sample that uses the .[maxicrypt@cock.li].maxicrypt extension for locked files.
This one prepends the original extension of a targeted file with the _enc string. Currently does not spread in the wild.
The latest variant of the Crypt888 blackmail culprit instructs victims to contact the attacker at maya_157_ransom@hotmail.com.
The relatively new HC7 file-encrypting malware stains encrypted data with the .GOTYA extension. Extensive analysis not done yet.
Security experts notice a spike in ACCDFISA v2.0 infection instances isolated to Brazil. This one is a remake of a notorious sample.
The executable file of this infection is named REAL DANGEROUS RANSOMWARE.exe. Does not encrypt anything, only locks the screen.
New variants of the GlobeImposter ransom Trojan have been making the rounds via Necurs, one of the biggest botnets out there.
A fresh iteration of the CryptoMix ransomware brings about the .TEST extension being concatenated to hostage files.
Someone nicknamed ‘Luc1F3R’ is selling a turnkey kit for new ransom Trojan called Halloware for only $40 on dark web forums.
A brand-new mod of the BTCWare ransom Trojan stains encrypted files with the .[attacker’s_email]-id-id.shadow extension.
The Globe2 ransomware follows suit of other widespread strains and spawns a new version using the .abc string for hostage files.
While exhibiting basic ransomware characteristics, ClicoCrypter appears to be aimed at testing CheckPoint Software’s efficiency.
The most recent edition of the Magniber ransomware uses the .dlenggrl suffix to label one’s encrypted files.
Analysts provide comparative analysis of two ransomware strains, Vortex and Bugware, both of which are based on open source code.
A fresh version of the Blind ransomware uses the .napoleon extension for hostage files and How_Decrypt_Files.hta ransom note.
This somewhat buggy infection stains encrypted data items with the .eTeRnItY extension. The unlock code is 1234567890.
New Vietnamese edition of the JCoder ransomware is discovered that uses the .MTC file extension and ‘WanaCry 0.2.ini’ ransom note.
Three iterations of the Magniber Trojan take root, featuring the .dwbiwty, .fbuvkngy and .xhspythxn file extensions.
Analysts come across a Spanish ransomware strain whose GUI is titled ‘PAYMENT’. Currently in development, with no crypto in place.
Appends the .RansomMine extension to enciphered files, hence the name. Restores data if it spots Minecraft 1.11.2 on a PC.
In a post on Extreme Coders Blog, researchers dissect the modus operandi of the relatively new and quite offbeat HC6 ransomware.
The infection mimics ransomware behavior and does not encrypt any data for real. Displays a GUI with warning text in German.
The strain called Crypt0 is another spinoff of the academic Hidden Tear project. Adds random extensions to files while not encrypting.
CrySiS/Dharma strain mutates with a minor change. Now uses curly braces instead of brackets prepending the .java extension string.
Yet another variant of the Magniber ransomware surfaces that switches to using the .dxjay string for encrypted files.
One more offshoot of the Hidden Tear PoC called Shadow Blood appears. Concatenates the .TEARS suffix to files. In-dev thus far.
Security analysts came up with a way that might allow HC7 ransomware victims to recover their encrypted files without paying up.
A previously released Hidden Tear variant (.hacking extension) undergoes a tweak and now displays a politics-themed wallpaper.
The ID Ransomware online service created by MHT is declared capable of identifying all variants of the Magniber ransomware.
It turns out that StorageCrypt, a ransom Trojan targeting NAS devices, is spreading using a Linux vulnerability dubbed SambaCry.
A fertility clinic in Edina, Minnesota, was reportedly attacked by an unidentified ransomware strain that may have exposed patients’ data.
A fresh version of the prolific BTCWare ransom Trojan appends files with the .wallet extension prepended with attackers’ email address.
May be based on the CryptoJoker codebase. Subjoins the .destroy.executioner or .pluss.executioner extension to encrypted files.
The HC7 strain edition currently in rotation infects computers via PsExec and concatenates the .GOTYA extension to locked data items.
Computer systems of Mecklenburg County, NC, get contaminated with a ransom Trojan that cripples multiple services.
This one surfaces at an apropos time. Demands $100 worth of Bitcoin to recover a victim’s encrypted data.
The latest variant of the Xorist ransomware blemishes encoded files with the .CerBerSysLocked0009881 extension.
New in-dev sample called Santa Encryptor features an image of Santa Claus on its warning screen and demands $150 worth of BTC.
Brand new edition of the GlobeImposter ransomware imitates the CrySiS strain by using the .[paradisecity@cock.li].arena extension.
Researchers at Malwarebytes release in-depth analysis of the Blind ransomware edition using the .napoleon extension.
Another one for the list. Its GUI is titled D4rkL0cker Test, which gives a clue that it’s a crude sample whose creation is in progress.
New ransomware called File Spider is spreading in the Balkans via spam. It assigns the .spider extension to encrypted files.
InfoSec experts provide a lowdown on the distribution vectors and code of the new File Spider ransomware in an informative blog post.
The sample called “I’ll Make you Cry” appears to be a variant of the old NxRansomware. Pretends to be Google Chrome update.
A fresh screen-locking Trojan is spotted that falsely claims to have encrypted one’s files. Demands ransom via credit card payment.
The latest edition of the CryptoMix ransomware uses the .WORK file extension and an updated list of contact email addresses.
Yet another version of the HC7 strain blemishes encoded files with the .DS335 extension without modifying filenames.
This one targets a Spanish-speaking audience, stains encrypted files with the .noblis extension and provides a 24-hour payment deadline.
The most recent Blind ransomware variant switches to the .[skeleton@rape.lol].skeleton extension. The note is How_Decrypt_Files.txt.
New Hidden Tear based TrOwX ransomware is discovered that adds the .locked extension to files and drops READ_AND_CRY note.
Nothing is known about a new strain calling itself RSA-NI, except the name indicated in the ransom note. Researchers are looking for samples.
Personal data of about 19 million voters in California got compromised as an upshot of the ongoing MongoDB ransom case.
This spooky name denotes a new ransom Trojan (.locked extension, READ_IT.txt note). The unlock code is 63uh2372gASd@316.
New one. According to the GUI, it’s Cyclone Ransomware v2.40. Appends the .cyclone extension to files and sets a 48-hour deadline.
This Python based sample uses the .maniac extension for hostage data and Readme_to_recover_files.txt/html ransom notes.
Displays ‘KAKO OTKLJUCATI VASE DATOTEKE.txt’ ransom note with instructions in Croatian and uses .godra file extension.
The latest RSAUtil variant uses the .ID.GORILLA extension to label encrypted files and drops How_return_files.txt ransom note.
This one resembles WannaCry in a way, because it circulates via SMB. Concatenates the .satan string to hostage files.
The @WannaDecryptor@ ransomware sample is camouflaged as a Bitcoin multiplier solution called Bitcoin-x2 v5.1.
The White House releases a statement where North Korean state-sponsored cybercriminals are blamed for spreading the WannaCry strain.
The latest edition of the GlobeImposter ransomware switches to using the .wallet extension for encoded data objects.
New one on the radar. Displays a warning screen similar to Petya’s and uses the .crypted extension for hostage files.
As if on steroids, the RSAUtil lineage spawns the second variant in two days. Concatenates the .ID.VENDETTA extension to files.
Five cybercrooks are arrested in Romania for distributing the notorious CTB-Locker and Cerber ransomware infections.
Two of the above-mentioned criminals are charged with hacking the Washington D.C. police surveillance system to spread ransomware.
The threat actors behind VenusLocker ransomware have reportedly abandoned the project in favor of Monero mining activities.
Another version of GlobeImposter is making the rounds via malicious spam carrying toxic JS files. Uses the .doc file extension.
It turns out to be .NET based. Prioritizes the encryption workflow by first affecting Desktop, Pictures and Documents directories.
The new File-Locker ransomware targets Korean users. Uses the .locked extension and Warning!!!!!!.txt note. Demands 50,000 Won.
The latest ..doc variant of GlobeImposter is spreading by means of malspam with fake photos enclosed in 7z archive.
The CryptoMix family produces a fresh edition. It subjoins the .FILE extension to encoded items and uses new contact email addresses.
Another edition of the Blind ransom Trojan appears that uses the .blind2 file extension and How_Decrypt_Files.txt ransom note.
Also referred to as Damage ransomware, this new sample adds .wtf to filenames and drops HOWTODECRYPTFILES.html note.
This lineage continues to expand, this time spawning a variant that stains encrypted files with the .tastylock extension.
The most recent Samas/SamSam ransomware edition appends .weapologize to files and uses 0009-SORRY-FOR-FILES.html how-to.
A minor change made to the SQ_ strain is the new BA_ string prepended to filenames and BA_IN YOUR FILES..txt ransom note.
This one drops a rescue note named Instruction.txt that instructs victims to contact the attacker at pulpy2@cock.li.
New one. Concatenates the .enc suffix to encoded files and leaves a ransom how-to named “madbit encryptor: Hello, you are encrypted!”
an ongoing list…