This is a comprehensive report on ransomware-related events covering a timeframe of January 2017 through June 2018. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources.

Event categories used in this report: new ransomware released; old ransomware updated; ransomware decrypted; other important ransomware-related events.

HEROPOINT RANSOMWARE DISSECTED
In-dev sample called HeroPoint appends random numbers to filenames and demands $20 worth of Bitcoin for recovery.

FILE-LOCKER RANSOMWARE TWEAK
This Korean ransomware switches from using the .locked file extension to the .razy string for labeling hostage data items.

TRIPLEM (MMM) RANSOMWARE
Subjoins the .triple_m or .0x009d8a string to encrypted files and drops a RESTORE_triple_m__FILES.html ransom notification.

GOOGLE CRYPT SOUNDS MORE PROFESSIONAL THAN IT IS
Currently in development, the Google Crypt strain claims to encrypt data but actually just locks the screen of an infected machine.

A DECRYPTABLE EDITION OF XORIST DISCOVERED
Researchers come across a Xorist ransomware variant that has been around for quite some time. Uses the .cryptedx file extension.

ANOTHER DAY, ANOTHER CRYPTOMIX TWEAK
The CryptoMix ransomware mutates again. Its newest version switches to using the .SERVER extension for ransomed data entries.

ONE MORE GLOBE2 SPINOFF
A fresh Turkish variant of the Globe2 ransomware is discovered. It concatenates the .vrmrkz string to ciphered files. Decryptable.

LEON EDITION OF THE BLIND RANSOMWARE
The Blind ransomware lineage produces another mod that blemishes data with the .leon extension prepended with the attacker’s email.

KOREANLOCKER RANSOMWARE SPOTTED
New sample called KoreanLocker is a spinoff of the academic Hidden Tear project. Uses the .locked extension to label hostage files.

JIGSAW RANSOMWARE GETS A MAKEOVER
Fresh variant of the Jigsaw blackmail virus targets Polish users and displays an x-rated picture on its warning screen.

KRYPTON RANSOMWARE, A NEW ONE
Another Hidden Tear variant called the Krypton Ransomware uses the .kryptonite extension and a KRYPTON_RANSOMWARE.txt note.

REVOLUTIONARY HC7 VERSION
New edition of the HC7 ransomware adds the .PLANETARY string to filenames and accepts payments in Bitcoin, Monero and Ethereum.

D.KOPORUSHKIN VIRUS DISCOVERED
Named after a TXT file it creates, the D.Koporushkin culprit encrypts files, adding the .aes extension, and also acts as a data stealer.

FROG RANSOMWARE HAILING FROM VIETNAM
Unsurprisingly, one more derivative of the Hidden Tear PoC. Appends the .frog extension to files and drops a frog.txt ransom note.

JIGSAW GETS ANOTHER UPDATE
An umpteenth edition of the Jigsaw ransomware is spotted that concatenates the .CryptWalker suffix to encrypted files.

LONGTERMMEMORYLOSS RANSOMWARE
Currently in development, the LongTermMemoryLoss ransom Trojan uses an apropos .LTML extension to stain encoded data.

DEATH N0TE RANSOMWARE SURFACES
Rather than encrypt a victim’s files, the Death N0te infection moves them to a password-protected RAR archive.

CRYPTWALKER, ONE MORE BADDIE ON THE TABLE
The sample called CryptWalker turns out to be a DUMB ransomware spinoff. Does not modify filenames. In-dev at this point.

SHADY APPLICATION CALLED D4CK3R C0NTR01
This one is a paid decrypt tool for the ransomware called D4CK3R. Interestingly, analysts haven’t spotted the ransomware itself yet.

LAZAGNECRYPT CULPRIT IN THE WILD
New blackmail virus called LazagneCrypt encrypts files while staining them with the .encr extension, and steals victims’ passwords.

NEW VARIANT OF KILLDISK
A fresh edition of KillDisk, a destructive data wiper, wreaks havoc in Latin America, destroying data while posing as classic ransomware.

U.S. HOSPITAL GIVES IN TO EXTORTIONISTS
The Hancock Health hospital in Greenfield, IN, pays a ransom of $55,000 to restore data crippled by SamSam ransomware.

KILLBOT VIRUS BEING DEVELOPED
Researchers spot in-dev ransomware calling itself the Killbot Virus. It simply displays a warning screen so far, with no crypto in place.

R3VO RANSOMWARE SPOTTED
New sample called R3vo ransomware appends the .Lime string to hostage files and demands $100 worth of Bitcoin for decryption.

NEW BACKUP FEATURE ANNOUNCED BY MICROSOFT
Microsoft is reportedly planning to add a “Files Restore” function to OneDrive for Business that will allow restoring lost data.

SAMSAM STRAIN SPREADING LIKE WILDFIRE
The gang behind the SamSam/Samas ransomware was able to infect high-profile victims recently, including hospitals and a U.S. city council.

JIGSAW RANSOMWARE GETS A SMALL TWEAK
The latest Jigsaw edition, called Mada, stains encrypted files with the .LOCKED_BY_pabluklocker extension and uses a new background.

TALK RANSOMWARE SURFACES
This one is a Hidden Tear spinoff that targets a Korean-speaking audience. Uses the .암호화됨 (meaning “.encrypted”) extension.

RANSOMUSERLOCKER STRAIN OUT THERE
Another Korean offshoot of the Hidden Tear PoC from the creators of Talk Ransomware. Uses the .RansomUserLocker file extension.

GHACK RANSOMWARE
Currently in development, the GHack specimen turns out really buggy. Does not encrypt and simply generates a warning screen.

SURERANSOM INFECTION BEING CREATED
One more in-dev sample discovered by security analysts. No crypto at this point. Claims to use AES-256 and demands £50.

ANOTHER CRUDE STRAIN CALLED RANCIDLOCKER
Aka Rancidware Screen Locker, this pest purports to block access to the desktop and demands $150. Only displays a warning screen.

QWERTY RANSOMWARE RELEASED
Hidden Tear based Qwerty ransomware targets Portuguese-speaking users. Uses the .qwerty file extension and demands 0.05 Bitcoin.

DESUCRYPT SPINOFFS BEING DISTRIBUTED
Two variants of the open-source desuCrypt ransomware start making the rounds, appending the .insane and .deuscrypt extensions to locked files.

RAPID RANSOMWARE STANDS OUT FROM THE REST
This sample (.rapid extension, How Recovery Files.txt note) encrypts the data present at the time of attack and keeps encrypting any new files created on the computer afterwards.

GLOBEIMPOSTER 2.0 UPDATED
The latest GlobeImposter 2.0 version switches to the .crypted! suffix for encrypted data items and sticks with the how_to_back_files.html note.

THE INTRICATE MONEROPAY RANSOMWARE
New file-encrypting threat called MoneroPay masquerades as a wallet application for a rogue altcoin called SpriteCoin.

NOTPETYA CAUSED LOTS OF TROUBLE TO MAERSK
Maersk, the Danish transportation company, claims to have reinstalled thousands of servers and PCs to recover from last year’s NotPetya incident.

NEW ADULT-SITE-BORNE INFECTION SURFACES
Dubbed PornBlackmailer, this culprit spreads via x-rated sites and threatens to notify law enforcement that the victim distributes child porn.

FRESH RANSOMWARE STATISTICS RELEASED
According to a report by Malwarebytes, ransomware attacks against end users and businesses grew by 93% and 90% in 2017, respectively.

ROTORCRYPT UPDATED
The most recent variant of the RotorCrypt ransomware appends files with an unusually long extension ending with .Black_OFFserve.

VELSO RANSOMWARE IN THE WILD
The baddie in question spreads via compromised remote desktop services and concatenates the .velso extension to scrambled files.

TIES BETWEEN DRIDEX GANG AND BITPAYMER THREAT
According to ESET, the BitPaymer/FriedEx ransomware was most likely created by the crooks behind the notorious Dridex banking Trojan.

GANDCRAB RANSOMWARE RELEASED
The GandCrab ransomware, spreading via exploit kits, is revolutionary in that it accepts ransoms in the DASH cryptocurrency rather than Bitcoin.

TOR-TO-WEB PROXY OPERATOR PLAYS NAUGHTY
The Onion.top Tor proxy service was found to replace Bitcoin addresses on some ransomware payment sites with its own wallet addresses.

SCHOOL DISTRICT IN THE U.S. HIT BY RANSOMWARE
Chester County School District, South Carolina, is trying to recover data after unidentified ransomware crippled it over the weekend.

CRYSIS/DHARMA RANSOMWARE UPDATED
The latest discovered variant of the CrySiS/Dharma ransomware lineage switches to using the .write extension for hostage files.

SPRING HILL, TN, RECOVERING FROM CRYPTO ONSLAUGHT
The city of Spring Hill, Tennessee, continues to rebuild its servers after last year’s ransomware attack, putting utility payments back online.

PUBLIC LIBRARY FALLS VICTIM TO RANSOMWARE
Unknown ransom Trojan infects the computer network of the Spartanburg County Public Library in South Carolina. Staff refuses to pay the ransom.

“RANSOMWARE” TERM ADDED TO POPULAR DICTIONARY
The word “ransomware” has been added to the latest edition of the Oxford English Dictionary. No wonder, it’s such a common term these days.

MINDLOST RANSOMWARE HARVESTS SENSITIVE DATA
The new strain called MindLost instructs victims to provide their credit card information and pay a $200 ransom for data decryption.

ANOTHER GLOBEIMPOSTER VERSION RELEASED
Malware analysts come across a brand new variant of the GlobeImposter ransom Trojan that appends the .DREAM string to locked files.

FAMOUS RANSOMWARE FIGHTER TO BE AWARDED
The FBI is going to give the FBI Director’s Community Leadership Award to Michael Gillespie (@demonslay335) for his anti-ransomware work.

GANDCRAB MARKETED AS A RAAS
It turns out that the recently released GandCrab ransomware is backed by a Ransomware-as-a-Service model being pushed via shady forums.

SCARABEY RANSOMWARE, OFFSHOOT OF THE SCARAB PEST
Researchers discover the new Scarabey ransomware, a spinoff of the Scarab strain, infecting companies via hacked RDP services.

CRYPTOMIX UNDERGOES A TWEAK
The most recent mod of the prolific CryptoMix blackmail virus switches to concatenating the .SYSTEM extension to encrypted files.

TEAR DR0P V1 CULPRIT DISCOVERED AND DECRYPTED
The sample called TEAR DR0P V1 employs the SpeechSynthesizer tool to produce audio alerts. Analysts were able to crack it fairly fast.

INFINITE TEAR BADDIE FINE-TUNED
New iteration called InfiniteTear 3 uses the .Infinite extension for ransomed files and a #How_Decrypt_Files.txt ransom note.

COUCHDB SERVERS STILL EXPOSED TO EXTORTION
Security researchers discover a new wave of CouchDB database hacks for ransom. The crooks demand 0.2 BTC for restoring the content.

RARUCRYPT USES PASSWORD-PROTECTED ARCHIVES
RaruCrypt is a Russian ransomware strain demanding 200 RUB for unlocking a RAR archive with data. The password is S?{DCO^C!{L@CR^+<7E}2.

HERMES 2.1 STRAIN GETS FINE-TUNED
The previously released Hermes 2.1 ransomware undergoes a tweak, switching to a new file marker and appending no extension to filenames.

MONEROPAY RANSOMWARE DECRYPTED
Analysts from NioGuard Security Lab create a free decryption tool for the MoneroPay ransomware, which pretends to be a SpriteCoin wallet.

ONE MORE SAMPLE IN THE JIGSAW LINEAGE
The most recent mod of the Jigsaw ransomware concatenates the .# suffix to encoded files. Still decryptable courtesy of @demonslay335.

CRYPT12 PEST UPDATED
A fresh edition of the Crypt12 strain switches to using the hernansec@protonmail.ch email address for interaction with victims.

INTERESTING STATS REGARDING RANSOMWARE
According to a survey by Sophos, 54% of organizations fell victim to ransomware in 2017. Most suffered such attacks twice during the year.

WINDOWS’ CFA FEATURE SUSCEPTIBLE TO ABUSE
Spanish researcher Yago Jesus was able to get around the Controlled Folder Access feature that’s supposed to protect against ransomware.

YET ANOTHER JIGSAW EDITION SPOTTED
New Turkish version of the Jigsaw ransomware is discovered that concatenates the .justice string to encoded files. Decryptable.

ADAMLOCKER RANSOMWARE UPDATED
The latest iteration disables Task Manager, displays a ransom note in Korean and subjoins the .adam extension to encrypted files.

GANDCRAB SPREADING VIA BOOBY-TRAPPED SPAM
Operators of the GandCrab ransomware campaign switch to malicious spam for distribution. The emails contain rogue receipts.

HONOR RANSOMWARE IN THE WILD
This one replaces filenames with random hexadecimal characters and adds the .honor extension to each. Does not leave a ransom how-to.

CALIFORNIA VOTER DATABASE HACKED ONCE AGAIN
Threat actors were able to breach and steal data from a MongoDB database of California voters, demanding a ransom for reinstating the records.

BLACK RUBY RANSOMWARE SPOTTED
Prepends the ‘Encrypted_’ string and appends the .BlackRuby extension to filenames. Additionally installs a Monero cryptocurrency miner.

DEXCRYPT CRIPPLES MASTER BOOT RECORD
DexCrypt is a Chinese blackmail virus affecting the MBR of target hosts, thus denying access to Windows. Demands 30 Yuan (about $5).

DCRTR RANSOMWARE DISCOVERED
Affixes the .[decryptor@cock.li].dcrtr string to encrypted files and provides recovery steps in a ReadMe_Decryptor.txt document.

ROTORCRYPT KEEPS ON CHANGING
The latest edition of the RotorCrypt ransomware concatenates the !decrfile@tutanota.com.crypo extension to encoded files.

THE NEW TBLOCKER RANSOMWARE
TBlocker appends the “_” extension to encrypted files and demands $250 worth of Bitcoin. Decryptable without paying the ransom.

RAPID RANSOMWARE DISTRIBUTION DETAILS
The Rapid ransomware strain is spreading via phishing emails disguised as urgent notifications from the U.S. Internal Revenue Service.

DEFENDER RANSOMWARE SURFACES
This one tries to mimic Windows Defender. Concatenates the .defender extension to locked files and has a flaw that thwarts decryption.

BLANK RANSOMWARE IS SOMEBODY’S PRANK
This sample appends the apropos .blank extension to filenames and provides the decryption key after a victim hits the right button.

DESUCRYPT RANSOMWARE UPDATED
The latest version of the desuCrypt strain stains hostage files with the .Tornado extension and drops a ransom note named key.txt.

PENDOR RANSOMWARE CRACKED
Well-known security researcher Michael Gillespie, aka demonslay335, releases a free decryptor for the Pendor (.pnr files) ransomware.

FRESH JIGSAW RANSOMWARE VERSION OUT THERE
Brand-new Korean mod of the prolific Jigsaw ransom Trojan switches to using the .locked extension for crippled files.

NOTPETYA ATTRIBUTION UNVEILED BY THE UK
The United Kingdom officially accuses the Russian government of the NotPetya ransomware outbreak that took place in June 2017.

GLOBEIMPOSTER GOING AFTER HIGH-PROFILE VICTIMS
New variant of the GlobeImposter ransomware adds the .suddentax extension to files and targets enterprise computer networks.

UMARU RANSOMWARE RELEASED
The Umaru ransomware is a Japanese strain that concatenates the .干物妹！ suffix to encrypted files and doesn’t leave a ransom note.

SATURN RANSOMWARE SPREADING ON A LARGE SCALE
New sample called Saturn ransomware uses the .saturn extension for encoded files and drops #DECRYPT_MY_FILES#.txt/html ransom notes.

RELEC RANSOMWARE TURNS OUT A PIECE OF JUNK
Relec ransomware is a new in-development sample configured to demand 1 BTC for decryption, although it fails to encrypt anything.

DEADRANSOMWARE DOESN’T DO MUCH DAMAGE
While this one claims to encrypt data, it is actually a screen locker. The password to unlock is “DeadRansomwareDecryptMyFiles”.

NEW ONE USING .RANSOMWARED EXTENSION
A fresh strain is spotted that concatenates the .ransomwared string to encrypted items. Currently in development.

WANNACRYPT DISCOVERED AND CRACKED
The sample called WannaCrypt displays a warning screen with a barcode and demands 0.05 BTC. Decrypted by researchers.

SATURN RAAS WAITING FOR AFFILIATES
Analysts discover a new Ransomware-as-a-Service platform backing the distribution of the Saturn ransomware. No registration fee required.

U.S. COUNTIES STAY VULNERABLE TO RANSOM ATTACKS
The computer network of Davidson County, North Carolina, suffers a ransomware attack. There are reportedly good backups in place.

ANDROID RANSOMWARE’S DECLINE IN 2017
According to the findings of researchers at ESET, the number of reported Android ransomware infections went down last year.

BANANACRYPT RANSOMWARE SURFACES
The brand-new BananaCrypt ransomware speckles encrypted files with the .bananaCrypt extension and demands $300 worth of Bitcoin.

RUSSENGER RANSOMWARE SPOTTED
This one zeroes in on Russian-speaking computer users. Appends the .messenger-[random] extension to encoded files.

NEW LOCKCRYPT VARIANT SPREADING VIA RDP
An edition of the LockCrypt ransomware is released that spreads over breached remote desktop services and uses the .1BTC file extension.

SHIFR STRAIN UPDATED
The latest version of the Shifr ransomware switches to using the .cypher extension and a How_To_Decrypt_Files.html rescue note.

INTERVIEW WITH PROMINENT RANSOMWARE ANALYST
MonsterCloud Cyber Security publishes an interview with Michael Gillespie, a ransomware fighter who got the FBI’s special award.

THE NASTY IMPACT OF ANNABELLE RANSOMWARE
The Annabelle blackmail strain terminates numerous programs, encrypts a victim’s data and cripples the MBR (master boot record).

NEW HIGH-PROFILE VICTIM MADE BY SAMSAM STRAIN
The SamSam/Samas ransomware infects the Colorado Department of Transportation, forcing the shutdown of more than 2,000 computers.

GLOBE2 RANSOMWARE UPDATED
A new mod of the Globe2 ransom Trojan targets Turkish users and subjoins the .frmvrlr2017 suffix to locked files. Decryptable.

BALILUWARE SAMPLE POPS UP
Baliluware is a Hidden Tear PoC derivative that uses the .you-are-f*cked-by-baliluware-(coded-by-heropoint) extension for hostage files.

DATA KEEPER RANSOMWARE GAINS TRACTION
Having been launched on a RaaS basis a couple of days ago, the Data Keeper ransom Trojan starts contaminating PCs in the wild.

THANATOS STRAIN DOESN’T WORK AS INTENDED
The new Thanatos (“Death” in Greek) ransomware doesn’t save the crypto keys, so recovery is impossible. Accepts Bitcoin Cash for ransoms.

RIG EK OPERATORS ABANDON RANSOMWARE BUSINESS
According to researchers, one of the most common exploit kits, called RIG, has switched from spreading ransomware to delivering coin miners.

NEW XIAOBA VARIANT RELEASED
The latest persona of this blackmail virus uses the .Encrypted[BaYuCheng@yeah.net].XiaoBa extension and an _XiaoBa_Info_.hta ransom note.

GANDCRAB RANSOMWARE CRACKED
Bitdefender finds a workaround for the crypto utilized by the GandCrab ransomware, allowing those infected to recover their data for free.

NEW DISTRIBUTION TACTIC BY GANDCRAB OPERATORS
A recent wave of GandCrab ransomware propagation leverages the notorious “HoeflerText font wasn’t found” scam.

KWAAK RANSOMWARE, A HIDDEN TEAR SPINOFF
Yet another incarnation of the academic Hidden Tear ransomware, dubbed Kwaak, uses the .kwaaklocked suffix to label hostage data entries.

JIGSAW LINEAGE PRODUCES ONE MORE SPINOFF
Another variant of the Jigsaw ransomware appears that appends .contact-me-here-for-the-key-admin@adsoleware.com to locked files.

NEW CRYPTCONSOLE VERSION DECRYPTABLE FOR FREE
Having found the original decryptor for CryptConsole’s qar48@tutanota.com edition, Michael Gillespie adds support for it to his decrypt tool.

DHARMA RANSOMWARE SHOOTING ‘ARROWS’
A version of the Dharma ransomware is discovered in the wild that concatenates the .id-[victim ID].arrow extension to encrypted files.

SAMPLE USING GNUPG FREE ENCRYPTION TOOL
Security experts stumble upon a ransomware strain that leverages the GnuPG, aka GPG, solution to encrypt. Uses the .[number].qwerty extension.

PRINCESS LOCKER RESURFACES
A new mod of the Princess Locker culprit is spotted after a long hiatus of this family. It drops a “=_HOW_TO_FIX_RQZLIN.txt” recovery how-to.

MAGNIBER ON THE RISE IN SOUTH KOREA
According to analysts’ observations, there is an ongoing powerful wave of Magniber ransomware attacks zeroing in on South Korean users.

According to analysts’ observations, there is an ongoing powerful wave of Magniber ransomware attacks zeroing in on South Korean users. GLOBEIMPOSTER STRAIN KEEPS MUTATING The latest build of the GlobeImposter ransomware uses the .encrypt extension for hostage files and instructions.html rescue note.

The latest build of the GlobeImposter ransomware uses the .encrypt extension for hostage files and instructions.html rescue note. JIGSAW STARTS USING AN OFFBEAT EXTORTION TACTIC New variant of the Jigsaw blackmail virus appends .Bitconnect to files and instructs victims to post photos of themselves on Instagram.

New variant of the Jigsaw blackmail virus appends .Bitconnect to files and instructs victims to post photos of themselves on Instagram. ROTORCRYPT GETS A BIT OF FINE-TUNING Fresh version of RotorCrypt ransomware appends the “! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2” extension to files.

Fresh version of RotorCrypt ransomware appends the “! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2” extension to files. GANDCRAB RANSOMWARE UPDATED GandCrab v2 is out. It switches to using the .CRAB extension for encrypted data items and a ransom note named CRAB-DECRYPT.txt.

GandCrab v2 is out. It switches to using the .CRAB extension for encrypted data items and a ransom note named CRAB-DECRYPT.txt. PLUS ONE MOD FOR THE CRYAKL FAMILY Cryakl, a ransomware old stager, is updated to version 1.5.1.0 and starts using email-dorispackman@tuta.io contact address.

Cryakl, a ransomware old stager, is updated to version 1.5.1.0 and starts using email-dorispackman@tuta.io contact address. JIGSAW EDITION TARGETING SPANISH-SPEAKING USERS Yet another version of the Jigsaw culprit concatenates the .jes extension to files and features Cthulhu image on its warning screen.

Yet another version of the Jigsaw culprit concatenates the .jes extension to files and features Cthulhu image on its warning screen. GLOBEIMPOSTER AND GANDCRAB CAMPAIGNS DISSECTED Security analysts provide in-depth information on the latest spam campaigns spreading the GlobeImposter and GandCrab strains.

Security analysts provide in-depth information on the latest spam campaigns spreading the GlobeImposter and GandCrab strains. SILENTSPRING SAMPLE SPOTTED This is a new one that doesn’t appear to represent any known family. Affixes the .Sil3nt5pring extension to ransomed files.

This is a new one that doesn’t appear to represent any known family. Affixes the .Sil3nt5pring extension to ransomed files. CRYPTO CRACKING MASTERCLASS FROM EXPERTS Researchers at Malwarebytes post a write-up regarding weak links in ransomware crypto that allow for data decryption beyond ransom.

Researchers at Malwarebytes post a write-up regarding weak links in ransomware crypto that allow for data decryption beyond ransom. RESEARCH PROVES PAYING RANSOMS IS A SLIPPERY SLOPE International survey by CyberEdge Group shows that less than 50% of ransomware victims who paid up were able to decrypt their files.

International survey by CyberEdge Group shows that less than 50% of ransomware victims who paid up were able to decrypt their files. FRESH DETAILS RELEASED ON QWERTY RANSOMWARE The pest in question overwrites original files with encrypted copies and drops a ransom notification named README_DECRYPT.txt.

The pest in question overwrites original files with encrypted copies and drops a ransom notification named README_DECRYPT.txt. FRS RANSOMWARE ON THE TABLE This brand-new strain blemishes encrypted files with the .FRS suffix and drops a combo of READ_ME_HELP.txt/png ransom notes.

This brand-new strain blemishes encrypted files with the .FRS suffix and drops a combo of READ_ME_HELP.txt/png ransom notes. CROOKS MAKE ANOTHER HIGH-PROFILE VICTIM The computer network of Connecticut state judicial branch gets hit by ransomware infection that impacts protective order registry service.

The computer network of Connecticut state judicial branch gets hit by ransomware infection that impacts protective order registry service. ULTIMO, A HIDDEN TEAR SPINOFF, GETS A MINOR UPDATE Originally spotted in September 2017, Ultimo ransomware speckles files with the .locked string and uses READ_IT.txt decryption how-to.

Originally spotted in September 2017, Ultimo ransomware speckles files with the .locked string and uses READ_IT.txt decryption how-to. THE ODDITY OF CRYPT888 RANSOMWARE G DATA analysts provide an insight into imperfections of the Crypt888 strain and the fact it demands YouTube subscriptions, not money.

G DATA analysts provide an insight into imperfections of the Crypt888 strain and the fact it demands YouTube subscriptions, not money. MOST SPAM IN 2017 CAME FROM TWO BOTNETS According to McAfee researchers’ findings, two botnets – Necurs and Gamut – produced 97% of all web spam volume last year.

According to McAfee researchers’ findings, two botnets – Necurs and Gamut – produced 97% of all web spam volume last year. SIGMA RANSOMWARE DISTRIBUTION FINE-TUNED A new wave of malspam delivering the Sigma ransom Trojan revolves around booby-trapped emails disguised as messages from Craigslist.

A new wave of malspam delivering the Sigma ransom Trojan revolves around booby-trapped emails disguised as messages from Craigslist. PARADISE RANSOMWARE UPDATED The latest variant uses the .[id-…].[support@all-ransomware.info].sell extension and #DECRYPT MY FILES# {random}.html ransom note.

The latest variant uses the .[id-…].[support@all-ransomware.info].sell extension and #DECRYPT MY FILES# {random}.html ransom note. VBRANSOM SAMPLE IN DEVELOPMENT Fresh strain called VBRansom replaces desktop wallpaper with a warning message and drops Important.txt how-to. No crypto so far.

Fresh strain called VBRansom replaces desktop wallpaper with a warning message and drops Important.txt how-to. No crypto so far. L0CKED RANSOMWARE GETS A REFRESH Made by crooks calling themselves #TEAM-UINA, this edition replaces filenames with random strings and uses the .L0cked extension.

Made by crooks calling themselves #TEAM-UINA, this edition replaces filenames with random strings and uses the .L0cked extension. JIGSAW CONTINUES TO UNDERGO TWEAKS Jigsaw ransomware family gets a new one targeting Korean users. The file extension is .email-[powerhacker03@hotmail.com].koreaGame.

Jigsaw ransomware family gets a new one targeting Korean users. The file extension is .email-[powerhacker03@hotmail.com].koreaGame. HERMES CULPRIT USES A NEW SPREADING TACTIC Another spin of the Hermes ransomware distribution campaign that broke out in South Korea involves a zero-day Flash exploit.

Another spin of the Hermes ransomware distribution campaign that broke out in South Korea involves a zero-day Flash exploit. ASIA WAS MOST TARGETED BY RANSOMWARE IN 2017 As per a report by Microsoft, end users and companies in Asian countries suffered the bulk of all ransomware attacks recorded last year.

As per a report by Microsoft, end users and companies in Asian countries suffered the bulk of all ransomware attacks recorded last year. MORE ANTI-RUSSIAN SANCTIONS BY THE U.S. Additional sanctions take effect over U.S. power grid attacks, NotPetya campaign, and 2016 presidential election interference attempts.

Additional sanctions take effect over U.S. power grid attacks, NotPetya campaign, and 2016 presidential election interference attempts. ZENIS RANSOMWARE WAVE TAKES ROOT The new Zenis strain uses AES cipher to encrypt victims’ data, prepends ‘Zenis’ to scrambled filenames and erases data backups.

The new Zenis strain uses AES cipher to encrypt victims’ data, prepends ‘Zenis’ to scrambled filenames and erases data backups. U.S. ENTITY RE-INFECTED WITH SAMSAM RANSOMWARE Having been hit by SamSam/Samas strain in February, the Colorado Department of Transportation falls victim to the same pest again.

Having been hit by SamSam/Samas strain in February, the Colorado Department of Transportation falls victim to the same pest again. INFAMOUS RANSOMWARE MAKER APPREHENDED Polish police arrest an individual nicknamed Tomasz ‘Armagedon’ T., the developer of Vortex, Flotera and Polski ransomware lineages.

Polish police arrest an individual nicknamed Tomasz ‘Armagedon’ T., the developer of Vortex, Flotera and Polski ransomware lineages. TOMASZ T. HACKER BACKGROUND REVEALED Virus Bulletin publishes an article dissecting the story of the above-mentioned ransomware dev, who might not be too tech-savvy in fact.

Virus Bulletin publishes an article dissecting the story of the above-mentioned ransomware dev, who might not be too tech-savvy in fact. STINGER RANSOMWARE SPOTTED IN THE WILD This one concatenates the .Stinger suffix to filenames and drops a ransom note named ‘About .Stinger unlocking instructions.txt.

This one concatenates the .Stinger suffix to filenames and drops a ransom note named ‘About .Stinger unlocking instructions.txt. U.S. HEALTHCARE AGENCY HIT BY RANSOMWARE Finger Lakes Health, a New York based healthcare agency, falls victim to an unidentified ransomware infection. The FBI is investigating.

Finger Lakes Health, a New York based healthcare agency, falls victim to an unidentified ransomware infection. The FBI is investigating. R2D2 METHOD COMBATTING DATA-WIPING MALWARE R2D2 (Reactive Redundancy for Data Destruction) is a technique devised by Purdue University researchers to protect against data wipers.

R2D2 (Reactive Redundancy for Data Destruction) is a technique devised by Purdue University researchers to protect against data wipers. RANSOMWARE INFECTS IT NETWORK OF A U.S. CITY The computer infrastructure of the City of Atlanta, Georgia, suffers a cyber attack, the infection being the SamSam/Samas ransomware.

The computer infrastructure of the City of Atlanta, Georgia, suffers a cyber attack, the infection being the SamSam/Samas ransomware. NOTORIOUS BANKING TROJAN GETS A RANSOMWARE TRAIT The latest mod of the TrickBot banking malware now goes with a screen locking module, so victims who don’t use e-banking are still at risk.

The latest mod of the TrickBot banking malware now goes with a screen locking module, so victims who don’t use e-banking are still at risk. YET ANOTHER BUILD OF THE L0CKED RANSOMWARE The L0cked blackmail virus gets updated once again. The new edition subjoins the %s%s%s.lckd extension to encrypted files.

The L0cked blackmail virus gets updated once again. The new edition subjoins the %s%s%s.lckd extension to encrypted files. NEW AVCRYPT USES BIZARRE TACTICS Brand-new sample called AVCrypt uninstalls AV software found on a computer and doesn’t provide any contact details. May be a data wiper.

Brand-new sample called AVCrypt uninstalls AV software found on a computer and doesn’t provide any contact details. May be a data wiper. RAPID RANSOMWARE V2.0 IS OUT Rapid 2.0 affixes a random extension to files, drops DECRYPT.[random].txt ransom note and does no harm to Russian-speaking victims.

Rapid 2.0 affixes a random extension to files, drops DECRYPT.[random].txt ransom note and does no harm to Russian-speaking victims. DISKWRITER ISN’T CLASSIC RANSOMWARE New wiper-like strain called DiskWriter, aka UselessDisk, messes up MBR and demands $300 worth of BTC. No working recovery, though.

New wiper-like strain called DiskWriter, aka UselessDisk, messes up MBR and demands $300 worth of BTC. No working recovery, though. PARADISE RANSOMWARE GETS A DOUBLE TWEAK One of the oldies called the Paradise ransomware has been updated with new variants using the .ransom and .logger file extensions.

One of the oldies called the Paradise ransomware has been updated with new variants using the .ransom and .logger file extensions. EGGLOCKER SAMPLE SPOTTED Malware analysts come across a fresh in-dev culprit called EggLocker that’s configured to append the .EGG string to encrypted files.

Malware analysts come across a fresh in-dev culprit called EggLocker that’s configured to append the .EGG string to encrypted files. WHITEROSE RANSOMWARE IN THE WILD New WhiteRose sample replaces filenames with [random]_ENCRYPTED_BY.WHITEROSE string and uses HOW-TO-RECOVERY-FILES.txt note.

New WhiteRose sample replaces filenames with [random]_ENCRYPTED_BY.WHITEROSE string and uses HOW-TO-RECOVERY-FILES.txt note. THE SARCASTIC SORRY RANSOMWARE A Hidden Tear PoC spinoff called Sorry Ransomware uses the .sorry extension and ‘How Recovery Files.txt’/hrf.txt rescue notes.

A Hidden Tear PoC spinoff called Sorry Ransomware uses the .sorry extension and ‘How Recovery Files.txt’/hrf.txt rescue notes. JFRANSOMWARE IS NO BIG DEAL Blackmail virus called JFRansomware claims to encrypt data but actually just locks the screen. Victims can simply enter ‘Saus2018’ to unlock.

Blackmail virus called JFRansomware claims to encrypt data but actually just locks the screen. Victims can simply enter ‘Saus2018’ to unlock. HAXERBOI BADDIE IS A MALICIOUS COMBO Researchers spot an entity called Haxerboi that turns out to be a malware construction tool as well as a crypto ransomware infection.

Researchers spot an entity called Haxerboi that turns out to be a malware construction tool as well as a crypto ransomware infection. FINE-TUNING OF THE L0CKED RANSOMWARE Another iteration of the L0cked ransomware appears that concatenates the .lckd extension to encoded files. Not yet in active distribution.

Another iteration of the L0cked ransomware appears that concatenates the .lckd extension to encoded files. Not yet in active distribution. BANSOMQARE MANNA STRAIN The sample going by a weird name of BansomQare Manna mimics WannaCry and subjoins the .bitcoin extension to hostage files.

The sample going by a weird name of BansomQare Manna mimics WannaCry and subjoins the .bitcoin extension to hostage files. BOEING CONFRONTED WITH WANNACRY ATTACK Boeing was reportedly hit by the WannaCry ransomware. Executives state the attack surface is minor and remediations were applied.

Boeing was reportedly hit by the WannaCry ransomware. Executives state the attack surface is minor and remediations were applied. FIRST CRYPTOMIX UPDATE IN A LONG TIME The CryptoMix ransomware undergoes an update after a two-month hiatus. New build appends the .MOLE66 string to locked data items.

The CryptoMix ransomware undergoes an update after a two-month hiatus. New build appends the .MOLE66 string to locked data items. RANSOMWARETEST, NOT AN ISSUE SO FAR According to analysts who spotted RansomwareTest sample, its development is in progress. Configured to append the .crypt string to files.

According to analysts who spotted RansomwareTest sample, its development is in progress. Configured to append the .crypt string to files. THE OFFBEAT H34RTBL33D RANSOMWARE New one called H34rtBl33d propagates via Limewire peer-to-peer file sharing client and leverages Balloon Tips to interact with victims.

New one called H34rtBl33d propagates via Limewire peer-to-peer file sharing client and leverages Balloon Tips to interact with victims. COMEBACK OF THE SATAN RANSOMWARE Although this strain was considered extinct, it re-emerged with a multilingual version blemishing encoded files with the .satan extension.

NEW RANSOMWARE LAW TAKES EFFECT IN MICHIGAN Two bills passed and signed in Michigan make ransomware possession and distribution a prosecutable felony leading to 3-year sentence.

Two bills passed and signed in Michigan make ransomware possession and distribution a prosecutable felony leading to 3-year sentence. SOME MAGNIBER VARIANTS ARE NOW DECRYPTABLE Analysts at AhnLab security firm have released decrypt tools supporting several widespread builds of the Magniber ransomware.

Analysts at AhnLab security firm have released decrypt tools supporting several widespread builds of the Magniber ransomware. VURTEN RANSOMWARE EMERGES New strain called Vurten zeroes in on enterprise computer networks, uses the .improved file extension and UNCRYPT.README.txt note.

New strain called Vurten zeroes in on enterprise computer networks, uses the .improved file extension and UNCRYPT.README.txt note. CRYPREN SAMPLE SPOTTED IN THE WILD Another fresh culprit called Crypren ransomware appends .ENCRYPTED to filenames and drops READ_THIS_TO_DECRYPT.html how-to.

Another fresh culprit called Crypren ransomware appends .ENCRYPTED to filenames and drops READ_THIS_TO_DECRYPT.html how-to. OXAR LINEAGE UPDATED The Oxar ransomware oldie gets an update introducing the .F*CK file extension and ‘1 What happens with my files.txt’ ransom note.

The Oxar ransomware oldie gets an update introducing the .F*CK file extension and ‘1 What happens with my files.txt’ ransom note. BANSOMQARE MANNA DECRYPTED Security researchers were able to defeat the encryption of BansomQare Manna ransomware strain and released an ad hoc recovery tool.

Security researchers were able to defeat the encryption of BansomQare Manna ransomware strain and released an ad hoc recovery tool. DOUBLE TWEAK OF THE MATRIX RANSOMWARE One more old-stager on the ransomware arena called Matrix spews out two new spinoffs using ‘What happened with your files’ ransom note.

One more old-stager on the ransomware arena called Matrix spews out two new spinoffs using ‘What happened with your files’ ransom note. TURKHACKTEAM RANSOMWARE BUILDER Malware watchers come across ‘TurkHackTeam Ransomware Builder’ tool that’s claimed to automate ransomware creation process.

Malware watchers come across ‘TurkHackTeam Ransomware Builder’ tool that’s claimed to automate ransomware creation process. WHITEROSE STRAIN TURNS OUT DECRYPTABLE MalwareHunterTeam experts have succeeded in finding a workaround for the crypto applied by the relatively new WhiteRose ransomware.

MalwareHunterTeam experts have succeeded in finding a workaround for the crypto applied by the relatively new WhiteRose ransomware. HAXERBOI RANSOMWARE BUILDER IS NO LONGER AN ISSUE The details being unclear, the so-called Haxerboi ransomware builder utility isn’t accessible to the cybercrime underground anymore.

The details being unclear, the so-called Haxerboi ransomware builder utility isn’t accessible to the cybercrime underground anymore. A FLAW FOUND IN CRYPTO OF THE LOCKCRYPT BADDIE Malwarebytes employees have discovered an imperfection in the encryption routine utilized by LockCrypt, so data recovery may be possible.

Malwarebytes employees have discovered an imperfection in the encryption routine utilized by LockCrypt, so data recovery may be possible. OFFICE 365 SUITE NOW RANSOMWARE-RESISTANT Microsoft has introduced new features to their Office 365 package that allow users to restore encrypted files to their previous state.

Microsoft has introduced new features to their Office 365 package that allow users to restore encrypted files to their previous state. UNSETTLING AFTERMATH OF A RANSOMWARE INCIDENT The Colorado Department of Transportation reportedly spent $1.5 million to partially recover its systems from SamSam ransomware attack.

The Colorado Department of Transportation reportedly spent $1.5 million to partially recover its systems from SamSam ransomware attack. JIGSAW PEST UPDATED ONCE AGAIN According to MalwareHunterTeam, the latest discovered variant of the Jigsaw ransomware blemishes hostage files with the .LolSec string.

According to MalwareHunterTeam, the latest discovered variant of the Jigsaw ransomware blemishes hostage files with the .LolSec string. SKYFILE RANSOMWARE DISCOVERED Brand-new SkyFile ransomware is spotted that concatenates the .sky extension to files and uses ‘HOW TO DECRYPT.txt’ ransom note.

Brand-new SkyFile ransomware is spotted that concatenates the .sky extension to files and uses ‘HOW TO DECRYPT.txt’ ransom note. MATRIX RANSOMWARE OFFSHOOTS USING RDP Two more spinoffs of the Matrix ransomware are spotted. Both are deposited on target hosts via hacked remote desktop services.

Two more spinoffs of the Matrix ransomware are spotted. Both are deposited on target hosts via hacked remote desktop services. HORROS RANSOMWARE POPS UP The new Horros ransomware turns out to be a derivative of the Hidden Tear PoC code. Concatenates the .horros extension to encrypted files.

The new Horros ransomware turns out to be a derivative of the Hidden Tear PoC code. Concatenates the .horros extension to encrypted files. DCRTR STRAIN GETS AN UPDATE Crooks release a new ‘kinaman@protonmail.ch’ variant of the Dcrtr ransomware that was discovered in early February 2018. No crypto so far.

Crooks release a new ‘kinaman@protonmail.ch’ variant of the Dcrtr ransomware that was discovered in early February 2018. No crypto so far. PUBG RANSOMWARE BY A GAMING FAN New sample called the PUBG Ransomware is offbeat as it decrypts hostage data if the victim plays the PlayerUnknown’s Battlegrounds game.

New sample called the PUBG Ransomware is offbeat as it decrypts hostage data if the victim plays the PlayerUnknown’s Battlegrounds game. BREAKTHROUGH IN FIGHTING WANNACRY Researchers from Kryptos Logic firm present a tool called Telltale that provides organizations with access to WannaCry sinkhole information.

Researchers from Kryptos Logic firm present a tool called Telltale that provides organizations with access to WannaCry sinkhole information. MOST RANSOMWARE VICTIMS WHO PAID WOULD PAY AGAIN According to Telstra Enterprise, 80% of ransomware victims who paid the ransom for data decryption would cough it up again if infected.

According to Telstra Enterprise, 80% of ransomware victims who paid the ransom for data decryption would cough it up again if infected. CRYPTOWIRE STRAIN STILL ACTIVE A fresh edition of the CryptoWire ransomware is spotted that inserts the ‘.encrypted’ string in between the filename and original extension.

A fresh edition of the CryptoWire ransomware is spotted that inserts the ‘.encrypted’ string in between the filename and original extension. COMMENTARY ON A U.S. COUNTY’S 911 CENTER ATTACK Independence County (Arkansas) judge issues an official statement regarding a purported ransomware attack against local 911 center.

Independence County (Arkansas) judge issues an official statement regarding a purported ransomware attack against local 911 center. ERROR DISRUPTS NEW GANDCRAB CAMPAIGN A script compile flaw has reportedly rendered a new GandCrab ransomware malspam campaign inefficient, causing contamination to halt.

A script compile flaw has reportedly rendered a new GandCrab ransomware malspam campaign inefficient, causing contamination to halt. MAGNIBER DECRYPTOR FINE-TUNED AhnLab, South Korean security software provider, releases an updated Magniber ransomware decryption tool that now goes with a GUI.

AhnLab, South Korean security software provider, releases an updated Magniber ransomware decryption tool that now goes with a GUI. MICROSOFT’S NEW ANTI-RANSOMWARE INITIATIVE Microsoft is reportedly planning to add a new Ransomware Protection feature as part of the upcoming Windows 10 Spring Creators update.

Microsoft is reportedly planning to add a new Ransomware Protection feature as part of the upcoming Windows 10 Spring Creators update. MICROSOFT STAFFER IN CAHOOTS WITH REVETON CREW Network engineer at Microsoft is being charged for assisting the Reveton ransomware distributors to launder their ill-gotten money.

Network engineer at Microsoft is being charged for assisting the Reveton ransomware distributors to launder their ill-gotten money. IRON RANSOMWARE IS SUCH A COPYCAT New Iron ransomware is discovered that mimics the Maktub, DMA Locker, and Satan strains in several ways. Appends the .encry extension.

New Iron ransomware is discovered that mimics the Maktub, DMA Locker, and Satan strains in several ways. Appends the .encry extension. TRON RANSOMWARE SPOTTED This one affixes the .tron file extension, doesn’t drop any ransom notes, and doesn’t do damage to computers with Russian locale.

This one affixes the .tron file extension, doesn’t drop any ransom notes, and doesn’t do damage to computers with Russian locale. SPARTACUS STRAIN SURFACES The brand new Spartacus ransomware blemishes encrypted files with the .[MastersRecovery@protonmail.com].Spartacus extension.

The brand new Spartacus ransomware blemishes encrypted files with the .[MastersRecovery@protonmail.com].Spartacus extension. NM4 RANSOMWARE UPDATED NM4, a spinoff of the NMoreira infection, spews out a fresh variant that uses the .NMCRYPT extension and ‘Recovers your files.html’ note.

NM4, a spinoff of the NMoreira infection, spews out a fresh variant that uses the .NMCRYPT extension and ‘Recovers your files.html’ note. GREETING FROM GANDCRAB TO A SECURITY ANALYST Researcher Marcelo Rivero, who has focused on GandCrab lately, spotted a variant that displays “Hello, Marcelo :)” popup message.

Researcher Marcelo Rivero, who has focused on GandCrab lately, spotted a variant that displays “Hello, Marcelo :)” popup message. VORTEX DECRYPTOR NOW AVAILABLE TO VICTIMS CERT Polska, the Polish security think tank, releases a free decryption tool for the Vortex/Polski ransomware, following arrest of the author.

CERT Polska, the Polish security think tank, releases a free decryption tool for the Vortex/Polski ransomware, following arrest of the author. XIAOBA GOES THROUGH A BUGGY TRANSFORMATION The XiaoBa ransomware crew have remade their code for cryptojacking purposes, but it damages victims’ executables due to critical bugs.

The XiaoBa ransomware crew have remade their code for cryptojacking purposes, but it damages victims’ executables due to critical bugs. NHS HASN’T DONE ENOUGH TO TACKLE RANSOMWARE Having fallen victim to WannaCry ransomware almost a year ago, the UK’s NHS has barely improved the security of its services, experts say.

Having fallen victim to WannaCry ransomware almost a year ago, the UK’s NHS has barely improved the security of its services, experts say. MAGNITUDE EK REPURPOSED FOR GANDCRAB’S GOALS The Magnitude exploit kit, which has propped Magniber campaign exclusively, is now reportedly also pushing the GandCrab ransomware.

The Magnitude exploit kit, which has propped Magniber campaign exclusively, is now reportedly also pushing the GandCrab ransomware. GLOBEIMPOSTER ARE ON THE ‘PLUS’ WAVE The latest variants of the GlobeImposter ransomware have been appending new extensions followed by the ‘+’ sign (e.g. .ALCO2+, .LIN+).

The latest variants of the GlobeImposter ransomware have been appending new extensions followed by the ‘+’ sign (e.g. .ALCO2+, .LIN+). JIGSAW FAMILY GROWS FURTHER Another Jigsaw ransomware mod called Apophis goes live. Looks primitive and still demands $500 worth of Bitcoin for data decryption.

Another Jigsaw ransomware mod called Apophis goes live. Looks primitive and still demands $500 worth of Bitcoin for data decryption. TWO GAME-THEMED RANSOMWARE STRAINS RELEASED Analysts on the MalwareHunterTeam discover strains themed after Minecraft and CS:GO. The two don’t encrypt or do other damage so far.

Analysts on the MalwareHunterTeam discover strains themed after Minecraft and CS:GO. The two don’t encrypt or do other damage so far. NEW PYTHON-BASED BLACKMAIL INFECTION APPEARS A sample called “Meine_ransomware_PGP_DANGEROUS” is discovered that might be a PoC. Uses the .enc extension for encrypted files.

A sample called “Meine_ransomware_PGP_DANGEROUS” is discovered that might be a PoC. Uses the .enc extension for encrypted files. SATYR RANSOMWARE ON THE TABLE The new Satyr ransomware leverages a fusion of AES and RSA-2048 ciphers to lock data and stains encoded files with the .Satyr extension.

The new Satyr ransomware leverages a fusion of AES and RSA-2048 ciphers to lock data and stains encoded files with the .Satyr extension. RANSSIRIA PEST USES DESPICABLE TACTICS The RansSIRIA ransomware zeroes in on Brazilian users and tells victims that the ransoms they pay will be donated to Syrian refugees.

The RansSIRIA ransomware zeroes in on Brazilian users and tells victims that the ransoms they pay will be donated to Syrian refugees. GANDCRAB MIGHT BE USING PROMO CODES Security researchers notice that the GandCrab ransomware payment portal now includes a field for victims to enter promotion codes.

Security researchers notice that the GandCrab ransomware payment portal now includes a field for victims to enter promotion codes.

KRAKATOWIS RANSOMWARE POPS UP A new screen locker called Krakatowis is spotted in the wild. Analysts figured out the unlock code: 1eb472049398e443d014d27c438ebff1.

BLACKHEART RANSOMWARE ON THE TABLE This Star Wars-themed ransomware uses the .BlackRouter or .pay2me extension for hostage files and drops a ReadME-BLackHeart.txt note.

KRAKEN RANSOMWARE TRIES TO ‘CATCHEM’ The sample called Kraken runs as a catchem.exe binary and leverages Discord’s servers for C&C purposes and to report infections.

SATAN STRAIN TURNS OUT TO USE ETERNALBLUE EXPLOIT The notorious Satan ransomware adds the NSA exploit dubbed EternalBlue to its repertoire, thus propagating in a highly surreptitious fashion.

GOV WEBSITE ATTACKED BY BLACKMAIL VIRUS The official website of the Prince Edward Island government reportedly fell victim to the VevoLocker ransomware, which held it for ransom.

GANDCRAB V2.1 GOES LIVE GandCrab, one of the most widespread samples at present, gets updated to version 2.1, which utilizes code injection into svchost.exe.

PUBG LINEAGE GROWS The game-themed PUBG ransomware spawns the ‘Special 999Hours’ / ‘TALK SHOP Edition’ variant. Demands 999 hours of playing to decrypt.

WEIRD NEW VERSION OF THE XORIST RANSOMWARE The Xorist ransomware family spews out a variant appending files with an incredibly long extension that contains almost the entire ransom demand.

OBLIVION RANSOMWARE DISCOVERED This new strain jumbles up filenames and adds the .OBLIVION string to each one. Drops an OBLIVION DECRYPTION INFORMATION.txt note.

UKRAINIAN GOV SITE HIT BY RANSOMWARE The website of Ukraine’s energy ministry gets knocked offline by the VevoLocker ransomware. The crooks demand a 0.1 BTC ($937) ransom.

EXTORTIONISTS ZERO IN ON HPE ILO 4 SERVERS Unidentified ransomware targets HPE iLO 4 remote management interfaces that are accessible online. Uses the RSA-2048 cryptosystem.

LOCKCRYPT UPDATED, DECRYPTOR AVAILABLE The latest edition of the LockCrypt pest concatenates the .mich extension to encrypted files. Researcher Michael Gillespie cracks this one.

OFFBEAT C# RANSOMWARE Security analysts spot C#-based blackmail malware that stands out from the rest as it compiles itself at runtime and runs directly in memory.

CRYPTCONSOLE STRAIN GETS A MINOR TWEAK A new iteration of the CryptConsole ransomware switches to using the xzet@tutanota.com contact email. Can still be decrypted for free.

KCW RANSOMWARE GOING AFTER WEBSITES An India-based hacking crew calling itself ‘Team Kerala Cyber Warriors’ starts infecting Pakistani websites with the KCW crypto ransomware.

RANDOMLOCKER STARTS MAKING THE ROUNDS The brand-new RandomLocker ransomware blemishes encrypted files with the .rand extension and is most likely distributed manually.

UK’S NHS STARTS USING WINDOWS 10 AS A SAFER OS UK National Health Service officials decided to switch to Windows 10 for their computers in light of the WannaCry incident.

KRAKEN 2.0 WASN’T INTENDED FOR OFFENSIVE USE Researchers state the Kraken 2.0 ransomware was originally created as a PoC, but the code ended up stolen and weaponized by crooks.

A DECENT WRITE-UP ON BTCWARE RELEASED Sophos analysts publish an in-depth analysis of the BTCWare ransomware strain that was active throughout 2017 and spawned 17 variants.

BLACKHEART RANSOMWARE’S CROSS-PROMOTION TACTIC It turns out that a variant of the relatively new Blackheart ransomware is distributed along with a legitimate remote desktop tool called AnyDesk.

USELESSFILES BLACKMAIL VIRUS SPOTTED A new ransomware strain called UselessFiles starts making the rounds. It uses the .UselessFiles extension and demands $300 worth of BTC.

XIAOBA STRAIN UPDATED Malware watchers bump into a fresh edition of the XiaoBa ransomware that switches to using the .[BaYuCheng@yeah.net] file extension.

GANDCRAB REACHES VERSION 3 GandCrab v3 is released, featuring a number of conspicuous alterations. It now replaces the desktop background with a warning screen.

JIGSAW UNDERGOES YET ANOTHER UPDATE Jigsaw ransomware, one of the oldies in the extortion landscape, spawns a new edition that appends the .hac suffix to ransomed items.

UNUSUAL DEMANDS BY THE NEW BKRANSOMWARE Analysts discover a Vietnamese ransom Trojan called BKRansomware, which runs via a command line and asks for a mobile phone credit refill as payment.

MMM RANSOMWARE UPDATED The latest spinoff of the TripleM (MMM) ransomware uses the .MMM file extension and a GET_YOUR_FILES_BACK.html ransom how-to.

SCARAB RANSOMWARE PRODUCES A NEW MOD According to scarce reports from infected users, the Scarab ransomware has been updated to a variant using the .horsia@airmail.cc extension.

SYNACK STRAIN BECOMES MORE EVASIVE A fresh variant of the SynAck ransomware appears to be leveraging the so-called ‘Process Doppelgänging’ fileless code injection technique.

MATRIX FAMILY GROWING Another iteration of the Matrix ransomware introduces the #What_Wrong_With_Files#.rtf note and new contact emails for reaching the crooks.

THE COMEBACK OF PSCRYPT RANSOMWARE PSCrypt ransomware, which targeted Ukrainian users and companies in 2017, reemerges with a version using the .docs file extension.

RANSOMWARE INCIDENTS COUNT DECREASED IN 2017 According to the annual FBI Internet Crime Report, the number of officially reported ransomware attacks in the U.S. went down last year.

RANSOMAES SAMPLE SURFACES The brand-new culprit called RansomAES concatenates the apropos .RansomAES extension to files and drops a READ ME.txt ransom note.

GANDCRAB V3.0.1 APPEARS GandCrab operators release version 3.0.1, which drops the wallpaper replacement and autorun features introduced in the previous build.

ANOTHER HASTY UPDATE OF THE MATRIX PEST Three days after the previous Matrix variant went live, a new one pops up that switches to the .[RestoreFiles@qq.com].MTXLOCK file extension.

FACEBOOK RANSOMWARE DISCOVERED This baddie subjoins the .facebook extension to encrypted files and features a picture of Mark Zuckerberg on its warning screen.

POLICE DEPT IN THE U.S. REPEATEDLY HIT BY RANSOMWARE The Riverside Fire and Police Department falls victim to ransomware for the second time in a month, with only 8 hours of work lost this time.

CRYPTON RANSOMWARE UPDATED The latest iteration of CryptON aka Nemesis uses the .[victim_ID].ransomed@india.com extension and a HOWTODECRYPTFILES.html note.

FRESH RSAUTIL MOD RELEASED A new version of the RSAUtil ransomware is spotted that uses new contact emails, including tizer78224@gmx.de / india.com / protonmail.com.

STALINLOCKER IS NOT A JOKE The sample called StalinLocker plays the USSR anthem and tries to wipe the hard drive unless a correct code is entered within 10 minutes.

RAPID RANSOMWARE V3 IS OUT The 3rd version of the Rapid ransomware appends a random 5-character extension to encrypted files. Demands 0.07 BTC for decryption.

RANSOMWARE ATTACKS AUSTRALIAN HEALTHCARE ORG Family Planning NSW (New South Wales) suffers a ransomware incursion that may expose sensitive records on more than 8,000 clients.

SEPSIS RANSOMWARE EMERGES The new sample called Sepsis ransomware affixes the .[Sepsis@protonmail.com].SEPSIS extension to files and drops an Info.hta ransom manual.

CRYSIS FAMILY PRODUCES ANOTHER SPINOFF The latest version of the CrySiS/Dharma ransomware concatenates the .bip string to hostage files and uses the Beamsell@qq.com contact email.

SCARAB RANSOMWARE TWEAK A brand-new variant of the Scarab strain called Walker uses the .JohnnieWalker extension and a HOW TO DECRYPT WALKER INFO.txt note.

HORSUKE EDITION OF SCARAB The Scarab lineage spawns one more culprit called Horsuke, which uses the .HORSE extension and the horsuke@nuke.africa contact email.

NEW JIGSAW SAMPLE RELEASED Analysts spot a variant of the Jigsaw ransomware that appends the .booknish string to files and uses some new wording in the ransom note.

SIGRUN RANSOMWARE IN THE WILD This one subjoins the .sigrun extension to scrambled files and leaves a combo of rescue notes named RESTORE-SIGRUN.txt/html.

MR. DEC RANSOMWARE The new Mr. Dec ransomware concatenates the [ID]”random”[ID] suffix to encrypted data items and drops a ‘Decoding help.hta’ ransom note.

UNLOCK92 STRAIN GETS A MAKEOVER The updated version of the Unlock92 ransomware switches to using the .cdrpt file extension and the unlckr@protonmail.com contact email.

CRYPTCONSOLE2 UPDATED A new build of the CryptConsole2 baddie is released. Uses the szems@tutanota.com mailbox and leaves a ransom note named README.hta.

FRESH ROTORCRYPT EDITION POPS UP The latest RotorCrypt version appends ransomed files with the !________INKOGNITO8000@TUTAMAIL.COM_________.SPG extension.

PGPSNIPPET RANSOMWARE DISCOVERED The new ransom Trojan called PGPSnippet appends the .decodeme666@tutanota_com file extension and drops a !!!README_DECRYPT!!!.txt note.

SMALL UPDATE OF AES-MATRIX PEST Researchers spot a fresh version of the AES-Matrix ransomware that leaves a how-to file named ‘ACCUDATA_pay and get your data back.txt’.

JOSEPCRYPT SAMPLE SPOTTED Another new ransomware called JosepCrypt appends the apropos .josep suffix to filenames and drops a RECOVERY.txt rescue note.

CRYPTON CHANGES SPREADING TACTIC The campaign delivering the ransomed@india.com variant of the CryptON ransomware relies on compromising remote desktop services.

RANSOMWARE TARGETING RUSSIAN-SPEAKING AUDIENCE A Russian blackmail malware sample is spotted that drops a ransom how-to named Dont_Worry.txt and appends .UPS-[random] to filenames.

YET ANOTHER UPDATE OF CRYPTCONSOLE2 One more edition of the CryptConsole2 family is released. It still drops the README.hta note and uses the szem@tutanota.com contact email address.

ID RANSOMWARE ENHANCED WITH NEW FEATURE The ID Ransomware service by MalwareHunterTeam now allows victims to get notifications when their sample becomes decryptable.

FLKR RANSOMWARE SPEWS OUT A SPINOFF The marginal FLKR ransomware undergoes an update. Uses the .__murzik@jabber.mipt.ru file extension and an INSTRUCTIONS.txt ransom note.

PLUS ONE VARIANT OF CRYPTCONSOLE The original CryptConsole culprit gets an overhaul featuring the desparo@tuta.io contact email. It can still be decrypted without paying the ransom.

JIGSAW OPERATORS BREAK NEW GROUND A new version of the Jigsaw ransomware is discovered that uses a C&C server, unlike all previous builds, which ran without such a feature.

DHARMA RANSOMWARE UPDATED A tweak made to the Dharma ransom Trojan after a fairly long hiatus introduces the .id-{victim ID}.[java2018@tuta.io].arrow file extension.

FRESH EDITION OF SCARAB POPS UP The latest iteration of the Scarab ransomware switches to the .osk file extension and a ‘HOW TO RECOVER ENCRYPTED FILES.txt’ ransom note.

CRYPTCONSOLE2 KEEPS GETTING TWEAKS Yet another spinoff of the CryptConsole2 ransomware uses a ‘HOW DECRIPT FILES.hta’ rescue note and the zeman@tutanota.de contact email.

ADDING C2 SERVERS BECOMES A TREND WITH CROOKS Shortly after the recent Jigsaw update, the Aurora (aka OneKeyLocker) ransomware follows suit by starting to use a C2 server.

CRYPTCONSOLE SPEWS OUT A NEW EDITION The CryptConsole ransomware (not to be confused with CryptConsole2) undergoes an update, with the helps@tutanota.com contact email now in use.

NEW CRYPTOMIX VERSION MAKING THE ROUNDS Ransomware watchers spot a new build of the CryptoMix blackmail infection that blemishes encrypted data with the .BACKUP extension.

SCARAB LINEAGE GROWS Another mod of the Scarab ransomware is discovered that uses the .REBUS file extension and a ‘REBUS RECOVERY INFORMATION.txt’ how-to.

INSTA RANSOMWARE HUNT MHT’s Michael Gillespie asks fellow researchers to help spot samples of a new ransomware that uses the .insta extension and a filesinfo.txt note.

TIES BETWEEN JIGSAW STRAIN AND ETHICAL HACKING Security analysts stumble upon a case where a sample of the prolific Jigsaw ransomware is leveraged in an ethical hacking course.

PAIN LOCKER RANSOMWARE ON THE TABLE MalwareHunterTeam discovers the Pain Locker ransomware, which uses the .[pain@cock.lu].pain extension and a !=How_recovery_files=!.txt note.

EVERBE RANSOMWARE UPDATED A new version of the Everbe ransomware drops a !=How_recovery_files=!.txt note and appends the .[embrace@airmail.cc].embrace extension.

THE CRUDE LITTLEFINGER BADDIE A sample called LittleFinger is spotted. It doesn’t affix any extension to filenames and demands 0.01 BTC. Probably an in-dev specimen.

CRYPTGH0ST BEGINS MAKING VICTIMS A fresh file-encrypting infection concatenates the .cryptgh0st string to files and leaves a rescue note named READ_TO_DECRYPT.html.

LOCKCRYPT 2.0 ITERATION FOUND Researchers discover a build of the LockCrypt 2.0 ransomware that uses the .id-{victim ID}.BI_D extension and a ‘How To Restore Files.txt’ note.

ONE MORE SCARAB MOD RELEASED The pest appends the .infovip@airmail.cc extension and drops a ‘HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT’ ransom note.

STOP RANSOMWARE GETS A TWEAK The latest version of the Stop ransomware subjoins the .CONTACTUS suffix to files and leaves a !!!!RESTORE_FILES!!!.txt how-to document.

BITPAYMER RANSOMWARE UPDATED A fresh modification of the BitPaymer pest is spotted that switches to a new ransom note and features a few other insignificant changes.

SIGRUN MAKER WANTS NO RANSOMS FROM RUSSIANS The architect of the Sigrun ransomware campaign allows Russian-speaking victims to get their data back without paying the ransom.

OPSVENEZUELA RANSOMWARE IN THE WILD The OpsVenezuela sample combines the code of the Hidden Tear PoC with that of the EDA2 academic ransomware. Uses a weak crypto key.

CRYBRAZIL RANSOMWARE New one. Targets Brazilian users, concatenating the .crybrazil extension to encoded data items. Based on the Hidden Tear and EDA2 PoCs.

AMBA STRAIN RELEASED The new Amba ransomware zeroes in on Russian-speaking users. Uses the .UPS-[random] file extension and a Dont_Worry.txt ransom note.

MAGNIBER ON THE LOOSE IN SOUTH KOREA Analysts report a fresh Magniber ransomware distribution wave localized in South Korea. The infection drops a README.txt how-to file.

PEDCONT RANSOMWARE FEATURING HARSH IMPACT The PedCont sample displays a ransom warning accusing the victim of accessing prohibited adult content. It crashes the screen shortly afterwards.

SCARAB FAMILY GIVES RISE TO NEW OFFSHOOT The latest variant of the Scarab ransomware appends the .DiskDoctor string to files and drops a HOW TO RECOVER ENCRYPTED FILES.txt note.

HITLER-THEMED XIAOBA RANSOMWARE TWEAK A new mod of the XiaoBa lineage subjoins the .AdolfHitler suffix to hostage files and leaves a note named ‘# # DECRYPT MY FILE # #.bmp’.

CRYPTCONSOLE UPDATED MalwareHunterTeam researchers discover a new CryptConsole version that uses the xser@tutanota.com contact email. Still decryptable.

ATLANTA PD’S EVIDENCE LOST OVER RANSOMWARE Years’ worth of dashcam videos from police cars in Atlanta have been lost in the ransomware incident that hit the city in March 2018.

REDEYE RANSOMWARE SPOTTED The fresh ransomware specimen in question uses the .RedEye extension for ransomed files. It can wipe data and affect a host’s MBR.

AURORA STRAIN UNDERGOES A CHANGE The most recent build of the Aurora blackmail malware switches to using the #RECOVERY-PC#.txt ransom note and a new BTC address.

SECOND UPDATE OF CRYPTCONSOLE IN A FEW DAYS Yet another variant of the CryptConsole ransomware is discovered that instructs victims to contact the attacker at redbul@tutanota.com.

CRYPTCONSOLE MUTATES AS IF ON STEROIDS No other ransomware strain is being fine-tuned as often as CryptConsole lately. One more iteration features the heineken@tuta.io contact email.

GLOBEIMPOSTER MAKES A COMEBACK Having remained mostly idle for quite some time, the GlobeImposter campaign resurfaces with a variant using the .emilysupp file extension.

PRINCESS RANSOMWARE RAAS BEING PROMOTED The authors of the once widespread Princess ransomware encourage other crooks to spread it on a Ransomware-as-a-Service basis.

PGPSNIPPET BADDIE UPDATED A brand-new edition of the PGPSnippet ransomware uses the .digiworldhack@tutanota.com extension and a !!!README_DECRYPT!!!.txt note.

NEW SPARTACUS RANSOMWARE MOD FOUND Security enthusiasts spot a variant of the Spartacus ransomware (probably a test one) that appends the .SF extension to hostage objects.

ANOTHER UPDATE OF THE MAGNIBER STRAIN A new Magniber edition starts making the rounds. Concatenates the .ndpyhss string to filenames and uses a number of new Tor addresses.

An ongoing list…