Wow, this has been a crazy week when it comes to ransomware. Since Monday, we have had 6 new ransomware infections, 1 new Ransomware as a Service, and 1 update to an existing ransomware. It has been a busy week and I have not been able to write about everything, so I thought I would put together a roundup of all the ransomware news for the week.

If I missed anything, please let me know and I will get it added to the article. A big thanks to all the people who have been hammering at ransomware on Twitter and elsewhere! This article is the combined effort of all of them.

CryptXXX 2.0 - May 9th 2016

Version 2.0 of CryptXXX was released, which defeated the free decryption tool that Kaspersky released last week. ProofPoint has a great article on this new version. When CryptXXX encrypts your files it will append the .crypt extension to them and create ransom notes named after your unique id. For example, 8261b44400A5.html.

Ransom note from CryptXXX V2

The Enigma Ransomware - May 9th 2016

A new ransomware called the Enigma Ransomware was discovered that targets Russian speaking victims. This is fairly uncommon because, if anything, ransomware typically avoids encrypting Russian victims. When encrypting files it will add the .enigma extension to the encrypted files and create the enigma_encr.txt ransom note. It also creates numerous files that contain the Enigma string. More information can be found here: The Enigma Ransomware targets Russian Speaking Users.

Enigma Ransom Note

The Shujin Ransomware - May 10th, 2016

This could be the first ransomware that specifically targets Chinese victims. The ransom notes, web pages, and decryption tools are all written in Chinese, and the decryption process could be one of the most complicated ones that I have ever seen. A great write-up on this infection can be found on the Nyxbone blog. The ransom note associated with this infection is 文件解密帮助.txt.

Shujin Ransom Note

Courtesy of http://www.nyxbone.com/malware/chineseRansom.html

GNL Locker - May 11th, 2016

GNL Locker, or German Netherlands Locker, has been around for a while now, but we were just able to get a sample to examine this week. When this ransomware is run it will check the computer's IP address and only encrypt the machine if it is located in the Netherlands or Germany. Files encrypted by GNL Locker will have the .locked extension added to them, and it will create the ransom notes UNLOCK_FILES_INSTRUCTIONS.txt and UNLOCK_FILES_INSTRUCTIONS.html. A support topic can be found here: GNL Locker Support and Help Topic - .locked and UNLOCK_FILES_INSTRUCTIONS.html.

GNL Locker Ransom Note

CryptoHitman - May 12th, 2016

The developers behind the Jigsaw Ransomware released a new version called CryptoHitman. This time they are using Agent 47 of the Hitman video game and movie franchise as their logo. The locker screen will also include many pornographic images on it, and it will add the .porno extension to encrypted files. A detailed write-up on this infection can be found here: Jigsaw Ransomware becomes CryptoHitman with Porno Extension.

CryptoHitman Ransom Screen

Crypren Ransomware - May 12th, 2016

The Crypren ransomware has also been around for a bit, but was heavily publicized this week. The Crypren ransomware will encrypt your data, append the .ENCRYPTED extension to encrypted files, and create ransom notes named READ_THIS_TO_DECRYPT.html. Thankfully, someone named pekeinfo has already created a working decryptor for this ransomware. A detailed write-up for this ransomware can be found on Nyxbone's blog.

Crypren Ransom Note
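The file extensions and ransom note names listed for the families above are the quickest thing a responder can turn into a triage check. The following is an added example, not code from the original post or from any of the write-ups it links to; the sample file listing is constructed, and the function and variable names are my own. CryptXXX 2.0 is matched by the shape of its per-victim note name (12 hex characters plus .html) rather than a fixed name, and a family is only reported as "likely" when both a note and several encrypted files are present, which keeps a single stray .locked file from raising an alarm on its own.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators taken from this week's roundup. Extensions such as .locked are
# shared with other families, so a hit here is a lead, not an identification.
FAMILY_EXTENSIONS = {
    "CryptXXX": {".crypt"},
    "Enigma": {".enigma"},
    "GNL Locker": {".locked"},
    "CryptoHitman": {".porno"},
    "Crypren": {".ENCRYPTED"},
}
FAMILY_NOTES = {
    "Enigma": {"enigma_encr.txt"},
    "Shujin": {"文件解密帮助.txt"},
    "GNL Locker": {"UNLOCK_FILES_INSTRUCTIONS.txt", "UNLOCK_FILES_INSTRUCTIONS.html"},
    "Crypren": {"READ_THIS_TO_DECRYPT.html"},
}
# CryptXXX 2.0 names its note after the victim id, e.g. 8261b44400A5.html.
CRYPTXXX_NOTE = re.compile(r"^[0-9a-fA-F]{12}\.html$")


def classify_paths(paths):
    """Map each family to the encrypted files and ransom notes seen in `paths`."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for p in paths:
        name, suffix = PurePosixPath(p).name, PurePosixPath(p).suffix
        for family, exts in FAMILY_EXTENSIONS.items():
            if suffix in exts:  # case-sensitive on purpose: Crypren uses upper-case .ENCRYPTED
                hits[family]["encrypted"].append(p)
        for family, notes in FAMILY_NOTES.items():
            if name in notes:
                hits[family]["notes"].append(p)
        if CRYPTXXX_NOTE.match(name):
            hits["CryptXXX"]["notes"].append(p)
    return dict(hits)


def likely_families(paths, min_encrypted=3):
    """Families with a ransom note AND at least `min_encrypted` encrypted files."""
    hits = classify_paths(paths)
    return sorted(f for f, h in hits.items()
                  if h["notes"] and len(h["encrypted"]) >= min_encrypted)


# Constructed sample listing: a CryptXXX-hit share plus one stray Crypren-style file.
SAMPLE_LISTING = [
    "/srv/share/finance/q1.xlsx.crypt", "/srv/share/finance/q2.xlsx.crypt",
    "/srv/share/finance/budget.docx.crypt", "/srv/share/finance/8261b44400A5.html",
    "/home/ann/photo.jpg.ENCRYPTED", "/home/ann/notes.txt",
]
```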

New version of Petya and ransomware addon called Mischa - May 12th, 2016

A new version of Petya was released that had a major change in its installer. Now when the installer is executed, it will check if it can gain administrative privileges. If it is able to do so, it will install the Petya Ransomware. On the other hand, if it is unable to gain these privileges, it will instead install the file-encrypting Mischa Ransomware. More info can be found here: Petya is back and with a friend named Mischa Ransomware.

Mischa Ransom Note

Petya and Mischa are being offered as a Ransomware as a Service - May 13th, 2016

The malware developers behind Petya and Mischa have released a Ransomware as a Service program. This program allows malware distributors to earn a revenue share from the Petya devs by distributing their installer. More info about this affiliate program can be found here: The Petya and Mischa Ransomware are part of a new Affiliate Service.

Petya RaaS Screen

Decryptor released for CryptXXX Version 2.0 - May 13th, 2016

This week's ransomware roundup is going to end on a good note! Kaspersky was able to modify their CryptXXX decryptor so that it can decrypt files encrypted by CryptXXX version 2.0. A big thanks and congrats to Kaspersky for their speedy modifications!