A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.

The group's activity first came to light in March 2016, when various Magento stores were targeted and had their files locked with a Web-based ransomware called KimcilWare.

KimcilWare ransom note

The email address used for handling payment confirmations for KimcilWare ransoms was "tuyuljahat@hotmail.com."

Researchers spotted this same email address a few days later in the ransom note of another ransomware family called MireWare, which unlike KimcilWare, targeted Windows computers, and not web servers.

Both ransomware families were what security researchers often call "junk ransomware," which is a term they use to describe ransomware that uses code borrowed from open-source ransomware kits and is often decryptable.

For example, because KimcilWare targeted Magento shops, it was possible for website owners to restore their site from backups and remove the ransomware without paying.

Similarly, because MireWare was based on the Hidden Tear open source ransomware building kit, a flaw hidden in the project's encryption allowed researchers to recover files in some instances.

Group returns with new ransomware strains

Last week, security researcher MalwareHunter has come across a new ransomware family which appeared to be closely related to the modus operandi and internal structure of the CryPy ransomware.

Calling itself SADStory, this ransomware family featured a familiar email address — tuyuljahat@hotmail.com — which crooks made the mistake of reusing for the third time.

SADStory ransom note

Three days later, after realizing they've exposed most of their past deeds, the group behind SADStory decided to stop hiding and confessed to all their crimes.

They did this by releasing a renamed version of the SADStory ransomware, named L0CK3R74H4T. In the ransom note for this ransomware, the group fessed up to all their previous endeavors, officially admitting they were behind:

the KimcilWare and MireWare families

the CryPy ransomware discovered and analyzed by Kaspersky

the current SADStory and L0CK3R74H4T ransomware families

and another previously unknown ransomware threat named MafiaWare

Mafia Malware Indonesia ransom note

The new ransomware the group confessed to developing is MafiaWare, whose source code leaked online a few months ago [Bleeping Computer will refrain from sharing a link to its source code].

Mafia Malware Indonesia group behind wave of junk ransomware

Just like MireWare, MafiaWare was another (failed) attempt at creating a ransomware threat based on the Hidden Tear kit.

MafiaWare was spotted months ago, but because part of its source code was released, researchers had the upper hand and felt confident they could defeat it.

As MalwareHunter told Bleeping Computer in a private conversation, this wasn't necessary, as no user ever attempted to identify a MafiaWare infection via the ID-Ransomware service.

Similarly, despite researchers spotting SADStory and L0CK3R74H4T last week, these two ransomware threats also failed to make any victims as of yet.

Researchers feel confident they'll find a way to recover encrypted files if SADStory and L0CK3R74H4T make any victims.

All in all, the Mafia Malware Indonesia group seems to be an unskilled player on the ransomware market, who can't code its own ransomware without borrowing code from open source projects, and above all, has no idea how to mass-distribute its creations.