eCommerce Journal


Ransomware Chronicle

This is a comprehensive report on ransomware-related events covering the time frame of May – December 2016. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledge base instead of having to collect data from multiple different sources.

  • New ransomware released

  • Old ransomware updated

  • Ransomware decrypted

  • Other important ransomware related events

  • THE ENIGMA RANSOMWARE SURFACES

    Targets Russian-speaking victims. Appends the .enigma extension. Creates the enigma_encr.txt ransom note.

  • CRYPTXXX 2.0 EDITION

    Kaspersky’s free decryptor defeated. Concatenates the .crypt extension. Ransom notes named after victim ID.

  • SHUJIN RANSOMWARE SPREADING IN CHINA

    Zeroes in on Chinese victims only. Very complex decryption routine. Uses the 文件解密帮助.txt ransom note.

  • GNL LOCKER (GERMAN NETHERLANDS LOCKER)

    Targets German and Dutch users. Adds the .locked extension. UNLOCK_FILES_INSTRUCTIONS.txt manual.

  • CRYPTOHITMAN, A JIGSAW RANSOMWARE SPINOFF

    Hitman video game themed. Appends the .porno extension and uses X-rated images on warning screen.

  • CRYPREN RANSOMWARE DISTRIBUTION UPTICK

    Uses the .encrypted extension and drops READ_THIS_TO_DECRYPT.html help manual. Decryptable for free.

  • PETYA RANSOMWARE GOES WITH THE MISCHA BUNDLE

    If the MBR-overwriting Petya fails to get admin privileges, it installs Mischa, a typical file-encrypting Trojan.

  • PETYA AND MISCHA COMBO AS PART OF A RAAS

    Ransomware-as-a-Service platform launched allowing crooks to spread Petya and Mischa on an affiliate basis.

  • CRYPTXXX 2.0 CRACKED

    Kaspersky Lab updated their free decryptor for CryptXXX ransomware, version 2.0 now covered.

  • 8LOCK8 RANSOMWARE DISCOVERED

    New sample. Adds the .8lock8 extension and creates READ_IT.txt ransom notes. Interaction over email.

  • SHADE RANSOMWARE UPDATE

    New variant of the Shade aka Troldesh ransomware uses the .da_vinci_code extension to stain locked files.

  • FREE DECRYPTOR FOR GHOSTCRYPT AVAILABLE

    GhostCrypt ransomware (.Z81928819 extension, READ_THIS_FILE.txt ransom note) decrypted by researchers.

  • SNSLOCKER HITS THE HEADLINES

    New strain. Leverages AES cipher, appends the .RSNSlocked extension and demands $300 worth of Bitcoin.

  • XORIST RANSOMWARE LINEAGE DECRYPTED

    Decryptor for the Xorist family released by Emsisoft. Requires one encrypted file and its original copy.

  • 777 RANSOMWARE FAIL

    Appends the ._[timestamp]_$[email]$.777 extension. Decrypted by Emsisoft’s Fabian Wosar.

  • NEW ZYKLON LOCKER IN ROTATION

    A GNL Locker spinoff. Uses the .locked extension and drops UNLOCK_FILES_INSTRUCTIONS.html/txt manuals.

  • THE END OF TESLACRYPT: MASTER KEY RELEASED

    TeslaCrypt ransomware authors close the project and release the Master Decryption Key.

  • WEBSITE-ENCRYPTING RANSOMWARE

    New infection exploiting Drupal vulnerability. About 400 sites affected. Demands 1.4 BTC to decrypt content.

  • DMA LOCKER 4.0 DISCOVERED

    Doesn’t modify filenames. Creates Cryptinfo.txt ransom manual and extorts 1.5 BTC.

  • CRYPTXXX UPDATED TO VERSION 3.0

    Crypto flaw patched. Kaspersky’s decryptor no longer capable of restoring files.

  • TESLACRYPT DEVS RECOMMEND A RESEARCHER’S TOOL

    Crooks provide a link to expert-tailored decoder on Tor payment site for the defunct TeslaCrypt.

  • ODCODC: NEW RANSOMWARE ON THE TABLE

    File renaming format as follows: [attacker’s_email]-[original_filename].odcodc. Not decryptable for free.

  • ZCRYPT SPREADS VIA USB AND NETWORK SHARES

    New one. Appends the .zcrypt string. Propagates over autorun.inf files on memory sticks and network drives.

  • ZYKLON RANSOMWARE SWITCHES TO APROPOS EXTENSION

    New Zyklon edition switches from the .locked extension to .zyklon string. No more changes made.

  • BADBLOCK IS ON THE BLOCK

    New BadBlock ransomware doesn’t append any extension to files. Ransom size is 2 BTC.

  • INVISIBLE EMPIRE THEMED TROJAN

    Another Jigsaw ransomware version. Deletes files unless a victim pays up. Decryptable for free.

  • JOBCRYPTER UPDATE

    A modified variant of the JobCrypter ransomware discovered. Uses the .css extension.

  • ALFA RANSOMWARE DISCOVERED

    Alfa, aka Alpha, ransomware uses the .bin extension and appears to be created by Cerber devs.

  • NEW APOCALYPSE VARIANT DECRYPTED

    Emsisoft’s decryptor now handles the .bleepYourFiles version of the Apocalypse ransomware.

  • ANOTHER CRYPTXXX RANSOMWARE UPDATE

    New edition creates README.html (.bmp, .txt) ransom notes and upsells a tool called “Microsoft Decryptor”.

  • THE BUGGY CRYPTOFINANCIAL SPECIMEN

    Requests 0.2 BTC to unlock files but irreversibly deletes the data instead.

  • BITSTAK RANSOMWARE WITH WEAK CRYPTO

    Appends the .bitstak extension to scrambled files. Researcher named Michael Gillespie created a decryptor.

  • PIZZACRYPTS PROPAGATING VIA NEUTRINO EXPLOIT KIT

    Uses the .id-[unique_victim_id][email protected] extension to brand all encoded files.

  • THE PADCRYPT CAMPAIGN REVIVES

    Having stayed dormant for several months, the PadCrypt ransomware (.padcrypt extension) re-emerges.

  • UNLOCK92 ENCRYPTION ENHANCEMENTS

    New variant uses RSA-2048 cryptosystem, cannot be decrypted. Appends the .CCCRRRPPP extension.

  • A LAME CTB-LOCKER COPYCAT APPEARS

    Sample dubbed CTB-Faker moves files to a password-protected ZIP archive. Potentially crackable.

  • ODCODC RANSOMWARE FINALLY DEFEATED

    Researcher going by the handle BloodDolly came up with a method to decrypt ODCODC-encoded files.

  • NEW XORIST VERSION POSES AS CERBER

    Although this sample uses the .cerber extension, it’s a mere copycat. Doesn’t link to Tor decryptor page.

  • WILDFIRE LOCKER ON THE RISE

    According to OpenDNS, there is an upswing in WildFire Locker distribution via the Kelihos botnet.

  • LOW-COST STAMPADO RANSOMWARE FOR SALE

    Appends the .locked extension. Criminals can buy a copy on the dark web for as little as $39.

  • DECRYPTION KEYS GIVEAWAY BY CRYPTXXX DEVS

    For whatever reason, CryptXXX Tor payment sites provide free keys to decrypt .cryp1 and .crypz files.

  • PETYA RANSOMWARE UPDATED

    Petya authors improved their Salsa20 algo implementation to encrypt Master File Table more reliably.

  • CRYPTXXX BADLY CRIPPLES FILENAMES

    A fresh edition of CryptXXX replaces filenames with 32 hex characters and appends random extensions.

  • PYTHON-BASED HOLYCRYPT RANSOMWARE

    Written in Python, the HolyCrypt sample installs all components as a single Windows executable.

  • AUTOMATIC ODCODC DECRYPTOR RELEASED

    ODCODC ransomware victims can now use an automatic free decryptor. The infection’s C&C server is dead.

  • AVG CRACKS THE BART RANSOMWARE

    Free recovery tool by AVG allows Bart ransomware victims to crack the ZIP archive password.

  • POWERWARE IS NOTHING BUT A LOCKY COPYCAT

    PowerWare ransomware masquerades as Locky. Decryptor available courtesy of Michael Gillespie.

  • STAMPADO RANSOMWARE DECRYPTED

    Emsisoft team member Fabian Wosar created a free decrypt tool for the relatively new Stampado pest.

  • CRYPMIC, A CRYPTXXX LOOKALIKE

    CrypMIC bears a strong resemblance to CryptXXX. Researchers provide a comparative review of the two.

  • SIMPLE_ENCODER APPENDS FILENAMES WITH A TILDE

    New sample. Uses the .~ file extension and creates _RECOVER_INSTRUCTIONS.ini ransom note.

  • THE NOMORERANSOM PROJECT GOES LIVE

    A true breakthrough in fighting ransomware. Created by law enforcement agencies and security companies.

  • CHIMERA RANSOMWARE DECRYPTION KEYS RELEASED

    Petya and Mischa ransomware authors publish about 3500 decryption keys for a strain called Chimera.

  • JANUS RAAS BECOMES OPEN TO WANNABE CRIMINALS

    Crooks behind Petya and Mischa make their Ransomware-as-a-Service platform available to the public.

  • THE SHORT-LIVED JAGER RANSOMWARE

    Incremental ransom size starting with $100 worth of Bitcoin. C&C server went down shortly after launch.

  • UYARI RANSOMWARE GOES AFTER TURKISH USERS

    Appends the .locked extension to scrambled items. Ransom notes in Turkish asking for 2 BTC.

  • JIGSAW FAMILY KEEPS EXPANDING

    “We Are Anonymous” Jigsaw ransomware variant with a new warning background. Decryptable.

  • KASPERSKY’S DECRYPT TOOL UPDATED

    RakhniDecryptor solution by Kaspersky Lab decrypts Chimera-locked files with the keys previously leaked.

  • THE RAZY RANSOMWARE PREDICAMENT

    New strain, uses AES crypto and concatenates the .razy extension. Even the devs cannot decrypt files.

  • LOCKY VARIANT USES BOOBY-TRAPPED WSF ATTACHMENTS

    The Zepto version of Locky ransomware circulates via malware-tainted WSF email attachments.

  • SHINOLOCKER, A NEW PROOF-OF-CONCEPT

    Japanese researcher creates educational ransomware called ShinoLocker. Another controversial initiative.

  • ASTONISHING SURVEY RESULTS

    50% of U.S. companies were targeted by ransomware in the past 12 months, Osterman Research reveals.

  • CERBER RANSOMWARE 2.0 RELEASED

    Switches to .cerber2 extension and uses a new desktop background. Ransom notes unaltered.

  • VENUS LOCKER, AN EDA2 SPINOFF

    The EDA2 PoC gave birth to a new real-world strain. Uses AES-256 standard and appends .venusf extension.

  • HITLER-RANSOMWARE DISCOVERED

    Buggy sample that deletes extensions rather than encrypting files. Demands a Vodafone card worth 25 euros.

  • REKTLOCKER BASED ON EDUCATIONAL HIDDEN TEAR

    Uses open-source Hidden Tear code with some modifications. Appends files with the .rekt extension.

  • RANSOMWARE ON IOT DEVICES

    Researchers demonstrate a viable ransomware hitting thermostats at the DEFCON event.

  • SMRSS32 RANSOMWARE, A CRYPTOWALL COPYCAT

    Impostor pretending to be CryptoWall. Installs manually via RDP. Appends the .encrypted extension to files.

  • PIZZACRYPTS AND JUICYLEMON DECRYPTED

    Ransomware analyst nicknamed BloodDolly creates a free decryptor for PizzaCrypts and JuicyLemon strains.

  • POKEMONGO TROJAN DROPS ARABIC RANSOM NOTES

    Appends the .locked extension. Creates a backdoor Windows user account (Hack3r) for future PC access.

  • TORRENTLOCKER TARGETS ITALIAN VICTIMS

    Aka Crypt0L0cker. Uses the .enc file extension. Infects computers via rogue energy bills sent over email.

  • THE SHARK RANSOMWARE-AS-A-SERVICE

    New RaaS platform that allows for extensive ransomware customization. Devs get 20% revenue cut.

  • CERBER RANSOMWARE DECRYPTION INITIATIVE

    Check Point released a decrypt tool for .cerber and .cerber2 variants. Worked for only 1 day, though.

  • CERBER RAAS REVENUE UNCOVERED

    According to investigative research, Cerber devs’ annual revenue is on the order of $1 million.

  • NEW STRAIN TARGETING KOREAN VICTIMS

    Based on the educational Hidden Tear code. Apparent ties to the CrypMIC ransomware discovered.

  • APOCALYPSE RANSOMWARE AUTHORS GET UPSET

    The crooks keep insulting Fabian Wosar who cracks every new edition of the pest.

  • CERBER DEVS PATCH FLAWS

    Threat actors behind Cerber ransomware make Check Point’s automatic decryptor inefficient.

  • SMRSS32 RANSOMWARE DECRYPTED

    Researchers release a free decrypt tool for the Smrss32.exe ransomware.

  • FSOCIETY RANSOMWARE DISCOVERED

    An EDA2 spinoff. Sets a Mr. Robot TV series themed wallpaper with Fsociety hacking group logo.

  • BART RANSOMWARE SWITCHES TO REAL CRYPTO

    Starts to actually encrypt files and append the .bart extension rather than simply password-protect them.

  • DETOXCRYPTO MIMICKING POKEMONGO FOR WINDOWS

    Payload pretends to be the PokemonGO game. Takes a screenshot of the Windows screen for intimidation purposes.

  • ALMA LOCKER USES RANDOM 5-CHAR EXTENSION

    Distributed via RIG exploit kit. Uses Tor C&C server. Ransom of 1 BTC to be submitted within 5 days.

  • ANOTHER CTB-LOCKER LOOKALIKE SURFACES

    Another CTB-Locker copycat, uses a similar ransom note and color scheme. Demands 0.5 BTC.

  • THE PURGE MOVIE-THEMED GLOBE RANSOMWARE

    Desktop wallpaper styling pays homage to the Purge movies. Appends the .purge extension to files.

  • WILDFIRE LOCKER TAKEDOWN

    Dutch police and NHTCU agency seize WildFire Locker ransomware’s C&C server. Free decryptor released.

  • ALMA LOCKER DECRYPTION OPTIONS

    According to PhishLabs, Alma Locker’s private key can be obtained with network sniffer during the attack.

  • FANTOM RANSOMWARE RUNS A FAKE WINDOWS UPDATE

    New strain based on EDA2. Displays a bogus Windows update screen to obfuscate the encryption process.

  • DOMINO RANSOMWARE POSING AS KMSPICO

    Based on educational Hidden Tear code. Payload disguised as KMSPico Windows crack.

  • LOCKY SWITCHES TO DLL INSTALLER TO EVADE AV

    The Zepto alias of Locky ransomware begins leveraging a DLL installer rather than an executable to spread.

  • SMRSS32 RANSOMWARE USES U.S. ELECTION SPAM

    New Smrss32 spam campaign delivering files masqueraded as U.S. Election news.

  • THE SERPICO VERSION OF DETOXCRYPTO

    Targets users in Serbia and Croatia. Doesn’t modify filenames. Requests 50 EUR for decryption.

  • FAIRWARE RANSOMWARE, A THREAT TO LINUX USERS

    Adversaries compromise Linux servers, erase web folders and extort 2 BTC for recovery.

  • RAA RANSOMWARE APPEARS IN THE WILD

    Instructs victims to send email to [email protected] for decryption steps.

  • THE CURIOUS CASE OF FABIANSOMWARE

    Apocalypse ransomware devs name their new variant “Fabiansomware” to insult researcher Fabian Wosar.

  • CERBER SWITCHES TO USING A NEW EXTENSION

    New edition of the Cerber ransomware concatenates the .cerber3 extension to locked files.

  • REDIS SERVERS HACKED TO INSTALL RANSOMWARE

    Crooks reportedly used insecure Redis servers to infect Linux machines with the Fairware ransomware.

  • STAMPADO STARTS SCRAMBLING FILENAMES

    New Stampado variant replaces filenames with hexadecimal chars and uses the .locked extension.

  • THE NULLBYTE RANSOMWARE FAIL

    Pretends to be a PokemonGO bot app. Demands 0.1 BTC. Decrypted by Michael Gillespie.

  • NEW CRYLOCKER IMPERSONATES A FAKE ORGANIZATION

    Acts on behalf of the inexistent Central Security Treatment Organization. Appends the .cry extension.

  • CRYLOCKER DETAILS REVEALED

    CryLocker propagates via Sundown exploit kit and sends victims’ details to its C2 server over UDP.

  • LOCKY SWITCHES TO AUTOPILOT MODE

    New Locky samples go with built-in RSA keys and don’t communicate with C&C servers.

  • NO ACTUAL CRYPTO BY THE RARVAULT RANSOMWARE

    Targets Russian users. Moves files to password-protected RAR archive, creates RarVault.htm ransom note.

  • KAWAIILOCKER GOES AFTER RUSSIAN-SPEAKING AUDIENCE

    Hits Russian victims. Creates “How Decrypt Files.txt” ransom manual. Free decryptor released.

  • PHILADELPHIA RANSOMWARE SPOTTED IN THE WILD

    New Stampado version sold on the darknet for $400. Features a Mercy button.

  • FLYPER RANSOMWARE POPS UP

    Appends the .locked extension and requests 0.5 BTC. Attacker’s email address is [email protected].

  • PYTHON-BASED CRYPY THREAT

    Uses AES encryption, adds the .cry extension and drops README_FOR_DECRYPT.txt help file.

  • PHILADELPHIA RANSOMWARE DECRYPTED

    Emsisoft’s Fabian Wosar creates a free decryptor for the Philadelphia pest.

  • CROOKS FORGE SUPPORT FOR THE HOMELESS

    New Crysis ransomware rips users off under the guise of helping the homeless.

  • NOOBCRYPT TURNS OUT TO BE A LAME SAMPLE

    New ransomware, uses the same set of crypto keys for all victims. Decryption keys published by analysts.

  • LOCKLOCK, ANOTHER EDA2 SPINOFF

    Leverages AES-256 algo, appends the .locklock extension to files and creates READ_ME.txt ransom note.

  • NEW RAAS CALLED ATOM

    Shark RaaS rebranded as the Atom Ransomware Affiliate Program. Available on the public Internet.

  • STAMPADO DECRYPTOR UPDATED

    Fabian Wosar releases a decrypt tool handling new variants of the Stampado ransomware.

  • LOCKY PERSEVERES WITH OFFLINE ENCRYPTION

    Locky ransomware’s autopilot crypto gets improved to prevent AV detection.

  • STAMPADO ENCRYPTS WHAT’S ALREADY ENCRYPTED

    New version encrypts files that were locked by other ransomware strains, so it’s double trouble.

  • RAZY RANSOMWARE MIMICS JIGSAW WARNING STYLE

    Razy asks for a PaySafeCard worth 10 EUR to unlock files. Ransom screen resembles the one used by Jigsaw ransomware.

  • FANTOM RANSOMWARE UPDATE

    New edition can encrypt data offline, similarly to Locky. Now targets network shares.

  • FENIXLOCKER AUTHOR SPAWNS LOVE NOTES

    FenixLocker ransomware dev found to leave the “FenixIloveyou!!” message in each encrypted file.

  • HDDCRYPTOR REWRITES MASTER BOOT RECORD

    A highly dangerous sample that locks victims out of their computers by overwriting MBR.

  • FENIXLOCKER DECRYPTED

    Emsisoft releases a free decrypt tool for FenixLocker, which adds secret mash notes to encrypted files.

  • FANTOM RANSOMWARE TWEAKS

    New iteration sets desktop wallpapers randomly and derives ransom size from payload name.

  • STAMPADO AND APOCALYPSE UPDATED AND CRACKED

    Fabian Wosar stays busy upsetting ransomware makers with his updated free decryptors.

  • LOCKY OPTS OUT OF OFFLINE-ONLY MODE

    New Locky samples switch back to using C&C infrastructure for encryption, according to Avira.

  • CERBER CIRCULATION GROWTH

    A major increase in Cerber ransomware distribution: daily infections reach 80,000.

  • CYBER SPLITTER VBS RANSOMWARE DISCOVERED

    Spotted by GData, Cyber SpLiTTer Vbs asks for 1 BTC but fails to actually encrypt any files.

  • UNBLOCKUPC RANSOMWARE SURFACES

    New sample, drops “Files encrypted.txt” ransom manual and demands 0.18 BTC for decryption.

  • MARSJOKE, ONE MORE CTB-LOCKER COPYCAT

    Bears a strong resemblance to CTB-Locker. Mainly targets U.S. governmental and educational institutions.

  • NAGINI RANSOMWARE FOLLOWS POP CULTURE

    Warning screen contains an image of Lord Voldemort, an evil character from the Harry Potter films.

  • NEW HELP_DCFILE RANSOMWARE

    Named after ransom note help_dcfile.txt. Appends files with the .XXX extension.

  • THE DONALD TRUMP RANSOMWARE

    In-development sample with a photo of Donald Trump on the ransomware GUI.

  • LOCKY GIVES BIRTH TO A NEW .ODIN PERSONA

    New variant adds the .odin extension to files and creates _HOWDO_text.html/bmp ransom notes.

  • DXXD RANSOMWARE FINALLY CRACKED

    Michael Gillespie, aka @demonslay335, creates a decryptor for the DXXD ransom Trojan.

  • OPEN-SOURCE RANSOMWARE FOR LINUX

    New educational Linux ransomware called CryptoTrooper gets negative feedback from security community.

  • PRINCESS LOCKER WANTS TOO MUCH FOR DECRYPTION

    Decryptor page resembles Cerber’s. The ransom is 3 BTC (about $2200), doubles after deadline.

  • AL-NAMROOD RANSOMWARE DECRYPTED

    Appends the .unavailable extension. Emsisoft creates an automatic decrypt tool for this sample.

  • RAZY RANSOMWARE EXPANDS ITS GEOGRAPHY

    New version targets German users. Extorts ransom in PaySafeCard. Deadline for payment is 72 hours.

  • KASPERSKY DISSECTS BRAZILIAN CYBERCRIME

    A write-up by Kaspersky analyzes Brazilian TeamXRat ransomware that targets enterprises and hospitals.

  • NUKE RANSOMWARE SPOTTED

    New one. Uses the AES standard and creates !!_RECOVERY_instructions _!!.html/txt ransom notes.

  • RANSOMWARE MAKER JOINS SECURITY FORUM

    Apocalypse ransomware dev starts posting on BleepingComputer forums to insult researcher Fabian Wosar.

  • KASPERSKY DECRYPTS MARSJOKE RANSOMWARE

    Kaspersky updated their RannohDecryptor solution so that it can crack the MarsJoke ransomware.

  • TREND MICRO BEATS THE GLOBE RANSOMWARE

    The Trend Micro Ransomware File Decryptor tool is now capable of decoding the Globe ransomware.

  • CERBER NOW DISPLAYS VERSION NUMBER

    Cerber Ransomware devs start indicating version number in v4.1.0 and onward.

  • SMASH RANSOMWARE ISN’T MUCH OF AN ISSUE

    Displays a “File Kill Timer” window with a funny image of Super Mushroom. Doesn’t delete any files for real.

  • DUMMYLOCKER WITH HYBRID PROPERTIES

    Encrypts data and locks a victim’s screen. Files are appended with the .dCrypt extension.

  • ZSCREENLOCKER VIRUS SUGGESTS BANNING ISLAM

    Having encrypted one’s files, the zScreenLocker ransomware displays a “Ban Islam” image.

  • NEW ENCRYPTOJJS RANSOMWARE

    Appends the .enc extension and creates “How to recover.enc.txt” ransom note.

  • PAYDOS RANSOMWARE, AN OLD SCHOOL STRAIN

    Displays a ransom note within command prompt. Requests 0.33 BTC for the passcode to decrypt.

  • GREMIT RANSOMWARE EMERGING

    New one. Concatenates the .rnsmwr extension to encoded files.

  • RSA PUBLISHES AN ARTICLE ON CERBER 4.1.x

    Titled “The Evolution of Cerber… v4.1.x”, the article dissects new versions of the ransomware.

  • CLOCK.WIN32.RANSOMWARE SPOTTED

    Doesn’t encrypt any data, simply displays a lock screen. Demands $20 through PayPal.

  • CERBER 4.1.4 APPEARS

    Spreads via phishing emails with fake Word invoice attached. Version number indicated in ransom notes.

  • NOOBCRYPT RANSOMWARE UPDATE

    New version uses an expired build of C# obfuscator. Accepts random, including blank, unlock key input.

  • CERBERTEAR, A CERBER COPYCAT

    A variant of Hidden Tear proof-of-concept pretending to be the Cerber ransomware.

  • JIGSAW RANSOMWARE EDITION WITH FRENCH ROOTS

    Decryptable sample that affixes the .encrypted extension to files and leaves a ransom note in French.

  • FSOCIETY RANSOMWARE APPENDING .DLL EXTENSION

    Based on RemindMe ransomware. Uses .dll extension and drops DECRYPT_YOUR_FILES.html ransom note.

  • RANSOMWARE DISGUISED AS PAYSAFECARD GENERATOR

    Uses a fake PaySafeCard generator window to obfuscate file encryption. Prepends “.cry_” to extensions.

  • AIRACROP RANSOMWARE BY TEAMXRAT RING

    Appends the ._AiraCropEncrypted extension to files. Distributed by the TeamXRat cybercrime gang.

  • IRANSOM INFECTION KIT SOLD ONLINE

    The sample can be purchased on underground resources. Adds the .Locked extension to data entries.

  • THE HEIMDALL PHP RANSOMWARE

    A proof-of-concept written in PHP that targets web servers. Created by Brazilian researcher.

  • TELECRYPT RANSOMWARE DISCOVERED

    The sample leverages the Telegram communication protocol to interact with its C2 infrastructure.

  • FAIRYTALE-ISH SAMPLE TARGETING RUSSIAN USERS

    A new specimen using a popular Russian “Kolobok” fairytale theme for the desktop background.

  • FAKE OPM BANK NOTIFICATIONS SPREADING LOCKY

    Spam emails disguised as alerts from U.S. Office of Personnel Management deliver Locky payloads.

  • CRYSIS RANSOMWARE DEVS RELEASE DECRYPT KEYS

    CrySiS ransomware authors set up a Pastebin page with Master Decryption Keys for their infection.

  • KARMA RANSOMWARE MIMICKING PC OPTIMIZATION

    New ransomware disguised as “Windows-TuneUp” app. Propagates over pay-per-install network.

  • PADCRYPT 3.0 AFFILIATE PLATFORM LAUNCHED

    The updated PadCrypt version 3.0 can now be distributed on a Ransomware-as-a-Service basis.

  • THE ANGELA MERKEL RANSOMWARE

    Displays a photo of Angela Merkel in the ransom notes. Asks for a BTC equivalent of 1200 EUR.

  • RANSOC SCREEN LOCKER’S PENALTY NOTICE

    Locks the desktop rather than encrypt files. Blackmails users with sensitive content found on their PCs.

  • CRYPTOLUCK SPREADING VIA AN EXPLOIT KIT

    CryptoLuck mimics the warning screen of CryptoLocker. Proliferates via RIG-E exploit kit.

  • RANSOMWARE TARGETING JPG FILES ONLY

    Dubbed the “Demo” ransomware, this one only encodes JPGs and appends the .encrypted extension.

  • CROOK SEEKING RESEARCHER’S ASSISTANCE

    One of Apocalypse ransomware devs contacts Emsisoft’s Fabian Wosar, asking for help with a code bug.

  • PCLOCK IN ROTATION AGAIN

    A CryptoLocker copycat. Returns after almost 2 years of inactivity. Demands 1 Bitcoin for decryption.

  • PRINCESS LOCKER DECRYPTOR IN DEVELOPMENT

    Researcher nicknamed ‘hasherezade’ gets close to cracking the Princess Locker ransomware.

  • GLOBE RANSOMWARE DECRYPTOR UPDATE

    Fabian Wosar releases a decryptor for Globe2 (.zendr4, .raid10, .blt, .globe, and .encrypted extensions).

  • LOCKY ARRIVES WITH PHONY FLASH PLAYER UPDATE

    A variant of the Locky ransomware found to be propagating via rogue Flash Player update sites.

  • .NET-BASED CRYPTON RANSOMWARE

    Uses a mix of RSA and AES algorithms to lock files and demands 0.2-2 Bitcoins for decryption.

  • NEW SHELLLOCKER RANSOM TROJAN

    One more sample coded with .NET programming language. Adds the .L0cked file extension.

  • THE DHARMA REINCARNATION OF CRYSIS

    Dharma ransomware is a new variant of the defunct CrySiS. Uses the .[email_address].dharma extension.

  • THE HELPFUL “ID RANSOMWARE” PROJECT

    The ID Ransomware service by MalwareHunterTeam now includes 238 ransomware strains.

  • CHIP RANSOMWARE SPREADING VIA RIG-E EK

    New sample called the CHIP ransomware relies on the RIG-E exploit kit for proliferation.

  • NEW DEADLY RANSOMWARE VARIANT APPEARS

    Corrupts victims’ data and provides no way to restore it due to a buggy key saving routine.

  • TRICKY OBFUSCATION BY PADCRYPT 3.0

    Uses a rogue Visa Credit Card generator to camouflage payload execution.

  • LOCKY SPREADING VIA FACEBOOK SPAM

    Malicious .svg images sent via Facebook’s instant messaging system install Nemucod Trojan and Locky.

  • CRYPT888 SETS A DEADLINE FOR PAYMENT

    New variant claims to delete the AES-256 key unless a ransom is sent within 36 hours. Decrypted by Avast.

  • AESIR VERSION OF THE LOCKY RANSOMWARE

    Appends the .aesir extension and leaves _[random_number]-INSTRUCTION.html/bmp ransom notes.

  • VINDOWS LOCKER IS NOT A MISSPELLING

    New ransomware telling victims to call a “Microsoft Support technician”. Appends the .vindows extension.

  • PRINCESS LOCKER DECRYPTED

    Security analyst @hasherezade defeats Princess Locker’s crypto and releases a decryption tool.

  • DECRYPTOR AVAILABLE FOR TELECRYPT

    Malwarebytes releases a free decryptor for Telecrypt ransomware, which uses Telegram’s API.

  • MHT FILES DELIVERING LOCKY

    Cisco Talos spot a Locky spam wave delivering booby-trapped MHT email attachments.

  • THANKSGIVING RANSOMWARE

    New ransomware appears that displays an image of a turkey on its warning screen.

  • OZOZALOCKER IS NO BIG DEAL

    Uses the .Locked extension and [email protected] email for communication. Decryptor available.

  • LOCKY’S NEW ZZZZZ VARIANT

    Another edition of the Locky ransomware appending the .zzzzz extension to encrypted files.

  • CERBER RANSOMWARE 5.0 EMERGES

    Proliferates via RIG-V exploit kit and spam. Still appends a random 4-character extension.

  • ONE MORE HIDDEN TEAR SPINOFF IN ROTATION

    Based on the open-source Hidden Tear proof-of-concept. Uses a Jigsaw movie-themed background.

  • LOMIX RANSOMWARE USING CRYPTOWIRE’S CODE

    A byproduct of educational ransomware project called CryptoWire. Asks for a Bitcoin equivalent of $500.

  • COCKBLOCKER AKA RANSOMWAREDISPLAY

    Appears to be an in-development ransomware sample. Appends the .hannah extension to locked files.

  • CERBER’S RANSOM NOTE TWEAK

    New variant of the Cerber ransomware creates _README_.hta ransom notes.

  • NEW SCREEN LOCKER BEING DISTRIBUTED

    Claims to have found viruses and displays “Your computer is locked!” warning. Unlock password released.

  • CRYPTER RANSOMWARE TARGETING BRAZILIAN USERS

    Attacks are isolated to Brazil. Renames files rather than encrypting them. Demands 1 Bitcoin for recovery.

  • A PRIMITIVE SCREEN LOCKER DISCOVERED

    Displays “Your Windows Has Been Banned” message. The unlock password is 123456.

  • THE UNUSUAL KANGAROO RANSOMWARE

    An Apocalypse ransomware spinoff. Encrypts files and displays a warning screen before Windows boots up.

  • VINDOWS LOCKER DECRYPTED

    Security researchers create a decryptor for Vindows Locker, which uses tech support scam tactic.

  • SAN FRANCISCO MUNI HIT BY RANSOMWARE

    HDDCryptor ransomware paralyzes San Francisco Municipal Transit Agency’s IT infrastructure.

  • NEW RANSOMWARE BASED ON POWERSHELL

    This PowerShell-based sample uses the ps2exe script and overwrites the original files.

  • HTCRYPTOR HARNESSING HIDDEN TEAR CODE

    HTCryptor’s code is based on open-source Hidden Tear ransomware. Tries to disable Windows firewall.

  • SFMTA DENIES DATA THEFT

    San Francisco Muni’s officials deny allegations about corporate data being stolen by ransomware devs.

  • NMOREIRA RANSOMWARE CRACKED

    Emsisoft analyst Fabian Wosar creates a free decryptor for NMoreira/XPan ransomware.

  • RANSOMWARE ATTACKS A CANADIAN UNIVERSITY

    Unidentified ransomware sample compromises Carleton University in Canada, demanding 39 BTC.

  • JIGSAW RANSOMWARE’S NEW CAMOUFLAGE

    A new Jigsaw variant uses a phony Electrum Coin Adder app’s GUI to mask the ransomware installation.

  • ZETA RANSOMWARE STAINING FILES WITH NEW EXTENSION

    New edition of the Zeta ransomware uses .rmd extension and # HELP_DECRYPT_YOUR_FILES #.txt ransom note.

  • TORRENTLOCKER UPDATE

    The latest version of TorrentLocker, aka Crypt0L0cker, appends files with 6 random characters.

  • PRINCESS LOCKER CHANGES TAKING EFFECT

    New iteration uses random extensions of 4-6 chars and !_HOW_TO_RESTORE_[random].txt ransom note.


More Stories By David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.