Specific Ransomware Families and Types

[Back to the Ransomware Resource Page]

[Updated introduction and added multiple links 6th and 8th of October 2016]

I’m afraid this is not (and never will be) a complete list of ransomware families: I just can’t give it that much time. Which is why there’s often no commentary from me, just one or more links to information to be found elsewhere. Where possible, though, I’ll continue to attempt to give at least one link to as many families as I can. For now, anyway: as this project is threatening to become my life’s work, I’m already having to cut back on the time I spend on it.

[May 12th 2016] Ransomware is not a static landscape. One of the reasons I have tried not to oversell the Specific Ransomware Families and Types page is that I can’t guarantee that it’s up to date at all times, even on the limited range of ransomware it covers. In the same way, the information in the Google spreadsheet here may also become outdated, but it does seem to have a number of potential contributors to help maintain it. On the other hand, that might actually mean that it remains partial because it favours the resources with which the contributors are associated, and while I’ve seen it suggested that it covers all ransomware, that’s just wishful thinking. Nonetheless, it could certainly be useful as a starting point when looking for information, but I’d suggest that you don’t assume that it is authoritative.

Some specific families and types are now being linked from sub-pages rather than summarized directly on this page. This is an ongoing process, intended for ease of maintenance.

[If you want to know more about specific ransomware, BleepingComputer is worth trying, as well as other resources such as anti-malware vendor encyclopaedias.]

Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14% – noting that:

  • 2,896 new ransomware modifications appeared in the first quarter of 2016, an increase of 14%, alongside a 30% increase in attempted ransomware attacks.
  • The ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1, 2016.’

Specific ransomware families and types

  • ‘Educational’ Ransomware

*Included in ZDNet’s list of ransomware for which decrypters are available (not checked, but the sources are reasonably reputable).

  • 777*
  • Al-Namrood*
  • Alma
  • Alpha
  • AlphaLocker
  • AndroidLocker/Dogspectus
  • Android/Lockerpin
  • Android/Lockdroid.E
  • Android.Lockscreen
  • Angler Exploit Kit
  • AnonPop
  • Apocalypse*
  • ApocalypseVM*
  • Autolocky*
  • Badblock*
  • Bart*
  • Bitcrypter/Bitcryptor*
  • BitLocker
  • Bluff – fake ransomware attacks
  • Browlock
  • Cerber (version 1*)
  • Charger
  • Chimera*
  • CoinVault*
  • Coverton
  • Crowti
  • CrypBoss*
  • CryptoDefense*
  • CryptInfinite*
  • CrypMIC
  • Crypt38
  • Crypt888 (see also Mircop)
  • CryptFile2
  • Cryptobit
  • CryptoHitman
  • CryptoHost (a.k.a. Manamecrypt)
  • Cryptojoker
  • Cryptolocker
  • CryptoMix
  • CryptoRoger
  • Cryptowall
  • CryptXXX
  • CryptXXX v.1 & 2*
  • CryptXXX v1, 2, 3, 4, 5*
  • CryPy
  • Crysis
  • CTB-Locker
  • Cyber.Police
  • DDoS Extortion and Ransomware
  • Delilah
  • DeriaLock
  • DetoxCrypto
  • DMA Locker*
  • Doxing as a Service
  • Doxware
  • Dridex-related
  • DXXD
  • ElGato
  • ElasticSearch
  • Encryptor RAAS
  • Enigma
  • Enrume
  • Erebus
  • Evil Santa Ded
  • Fabiansomware*
  • FairWare
  • Faketoken
  • Fantom
  • FBI virus
  • FenixLocker*
  • FireCrypt
  • Flocker
  • FLUX: see Ransomware as a Service
  • Globe*
  • Goldeneye
  • Goliath
  • Gomasom*
  • Hades Locker
  • Harasom*
  • HDD Cryptor
  • Hitler
  • HolyCrypt
  • HOSTMAN: see Ransomware as a Service
  • HydraCrypt*
  • JapanLocker
  • JBoss Backdoors
  • Jigsaw*/CryptoHit
  • Kelihos
  • KeRanger
  • KeyBTC*
  • KillDisk
  • KimcilWare
  • Koolova
  • Kovter
  • LeChiffre
  • Lechiffree*
  • Legion
  • Locker
  • Locky
  • LogicLocker
  • Magic
  • Maktub
  • Mamba (See HDD Cryptor)
  • Manamecrypt (a.k.a. CryptoHost)
  • Marlboro
  • MarsJoke*
  • Mircop*
  • Mischa
  • MongoDB hacking
  • Nanolocker
  • Nemucod*
  • ‘Notification’ ransomware
  • Odin
  • Operation Global III*
  • PadCrypt
  • PClock*
  • Petya*
  • Philadelphia*
  • PHP Ransomware
  • Polyglot – see MarsJoke*
  • Pompous
  • Popcorn Time
  • PoshCoder
  • PowerWare*
  • Power Worm
  • Princess Locker
  • PWSSynch-B
  • RAA
  • Rakhni & similar*
  • Rannoh*
  • Ranscam
  • Ransoc
  • Ransom32
  • Ransomlock.AT
  • Ransomware Affiliate Network: see Ransomware as a Service
  • Ransomware as a Service
  • Rokku
  • Sage
  • Samas
  • SamSam
  • Sarento
  • Satan: see also Ransomware as a Service
  • Satana
  • Serpent
  • 7ev3n
  • Shade
  • Shade v1 & 2*
  • Shark
  • shc – see JapanLocker
  • Shujin
  • Simplocker
  • SNSLocker*
  • Spora
  • Stampado*
  • Surprise
  • SZFlocker
  • TeamXRat
  • Tech Support Scams and Ransomware
  • Teerac
  • Telecrypt
  • TeslaCrypt
  • TeslaCrypt v1, 2, 3, 4*
  • Tescrypt
  • Tordow (Android.spy.Tordow)
  • Towelroot
  • Troldesh
  • TrueCrypter
  • UmbreCrypt*
  • Vandev*
  • VinCE [See Tech Support Scams and Ransomware]
  • Virlock
  • Wildfire*
  • Xorist*
  • Xpan
  • Zcryptor
  • Zepto

‘Educational’ Ransomware

[20th June 2016] David Bisson for Graham Cluley’s blog: Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list – Nothing is nice about this EDA2-based variant.

An article by David Bisson – Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project – looks at the complicated relationship between unequivocal ransomware (Magic, Ransom_Cryptear.B) and open-source ‘educational’ malware (Hidden Tear, EDA2). Not to mention the unfortunate affair of the free-hosting service that suspended the author’s account and deleted the data, so that even the criminal is now unable to decrypt affected files.

A later article by David Bisson for Tripwire describes Ransomware Propagation Tied to TeamViewer Account (UPDATED). Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems, and to the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at TeamViewer, is quoted as saying:

…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

More hopefully, Lawrence Abrams describes for Bleeping Computer a not-all-that-common happy ending (at least for the moment): Pompous Ransomware Dev Gets Defeated by Backdoor.

The story concerns a scammer who borrowed the open-source EDA2 ransomware as the basis for his own, and took the opportunity to lecture his victims while claiming bragging rights to which he was not entitled: a backdoor in EDA2 allowed recovery of the decryption keys. Unfortunately, some of his victims had already paid the ransom for their particular decryption keys.

Cylance indicates that AlphaLocker (see below) is based on EDA2.

Alma

Lawrence Abrams for Bleeping Computer: New Alma Locker Ransomware being distributed via the RIG Exploit Kit

Analysis by PhishLabs: Alma Ransomware: Analysis of a New Ransomware Threat (and a decrypter!)

Al-Namrood

Al-Namrood Ransomware (.access_denied) Support & Help Topic

Alpha

David Bisson for Graham Cluley’s blog: How to recover from an Alpha ransomware attack – Do your files have the .ENCRYPT extension? You may have been hit by the Alpha ransomware.

Lawrence Abrams for Bleeping Computer: Decrypted: Alpha Ransomware accepts iTunes Gift Cards as Payment

A free decryptor is available.

Catalin Cimpanu for Softpedia: Decrypter for Alpha Ransomware Lets Victims Recover Files for Free

AlphaLocker

Analysis by Cylance of ransomware that is sold (very cheaply) to each customer as a unique copy plus an administrative panel; the customer then manages the rest of the attack himself. (HT to Artem Baranov for flagging the article.)

Commentary by Kaspersky: Criminals Peddling Affordable AlphaLocker Ransomware

Android.Locker/Dogspectus

Android/Lockerpin

Android.Lockdroid.E

Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining access rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.

Commentary by Pierluigi Paganini here.

Commentary by The Register here: Two-thirds of Android users vulnerable to web history sniff ransomware – Crooks want you to pay up on pain of severe embarrassment – and more

Android.Lockscreen

September 29th 2016

Older versions of screenlockers often labelled Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

Symantec’s article: Android.Lockscreen ransomware now using pseudorandom numbers – The latest Android.Lockscreen variants are using new techniques to improve their chances of obtaining ransom money.

Commentary by David Bisson for Tripwire.

Angler Exploit Kit

[23rd June 2016]

Joseph C. Chen for TrendLabs: After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity. Interesting figures on a number of exploit kits.

[20th June 2016]: Is Angler EK Sleeping with the Fishes? Neutrino exploit kit now distributing most CryptXXX

Neat summary by Paul Ducklin for Sophos: Angler exploit kit rings in 2016 with CryptoWall ransomware. Also noted in the Cryptowall section below.

Angler takes a lead role in an article by Graham Cluley for Tripwire: Crypto-ransomware Spreads via Poisoned Ads on Major Websites

ArsTechnica report

Malwarebytes report

[19th April 2016] Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’.

AnonPop

[August 1st 2016]

Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living. The article explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms,” citing the Talos blog here.

ApocalypseVM

Decryptor made available by Emsisoft: Emsisoft Decrypter for ApocalypseVM. VMProtect was used in the vain hope of preventing security researchers from reverse-engineering this variant. For some reason, this story came back to life in January 2017, six months after the Bleeping Computer story.

Two decrypters from AVG for different versions.

AutoLocky

[16th April 2016] Emsisoft gives a brief description of ransomware written in AutoIt that imitates Locky, but not very well, apparently. At any rate, Emsisoft also offers a decrypter.

Emsisoft Decrypter for AutoLocky

More description and commentary from David Bisson for Graham Cluley’s blog: Decryption tool released for Locky ransomware impersonator – AutoLocky ransomware has a “laughable” flaw

Bleeping Computer: AutoLocky

BadBlock

Lawrence Abrams describes this horrible piece of scumware here: the decryptor by Fabian Wosar of Emsisoft can be downloaded from here, and Abrams gives detailed instructions on the process.

Decrypter from AVG

Bart

The Register: Eat my reports! Bart ransomware slips into PCs via .zip’d JavaScript – ¡Ay caramba!

David Bisson: Bart ransomware takes files hostage by hiding them in password-protected ZIP files – What’s Locky ransomware got to do with it? Lots!

22nd July 2016: it is reported that Bart ransomware victims get a free decryptor. The decryptor is the work of AVG’s Jakub Kroustek and is available for download. In order to generate the key, the decryptor has to have access to one of the original files as well as its encrypted version.

BitLocker

(HT to Artem Baranov)

Vladimir Katalov for ElcomSoft: Breaking BitLocker Encryption: Brute Forcing the Backdoor (Part I)

Bluff (fake ransomware attacks)

John Leyden for The Register: I don’t care what your eyeballs tell you. Alternative fact is, we’ve locked up your files – Survey: ‘Bluff’ ransomware is on the up

Browlock

Cerber

[15th February 2017]

Trend Micro – CERBER Changes Course, Triple Checks for Security Software

David Bisson for Graham Cluley’s blog: Sage 2.0 ransomware wants to be just like Cerber when it grows up – Same parents or pure mimicry?

See also notes on GoldenEye for a Cerber-like attack on HR departments (5th January 2017)

25th November 2016: info from Checkpoint on new variants of Locky and Cerber: Two Thanksgiving presents from the leading ransomware

November 22nd 2016:

Trend Micro: Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

November 7th 2016:

Matthew Rosenquist, for McAfee: Cerber Ransomware Now Hunts for Databases

Commentary by Darren Pauli for The Register: Cerber ransomware menace now targeting databases – Why try to extract pennies from kiddies when there’s businesses to be bilked?

October 15th 2016

Trend Micro: Several Exploit Kits Now Deliver Cerber 4.0

October 5th 2016

Bleeping Computer reports on changes to Cerber in its new version: Cerber Ransomware switches to a Random Extension and Ends Database Processes

August 17th 2016

Check Point: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. Download the report from here, if you don’t mind sharing your contact details.

David Bisson for Graham Cluley’s blog: Cerber ransomware operation exposed… and boy is it lucrative! Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world

Help Net Security: The inner workings of the Cerber ransomware campaign

July 18th 2016

FireEye: CERBER: ANALYZING A RANSOMWARE ATTACK METHODOLOGY TO ENABLE PROTECTION

29th June 2016

Avanan: Widespread Attack on Office 365 Corporate Users with Zero-day Ransomware Virus

SC Magazine commentary

The Register commentary: Ransomware scum target corporate Office 365 users in 0-day campaign – Spam flood tried to drop malicious macros in inboxes

Commentary from SANS

7th June 2016

David Bisson for Graham Cluley’s blog: Cerber, the ransomware which talks to you, continues to evolve – New Cerber ransomware variant generates new hashes every 15 seconds.

[25th May 2016] A version of Cerber that incorporates a DDoS bot:

Lawrence Abrams, for Bleeping Computer, reports that The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You. Files are AES encrypted, a ransom starting at 1.24 Bitcoins is demanded, and there is currently no way of restoring encrypted files (except from backup of course) for free. And this ransomware, apparently offered as a service on a ‘closed underground Russian forum’, clearly wants to make it very clear that it’s struck: not only does it litter a victimized PC with ransom notes, but it also creates a VBS script that generates an audio message telling the victim that “Your documents, photos, databases and other important files have been encrypted!”

Other commentary by Shell Spawner$ and by David Bisson for Graham Cluley’s blog: Cerber ransomware speaks to you: ‘Your files are encrypted’ – If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem

[27th April 2016] A Malwarebytes post describes how Malvertising On The Pirate Bay Drops Ransomware: specifically, Cerber delivered via the Magnitude exploit kit. Commentary by Darren Pauli for The Register: Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads – There is no honour among content thieves. Meanwhile, Team Cymru takes A Look Inside Cerber Ransomware.

Charger

[January 2017]

The Register: More mobe malware creeps into Google Play – this time, ransomware – Charger seeks to drain bank accounts of unlucky ‘droids

Source, Checkpoint: Charger Malware Calls and Raises the Risk on Google Play

Chimera

13th August 2016:

Extract from the Malwarebytes blog: ‘We recently wrote about the leak of keys for Chimera ransomware. In this, more technical post, we will describe how to utilize the leaked keys to decrypt files. Also, we will perform some tests in order to validate the leaked material.’

Decrypting Chimera Ransomware

3rd August 2016: Kaspersky’s RakhniDecryptor tool is claimed to offer decryption of Chimera-encrypted files.

Malwarebytes on the apparent leaking of Chimera’s private keys by competitors, offering some chance that a decrypter will become available: Keys to Chimera ransomware leaked. Commentary from SC Magazine: Rival cyber-gang leaks private keys of Chimera ransomware. Commentary from Sophos: Chimera ransomware keys leaked by rival malware developers. Commentary by John Leyden for The Register: Saved from ransomware thugs… by rival ransomware thug – Chimera cybercrook competitor hands victims the keys

Coverton

Bleeping Computer: Coverton

Crowti

Microsoft: Crowti

CrypMIC

Trend Micro: CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps

Crypt38

Fortinet: Buggy Russian Ransomware Inadvertently Allows Free Decryption

Crypt888

Decrypter from AVG (See also Mircop)

CryptFile2

American Airlines spam from Kelihos delivers Ransomware

See CryptoMix.

Cryptobit

Be careful with CryptoBit, the latest threat detected (Panda Security, April 2016)

CryptoBit: Another Ransomware Family Gets an Update (Palo Alto, July 2016)

CryptoHitman

(Rebranded version of Jigsaw.)

Cryptohost (a.k.a. Manamecrypt)

Analysis from Sabrina Berkenhopf for G DATA: Manamecrypt – a ransomware that takes a different route. Somewhat unusual in that, rather than spreading via attachments or an exploit kit, the sample analysed by G DATA is bundled with legitimate software. It also blocks a number of applications from running where the process names include certain strings, for instance the names of security products. In its present incarnation, the data can, however, be recovered.

Bleeping Computer: CryptoHost

Cryptojoker

Lawrence Abrams reports for Bleeping Computer on how The CryptoJoker Ransomware is nothing to Laugh About, crediting its discovery to MalwareHunterTeam. The installer passes itself off as a PDF according to Abrams, suggesting that it’s distributed via email phishing campaigns.

Cryptolocker

CryptoMix

Ransomware that makes the ludicrous claim that the 5 bitcoin ransom will be paid to a children’s charity. Related to CryptoWall 4.0 and CryptXXX: no free decrypter currently available.

Added 5th January 2017:

Cert.PL offers analysis of the newly-polished tur^H^H^H CryptFile2, now known as CryptoMix: Technical analysis of CryptoMix/CryptFile2 ransomware

Among its ‘interesting’ features:

  • The ‘insane’ ransom amount (currently 5 bitcoin)
  • There’s a suggestion in the analysis that paying is likely to generate further ransom demands, but not the decryption keys
  • The crooks claim that the ransom will be contributed to a children’s charity, and that the victim will get free PC support. Yeah, right.

In fact, none of this information is particularly new, but the technical analysis is interesting.

CryptoRoger

21st June 2016

CryptoWall

CryptXXX

CryPy

Kaspersky: CryPy: ransomware behind Israeli lines

Sophos: Data-stealing CryPy ransomware raises the spectre of variable pricing for files

Crysis

[22nd November 2016] ESET decryption tool: How do I clean a Crysis infection using the ESET Crysis decryptor? Commentary by The Register here and here. At the time of writing, it doesn’t seem to be possible to decrypt Crysis-encrypted files that have the .dharma extension.

Several other security companies have also taken advantage of the Crysis master decryption keys being made available anonymously/pseudonymously on the Bleeping Computer forum, as reported by Pierluigi Paganini: The decryption keys for the CrySis ransomware were posted online on the BleepingComputer.com forum by a user known as crss7777.

Ondrej Kubovič for ESET: Beyond TeslaCrypt: Crysis family lays claim to parts of its territory. The ransomware that ESET calls Win32/Filecoder.Crysis encrypts files on fixed, removable and network drives.

It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

It encrypts everything except system files and its own bits and pieces, and charges between 400 and 900 euros. However, ESET users may be able to recover files encrypted by older versions with the help of ESET technical support.

CTB Locker

Proofpoint: MarsJoke Ransomware Mimics CTB-Locker

Bleeping Computer: CTB-Locker for web sites

Article by Darren Pauli for The Register: Reinvented ransomware shifts from pwning PC to wrecking websites – ‘CTB Locker’ targets WordPress, offers live chat to help victims pay up.

And an article by David Bisson for Graham Cluley’s blog: Ransomware’s new target? Websites – Extortionists demand Bitcoin ransom be paid to restore WordPress websites. See also: DDoS (distributed denial of service) extortion and ransomware.

Lucian Constantin reports [15 April 2016]: The CTB-Locker ransomware uses a metadata field in bitcoin transactions to store decryption keys

Cyber.Police

See Towelroot Exploit Kit

See also Flocker.

DDoS

[25th May 2016] A version of Cerber that incorporates a DDoS bot:

[9th May 2016] Action Fraud article about DDoS extortion threats by a hacking group: Online extortion demands affecting businesses. Commentary by SC Magazine: Action Fraud warns of new wave of Lizard Squad DDoS attacks

For Tripwire, David Bisson summarizes some of the detail from a report from cloud provider Akamai on trends in DDoS (Distributed Denial of Service) attacks, often associated with attempted extortion.

Here are some older DDoS-related stories.

Softpedia on the failure of the Bitcoin-for-DDoS scheme to make much of a dent in BTCC. (4th January 2016)

Akamai’s [state of the internet] / security Q4 2015 report offers an impressive array of information about DDoS attacks.

And here are a couple of items about the DD4BC (DDoS for BitCoin) gang:

  • ESET reports on Operation Pleiades in which several countries cooperated with Europol against the threat.
  • A related story from the BBC.

Deadly for a Good Purpose

Analysis by MalwareHunter and Bleeping Computer: FireCrypt Ransomware Comes With a DDoS Component. There are similarities with the Deadly for a Good Purpose ransomware.

Delilah

Delilah: Ransomware and Recruitment

When Chuck Berry recorded ‘Beautiful Delilah’ back in the 1950s, he wasn’t thinking of anything like the Trojan described by Diskin, according to Gartner’s Avivah Litan, as gathering ‘enough personal information from the victim so that the individual can later be manipulated or extorted.’ By which the company seems to mean, among other things, the recruitment of insiders by coercing them into leaking data.

The article concludes:

Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web.

Commentary by Darren Pauli for The Register: Extortion trojan watches until crims find you doing something dodgy – And then the extortion starts and you’re asked to steal critical data

DetoxCrypto

Lawrence Abrams for Bleeping Computer: New DetoxCrypto Ransomware pretends to be PokemonGo or uploads a Picture of your Screen

Commentary by David Bisson for Graham Cluley’s blog: DetoxCrypto ransomware-as-a-service rears its ugly head

DeriaLock

A fast-evolving threat appeared on Christmas Eve 2016, but researchers quickly provided free decryptors.

Decryptors are available from Checkpoint and from MalwareHunterTeam’s Michael Gillespie.

See also PHP Ransomware for the other family for which Checkpoint provided a decryptor.

DMA Locker

Android.Locker/Dogspectus

Android.Locker/ElGato: see ElGato

Doxing as a Service

[28th April 2016]

Here’s a slightly different twist on extortion that doesn’t involve ransomware. Steve Ragan describes for CSO Salted Hash how a Website offers Doxing-as-a-Service and customized extortion. The subtitle explains the business model:

Those posting Dox will get a commission, or they can pay to have someone’s personal details exposed

The amount of commission depends on the type of Doxing. In ascending order of payment:

  • Miscellaneous
  • Revenge
  • Paedophiles [the American spelling is used by the site: Cymmetria’s Nitsan Saddan is quoted as believing that it’s likely that ‘these are American players.’]
  • Law enforcement
  • Famous

The DaaS-tardly doxing service is priced according to the type of information collected, from the barest details to a complete profile. Ragan observes that the service doesn’t seem to be collecting customers – at any rate:

…the Bitcoin wallet used to process payments for this service has received no transactions.

And he has seen little traction on the site since he’s been monitoring it. Nevertheless, he predicts that this kind of activity will become more common.

Doxware

Not a single threat, but a name given to malware that not only holds data to ransom, but threatens to release captured information publicly unless the ransom is paid.

Chris Ensey for DarkReading: Ransomware Has Evolved, And Its Name Is Doxware – The latest form of malware holds computers hostage and compromises the privacy of conversations, photos, and sensitive files.

Dridex-related

Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’. This may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.

SecurityWeek: Dridex Botnet Spreading Locky Ransomware Via JavaScript Attachments cites Trustwave: Massive Volume of Ransomware Downloaders being Spammed

Droidjack

David Bisson for Graham Cluley’s blog (again): Pokémon Go for Windows? Beware ransomware! Pokémaniacs at risk.

DXXD

David Bisson for Graham Cluley’s blog: Decrypt THIS! Ransomware dev taunts security researchers in support forum – DXXD doesn’t display a ransom note like other ransomware…

ElasticSearch

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

ElGato

Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.

I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato

Encryptor RAAS

TrendLabs: The Rise and Fall of Encryptor RaaS

Enigma

Information from Bleeping Computer on Enigma (the ransomware, not the WW2 machine): The Enigma Ransomware targets Russian Speaking Users. While it appears to try to delete Shadow Volume Copies, it seems it doesn’t always succeed: if this is the case for you, this may help.

Enrume

Microsoft: Enrume

Erebus

Erebus Ransomware Bypasses UAC for Privilege Elevation

Evil Santa Ded Cryptor

David Bisson for Graham Cluley’s blog: Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list – Nothing is nice about this EDA2-based variant.

FairWare

Reported on Bleeping Computer here.

Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible

Faketoken

Romain Unuchek for SecureList: The banker that encrypted files

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. In Lucian’s article he links to a September article by Anton Kivva on Tordow (see below), not to the one he quotes by Romain Unuchek (as above) on Trojan-Banker.AndroidOS.Faketoken. I’ve messaged him, so that may have changed by the time you read this. [Or not…]

Commentary by Richard Chirgwin for The Register: Bad news, fandroids: Mobile banking malware now encrypts files – First Faketoken stole credentials, now it holds data to ransom

Fantom

The FBI Virus

A misnomer. It isn’t a single threat, it isn’t a virus, and while it does attempt to pass itself off as an action taken on behalf of a law enforcement agency imposing a fine on the victim for viewing pornography or using pirated software, the FBI is by no means the only agency whose name is taken in vain. It’s seen across a variety of systems, and historically has often relied on tricking the user into thinking the system is locked rather than seriously disrupting or blocking the use of the system, so that recovery can sometimes be effected by quite simple means like the steps described here. However, the social engineering component (fake ‘policeware’) of the attack is increasingly seen in quite different threats that are less easily dealt with, such as Lockerpin. See also Flocker.

FireCrypt

Analysis by MalwareHunter and Bleeping Computer: FireCrypt Ransomware Comes With a DDoS Component. There are similarities with the Deadly for a Good Purpose ransomware.

Flocker

Globe

Lawrence Abrams for Bleeping Computer: The Globe Ransomware wants to Purge your Files

Goldeneye

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software.

Paul Ducklin for Sophos: Goldeneye ransomware: the resumé that scrambles your computer twice

Malwarebytes: Goldeneye Ransomware – the Petya/Mischa combo rebranded

Added 5th January 2017:

Meanwhile, the Petya-derived GoldenEye has been targeting German-speaking HR departments as a way into the lucrative corporate ransomware market. According to Checkpoint:

The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros unbeknown to the receiver.

Not a novel approach, but it’s worked well for other types of malware (including Cerber), and I see no reason why it shouldn’t be effective this time, even though (as David Bisson points out):

While those in HR should expect to receive emails from all kinds of people, they shouldn’t give anyone who sends a Microsoft Office document with macros enabled the time of day. In fact, organizations should make sure that every computer in every department disables Office macros by default.

Goliath

May 19th, 2016.

Hades Locker

Proofpoint: Hades Locker Ransomware Mimics Locky

HDD Cryptor

Trend Micro Analysis: BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs

Brian Krebs: San Francisco Rail System Hacker Hacked

Ars Technica: Ransomware locks up San Francisco public transportation ticket machines – Some systems now restored; attacker demanded $73,000.

Hitler

For once, an article about Hitler that doesn’t invoke Godwin’s law

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

HolyCrypt

Lawrence Abrams for Bleeping Computer: New Python ransomware called HolyCrypt Discovered. The sample analysed by AVG’s Jakub Kroustek ‘appears to be a development version used by the malware developer to test the ransomware.’

JapanLocker

For Fortinet, Artem Semenchenko and Joie Salvio examine the resemblances between ‘JapanLocker’ and the surprisingly similar open-source ransomware ‘shc’.

“JapanLocker”: An Excavation to its Indonesian Roots

JBoss Backdoors [18th April 2016]

Alexander Chiu for Talos looks hard at the JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chiu observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

Jigsaw/CryptoHitMan

Kelihos

KeRanger

[15th February 2017] Sophos: RSA 2017: Deconstructing macOS ransomware

[14th April 2016] F-Secure’s Mikko Hypponen believes that KeRanger is a forerunner of ransomware targeting not only local files but backups stored on network-attached and in-the-cloud devices. In-the-cloud? TechRepublic states:

However, analysis of KeRanger also revealed work-in-progress code intended to also scramble files backed-up to attached storage via OS X’s Time Machine service.

Palo Alto reported on March 6th that New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer: they believe this to be ‘the first fully functional ransomware seen on the OS X platform.’ At any rate, it looks like a capable piece of malware. According to fortune.com, Palo Alto plans ‘to release a blog advising Mac users on ways to check to see if they were infected with the virus and steps they can take to protect against it harming their data’. [Updated 7th March 2016: additional commentary by Graham Cluley for Intego – Mac Users Hit by Rare Ransomware Attack, Spread via Transmission BitTorrent App – and Darren Pauli for The Register – First working Apple Mac ransomware infects Transmission BitTorrent app downloads: If you downloaded 2.90, you’ve got a few hours to get rid of it.] Bleeping Computer: KeRanger. Analysis by ESET: New Mac ransomware appears: KeRanger, spread via Transmission app

(Yes, this is duplicated in the OS X section above, for the moment: also commented on in some Mac Virus articles.)

Help Net Security has published some comments it has received from the industry on KeRanger: specifically from Aviv Raff of Seculert, Van Abernethy of NSFOCUS IB, and David Kennerley of Webroot. Mostly the sort of advice you’d expect to get from people in the security industry. Reactions to the KeRanger ransomware for Macs

According to a blog article from Bitdefender, KeRanger ‘looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016.’ Commentary from John Leyden for The Register: First Mac OS X ransomware actually a rewrite of Linux file scrambler – Gatekeeper nutmegged using dodgy cert.

KillDisk

CyberX reports that KillDisk, already associated with cybersabotage, is now also being used as a basis for ransomware, demanding a hefty 222 bitcoin in ransom.

NEW KILLDISK MALWARE BRINGS RANSOMWARE INTO INDUSTRIAL DOMAIN

Commentary by Catalin Cimpanu for Bleeping Computer: KillDisk Disk-Wiping Malware Adds Ransomware Component.

Commentary by David Bisson for Tripwire: KillDisk Wiper Malware Evolves into Ransomware.

Added 5th January 2017:

For ESET, Robert Lipovsky and Peter Kálnai have more information on KillDisk’s recent foray into ransomware: KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt.

They summarize:

The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations. Considering the high ransom of around USD 250,000 – resulting in a low probability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient way of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.

Analyses by McAfee [added 14th February 2017]: Analyzing KillDisk Ransomware, Part 1: Whitelisting; Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

KimcilWare

Bleeping Computer: KimcilWare

Koolova

Perhaps the oddest thing to pop up recently is the Koolova ransomware (which refers to itself as Nice Jigsaw): it encrypts files and threatens to delete them, but supplies a decryption key once the victim has read two articles: Google’s Stay safe while browsing and Bleeping Computer’s Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

Lawrence Abrams: Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware. Commentary by Graham Cluley for Tripwire: Ransomware Offers Free Decryption if you Learn About Cybersecurity.

I have to agree with Abrams that there’s something creepy (to say the least) about this. But not only because it cites one of his own articles. Even though the ‘ransom’ isn’t monetary, there are less offensive ways in which someone could make that ‘educational’ point without compromising someone else’s data and without the barely-concealed gloating because of the power they have over the victim but choose not to exercise. And I find it hard to believe that the people behind this are always going to be so ‘nice’. Are they priming the pump for a different kind of attack?

Kovter

Jai Vijayan for Dark Reading: New Kovter Trojan Variant Spreading Via Targeted Email Campaign – The authors of a malware sample that has been around for more than two years have yet another trick for distributing it.

[Older content]

Fake IRS refund carries Kovter ransomware downloader

To be precise, the ZIP file distributed by the spam campaign contains a script that launches PowerShell to download a Kovter payload, which in turn delivers ransomware. The secondary payload is CoreBOT, a highly adaptive form of modular malware.

According to Heimdal’s Andrea Zaharia, the spam message looks something like this:

From: [spoofed / fake return address]

Subject Line: Payment for tax refund # 00 [6 random numbers]

Attached:
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js
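The attachment pattern quoted above (a ZIP whose content is a script wearing a document’s name) is easy to flag before it reaches a mailbox. The following is an added example, not code from the original page or from Heimdal: a small attachment scanner that opens a ZIP in memory and reports members with an executable script extension, with or without a decoy “.doc”/“.pdf” in front of it. The sample archives are constructed inline from the attachment name quoted above; their contents are placeholders, not the real downloader.

```python
"""Flag ZIP attachments carrying scripts disguised as documents.

Added example (not from the original page). The sample ZIPs below are
constructed in memory and contain placeholder text only.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions Windows hands to the script host or shell when double-clicked.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                   "exe", "scr", "bat", "cmd", "ps1", "lnk"}
# Extensions a recipient is likely to trust on sight (the decoy part).
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png", "html", "htm"}

# Matches a trailing "<decoy>.<real>" pair such as ".doc.js".
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if the archive member looks dangerous, else None."""
    base = name.rsplit("/", 1)[-1]          # ignore any directory prefix
    m = DOUBLE_EXT.search(base)
    if m:
        decoy, real = m.group(1).lower(), m.group(2).lower()
        if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
            return f"double extension .{decoy}.{real}"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        return f"executable attachment type .{ext}"
    return None


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Scan a ZIP held in memory; return (member name, reason) for each suspicious entry."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Construct a ZIP in memory (test fixture; the contents are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the attachment name quoted in the text.
LURE_ZIP = build_sample_zip(
    {"Tax_Refund_00654767.doc.js": b"// placeholder, not the real downloader\n"})
BENIGN_ZIP = build_sample_zip(
    {"Tax_Refund_00654767.pdf": b"%PDF-1.4 placeholder\n",
     "notes/readme.txt": b"hello\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, scan_zip(blob))
```

The check deliberately keys on the member name rather than on content: the lure works because the recipient sees “Tax_Refund…doc” and Explorer hides the real “.js”, so a name-based rule at the mail gateway catches it regardless of how the script body is obfuscated.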

Heimdal analysis: Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign

Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware

Check Point [19th April 2016]: KOVTER RANSOMWARE – THE EVOLUTION: From Police Scareware to Click Frauds and then to Ransomware

An article by Reaqta explores the relationship between Kovter and Nemucod: Nemucod meets 7-Zip to launch ransomware attacks

LeChiffre

Malwarebytes: LeChiffre

Legion

Decrypter from AVG

Locker

An internal discussion regarding the closing down of TeslaCrypt reminded me that it’s not the first time that ransomware has been closed down with some measure of apology and remediation. On the 30th May 2016, a post appeared on Pastebin announcing that:

I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.

I uploaded the database to mega.co.nz containing “bitcoin address, public key, private key” as CSV. This is a dump of the complete database and most of the keys weren’t even used…

The poster went on to give a variety of information about the malware.

Locky

LogicLocker

14th February 2017:

An ICS attack – or rather a PoC simulation – from Georgia Institute of Technology, making a big splash at RSA.

Magic

Bleeping Computer: Magic

Maktub

[14th April 2016] Paul Ducklin, for Sophos: The ransomware attack that knows where you live

[24th March, 2016] Hasherazade for Malwarebytes:  Maktub Locker – Beautiful And Dangerous

[23rd March 2016] Lawrence Abrams for Bleeping Computer: The Art of the Maktub Locker Ransomware

Mamba

See HDD Cryptor

Manamecrypt (a.k.a. Cryptohost)

Analysis from Sabrina Berkenhopf for G DATA: Manamecrypt – a ransomware that takes a different route. It is somewhat unusual in that, rather than spreading via attachments or an exploit kit, the sample analysed by G DATA is bundled with legitimate software. It also blocks a number of applications from running where their process names include certain strings, for instance the names of security products. In its present incarnation, however, the data can be recovered.

Marlboro

Catalin Cimpanu for Bleeping Computer: Marlboro Ransomware Defeated in One Day

Emsisoft’s decryptor. However, due to the bugginess of the malware, Fabian Wosar, who created the decryptor, notes that:

“…the malware will truncate up to the last 7 bytes from files it encrypts,” the researcher said. “It is, unfortunately, impossible for the decrypter to reconstruct these bytes.”

MarsJoke

Proofpoint: MarsJoke Ransomware Mimics CTB-Locker

Kaspersky: MARSJOKE RANSOMWARE TARGETS .EDU, .GOV AGENCIES

Kaspersky: RESEARCHERS BREAK MARSJOKE RANSOMWARE ENCRYPTION

Commentary by SC Magazine: Multilingual ransomware Polyglot talks good game, but can’t match CTB-Locker

Mircop

TrendLabs: MIRCOP Crypto-Ransomware Channels Guy Fawkes, Claims To Be The Victim Instead. Some victim… demanding a ransom of 48.48 bitcoins.

Decrypter from AVG

Mischa

[24th October 2016]

MBRfiler is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

[May 14th 2016] Lawrence Abrams for Bleeping Computer: Petya is back and with a friend named Mischa Ransomware. If a new installer for Petya is unable to gain the admin privileges it needs to modify the Master Boot Record (MBR), it now installs the more conventional Mischa ransomware instead. See also MISCHA RANSOMWARE Support and Help Topic – YOUR_FILES_ARE_ENCRYPTED.HTML & TXT.

July 31st 2016

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

MongoDB

Following reports of tens of thousands of MongoDB database installations attacked with ransomware, the maker published advice on how to avoid unsafe defaults. Thomas Claburn for The Register (11th January 2017):

How to secure MongoDB – because it isn’t by default and thousands of DBs are being hacked – Stop right now and make sure you’ve configured it correctly
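The exposure described above comes from running mongod with its historical defaults: listening on every interface with no authentication. As an added illustration (not taken from the page, from The Register’s article or from MongoDB’s own advice), here is a mongod.conf fragment showing the exposed configuration beside a hardened one; the keys `net.bindIp` and `security.authorization` are standard mongod.conf settings, and the interface address is a constructed placeholder.

```yaml
# --- Exposed (the kind of setup that was being found and wiped) ---
# Listening on all interfaces, no authorization: anyone who can reach
# TCP/27017 can read, drop and replace every database.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled

# --- Hardened ---
# Listen only on loopback (add an internal address, e.g. 10.0.0.5 here as a
# placeholder, only if application servers must connect over the network),
# and require authentication, so that unauthenticated clients cannot touch data.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

Enabling `authorization` only helps once an administrative user has been created; until then the server accepts a first user from localhost, so the two settings belong together, and a host firewall in front of port 27017 is the cheap third layer.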

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

NanoLocker

Bleeping Computer: NanoLocker

Nemucod

‘Notification’ ransomware

Kaspersky: The “notification” ransomware lands in Brazil

Odin

Sophos: Odin ransomware takes over from Zepto and Locky

Fortinet: The Locky Saga Continues: Now Uses .odin as File Extension

PadCrypt

Ransomware with several interesting features described for Graham Cluley’s blog by David Bisson: New ransomware comes with Live Chat feature, somewhat useless uninstaller. The article draws on information published by Lawrence Abrams for Bleeping Computer: PadCrypt: The first ransomware with Live Support Chat and an Uninstaller.

The point about the uninstaller is that it removes all the files associated with the infection, but doesn’t reverse the encryption.

Petya

Added 8th February 2017: article by Raul Alvarez for Fortinet: Ransomware and the Boot Process

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software.

Added 24th October 2016:

MBRfiler is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

Here are some sources for commentary on the Petya ransomware, which, as Bleeping Computer puts it, skips the files and encrypts your hard disk instead. Note that repairing the Master Boot Record doesn’t recover your data.

Darren Pauli for the Register: Ransomware now using disk-level encryption – German firms fleeced by ‘Petya’ nastyware that performs fake CHKDSK. Cites discussion on KernelMode.info forums.

David Bisson for Graham Cluley’s blog: Petya ransomware goes for broke and encrypts hard drive Master File Tables – Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up… He cites Jasen Sumalapao, writing for Trend Micro.

G-Data: Ransomware Petya – a technical review

Nice, clear Sophos summary: New ransomware with an old trick: “Petya” parties like it’s 1989

Helpnet: Petya ransomware encrypts files, disks, locks users out of computers

11th April 2016: A flaw in Petya – the current version, at least – has allowed an unidentified researcher to create a key generator to crack the encryption without paying 0.9 bitcoin to the criminals. BBC story: Petya ransomware encryption system cracked. Commentary by David Bisson for Graham Cluley’s blog: Infected by Petya ransomware? Use this tool to unlock your files… for now – Thank goodness ransomware sometimes contains bugs too… And the website set up to help people with the key generation: unfortunately, the average victim will have problems getting the information necessary to kickstart the process. Confirmed by Lawrence Abrams of Bleeping Computer.

[May 14th 2016] Lawrence Abrams for Bleeping Computer: Petya is back and with a friend named Mischa Ransomware. If a new installer for Petya is unable to gain the admin privileges it needs to modify the Master Boot Record (MBR), it now installs the more conventional Mischa ransomware instead.

July 18th 2016

Malwarebytes: Third time (un)lucky – improved Petya is out

July 31st 2016

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

PHP Ransomware

Paul Ducklin’s articles are always worth reading, but this one is particularly relevant to this blog: PHP ransomware attacks blogs, websites, content managers and more… The article is mainly about the malware Sophos calls Troj/PHPRansm-B

Unnamed PHP Ransomware(-ish)

Checkpoint also has a decryptor for the unnamed PHP ransomware also described in its article on DeriaLock. In fact, ransomware might be the wrong word in this case, since at present it displays no ransom ‘note’ and has no known channel for paying a ransom.

Polyglot

See MarsJoke

Pompous

Lawrence Abrams describes for Bleeping Computer a not-all-that-common happy ending (at least for the moment): Pompous Ransomware Dev Gets Defeated by Backdoor.

The story concerns a scammer who borrowed the open-source EDA2 ransomware as the basis for his own, and took the opportunity to lecture his victims while claiming bragging rights to which he was not entitled, since a backdoor in EDA2 allowed recovery of the decryption keys. Unfortunately, some of his victims had already paid the ransom for their particular decryption keys.

Popcorn Time

Bleeping Computer: New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key

PoshCoder

6-4-16: see PowerWare

Known for its attempts to imitate other ransomware – Cryptowall, TeslaCrypt, Locky…

PowerWare

[23rd July 2016]

Zeljka Zorz reports for Help Net Security: Decrypter for Locky-mimicking PowerWare ransomware released – Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Josh Grunzweig’s decryptor is a Python script available here.

Zeljka points out ‘They can try following these instructions on Python.com on how to run a Python script on Windows, or ask someone more knowledgeable to help them clean their machine up.’

[4-4-16]

AlienVault: PowerWare “Fileless Infection” Deepens Ransomware Conundrum for Healthcare Providers

Carbon Black flexes its PR muscles and manages not to mention that ‘AV is Dead’ in its analysis: Threat Alert: “PowerWare,” New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word. It does share Indicators of Compromise, but as a graphic rather than as text. However, the Word doc used to spread the malware is detected (according to VirusTotal) by 34 products at the time of writing: 69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf. The ransomware script is also widely detected: https://www.virustotal.com/en/file/02beca974ecc4f871d8d42462ef305ae595fb6906ad764e6e5b6effe5ff05f29/analysis/.

Michael Mimoso for Threat Post (Kaspersky): Fileless Powerware Ransomware Found On Healthcare Network

6th April 2016

Peter Ewane draws comparisons between PowerWare and PoshCoder, and asserts that:

PowerWare seems to be heavily based on PoshCoder, the ransomware that rose to infamy due to the fact it destroyed encrypted data using a logic based programming flaw.

His analysis is here: PowerWare or PoshCoder? Comparison and Decryption

PoshCoder is, in turn, closely related to Power Worm. Some sources regard the names as interchangeable.

Power Worm

Graham Cluley on a more-than-usually-inept example of ransomware: Buggy ransomware locks up your data, then throws away the encryption key

Princess Locker

Bleeping Computer: Introducing Her Royal Highness, the Princess Locker Ransomware

[21st November 2016] Analysis by Malwarebytes with a link to a decryptor. PrincessLocker – ransomware with not so royal encryption

PWSSync-B

15th February 2017: Sophos – RSA 2017: Deconstructing macOS ransomware

RAA

Lawrence Abrams for Bleeping Computer: The new RAA Ransomware is created entirely using Javascript

Rannoh

Kaspersky’s RannohDecryptor, originally developed to counter the Rannoh ransomware, has been tweaked to offer decryption of CryptXXX. In order to effect the decryption, the victim must have access to the original unencrypted version of at least one of the encrypted files. The decryptor is also claimed to work with the malware that Kaspersky calls Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, and Trojan-Ransom.Win32.Cryakl.

Ranscam

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’, but in fact the malware simply deletes them, makes it as difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

[August 1st 2016]

Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living. It explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms.” Citing the Talos blog here.

Ransoc

John Leyden for The Register: New Ransoc extortionists hunt for actual child abuse material – Brazen hackers actually accepting credit card payments. Based on a report by Proofpoint: Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles

Ransom32

Sabrina Pagnotta writes for ESET on the ransomware Emsisoft calls Ransom32, notable for passing itself off as Chrome.

Bleeping Computer: Ransom32

Emsisoft’s Fabian Wosar, having recovered from the ‘shock’ of being badmouthed by the author of the Radamant ransomware kit, continues the good work by reporting on The First Ransomware in Javascript: Ransom32. English version of the article now to be found here, and there is a summary by Richard Chirgwin for The Register: Happy 2016, and here’s the year’s first ransomware story – JavaScript-ed nasty only spotted on Windows, so far. Wosar points out that in theory at least, this malware could easily be repackaged for OS X and Linux:

That should mean that Ransom32 can also easily be packaged for Linux and Mac OS X, at least in theory.

Later commentary by Help Net: Difficult to block JavaScript-based ransomware can hit all operating systems.

See also the Cerber section above.

Ransomlock.AT

[8th August 2016]

As described in an article on this site: Ransomlock.AT: ransomware meets support scams

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

Ransomware as a Service

[16th February 2017] Fortinet: Ransomware-as-a-Service: Rampant in the Underground Black Market. HOSTMAN, FLUX, Ransomware Affiliate Network

Zeljka Zorz for HelpNet Security: Satan: A new Ransomware as a Service;
Darren Pauli for The Register: Satan enters roll-your-own ransomware game – Code named for Prince of Darkness offers commissions for spreading evil

Lawrence Abrams for Bleeping Computer: New DetoxCrypto Ransomware pretends to be PokemonGo or uploads a Picture of your Screen

Commentary by David Bisson for Graham Cluley’s blog: DetoxCrypto ransomware-as-a-service rears its ugly head

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

Symantec: Shark: New Ransomware-as-a-Service threat takes bite of proceeds – The creators of Shark have made it freely available, but demand a 20 percent cut of its profits.

SC Magazine: Commentary and related links. Shark ransomware-as-a-service chomps its way to a 20% commission

Rokku

An Avira blog describes the very ‘professional’ Rokku ransomware. It has a number of interesting characteristics, but its use of a QR code to enable a victim to pay up has particularly caught the imagination of Sven Carlsen in his analysis: Rokku, the “professional” ransomware.

Bleeping Computer: CryptoHost

Sage

David Bisson for Graham Cluley’s blog: Sage 2.0 ransomware wants to be just like Cerber when it grows up – Same parents or pure mimicry?

SamAs

Microsoft: Samas

SamSam

[March 31st, 2016]

Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

Pierluigi Paganini: Why malware like the Samsam ransomware are so dangerous for hospitals?

[18th April]

Alexander Chiu for Talos looks hard at the (SamSam-related) JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chiu observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

[19th April 2016]

For the Register, Iain Thomson summarizes the issues around SamSam’s migration from hospitals to schools and the should-have-been-patched-long-ago JBoss vulnerability that Talos has flagged previously.

Sarento

Microsoft: Sarento

Satan

See also Ransomware as a Service.

Darren Pauli for The Register: Satan enters roll-your-own ransomware game – Code named for Prince of Darkness offers commissions for spreading evil

[Added 8th February 2017] Peter Stephenson for SC Magazine: Devilish New Ransomware Hits the Street.

Satana

MBRfiler is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

Earlier info:

Serpent

New Serpent Ransomware Targets Danish Speakers

7ev3n

Shade

David Bisson for Graham Cluley’s blog: Shade malware attack examines your finances before demanding ransom – Remote control now. Encryption later.

Shark

Symantec: Shark: New Ransomware-as-a-Service threat takes bite of proceeds – The creators of Shark have made it freely available, but demand a 20 percent cut of its profits.

SC Magazine: Commentary and related links. Shark ransomware-as-a-service chomps its way to a 20% commission

Shujin

Article from Trend Micro on ransomware localized to China, using the simplified character set favoured on the mainland: Chinese-language Ransomware Makes An Appearance

Simplocker

SNSLocker

Trend Micro: Ransomware Leaves Server Credentials in its Code

Spora

Bleeping Computer: Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet

Bleeping Computer: Spora Ransomware Sets Itself Apart with Top-Notch PR, Customer Support

Stampado*

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software including Petya/Goldeneye and Stampado.

Surprise

Bleeping Computer: The Surprise

David Bisson describes Ransomware Propagation Tied to TeamViewer Account (UPDATED) for Tripwire. Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems and the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at TeamViewer, is quoted as saying:

…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

SZFlocker

Decrypter from AVG

TeamXRat

Kaspersky: TeamXRat: Brazilian cybercrime meets ransomware

Tech Support Scams and Ransomware

Teerac

Microsoft: Teerac

Telecrypt

Kaspersky Labs: The first cryptor to exploit Telegram

Commentary from HelpNet Security: Telecrypt ransomware uses Telegram for command and control

Sounds as if data is recoverable without paying the crooks, at present.

[23rd November 2016] Nathan Scott, of Malwarebytes, has provided a decryption tool here which should work as long as there’s an unencrypted copy of one of the encrypted files available. Commentary by Darren Pauli for The Register here.

TeslaCrypt

Tescrypt

Microsoft: Tescrypt

Tordow

Anton Kivva for Kaspersky (September 20th 2016), describing malware discovered in February 2016 (Trojan-Banker.AndroidOS.Tordow.a): The banker that can steal anything.

According to Comodo (December 13th 2016), a ‘2nd version’ has acquired extra functionality characteristic of ransomware: Comodo Threat Research Labs Warns Android Users of “Tordow v2.0” outbreak. They refer to it as Android.spy.Tordow.

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. (The other malware he’s referring to is Faketoken, though in Lucian’s article he links to the September article by Anton Kivva, not to the one he quotes by Roman Unuchek. I’ve messaged him, so this may have changed by the time you read this.)

Towelroot Exploit Kit

Troldesh

Microsoft Malware Protection Center: Troldesh ransomware influenced by (the) Da Vinci code

TrueCrypter

Lawrence Abrams for Bleeping Computer reports on something called TrueCrypter that demands payment either as 0.2 bitcoins or as $115 in Amazon gift cards: TrueCrypter Ransomware accepts payment in Bitcoins or Amazon Gift Card.

He observes:

This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon. This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.

He has a point, but I’m told there are forums where gift cards might be ‘laundered’ before they turn up in the virtual economy. Still, TrueCrypter looks very amateur for other reasons, too. Just clicking on the ‘Pay’ button decrypts your files. I suspect that won’t always be the case, though.

[2nd May 2016] Commentary by David Bisson: TrueCrypter ransomware lets you pay with Amazon gift cards – Just click “Pay” to decrypt – no payment required! (at the moment)

Umbrecrypt

Bleeping Computer: Umbrecrypt

VinCE

See Tech Support Scams and Ransomware

Virlock[er]

Noted on Spiceworks

Raul Alvarez for Fortinet: On-Demand Polymorphic Code In Ransomware

Zeljka Zorz for HelpNet: VirLocker ransomware is back, but can be defeated. Source article from Malwarebytes: VirLocker’s comeback; including recovery instructions [January 2017]

Wildfire

Kelihos botnet delivering Dutch WildFire Ransomware

Jornt van der Wiel, for Kaspersky: Wildfire, the ransomware threat that takes Holland and Belgium hostage. Summary/commentary by Darren Pauli for The Register: Intel douses Wildfire ransomware as-a-service Euro menace – Group scored $79k a month with infect-o-tronic rent-a-bot

Decrypters available from Kaspersky and Intel via the No More Ransom site.

Xpan

Kaspersky: TeamXRat: Brazilian cybercrime meets ransomware

ZCryptor

[Added 17th June 2016] Malwarebytes description of zCrypt ransomware: under the hood

[Added 10th June 2016] McAfee: Zcrypt Expands Reach as ‘Virus Ransomware’

Zepto

6th – 8th October 2016

Sophos: Odin ransomware takes over from Zepto and Locky

Fortinet: The Locky Saga Continues: Now Uses .odin as File Extension

Older links:

[Back to the Ransomware Resource Page]