Specific Ransomware Families and Types


[Updated introduction and added multiple links 6th and 8th of October 2016]

I’m afraid this is not (and never will be) a complete list of ransomware families: I just can’t give it that much time. Which is why there’s often no commentary from me, just one or more links to information to be found elsewhere. Where possible, though, I’ll continue to attempt to give at least one link to as many families as I can. For now, anyway: as this project is threatening to become my life’s work, I’m already having to cut back on the time I spend on it.

[May 12th 2016] Ransomware is not a static landscape. One of the reasons I have tried not to oversell the Specific Ransomware Families and Types page is that I can’t guarantee that it’s up to date at all times, even on the limited range of ransomware it covers. In the same way, the information in the Google spreadsheet here may also become outdated, but it does seem to have a number of potential contributors to help maintain it. On the other hand, that might actually mean that it remains partial because it favours the resources with which the contributors are associated, and while I’ve seen it suggested that it covers all ransomware, that’s just wishful thinking. Nonetheless, it could certainly be useful as a starting point when looking for information, but I’d suggest that you don’t assume that it is authoritative.

Some specific families and types are now being linked from sub-pages rather than summarized directly on this page. This is an ongoing process, intended for ease of maintenance.

[If you want to know more about specific ransomware, BleepingComputer is worth trying, as well as other resources such as anti-malware vendor encyclopaedias.]

Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14% – noting that:

  • 2,896 modifications were made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • The ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

Specific ransomware families and types

  • ‘Educational’ Ransomware

*Included in list of ransomware for which decrypters are available according to ZDnet (not checked, but the sources are reasonably reputable).

  • 777*
  • 7ev3n
  • Al-Namrood*
  • Alma
  • Alpha
  • AlphaLocker
  • AndroidLocker/Dogspectus
  • Android/Lockerpin
  • Android/Lockdroid.E
  • Android.Lockscreen
  • Angler Exploit Kit
  • AnonPop
  • Apocalypse*
  • ApocalypseVM*
  • Arena – see Dharma/Crysis
  • Autolocky*
  • Badblock*
  • Bart*
  • Bitcrypter/Bitcryptor*
  • BitLocker
  • BitPaymer
  • Blank Slate Campaign
  • Bluff – fake ransomware attacks
  • Browlock
  • BTCWare
  • Cerber/CRBR (version 1*)
  • Charger
  • Chimera*
  • CoinVault*
  • Coverton
  • CRBR – see Cerber
  • Crowti
  • CrypBoss*
  • CryptoBlock
  • CryptoDefense*
  • CryptInfinite*
  • CrypMIC
  • Crypt38
  • Crypt888 (see also Mircop)
  • CryptFile2
  • Cryptobit
  • CryptoHitman
  • CryptoHost (a.k.a. Manamecrypt)
  • Cryptojoker
  • Cryptolocker
  • CryptoMix
  • CryptoRoger
  • Cryptowall
  • CryptXXX
  • CryptXXX v.1 & 2*
  • CryptXXX v1, 2, 3, 4, 5*
  • CryPy
  • Crysis
  • CTB-Locker
  • Cyber.Police
  • DDoS Extortion and Ransomware
  • Defray
  • Delilah
  • DeriaLock
  • DetoxCrypto
  • Dharma – see Crysis
  • Diablo6 – see Locky
  • DMA Locker*
  • Doxing as a Service
  • Doxware
  • Dridex-related
  • DXXD
  • ElGato
  • ElasticSearch
  • Empty
  • Encryptor RAAS
  • Enigma
  • Enrume
  • Erebus
  • EV (see also WordPress)
  • Evil Santa Ded
  • ExPetr – see Petya
  • Fabiansomware*
  • FairWare
  • FakeCry [See also WannaCry and Petya]
  • Faketoken
  • Fantom
  • FBI virus
  • FenixLocker*
  • FireCrypt
  • Flocker
  • FLUX: see Ransomware as a Service
  • Frozrlock
  • GhostCtrl (see also OmniRAT)
  • Globe*
  • GlobeImposter
  • Goldeneye [see also Petya]
  • Goliath
  • Gomasom*
  • Hades Locker
  • Harasom*
  • HDD Cryptor
  • Hitler
  • HolyCrypt
  • HOSTMAN: see Ransomware as a Service
  • HydraCrypt*
  • Jaff
  • JapanLocker
  • JBoss Backdoors
  • Jigsaw*/CryptoHit
  • Karmen
  • Kelihos
  • KeRanger
  • KeyBTC*
  • KillDisk
  • KimcilWare
  • Kirk
  • Koolova
  • Kovter
  • LeakerLocker
  • LeChiffre
  • Lechiffree*
  • Legion
  • Lockdroid
  • Locker
  • Locky
  • LogicLocker
  • Lukitus (Locky variant)
  • MacRansom (& MacSpy)
  • Magic
  • Maktub
  • Mamba (See HDD Cryptor)
  • Manamecrypt (a.k.a. CryptoHost)
  • Marlboro
  • MarsJoke*
  • Mircop*
  • Mischa
  • MongoDB hacking
  • Nanolocker
  • Nemucod*
  • NOOB
  • ‘Notification’ ransomware
  • NotPetya – see Petya
  • nRansomware
  • Nuclear – see BTCWare
  • Odin
  • OmniRAT (see also GhostCtrl)
  • Operation Global III*
  • OSX.FileCoder.E {see Patcher}
  • OSX.Filezip {see Patcher}
  • PadCrypt
  • Patcher
  • PClock*
  • PetrWrap (see Petya)
  • Petya* (and also NotPetya/ExPetr/PetyaWrap etc.)
  • Philadelphia* [See also Ransomware As A Service]
  • PHP Ransomware
  • Polyglot – see MarsJoke*
  • Pompous
  • Popcorn Time
  • PornDroid
  • PoshCoder
  • PowerWare*
  • Power Worm
  • Princess Locker
  • PWSSynch-B
  • RAA
  • Rakhni & similar*
  • Rannoh*
  • RanRan
  • Ranscam
  • Ransoc
  • Ransom32
  • Ransomlock.AT
  • Ransomware Affiliate Network: see Ransomware as a Service
  • Ransomware as a Service
  • RensenWare
  • Reyptson
  • Rokku
  • Sage
  • Samas
  • SamSam
  • Sarento
  • Satan: see also Ransomware as a Service
  • Satana
  • Serpent
  • 7ev3n
  • Shade
  • Shade v1 & 2*
  • Shark
  • shc – see JapanLocker
  • Shinigami Locker
  • Shujin
  • Simplocker
  • Slocker
  • SNSLocker*
  • Sorebrect
  • Spora
  • Stampado*
  • Surprise
  • Svpeng
  • SynAck
  • SyncCrypt
  • SZFlocker
  • TeamXRat
  • Tech Support Scams and Ransomware
  • Teerac
  • Telecrypt
  • TeslaCrypt
  • TeslaCrypt v1, 2, 3, 4*
  • Tescrypt
  • Tordow (Android.spy.Tordow)
  • Towelroot
  • Troldesh
  • TrueCrypter
  • UmbreCrypt*
  • Vandev*
  • VinCE [See Tech Support Scams and Ransomware]
  • Virlock
  • WannaCryptor (WannaCry, WannaCrypt, wCrypt etc.)
  • WannaLocker
  • Wildfire*
  • WordPress (see also EV)
  • XData
  • Xorist*
  • Xpan
  • Ykcol/.YKCOL – see Locky
  • Zcryptor
  • Zepto
  • ZAYKA

‘Educational’ Ransomware

[20th June 2016] David Bisson for Graham Cluley’s blog: Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list – Nothing is nice about this EDA2-based variant.

An article by David Bisson – Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project – looks at the complicated relationship between unequivocal ransomware (Magic, Ransom_Cryptear.B) and open-source ‘educational’ malware (Hidden Tear, EDA2). Not to mention the unfortunate affair of the free-hosting service that suspended the author’s account and deleted the data, so that even the criminal is unable to decrypt affected files now.

A later article by David Bisson describes Ransomware Propagation Tied to TeamViewer Account (UPDATED) for Tripwire. Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems and the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at Teamviewer, is quoted as saying:

…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

More hopefully, Lawrence Abrams describes for Bleeping Computer a not-all-that-common happy ending (at least for the moment): Pompous Ransomware Dev Gets Defeated by Backdoor.

The story concerns a scammer who borrowed the open-source EDA2 ransomware as the basis for his own, took advantage of the opportunity to lecture his victims, and assumed bragging rights to which he was not entitled, since a backdoor in EDA2 allowed recovery of the decryption keys. Unfortunately, some of his victims had already paid the ransom for their particular decryption keys.

Cylance indicates that AlphaLocker (see below) is based on EDA2.

Alma

Lawrence Abrams for Bleeping Computer: New Alma Locker Ransomware being distributed via the RIG Exploit Kit

Analysis by PhishLabs: Alma Ransomware: Analysis of a New Ransomware Threat (and a decrypter!)

Al-Namrood

Al-Namrood Ransomware (.access_denied) Support & Help Topic

Alpha

David Bisson for Graham Cluley’s blog: How to recover from an Alpha ransomware attack – Do your files have the .ENCRYPT extension? You may have been hit by the Alpha ransomware.

Lawrence Abrams for Bleeping Computer: Decrypted: Alpha Ransomware accepts iTunes Gift Cards as Payment

A free decryptor is available.

Catalin Cimpanu for Softpedia: Decrypter for Alpha Ransomware Lets Victims Recover Files for Free

AlphaLocker

Analysis by Cylance of ransomware of which a unique copy plus administrative panel is sold (very cheaply) to each customer, who then manages the rest of the attack himself. (HT to Artem Baranov for flagging the article.)

Commentary by Kaspersky: Criminals Peddling Affordable AlphaLocker Ransomware

Android.Locker/Dogspectus

Android/Lockerpin

Android.Lockdroid.E

Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining device administrator rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.

Commentary by Pierluigi Paganini here.

Commentary by The Register here: Two-thirds of Android users vulnerable to web history sniff ransomware – Crooks want you to pay up on pain of severe embarrassment – and more

Android.Lockscreen

September 29th 2016

Older versions of the screenlockers often labelled Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

Symantec’s article: Android.Lockscreen ransomware now using pseudorandom numbers – The latest Android.Lockscreen variants are using new techniques to improve their chances of obtaining ransom money.

Commentary by David Bisson for Tripwire.

Angler Exploit Kit

[23rd June 2016]

Joseph C. Chen for TrendLabs: After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity. Interesting figures on a number of exploit kits.

[20th June 2016]: Is Angler EK Sleeping with the Fishes? Neutrino exploit kit now distributing most CryptXXX

Neat summary by Paul Ducklin for Sophos: Angler exploit kit rings in 2016 with CryptoWall ransomware. Also noted in the Cryptowall section below.

Angler takes a lead role in an article by Graham Cluley for Tripwire: Crypto-ransomware Spreads via Poisoned Ads on Major Websites

ArsTechnica report

Malwarebytes report

[19th April 2016] Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’.

AnonPop

[August 1st 2016]

Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living. It explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms”, citing the Talos blog here.

ApocalypseVM

Decryptor made available by Emsisoft: Emsisoft Decrypter for ApocalypseVM. VMProtect was used in the vain hope of preventing security researchers from reverse-engineering this variant. For some reason, this story came back to life in January 2017, six months after the Bleeping Computer story.

Two decrypters from AVG for different versions.

Arena

[1st September 2017]

Bleeping Computer reports a CryptoMix version that also uses the ‘Arena’ file suffix: New Arena CryptoMix Ransomware Variant Released. Lawrence Abrams says:

The easiest way to tell the difference between the CryptoMix and Crysis variants, is that the CryptoMix variant will turn the filenames into a hexadecimal strings…

[25th August 2017]

Apparently related to Dharma/Crysis. ESET calls it Filecoder.Crysis. No reliable decryption and recovery at present. Minimal analysis here.


AutoLocky

[16th April 2016] Emsisoft gives a brief description of ransomware written in AutoIt that imitates Locky, but not very well, apparently. At any rate, Emsisoft also offers a decrypter.

Emsisoft Decrypter for AutoLocky

More description and commentary from David Bisson for Graham Cluley’s blog: Decryption tool released for Locky ransomware impersonator – AutoLocky ransomware has a “laughable” flaw

Bleeping Computer: AutoLocky

BadBlock

Lawrence Abrams describes this horrible piece of scumware here: the decryptor by Fabian Wosar of Emsisoft can be downloaded from here, and Abrams gives detailed instructions on the process.

Decrypter from AVG

Bart

The Register: Eat my reports! Bart ransomware slips into PCs via .zip’d JavaScript – ¡Ay caramba!

David Bisson: Bart ransomware takes files hostage by hiding them in password-protected ZIP files – What’s Locky ransomware got to do with it? Lots!

22nd July 2016: it is reported that Bart ransomware victims get a free decryptor. The decryptor is the work of AVG’s Jakub Kroustek and is available for download. In order to generate the key, the decryptor has to have access to one of the original files as well as its encrypted version.

See also Jaff.

BitLocker

(HT to Artem Baranov)

Vladimir Katalov for ElcomSoft: Breaking BitLocker Encryption: Brute Forcing the Backdoor (Part I)

BitPaymer

Bill Brenner for Sophos: How BitPaymer ransomware covers its tracks

Ransomware that uses ADS (Alternate Data Streams) to reduce its visibility.

Blank Slate Campaign

Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.

Bluff (fake ransomware attacks)

John Leyden for The Register: I don’t care what your eyeballs tell you. Alternative fact is, we’ve locked up your files – Survey: ‘Bluff’ ransomware is on the up

Browlock

BTCWare

Bleeping Computer: Btcware Ransomware Support Topic (.crypton Gryphon Help.txt)

Bleeping Computer: New Nuclear BTCWare Ransomware Released (Updated)

Lawrence Abrams notes: “Michael Gillespie discovered that the developers of this variant messed up on the encryption of files greater than 10MB in file size and will not be able to decrypt them. It was also discovered that this same behavior was seen with other files of random sizes. Therefore, it is advised that you do not pay the ransom as there is a good chance many of your files not be able to be decrypted.”

Cerber

Charger

[January 2017]

The Register: More mobe malware creeps into Google Play – this time, ransomware – Charger seeks to drain bank accounts of unlucky ‘droids

Source, Checkpoint: Charger Malware Calls and Raises the Risk on Google Play

Chimera

13th August 2016:

Extract from Malwarebytes blog: ‘We’ve recently written about the leak of keys for Chimera ransomware. In this, more technical post, we will describe how to utilize the leaked keys to decrypt files. Also, we will perform some tests in order to validate the leaked material.’

Decrypting Chimera Ransomware

3rd August 2016: Kaspersky’s RakhniDecryptor tool is claimed to offer decryption of Chimera-encrypted files.

Malwarebytes on the apparent leaking of Chimera’s private keys by competitors, offering some chance that a decrypter will become available: Keys to Chimera ransomware leaked. Commentary from SC Magazine: Rival cyber-gang leaks private keys of Chimera ransomware. Commentary from Sophos: Chimera ransomware keys leaked by rival malware developers. Commentary by John Leyden for The Register: Saved from ransomware thugs… by rival ransomware thug – Chimera cybercrook competitor hands victims the keys

Coverton

Bleeping Computer: Coverton

CRBR

See Cerber.

Crowti

Microsoft: Crowti

CrypMIC

Trend Micro: CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps

Crypt38

Fortinet: Buggy Russian Ransomware Inadvertently Allows Free Decryption

Crypt888

Decrypter from AVG (See also Mircop)

CryptFile2

American Airlines spam from Kelihos delivers Ransomware

See CryptoMix.

Cryptobit

Be careful with CryptoBit, the latest threat detected (Panda Security, April 2016)

CryptoBit: Another Ransomware Family Gets an Update (Palo Alto, July 2016)

CryptoBlock

Nathan Scott for Malwarebytes: CryptoBlock ransomware and its C2

CryptoHitman

(Rebranded version of Jigsaw.)

Cryptohost (a.k.a. Manamecrypt)

Analysis from Sabrina Berkenhopf for G DATA: Manamecrypt – a ransomware that takes a different route. Somewhat unusual in that, rather than spreading via attachments or an exploit kit, the sample analysed by G DATA is bundled with legitimate software. It blocks a number of applications from running where the process names include certain strings – for instance, the names of security products. In its present incarnation, however, the data can be recovered.

Bleeping Computer: CryptoHost

Cryptojoker

Lawrence Abrams reports for Bleeping Computer on how The CryptoJoker Ransomware is nothing to Laugh About, crediting its discovery to MalwareHunterTeam. The installer passes itself off as a PDF according to Abrams, suggesting that it’s distributed via email phishing campaigns.

Cryptolocker

CryptoMix

[1st September 2017]

Bleeping Computer reports a CryptoMix version that also uses the ‘Arena’ file suffix: New Arena CryptoMix Ransomware Variant Released. Lawrence Abrams says:

The easiest way to tell the difference between the CryptoMix and Crysis variants, is that the CryptoMix variant will turn the filenames into a hexadecimal strings…

[29th August 2017]

The Merkle: CryptoMix Ransomware Developers Struggle to Keep Their Creation Relevant

[25th August 2017]

Bleeping Computer: New EMPTY CryptoMix Ransomware Variant Released

[21st July 2017]

Lawrence Abrams for Bleeping Computer: The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession

[6th July 2017]

Lawrence Abrams for Bleeping Computer: New Azer CryptoMix Ransomware Variant Released. Abrams notes:

This version of Cryptomix was discovered today by security researcher MalwareHunterTeam right as a decryptor for the previous version, Mole02, was released.

[May 2016]

Ransomware that makes the ludicrous claim that the 5 bitcoin ransom will be paid to a children’s charity. Related to CryptoWall 4.0 and CryptXXX: no free decrypter currently available.

Added 5th January 2017:

Cert.PL offers analysis of the newly-polished tur^H^H^H CryptFile2, now known as CryptoMix: Technical analysis of CryptoMix/CryptFile2 ransomware

Among its ‘interesting’ features:

  • The ‘insane’ ransom amount (currently 5 bitcoin)
  • There’s a suggestion in the analysis that paying is likely to generate further ransom demands, but not the decryption keys
  • The crooks claim that the ransom will be contributed to a children’s charity, and that the victim will get free PC support. Yeah, right.

In fact, none of this information is particularly new, but the technical analysis is interesting.

CryptoRoger

21st June 2016

CryptoWall

CryptXXX

CryPy

Kaspersky: CryPy: ransomware behind Israeli lines

Sophos: Data-stealing CryPy ransomware raises the spectre of variable pricing for files

Crysis

25th August 2017: ‘Arena’ is related to Dharma/Crysis. ESET calls it Filecoder.Crysis. No reliable decryption and recovery at present. Minimal analysis here.

[28th May 2017]

ESET: Keys for Crysis released, as decryption efforts of WannaCryptor files continue includes link to decryptor based on the 200 Crysis masterkeys released on Pastebin and announced by a Malwarebytes forum member. There’s also an Avast! decryptor linked from the Bleeping Computer blog.

[2nd March 2017] It seems that it’s now possible to decrypt Crysis-encrypted files that have the .dharma extension. Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com.

ESET has updated its Crysis decryptor to take advantage of the newly-released keys. Kaspersky has done the same with its Rakhni decryptor.

[22nd November 2016] ESET decryption tool: How do I clean a Crysis infection using the ESET Crysis decryptor?. Commentary by The Register here and here.

Several other security companies have also taken advantage of the Crysis master decryption keys being made available anonymously/pseudonymously on the Bleeping Computer forum, as reported by Pierluigi Paganini: The decryption keys for the CrySis ransomware were posted online on the BleepingComputer.com forum by a user known as crss7777.

Ondrej Kubovič for ESET: Beyond TeslaCrypt: Crysis family lays claim to parts of its territory. The ransomware that ESET calls Win32/Filecoder.Crysis encrypts files on fixed, removable and network drives.

It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

It encrypts everything except system files and its own bits and pieces, and charges between 400 and 900 euros. However, ESET users may be able to recover files encrypted by older versions with the help of ESET technical support.

CTB Locker

Proofpoint: MarsJoke Ransomware Mimics CTB-Locker

Bleeping Computer: CTB-Locker for web sites

Article by Darren Pauli for The Register: Reinvented ransomware shifts from pwning PC to wrecking websites – ‘CTB Locker’ targets WordPress, offers live chat to help victims pay up.

And an article by David Bisson for Graham Cluley’s blog: Ransomware’s new target? Websites – Extortionists demand Bitcoin ransom be paid to restore WordPress websites. See also DDoS (distributed denial of service) extortion and ransomware.

Lucian Constantin reports [15 April 2016]: The CTB-Locker ransomware uses a metadata field in bitcoin transactions to store decryption keys

Cyber.Police

See Towelroot Exploit Kit

See also Flocker.

DDoS

[25th May 2016] A version of Cerber that incorporates a DDoS bot.

[9th May 2016] Action Fraud article about DDoS extortion threats by a hacking group: Online extortion demands affecting businesses. Commentary by SC Magazine: Action Fraud warns of new wave of Lizard Squad DDoS attacks

For Tripwire, David Bisson summarizes some of the detail from a report from cloud provider Akamai on trends in DDoS (Distributed Denial of Service) attacks, often associated with attempted extortion.

Here are some older DDoS-related stories.

Softpedia on the failure of the Bitcoin-for-DDoS scheme to make much of a dent in BTCC. (4th January 2016)

Akamai’s [state of the internet] / security Q4 2015 report offers an impressive array of information about DDoS attacks.

And here are a couple of items about the DD4BC (DDoS for BitCoin) gang:

  • ESET reports on Operation Pleiades in which several countries cooperated with Europol against the threat.
  • A related story from the BBC.

Deadly for a Good Purpose

Analysis by MalwareHunter and Bleeping Computer: FireCrypt Ransomware Comes With a DDoS Component. There are similarities with the Deadly for a Good Purpose ransomware.

Defray

Zeljka Zorz for Help Net: New, custom ransomware delivered to orgs via extremely targeted emails

GB Hackers on Security: Beware: New “Defray” Ransomware Attack Spreading Via Microsoft Word Document

Delilah

Delilah: Ransomware and Recruitment

When Chuck Berry recorded ‘Beautiful Delilah’ back in the 1950s, he wasn’t thinking of anything like the Trojan described by Diskin, according to Gartner’s Avivah Litan, as gathering ‘enough personal information from the victim so that the individual can later be manipulated or extorted.’ By which the company apparently includes the recruitment of insiders by forcing them to leak data.

The article concludes:

Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web.

Commentary by Darren Pauli for The Register: Extortion trojan watches until crims find you doing something dodgy – And then the extortion starts and you’re asked to steal critical data

DetoxCrypto

Lawrence Abrams for Bleeping Computer: New DetoxCrypto Ransomware pretends to be PokemonGo or uploads a Picture of your Screen

Commentary by David Bisson for Graham Cluley’s blog: DetoxCrypto ransomware-as-a-service rears its ugly head

DeriaLock

A fast-evolving threat that appeared on Christmas Eve 2016, but researchers quickly provided free decryptors.

Decryptors are available from Checkpoint and from MalwareHunterTeam’s Michael Gillespie.

See also PHP Ransomware for the other family for which Checkpoint provided a decryptor.

Dharma

25th August 2017: ‘Arena’ is related to Dharma/Crysis. ESET calls it Filecoder.Crysis. No reliable decryption and recovery at present. Minimal analysis here.

See Crysis

DMA Locker

Android.Locker/Dogspectus

Android.Locker/ElGato: see ElGato

Diablo6 – see Locky

Doxing as a Service

[28th April 2016]

Here’s a slightly different twist on extortion that doesn’t involve ransomware. Steve Ragan describes for CSO Salted Hash how a Website offers Doxing-as-a-Service and customized extortion. The subtitle explains the business model:

Those posting Dox will get a commission, or they can pay to have someone’s personal details exposed

The amount of commission depends on the type of Doxing. In ascending order of payment:

  • Miscellaneous
  • Revenge
  • Paedophiles [the American spelling is used by the site: Cymmetria’s Nitsan Saddan is quoted as believing that it’s likely that ‘these are American players.’]
  • Law enforcement
  • Famous

The DaaS-tardly doxing service is priced according to the type of information collected, from the barest details to a complete profile. Ragan observes that the service doesn’t seem to be collecting customers – at any rate:

…the Bitcoin wallet used to process payments for this service has received no transactions.

And he has seen little traction on the site since he’s been monitoring it. Nevertheless, he predicts that this kind of activity will become more common.

Doxware

Not a single threat, but a name given to malware that not only holds data to ransom, but threatens to release captured information publicly unless the ransom is paid.

Chris Ensey for DarkReading: Ransomware Has Evolved, And Its Name Is Doxware – The latest form of malware holds computers hostage and compromises the privacy of conversations, photos, and sensitive files.

Dridex-related

Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’. Which may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.

SecurityWeek: Dridex Botnet Spreading Locky Ransomware Via JavaScript Attachments cites Trustwave: Massive Volume of Ransomware Downloaders being Spammed

See also under Jaff.

Droidjack

David Bisson for Graham Cluley’s blog (again): Pokémon Go for Windows? Beware ransomware! Pokémaniacs at risk.

DXXD

David Bisson for Graham Cluley’s blog: Decrypt THIS! Ransomware dev taunts security researchers in support forum – DXXD doesn’t display a ransom note like other ransomware…

ElasticSearch

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

ElGato

Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.

I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato

Empty

[29th August 2017]

The Merkle: CryptoMix Ransomware Developers Struggle to Keep Their Creation Relevant

[25th August 2017]

Bleeping Computer: New EMPTY CryptoMix Ransomware Variant Released

Encryptor RAAS

TrendLabs: The Rise and Fall of Encryptor RaaS

Enigma

Information from Bleeping Computer on Enigma (the ransomware, not the WW2 machine): The Enigma Ransomware targets Russian Speaking Users. While it appears to try to delete Shadow Volume Copies, it seems it doesn’t always succeed: if this is the case for you, this may help.

Enrume

Microsoft: Enrume

Erebus

Graham Cluley for ESET: Web-hosting firm agrees to pay over $1 million to ransomware extortionists [20-6-2017]

Erebus Ransomware Bypasses UAC for Privilege Elevation

EV (WordPress)

[18th August 2017]

Ransomware targeting WordPress sites

WordFence, which offers a security plugin for WordPress sites, reports on Ransomware Targeting WordPress – An Emerging Threat, claiming to have ‘captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.’

I hope the company won’t mind my quoting this important paragraph:

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

Commentary by HelpNet Security here: EV ransomware is targeting WordPress sites

Evil Santa Ded Crypto

David Bisson for Graham Cluley’s blog: Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list – Nothing is nice about this EDA2-based variant.

FairWare

Reported on Bleeping Computer here.

Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible

FakeCry

The Register: Cha-ching! NotPetya hackers cash out – but victims won’t ever see that data again – Plus, bonus ransomware strain found in bottom of source code. [John Leyden reported that ‘A new analysis by Kaspersky Lab reports that:

NotPetya was not the only ransomware pushed through the trojanised M.E.Doc update. Unpacking the source code reveals that the project’s name was “WannaCry” and that it pretends to be “made in China”. These factors have prompted Kaspersky Lab researchers to dub the malware “FakeCry”.’]

Faketoken

Romain Unuchek for SecureList: The banker that encrypted files

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. In Lucian’s article he links to a September article by Anton Kivva on Tordow (see below), not to the one he quotes by Romain Unuchek (as above) on Trojan-Banker.AndroidOS.Faketoken. I’ve messaged him, so that may have changed by the time you read this. [Or not…]

Commentary by Richard Chirgwin for the Register: Bad news, fandroids: Mobile banking malware now encrypts files – First Faketoken stole credentials, now it holds data to ransom

Fantom

The FBI Virus

A misnomer. It isn’t a single threat, it isn’t a virus, and while it does attempt to pass itself off as an action taken on behalf of a law enforcement agency imposing a fine on the victim for viewing pornography or using pirated software, the FBI is by no means the only agency whose name is taken in vain. It’s seen across a variety of systems, and historically has often relied on tricking the user into thinking the system is locked rather than seriously disrupting or blocking the use of the system, so that recovery can sometimes be effected by quite simple means like the steps described here. However, the social engineering component (fake ‘policeware’) of the attack is increasingly seen used in quite different threats that are less easily dealt with, such as Lockerpin. See also Flocker.

FireCrypt

Analysis by MalwareHunter and Bleeping Computer: FireCrypt Ransomware Comes With a DDoS Component. There are similarities with the Deadly for a Good Purpose ransomware.

Flocker

Frozrlock

[13th May 2017]

David Bisson for Graham Cluley’s blog: A ‘great security tool’ that encrypts files? Think again! It’s ransomware – A license for FrozrLock isn’t all that expensive, either…

Fusob

Tom Spring for Kaspersky: SVPENG BEHIND A SPIKE IN MOBILE RANSOMWARE. In Ransomware in 2016-2017 “In its analysis, Kaspersky Lab singled out two malware families, Svpeng and Fusob, as dominating the mobile ransomware space.”

GhostCtrl

Catalin Cimpanu: GhostCtrl Is an Android RAT That Also Doubles as Ransomware

… can lock mobile device by resetting their PIN and display a ransom note to infected victims.

These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections…

…according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT … that can target four major operating systems: Android, Linux, macOS, and Windows.

Trend Micro report cited by Cimpanu.

Globe

Lawrence Abrams for Bleeping Computer: The Globe Ransomware wants to Purge your Files

GlobeImposter

Bleeping Computer discussion: GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext – !back_files!.html )

Goldeneye [see also Petya]

[July 7 2017]

Malwarebytes: The key to old Petya versions has been published by the malware author. It won’t help people or organizations affected by NotPetya/EternalPetya (or whatever your name of choice is), but may be good news for victims of Petya/Goldeneye if they’ve retained disk images.

Earlier…

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software.

Paul Ducklin for Sophos: Goldeneye ransomware: the resumé that scrambles your computer twice

Malwarebytes: Goldeneye Ransomware – the Petya/Mischa combo rebranded

Added 5th January 2016:

Meanwhile, the Petya-derived GoldenEye has been targeting German-speaking HR departments as a way into the lucrative corporate ransomware market. According to Checkpoint:

The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros unbeknown to the receiver.

Not a novel approach, but it’s worked well for other types of malware (including Cerber), and I see no reason why it shouldn’t be effective this time, even though (as David Bisson points out):

While those in HR should expect to receive emails from all kinds of people, they shouldn’t give anyone who sends a Microsoft Office document with macros enabled the time of day. In fact, organizations should make sure that every computer in every department disables Office macros by default.

Goliath

May 19th, 2016.

Hades Locker

Proofpoint: Hades Locker Ransomware Mimics Locky

HDD Cryptor

Kaspersky: The return of Mamba ransomware

Trend Micro Analysis: BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs

Brian Krebs: San Francisco Rail System Hacker Hacked

Ars Technica: Ransomware locks up San Francisco public transportation ticket machines – Some systems now restored; attacker demanded $73,000.

Hitler

For once, an article about Hitler that doesn’t invoke Godwin’s law

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

HolyCrypt

Lawrence Abrams for Bleeping Computer: New Python ransomware called HolyCrypt Discovered. The sample analysed by AVG’s Jakub Kroustek ‘appears to be a development version used by the malware developer to test the ransomware.’

Jaff

Some sources link the WannaCryptor outbreak with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSIsoft. Commentary by The Register.

Apparently Kaspersky’s RakhniDecryptor tool v.1.21.2.1 now decrypts Jaff-encrypted files.

JapanLocker

For Fortinet, Artem Semenchenko and Joie Salvio examine the resemblances between ‘JapanLocker’ and the surprisingly similar open-source ransomware ‘shc’.

“JapanLocker”: An Excavation to its Indonesian Roots

JBoss Backdoors [18th April 2016]

Alexander Chiu for Talos looks hard at the JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chiu observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

Jigsaw/CryptoHitMan

Karmen

[18th April 2017]

Ransomware-as-a-Service derived from Hidden Tear, sold by DevBitox on the dark web.

Analysis by Recorded Future: Karmen Ransomware Variant Introduced by Russian Hacker

Recorded Future on Hidden Tear

Commentary by John Leyden for The Register: Profit with just one infection! Crook sells ransomware for  – Nifty dashboard shows the bitcoin rolling in

Kelihos

KeRanger

[15th February 2017] Sophos: RSA 2017: Deconstructing macOS ransomware

[14th April 2016] F-Secure’s Mikko Hypponen believes that KeRanger is a forerunner of ransomware targeting not only local files but backups stored on network-attached and in-the-cloud devices. In-the-cloud? TechRepublic states:

However, analysis of KeRanger also revealed work-in-progress code intended to also scramble files backed-up to attached storage via OS X’s Time Machine service.

Palo Alto reported on March 6th that New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer: they believe this to be ‘the first fully functional ransomware seen on the OS X platform.’ At any rate, it looks like a capable piece of malware. According to fortune.com, Palo Alto plans ‘to release a blog advising Mac users on ways to check to see if they were infected with the virus and steps they can take to protect against it harming their data’. [Updated 7th March 2016: additional commentary by Graham Cluley for Intego – Mac Users Hit by Rare Ransomware Attack, Spread via Transmission BitTorrent App – and Darren Pauli for The Register – First working Apple Mac ransomware infects Transmission BitTorrent app downloads: If you downloaded 2.90, you’ve got a few hours to get rid of it.] Bleeping Computer: KeRanger. Analysis by ESET: New Mac ransomware appears: KeRanger, spread via Transmission app

(Yes, this is duplicated in the OS X section above, for the moment: also commented on in some Mac Virus articles.)

Help Net Security has published some comments it has received from the industry on KeRanger: specifically from Aviv Raff of Seculert, Van Abernethy of NSFOCUS IB, and David Kennerley of Webroot. Mostly the sort of advice you’d expect to get from people in the security industry. Reactions to the KeRanger ransomware for Macs

According to a blog article from Bitdefender, KeRanger ‘looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016.’ Commentary from John Leyden for The Register: First Mac OS X ransomware actually a rewrite of Linux file scrambler – Gatekeeper nutmegged using dodgy cert.

KillDisk

CyberX reports that KillDisk, already associated with cybersabotage, is now also being used as a basis for ransomware, demanding a hefty 222 bitcoin in ransom.

NEW KILLDISK MALWARE BRINGS RANSOMWARE INTO INDUSTRIAL DOMAIN

Commentary by Catalin Cimpanu for Bleeping Computer: KillDisk Disk-Wiping Malware Adds Ransomware Component.

Commentary by David Bisson for Tripwire: KillDisk Wiper Malware Evolves into Ransomware.

Added 5th January 2017:

For ESET, Robert Lipovsky and Peter Kálnai have more information on KillDisk’s recent foray into ransomware: KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt.

They summarize:

The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations. Considering the high ransom of around USD 250,000 – resulting in a low probability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient way of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.

Analyses by McAfee [added 14th February 2017]: Analyzing KillDisk Ransomware, Part 1: Whitelisting; Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

KimcilWare

Bleeping Computer: KimcilWare

Kirk

Lawrence Abrams for Bleeping Computer: Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor!

David Bisson for Graham Cluley’s blog: Kirk ransomware sports Star Trek-themed decryptor and little-known crypto-currency – “It’s ransomware, Jim, but not as we know it!”

Koolova

Perhaps the oddest thing to pop up recently is the Koolova ransomware (which refers to itself as Nice Jigsaw): it encrypts files and threatens to delete them, but supplies a decryption key once the victim has read two articles: Google’s Stay safe while browsing and Bleeping Computer’s Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

Lawrence Abrams: Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware. Commentary by Graham Cluley for Tripwire: Ransomware Offers Free Decryption if you Learn About Cybersecurity.

I have to agree with Abrams that there’s something creepy (to say the least) about this. But not only because it cites one of his own articles. Even though the ‘ransom’ isn’t monetary, there are less offensive ways in which someone could make that ‘educational’ point without compromising someone else’s data and without the barely-concealed gloating because of the power they have over the victim but choose not to exercise. And I find it hard to believe that the people behind this are always going to be so ‘nice’. Are they priming the pump for a different kind of attack?

Kovter

Jai Vijayan for Dark Reading: New Kovter Trojan Variant Spreading Via Targeted Email Campaign – The authors of a malware sample that has been around for more than two years have yet another trick for distributing it.

[Older content]

Fake IRS refund carries Kovter ransomware downloader

To be precise, the ZIP file distributed by the spam campaign activates Powershell to download a Kovter payload delivering ransomware. The secondary payload is CoreBOT, a highly adaptive form of modular malware.

According to Heimdal’s Andrea Zaharia, the spam message looks something like this:

From: [spoofed / fake return address]

Subject Line: Payment for tax refund # 00 [6 random numbers]

Attached:
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js

Heimdal analysis: Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign

Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware

Check Point [19th April 2016]: KOVTER RANSOMWARE – THE EVOLUTION: From Police Scareware to Click Frauds and then to Ransomware

An article by Reaqta explores the relationship between Kovter and Nemucod: Nemucod meets 7-Zip to launch ransomware attacks

LeakerLocker

[1st August 2017]

Trend Micro: LeakerLocker Mobile Ransomware Threatens to Expose User Information

[13th July 2017]

David Bisson for Graham Cluley’s blog: LeakerLocker ransomware threatens to dox Android users as extortion – Digital threat spotted in two apps on Google’s Play Store.

LeChiffre

Malwarebytes: LeChiffre

Legion

Decrypter from AVG

Lockdroid

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone. [23rd February 2017]

Locker

An internal discussion regarding the closing down of TeslaCrypt reminded me that it’s not the first time that ransomware has been closed down with some measure of apology and remediation. On the 30th May 2016, a post appeared on Pastebin announcing that:

I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.

I uploaded the database to mega.co.nz containing “bitcoin address, public key, private key” as CSV. This is a dump of the complete database and most of the keys weren’t even used…

The poster went on to give a variety of information about the malware.

Locky (see also Jaff)

Lukitus

[September 1st 2017]

Zeljka Zorz for HelpNet: Locky ransomware returns with new tricks up its sleeve

[August 30th 2017]

Malware Breakdown: “IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

LogicLocker

14th February 2017:

An ICS attack – or rather a PoC simulation – from Georgia Institute of Technology, making a big splash at RSA.

MacRansom (& MacSpy)

MacSpy isn’t ransomware, but seems to have been developed by the same author, and both are offered as as-a-service malware.

Zeljka Zorz for HelpNet Security: Two Mac malware-as-a-Service offerings uncovered. According to HelpNet ‘Patrick Wardle’s RansomWhere? tool can also stop MacRansomware from doing any damage.’

Rommel Joven and Wayne Chin Yick Low, for Fortinet: MacRansom: Offered as Ransomware as a Service

Sophos: More evidence Mac ransomware exists

Fortinet notes that “Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file…”

AlienVault: MacSpy: OS X RAT as a Service

Magic

Bleeping Computer: Magic

Magnitude Exploit Kit

[3rd August 2017]

for Malwarebytes: Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain. Magnitude ‘is mainly used to deliver the Cerber ransomware to specific countries in Asia.’ Interesting techniques.

Maktub

[14th April 2016] Paul Ducklin, for Sophos: The ransomware attack that knows where you live

[24th March, 2016] Hasherazade for Malwarebytes: Maktub Locker – Beautiful And Dangerous

[23rd March 2016] Lawrence Abrams for Bleeping Computer: The Art of the Maktub Locker Ransomware

Mamba

See HDD Cryptor

Manamecrypt (a.k.a. Cryptohost)

Analysis from Sabrina Berkenhopf for G DATA: Manamecrypt – a ransomware that takes a different route. It is somewhat unusual in that, rather than spreading via attachments or an exploit kit, the sample analysed by G DATA is bundled with legitimate software. It also blocks a number of applications from running where their process names include certain strings – for instance, the names of security products. In its present incarnation, the data can, however, be recovered.

Marlboro

Catalin Cimpanu for Bleeping Computer: Marlboro Ransomware Defeated in One Day

Emsisoft’s decryptor. However, due to the bugginess of the malware, Fabian Wosar, who created the decryptor, notes that:

“…the malware will truncate up to the last 7 bytes from files it encrypts,” the researcher said. “It is, unfortunately, impossible for the decrypter to reconstruct these bytes.”

MarsJoke

Proofpoint: MarsJoke Ransomware Mimics CTB-Locker

Kaspersky: MARSJOKE RANSOMWARE TARGETS .EDU, .GOV AGENCIES

Kaspersky: RESEARCHERS BREAK MARSJOKE RANSOMWARE ENCRYPTION

Commentary by SC Magazine: Multilingual ransomware Polyglot talks good game, but can’t match CTB-Locker

Mircop

TrendLabs: MIRCOP Crypto-Ransomware Channels Guy Fawkes, Claims To Be The Victim Instead. Some victim… demanding a ransom of 48.48 bitcoins.

Decrypter from AVG

Mischa

[24th October 2016]

MBRFilter is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

[May 14th 2016] Lawrence Abrams for Bleeping Computer: Petya is back and with a friend named Mischa Ransomware. If a new installer for Petya is unable to gain the admin privileges it needs to modify the Master Boot Record (MBR), it now installs the more conventional Mischa ransomware instead. See also MISCHA RANSOMWARE Support and Help Topic – YOUR_FILES_ARE_ENCRYPTED.HTML & TXT.

July 31st 2016

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

MongoDB

Following reports of tens of thousands of MongoDB database installations attacked with ransomware, the maker published advice on how to avoid unsafe defaults. Thomas Claburn for The Register (11th January 2017):

How to secure MongoDB – because it isn’t by default and thousands of DBs are being hacked – Stop right now and make sure you’ve configured it correctly

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

NanoLocker

Bleeping Computer: NanoLocker

Nemucod

NOOB

[21st July 2017]

Lawrence Abrams for Bleeping Computer: The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession

‘Notification’ ransomware

Kaspersky: The “notification” ransomware lands in Brazil

nRansomware

From Motherboard: This Ransomware Demands Nudes Instead of Bitcoin. To be precise, at least ten nude photographs of the victim. Real ransomware or an unpleasant prank: well, quite a few AV engines detect it as malware, according to VirusTotal. More info if and as I receive it.

Nuclear

See BTCWare

Odin

Sophos: Odin ransomware takes over from Zepto and Locky

Fortinet: The Locky Saga Continues: Now Uses .odin as File Extension

OmniRAT

Catalin Cimpanu: GhostCtrl Is an Android RAT That Also Doubles as Ransomware

… can lock mobile device by resetting their PIN and display a ransom note to infected victims.

These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections…

…according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT … that can target four major operating systems: Android, Linux, macOS, and Windows.

Trend Micro report cited by Cimpanu.

OSX/Filecoder.E/OSX.Findzip

See Patcher.

PadCrypt

Ransomware with several interesting features described for Graham Cluley’s blog by David Bisson: New ransomware comes with Live Chat feature, somewhat useless uninstaller. The article draws on information published by Lawrence Abrams for Bleeping Computer: PadCrypt: The first ransomware with Live Support Chat and an Uninstaller.

The point about the uninstaller is that it removes all the files associated with the infection, but doesn’t reverse the encryption.

Patcher

Marc-Etienne M.Léveillé for ESET: New crypto-ransomware hits macOS – malware that calls itself ‘Patcher’, detected by ESET as OSX/Filecoder.E [22nd February 2017]

Thomas Reed for Malwarebytes: Mac ransomware on piracy sites – Malwarebytes calls it OSX.Findzip. [23rd February 2017]

Thomas Reed’s follow-up: Decrypting after a Findzip ransomware infection. Very useful work on recovering data (the gang behind the ransomware will take your money, but can’t provide you with a way of decrypting it). [February 28th 2017]

Paul Ducklin for Sophos: ‘Filecode’ ransomware attacks your Mac – how to recover for free [28th February 2017]

Commentary by Graham Cluley: How to recover from the FileCoder ransomware on your Mac – Buggy ransomware didn’t offer a method of recovery even if you paid the extortionists. Until now. [March 1st 2017]

Note that both Reed and Cluley sometimes refer to the malware as FileCoder (Graham Cluley amended his article subsequently). This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.

Avast! has a decryptor, though it requires Windows emulation.

Petya (and NotPetya/ExPetr/PetrWrap etc.)

Philadelphia

[25th July 2017]

Sophos: Ransomware as a service: how the bad guys marketed Philadelphia

Lawrence Abrams for Bleeping Computer: The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals

Zeta Two: Reversing malware USB drives in Gothenburg

PHP Ransomware

Paul Ducklin’s articles are always worth reading, but this one is particularly relevant to this blog: PHP ransomware attacks blogs, websites, content managers and more… The article is mainly about the malware Sophos calls Troj/PHPRansm-B.

Unnamed PHP Ransomware(-ish)

Checkpoint also has a decryptor for the unnamed PHP ransomware described in its article on DeriaLock. In fact, ransomware might be the wrong word in this case, since at present it displays no ransom ‘note’ and has no known channel for paying a ransom.

Polyglot

See MarsJoke

Pompous

Lawrence Abrams describes for Bleeping Computer a not-all-that-common happy ending (at least for the moment): Pompous Ransomware Dev Gets Defeated by Backdoor.

The story concerns a scammer who based his ransomware on the open-source EDA2 code, and took the opportunity to lecture his victims while claiming bragging rights to which he was not entitled: a backdoor in EDA2 allowed recovery of the decryption keys. Unfortunately, some of his victims had already paid the ransom for their particular decryption keys.

Popcorn Time

Bleeping Computer: New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key

PornDroid

ZScaler: “New Android ransomware bypasses all antivirus programs – Infection continues even after the victim pays the ransom”. Despite the sensationalist title and the four hour gap between download and activation, it isn’t actually difficult to detect. ESET detects it as Android/Locker.KB. Some sources describe it as a PornDroid variant.

PoshCoder

6-4-16: see PowerWare

Known for its attempts to imitate other ransomware – Cryptowall, TeslaCrypt, Locky…

PowerWare

[23rd July 2016]

Zeljka Zorz reports for Help Net Security: Decrypter for Locky-mimicking PowerWare ransomware released – Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Josh Grunzweig’s decryptor is a Python script available here.

Zeljka points out ‘They can try following these instructions on Python.com on how to run a Python script on Windows, or ask someone more knowledgeable to help them clean their machine up.’

[4-4-16]

AlienVault: PowerWare “Fileless Infection” Deepens Ransomware Conundrum for Healthcare Providers

Carbon Black flexes its PR muscles and manages not to mention that ‘AV is Dead’ in its analysis: Threat Alert: “PowerWare,” New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word. It does share Indicators of Compromise, but as a graphic rather than as text. However, the Word doc used to spread the malware is detected (according to VirusTotal) by 34 products at the time of writing: 69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf. The ransomware script is also widely detected: https://www.virustotal.com/en/file/02beca974ecc4f871d8d42462ef305ae595fb6906ad764e6e5b6effe5ff05f29/analysis/.

Michael Mimoso for Threat Post (Kaspersky): Fileless Powerware Ransomware Found On Healthcare Network

6th April 2016

Peter Ewane draws comparisons between PowerWare and PoshCoder, and asserts that:

PowerWare seems to be heavily based on PoshCoder, the ransomware that rose to infamy due to the fact it destroyed encrypted data using a logic based programming flaw.

His analysis is here: PowerWare or PoshCoder? Comparison and Decryption

PoshCoder is, in turn, closely related to Power Worm. Some sources regard the names as interchangeable.

Power Worm

Graham Cluley on a more-than-usually-inept example of ransomware: Buggy ransomware locks up your data, then throws away the encryption key

Princess Locker

Bleeping Computer: Introducing Her Royal Highness, the Princess Locker Ransomware

[21st November 2016] Analysis by Malwarebytes with a link to a decryptor. PrincessLocker – ransomware with not so royal encryption

PWSSync-B

15th February 2017: Sophos – RSA 2017: Deconstructing macOS ransomware

RAA

Lawrence Abrams for Bleeping Computer: The new RAA Ransomware is created entirely using Javascript

Rannoh

Kaspersky’s RannohDecryptor, originally developed to counter the Rannoh ransomware, has been tweaked to offer decryption of CryptXXX. In order to effect the decryption, the victim must have access to the original unencrypted version of at least one of the encrypted files. The decryptor is also claimed to work with the malware that Kaspersky calls Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, and Trojan-Ransom.Win32.Cryakl.

RanRan

[9th March 2017] Unit 42: Targeted Ransomware Attacks Middle Eastern Government Organizations for Political Purposes

Falcone and Grunzweig say: ‘The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.’

Ranscam

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’, but in fact the malware simply deletes them, makes it as difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

[August 1st 2016]

Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living. The article explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms.” Citing the Talos blog here.

Ransoc

John Leyden for The Register: New Ransoc extortionists hunt for actual child abuse material – Brazen hackers actually accepting credit card payments. Based on a report by Proofpoint: Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles

Ransom32

Sabrina Pagnotta writes for ESET on the ransomware Emsisoft calls Ransom32, notable for passing itself off as Chrome.

Bleeping Computer: Ransom32

Emsisoft’s Fabian Wosar, having recovered from the ‘shock’ of being badmouthed by the author of the Radamant ransomware kit, continues the good work by reporting on The First Ransomware in Javascript: Ransom32. English version of the article now to be found here, and there is a summary by Richard Chirgwin for The Register: Happy 2016, and here’s the year’s first ransomware story – JavaScript-ed nasty only spotted on Windows, so far. Wosar points out that in theory at least, this malware could easily be repackaged for OS X and Linux:

That should mean that Ransom32 can also easily be packaged for Linux and Mac OS X, at least in theory.

Later commentary by Help Net: Difficult to block JavaScript-based ransomware can hit all operating systems.

See also the Cerber section above.

Ransomlock.AT

[8th August 2016]

As described in an article on this site: Ransomlock.AT: ransomware meets support scams

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

Ransomware as a Service

[25th July 2017]

Sophos: Ransomware as a service: how the bad guys marketed Philadelphia

[13th June 2017]

(MacSpy isn’t ransomware, but seems to have been developed by the same author, and both are offered as as-a-service malware.)

Zeljka Zorz for HelpNet Security: Two Mac malware-as-a-Service offerings uncovered. According to HelpNet ‘Patrick Wardle’s RansomWhere? tool can also stop MacRansomware from doing any damage.’

Rommel Joven and Wayne Chin Yick Low, for Fortinet: MacRansom: Offered as Ransomware as a Service

Fortinet notes that “Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file…”

AlienVault: MacSpy: OS X RAT as a Service

[13th May 2017]

David Bisson for Graham Cluley’s blog: A ‘great security tool’ that encrypts files? Think again! It’s ransomware – A license for FrozrLock isn’t all that expensive, either…

[18th April 2017]

Karmen – Ransomware-as-a-Service derived from Hidden Tear, sold by DevBitox on the dark web.

Analysis by Recorded Future: Karmen Ransomware Variant Introduced by Russian Hacker

Recorded Future on Hidden Tear

Commentary by John Leyden for The Register: Profit with just one infection! Crook sells ransomware for  – Nifty dashboard shows the bitcoin rolling in

[3rd April 2017]

John Leyden for The Register: Point-and-pwn tool for posers dumbs down ransomware spreading

[16th February 2017]

Fortinet: Ransomware-as-a-Service: Rampant in the Underground Black Market. HOSTMAN, FLUX, Ransomware Affiliate Network

Zeljka Zorz for HelpNet Security: Satan: A new Ransomware as a Service;
Darren Pauli for The Register: Satan enters roll-your-own ransomware game – Code named for Prince of Darkness offers commissions for spreading evil

Lawrence Abrams for Bleeping Computer: New DetoxCrypto Ransomware pretends to be PokemonGo or uploads a Picture of your Screen

Commentary by David Bisson for Graham Cluley’s blog: DetoxCrypto ransomware-as-a-service rears its ugly head

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

Symantec: Shark: New Ransomware-as-a-Service threat takes bite of proceeds – The creators of Shark have made it freely available, but demand a 20 percent cut of its profits.

SC Magazine: Commentary and related links. Shark ransomware-as-a-service chomps its way to a 20% commission

RensenWare

Reyptson

Lawrence Abrams for Bleeping Computer: Reyptson Ransomware Spams Your Friends by Stealing Thunderbird Contacts. He says:

‘…unfortunately there is no way to decrypt this ransomware currently for free. We have, though, setup a dedicated Reyptson Support & Help Topic for those who wish to discuss it or ask questions.’

Announcement by EMSIsoft’s @PolarToffee.

Notes from @malwrhunterteam

Rokku

An Avira blog describes the very ‘professional’ Rokku ransomware. It has a number of interesting characteristics, but its use of a QR code to enable a victim to pay up has particularly caught the imagination of Sven Carlsen in his analysis: Rokku, the “professional” ransomware.

Bleeping Computer: CryptoHost

Sage

[March 6th 2017] Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.

David Bisson for Graham Cluley’s blog: Sage 2.0 ransomware wants to be just like Cerber when it grows up – Same parents or pure mimicry?

SamAs

Microsoft: Samas

SamSam

[March 31st, 2016]

Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

Pierluigi Paganini: Why malware like the Samsam ransomware are so dangerous for hospitals?

[18th April]

Alexander Chiu for Talos looks hard at the (SamSam-related) JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chiu observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

[19th April 2016]

For The Register, Iain Thomson summarizes the issues around SamSam’s migration from hospitals to schools and the should-have-been-patched-long-ago JBoss vulnerability that Talos has flagged previously.

Sarento

Microsoft: Sarento

Satan

See also Ransomware as a Service.

Darren Pauli for The Register: Satan enters roll-your-own ransomware game – Code named for Prince of Darkness offers commissions for spreading evil

[Added 8th February 2017] Peter Stephenson for SC Magazine: Devilish New Ransomware Hits the Street.

Satana

MBRFilter is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

Earlier info:

Serpent

New Serpent Ransomware Targets Danish Speakers

7ev3n

Shade

David Bisson for Graham Cluley’s blog: Shade malware attack examines your finances before demanding ransom – Remote control now. Encryption later.

Shark

Symantec: Shark: New Ransomware-as-a-Service threat takes bite of proceeds – The creators of Shark have made it freely available, but demand a 20 percent cut of its profits.

SC Magazine: Commentary and related links. Shark ransomware-as-a-service chomps its way to a 20% commission

Shinigami Locker

JP Buntix for The Merkle: Bitcoin Ransomware Education: Shinigami Locker

Shujin

Article from Trend Micro on ransomware localized to China, using the simplified character set favoured on the mainland: Chinese-language Ransomware Makes An Appearance

Simplocker

Slocker

Trend Micro: SLocker Mobile Ransomware Starts Mimicking WannaCry

Check Point blog: Preinstalled Malware Targeting Mobile Users

SNSLocker

Trend Micro: Ransomware Leaves Server Credentials in its Code

Sorebrect

Spora

Danny Palmer for ZDnet: Ransomware 2.0: Spora now steals your credentials and logs what you type – Spora has become the latest form of ransomware to inflict several different forms of misery on its victims.

Sophos, 26th June 2017: How Spora ransomware tries to fool antivirus

Bleeping Computer: Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet

Bleeping Computer: Spora Ransomware Sets Itself Apart with Top-Notch PR, Customer Support

McAfee on Spora’s offline capabilities: Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

Stampado*

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software including Petya/Goldeneye and Stampado.

Surprise

Bleeping Computer: The Surprise

David Bisson describes Ransomware Propagation Tied to TeamViewer Account (UPDATED) for Tripwire. Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems and the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at Teamviewer, is quoted as saying:

…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

Svpeng

Tom Spring for Kaspersky: SVPENG BEHIND A SPIKE IN MOBILE RANSOMWARE, discussing the report Ransomware in 2016-2017: “In its analysis, Kaspersky Lab singled out two malware families, Svpeng and Fusob, as dominating the mobile ransomware space.”

SynAck

[September 5th 2017]

Catalin Cimpanu for Bleeping Computer: SynAck Ransomware Sees Huge Spike in Activity

SyncCrypt

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection of the image file for which a hash is provided is rising, but remains lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.
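As an added example (not from the Bleeping Computer analysis, and not SyncCrypt’s own code), the following Python shows the triage check a responder would run on an attachment of this kind: it looks for a Zip archive stashed after the JPEG end-of-image marker, which image viewers ignore, and flags executable members. The JPEG header bytes and the archive are constructed inline as test input; the member name sync.exe is taken from the article, and everything else (function names, the list of suffixes treated as executable) is an assumption. The check is generic and will catch any Zip appended behind a JPEG trailer, not only this family.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"          # start of image
JPEG_EOI = b"\xff\xd9"          # end of image: viewers stop reading here
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"        # end of central directory record
# Assumed list of member suffixes worth escalating on.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".wsf", ".js", ".vbs", ".ps1")


def find_embedded_zip(data: bytes):
    """Return (offset, member_names) for a ZIP archive found after the
    JPEG end-of-image marker, or None. A candidate counts only if the
    standard library can actually open it as an archive."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.find(JPEG_EOI)
    if eoi == -1:
        return None
    # Bytes after EOI are ignored by image viewers, so that is where a
    # polyglot hides its payload. Look for a ZIP local file header there.
    off = data.find(ZIP_LOCAL_HEADER, eoi + len(JPEG_EOI))
    if off == -1 or data.find(ZIP_EOCD, off) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
            return off, zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_image(data: bytes) -> dict:
    """Triage verdict for one file: 'clean', 'embedded-zip' (archive
    present but no executable members) or 'suspicious'."""
    found = find_embedded_zip(data)
    if found is None:
        return {"verdict": "clean", "offset": None, "members": [], "executables": []}
    off, names = found
    execs = [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {
        "verdict": "suspicious" if execs else "embedded-zip",
        "offset": off,
        "members": names,
        "executables": execs,
    }


def build_sample(member_name: str = "sync.exe", payload: bytes = b"MZ...") -> bytes:
    """Constructed test input (not a real sample): a minimal JPEG header
    and EOI marker with a genuine ZIP archive appended after them."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    # APP0/JFIF segment: marker, 16-byte length, identifier, version, density, no thumbnail.
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + JPEG_EOI + archive.getvalue()


if __name__ == "__main__":
    print(scan_image(build_sample()))                        # suspicious: sync.exe
    print(scan_image(build_sample("notes.txt", b"text")))    # embedded-zip
    print(scan_image(JPEG_SOI + JPEG_EOI))                   # clean
```

Running the file against real attachments means reading each candidate with `open(path, "rb").read()` and passing it to `scan_image`; the verdict deliberately distinguishes a trailer Zip with only documents in it from one carrying an executable, since the former occasionally appears in legitimate files while the latter is the pattern described above.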

SZFlocker

Decrypter from AVG

TeamXRat

Kaspersky: TeamXRat: Brazilian cybercrime meets ransomware

Tech Support Scams and Ransomware

Teerac

Microsoft: Teerac

Telecrypt

Kaspersky Labs: The first cryptor to exploit Telegram

Commentary from HelpNet Security: Telecrypt ransomware uses Telegram for command and control

Sounds as if data is recoverable without paying the crooks, at present.

[23rd November 2016] Nathan Scott, of Malwarebytes, has provided a decryption tool here which should work as long as there’s an unencrypted copy of one of the encrypted files available. Commentary by Darren Pauli for The Register here. 
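As an added illustration (this is not the Malwarebytes tool, and the cipher below is a simplified stand-in rather than a reimplementation of Telecrypt’s routine), this Python shows why one unencrypted copy of an encrypted file is enough: subtracting known plaintext from ciphertext exposes the keystream, and when the key repeats, the recovered key decrypts every other file encrypted under it. The key, the file contents and the toy cipher are all constructed for the example.

```python
def toy_encrypt(plain: bytes, key: bytes) -> bytes:
    """Stand-in cipher (assumption, not Telecrypt's real routine): each
    byte gets the matching key byte added mod 256, with the key repeating."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(plain))


def toy_decrypt(cipher: bytes, key: bytes) -> bytes:
    """Inverse of toy_encrypt."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(cipher))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known plaintext: ciphertext minus plaintext, byte by byte, is the keystream."""
    n = min(len(plain), len(cipher))
    return bytes((cipher[i] - plain[i]) & 0xFF for i in range(n))


def shortest_period(stream: bytes):
    """Smallest p for which the stream repeats every p bytes. Only a p that
    the stream covers at least twice is accepted, so a short sample cannot
    masquerade as a confirmed key length."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def recover_key(plain: bytes, cipher: bytes):
    """Derive the repeating key from one (original, encrypted) file pair.
    Returns None if the pair is not a pure stream-cipher relationship
    (lengths differ) or the sample is too short to confirm a period."""
    if len(plain) != len(cipher):
        return None
    stream = recover_keystream(plain, cipher)
    period = shortest_period(stream)
    if period is None:
        return None
    return stream[:period]


if __name__ == "__main__":
    key = b"t3l3gr4m!"  # constructed key
    original = b"Quarterly report: revenue up 4%, see the attached spreadsheet for details."
    encrypted = toy_encrypt(original, key)
    recovered = recover_key(original, encrypted)
    print(recovered == key)  # one known file is enough to get the whole key
    other = toy_encrypt(b"Another file from the same machine.", key)
    print(toy_decrypt(other, recovered))
```

The caveat a practitioner would want is the one encoded in `shortest_period`: the known file must be at least twice the key length, otherwise the recovered keystream cannot be distinguished from a longer key, which is the same reason such tools ask for an original file rather than a single known header.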

TeslaCrypt

Tescrypt

Microsoft: Tescrypt

Tordow

Anton Kivva for Kaspersky (September 20th 2016), describing malware discovered in February 2016 (Trojan-Banker.AndroidOS.Tordow.a): The banker that can steal anything.

According to Comodo (December 13th 2016), a ‘2nd version’ has acquired extra functionality characteristic of ransomware: Comodo Threat Research Labs Warns Android Users of “Tordow v2.0” outbreak. They refer to it as Android.spy.Tordow.

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. (The other malware he’s referring to is Faketoken, though in Lucian’s article he links to the September article by Anton Kivva, not to the one he quotes by Roman Unuchek. I’ve messaged him, so this may have changed by the time you read this.)

Towelroot Exploit Kit

Troldesh

Microsoft Malware Protection Center: Troldesh ransomware influenced by (the) Da Vinci code

TrueCrypter

Lawrence Abrams for Bleeping Computer reports on something called TrueCrypter that demands payment either as 0.2 bitcoins or as $115 in Amazon gift cards: TrueCrypter Ransomware accepts payment in Bitcoins or Amazon Gift Card.

He observes:

This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon.  This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.

He has a point, but I’m told there are forums where gift cards might be ‘laundered’ before they turn up in the virtual economy. Still, TrueCrypter looks very amateur for other reasons, too. Just clicking on the ‘Pay’ button decrypts your files. I suspect that won’t always be the case, though.

[2nd May 2016] Commentary by David Bisson: TrueCrypter ransomware lets you pay with Amazon gift cards – Just click “Pay” to decrypt – no payment required! (at the moment)

Umbrecrypt

Bleeping Computer: Umbrecrypt

VinCE

See Tech Support Scams and Ransomware

Virlock[er]

Noted on Spiceworks

Raul Alvarez for Fortinet: On-Demand Polymorphic Code In Ransomware

Zeljka Zorz for HelpNet: VirLocker ransomware is back, but can be defeated. Source article from Malwarebytes: VirLocker’s comeback; including recovery instructions [January 2017]

WannaCryptor (WannaCry, WannaCrypt etc.)


WannaLocker

David Bisson – WannaLocker – The WannaCry Copycat Targeting Android Users in China

Wildfire

Kelihos botnet delivering Dutch WildFire Ransomware

Jornt van der Wiel, for Kaspersky: Wildfire, the ransomware threat that takes Holland and Belgium hostage. Summary/commentary by Darren Pauli for The Register: Intel douses Wildfire ransomware as-a-service Euro menace – Group scored $79k a month with infect-o-tronic rent-a-bot

Decrypters available from Kaspersky and Intel via the No More Ransom site.

WordPress (EV)

[18th August 2017]

Ransomware targeting WordPress sites

WordFence, which offers a security plugin for WordPress sites, reports on Ransomware Targeting WordPress – An Emerging Threat, claiming to have ‘captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.’

I hope the company won’t mind my quoting this important paragraph:

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

Commentary by HelpNet Security here: EV ransomware is targeting WordPress sites

XData

ESET recovery tool

Avast! recovery tool

ESET: Anton Cherepanov – XData ransomware making rounds amid global WannaCryptor scare

Xpan

Kaspersky: TeamXRat: Brazilian cybercrime meets ransomware

ZAYKA

[21st July 2017]

Lawrence Abrams for Bleeping Computer: The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession

ZCryptor

[Added 17th June 2016] Malwarebytes description of zCrypt ransomware: under the hood

[Added 10th June 2016] McAfee: Zcrypt Expands Reach as ‘Virus Ransomware’

Zepto

[6th – 8th October 2016]

Sophos: Odin ransomware takes over from Zepto and Locky

Fortinet: The Locky Saga Continues: Now Uses .odin as File Extension

Older links:

[Back to the Ransomware Resource Page]