Online extortionists took their attacks to a whole new level last month. They brought the infamous Locky monster back to life after more than three months of hiatus. The architects of the Jigsaw ransomware campaign were busier than ever, contriving seven new variants of their plague. The Hidden Tear, EDA2, and CryptoWire proof-of-concept ransomware projects gave rise to a slew of real-world spinoffs.
The quantitative summary for April is as follows: 41 new strains appeared, 22 old ransomware samples were updated, and six decryption tools were released by researchers. Read the report below to learn more.
APRIL 1, 2017
Security loophole in Gigabyte BRIX firmware spotted
It turns out the firmware for Gigabyte BRIX compact PC kits is susceptible to ransomware attacks. When taking the floor at Black Hat Asia 2017, researchers from Cylance presented their proof-of-concept UEFI Ransomware that exploits two vulnerabilities in vF6 and vF2 firmware versions for GB-BSi7H-6500 and GB-BXi7-5775 models, respectively.
APRIL 2, 2017
New ransomware codebase surfaces
A strain called GX40 appears to be a potential codebase for cooking up other extortion tools. This particular infection stains one’s files with the .encrypted extension and instructs victims to contact firstname.lastname@example.org for recovery steps.
First GX40 offspring spotted
Researchers’ apprehension regarding the GX40 code starts materializing as its new spinoff takes root. The somewhat crude derivative uses the email@example.com address to interact with victims.
AngryKite ransomware is angry indeed
This sample badly scrambles file names and affixes the .NumberDot string to each one. An interesting hallmark sign of AngryKite is that it tells victims to dial 1-855-455-6800 to sort things out.
DeathNote Hackers ransomware
Having infected a computer, the strain in question displays a screen with the “DeathNote Hackers” inscription, hence the name. It uses the Rijndael block cipher to lock victims’ files down and demands a ransom of 0.5 BTC. Security analysts were able to get hold of the unlock code, which is 83KYG9NW-3K39V-2T3HJ-93F3Q-GT.
APRIL 3, 2017
The almost cute Fluffy-TAR
This cyber baddie has English and French editions of the ransom note in store and adds a PNG image of a pink fluffy creature wearing sunglasses, whatever that should mean. Fluffy-TAR appends the .lock75 extension to encoded files and asks for 0.039 BTC to restore data.
Cerber gets some fresh make-up
The latest variant of Cerber has switched to using a new combo of ransom how-to files. The updated editions are called _READ_THI$_FILE_[random characters]_.hta/jpeg/txt.
Amadeous creation still in progress
The code of this in-development HiddenTear-based sample has clues suggesting that the author’s name is Paul. In fact, researchers came across this project a while ago. Paul appears to have been quite busy working on his infection lately. At least, he finally came up with “Amadeous” as its name.
Faizal is your commonplace ransomware
Another offspring of the questionably sensible HiddenTear PoC project is found. It’s called Faizal, and its ransom note is in Indonesian. This infection uses the .gembok string to label affected files.
APRIL 4, 2017
PadCrypt takes after Spora in a way
The TOR payment site used by PadCrypt contains a new review page. It says victims can get a partial refund of their ransom on condition that they give the decryption service good feedback. Another widespread threat called Spora was the first one to introduce such a feature in early February.
Bart ransomware cracked
Bitdefender devises a free decryptor for Bart ransomware. It supports locked files with the .bart, .bart.zip, and .perl extensions appended to them.
New GX40 derivative
Cybercrooks use the code of the above-mentioned GX40 ransomware to coin one more descendant. Its fresh incarnation requests 0.02 BTC for decryption and uses the firstname.lastname@example.org email address to interact with those infected.
New Jigsaw variant is out
The latest Jigsaw edition blemishes one’s encrypted files with the .I’WANT MONEY suffix and tells victims to contact the extortionists via email@example.com.
APRIL 5, 2017
A ray of hope for Vortex victims
Michael Gillespie, the creator of the commendable ID Ransomware service, tweets he can decrypt data held hostage by Vortex / Floreta. Those hit by said Trojan should contact the researcher for assistance.
Samas ransomware tweak
An updated version of Samas, also referred to as SamSam, goes live. It concatenates the .skjdthghh string to files and leaves the following decryption how-to manual: 009-READ-FOR-DECCCC-FILESSS.html.
PadCrypt reaches version 3.5.0
PadCrypt, which had recently hit the headlines with its new abominable review service, gets a bit of fine-tuning and reaches version 3.5.0.
Fantom RaaS may pop up anytime soon
When reversing the latest iteration of Fantom, security analysts stumbled upon something interesting. Its code now contains a ‘PartnerID’ value. This ostensibly insignificant nuance may indicate a serious concern, though. It’s quite possible that the crooks are about to launch a Ransomware-as-a-Service platform for Fantom.
The army of CryptoWire spinoffs gets a new soldier
Although the proof-of-concept ransomware called CryptoWire originally contained no panel, so that felons weren’t likely to abuse it for real-world attacks, the author’s preemptive measure didn’t work. First, there were the Lomix and UltraLocker pests that borrowed the code uploaded to GitHub. And now there is another one called “firstname.lastname@example.org”, which propagates as an AA_V3.exe file.
Another Python based troublemaker
Researchers spot a new ransomware sample coded in Python. It instructs victims to submit 0.3 BTC within three hours or else the hostage data will purportedly become irrecoverable.
HiddenTear abused again
The educational HiddenTear project gives rise to one more real-life menace. It’s a Turkish strain referred to as Kripto. This infection displays a warning window titled “Dikkat”, which is Turkish for “Attention”.
APRIL 6, 2017
LMAOxUS sample demonstrates PoC exploitation
An Indian black hat hacker who goes by the online handle “Empinel” has adapted the open-source code of the EDA2 proof-of-concept ransomware for actual extortion activity. In particular, he was able to eliminate a backdoor left by the EDA2 author; therefore, third-party interference with the campaign behind the scenes is no longer possible.
Teenager apprehended in Austria over ransomware incident
Austrian law enforcement track down and arrest a 19-year-old man on suspicion of plaguing the IT network of a Linz-based company with the Philadelphia ransomware. This attack rendered data on the target organization’s servers inaccessible. Although the crook demanded a ransom of $400 for recovery, the company never paid up and restored all information from the backup.
“Rensenware” joke infection wants you to play a game
A developer nicknamed Tvple Eraser, who most likely resides in Korea, creates a program called Rensenware. Unlike conventional ransom Trojans, this one doesn’t demand money for data decryption. Instead, it tells victims to score 200 million in the LUNATIC level of the TH12 ~ Undefined Fantastic Object shooting game. Later on, the dev reached out to popular security resources, stating that it was a joke. Nevertheless, people got infected for real.
A cybercrime ring’s earnings revealed
Researchers from F5 Labs, a company specializing in application threat intelligence, got hold of statistics for a ransomware campaign exploiting the Apache Struts vulnerability cataloged as CVE-2017-5638. According to their findings, the crooks made 84 BTC (about $98,000) in ransom since March 10, 2017.
Cry9 ransomware encryption defeated
Fabian Wosar, the chief technical officer at Emsisoft, creates a decryption tool for Cry9. This strain uses multiple extensions to label encoded data entries, including .[id]-email@example.com, .[id]_[firstname.lastname@example.org].xj5v2, and .[id]_[wqfhdgpdelcgww4g.onion.to].r2vy6.
APRIL 7, 2017
Researchers react to questionable SCADA ransomware claims
An article on proof-of-concept SCADA and ICS ransomware called ClearEnergy, which was published by Security Affairs on April 5, draws a great deal of criticism from the security community. Some analysts blame the PoC authors at CRITIFENCE for not conducting proper research and for making unverified claims about alleged real-world attacks.
Matrix ransomware boasts high-profile distribution
Although this infection isn’t new, it’s not until recently that it has started propagating on a large scale. The circulation of its current edition reportedly relies on the use of the EITest campaign and the RIG exploit kit.
Cerberos ransomware is nothing out of the ordinary
In spite of the fact that this Trojan’s name sounds similar to Cerber, there are no ties between the two. The somewhat primitive Cerberos appears to be a CyberSplitterVBS spinoff.
APRIL 8, 2017
New sample configured to stain data with the .kilit suffix
A group of researchers called the MalwareHunterTeam (MHT) comes across crude in-development ransomware that’s set to append the .kilit string to encrypted files. Details of the discovered code indicate that the author may be from Turkey. Interestingly, this one parses its configuration from a page hosted at Blogspot.
APRIL 9, 2017
Serpent ransomware keeps crawling
A new edition of the Serpent Trojan surfaces. It subjoins the .serp extension to hostage files and drops a README_TO_RESTORE_FILES_[random string].txt document with ransom instructions.
APRIL 10, 2017
Cry9 decryptor made more efficient
Emsisoft CTO Fabian Wosar updates his free decryptor for Cry9, which infects computers via RDP. The new version of the decryption tool can handle more Cry9 variants and boasts better performance.
APRIL 11, 2017
Crooks won’t stop using open-source Hidden Tear
Although the academic ransomware project called Hidden Tear originally pursued benign educational goals, it has spawned numerous real-life derivatives. Security analysts stumbled upon another one of these spinoffs that uses the .locked extension to label encrypted files. Its warnings are in Portuguese and it has a GUI, which isn’t common for Hidden Tear-based samples.
Minor change made to BTCWare
The latest version of the BTCWare ransom Trojan has switched to using a new email address for communication with victims. It instructs those infected to shoot a message to email@example.com.
Eduware trying to be helpful
The strain called Eduware, or the Kindest Ransomware ever, enciphers data for real but doesn’t engage in extortion proper. Instead, it decrypts files after a victim watches an instructive YouTube video about ransomware as a phenomenon.
APRIL 12, 2017
Mole ransomware spreads in an unusual way
The distribution vector used by the new Mole ransomware involves malspam that encourages recipients to click on a link redirecting to a bogus web page titled “Microsoft Word Online”. The document on that site looks corrupted, and the victim is told to download and install a rogue plugin to view the content. The plugin, though, is actually a ransomware payload. This Trojan uses the .MOLE file extension and an INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt ransom note.
Meet Anthony, a newbie extortionist with ambitions
MHT spots a new Hidden Tear offspring whose maker’s name might be Anthony – at least, that’s what certain attributes in its code suggest. This one appends files with the .rekt extension.
Jigsaw variant targeting French-speaking audience
A fresh sample from the Jigsaw family blemishes hostage files with the .crypte extension and displays a ransom alert in French.
El-Diablo, another Hidden Tear clone
This in-dev ransom Trojan is configured to leave a decryption how-to called El-Diablo_ReadMe.txt. Based on code metadata, the developer’s nickname is “SteveJenner”.
New Globe v3 version takes after Dharma
The latest build of Globe v3 appears to mimic the Dharma pest. In particular, it appends the .[firstname.lastname@example.org].wallet string to encrypted files.
Jigsaw family keeps expanding
Security researchers spot a Jigsaw edition that concatenates the .lcked extension to affected data entries and uses a new scary-looking background for its ransom warning.
Lame ransomware builder on the table
Although this new malicious tool looks like it allows would-be extortionists to create their own viable ransomware, it actually provides some junk open-source code to copy and compile. It goes with a .NET UI.
APRIL 13, 2017
CradleCore ransomware kit
A growing trend in the cybercrime environment revolves around Ransomware-as-a-Service (RaaS) portals. The perpetrators who created Cradle, however, ended up going a different route. They are selling their source code called CradleCore to anyone who wants to try their hand at online extortion. Negotiations regarding the price start at 0.35 BTC.
APRIL 14, 2017
Officially, Cerber is today’s prevalent ransomware threat
According to the Q1 2017 report released by Malwarebytes Labs, Cerber outperforms all the other crypto threat families by far. Its market share reached a whopping 86.98% in March.
Hidden Tear PoC abused once again
A new offspring of the Hidden Tear open-source educational code is spotted. It leaves a ransom note named READ_IT_FOR_GET_YOUR_FILE.txt. The creator is most likely from Thailand. An offbeat hallmark sign of this Trojan is that it appends one’s files with one of four extensions chosen randomly. These include .loveyouisreal, .okokokokok, .ranranranran, and .whatthefuck. The email address to reach the attacker is email@example.com.
pyCL ransomware devs try a new spreading tactic
The pyCL ransomware, which is a Python-based CTB-Locker replica, starts proliferating via malicious Word documents. It appends the .crypted extension to files and creates a shortcut named “Decrypt My Files” pointing to the index.html ransom note.
Small tweak made to the Dharma ransomware
The newest variant of Dharma stains its victims’ encrypted files with the .onion extension preceded by the following string: .id-[random].[firstname.lastname@example.org].
APRIL 15, 2017
German screen locker surfaces
A new ransom Trojan is discovered that locks the screen rather than encrypting data. It displays a picture of the villain from the Jigsaw movie on its warning screen. Researchers were able to obtain two applicable unlock codes: HaltStopp! and 12344321.
Schwerer ransomware spotted
This one is coded in the AutoIt scripting language. It requests €150 to unlock files. The ransom must be paid within three days.
APRIL 16, 2017
Troldesh ransomware update
The only conspicuous change made to Troldesh, also known as Shade, is the new .dexter extension concatenated to hostage files. It still leaves a series of README[0-10].txt ransom notes and displays a desktop background with warning text in Russian and English.
Ransomware named after notorious computer worm
New strain called the C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E appends an apropos .conficker extension to encrypted files. It drops a recovery how-to named Decrypt.txt and demands 0.5 BTC for decryption.
Malabu ransomware pops up
The Malabu ransom Trojan originally asks for a Bitcoin equivalent of $500, but the amount goes up to $1000 in 48 hours. The crooks use some bad language in the ransom note and the file extension.
APRIL 17, 2017
SnakeEye is underway
Threat actors identifying themselves as the “Snake Eye Squad” appear to be working on SnakeEye. It is based on crude, open-source code available online.
Ransomware that obliterates data
A new unnamed sample developed by someone from Turkey doesn’t work right. It deletes victims’ files beyond recovery instead of encrypting them.
APRIL 18, 2017
Academic ransomware gives rise to a RaaS
Cybercriminals behind the file-encrypting infection called Karmen have started distributing their harmful program on a Ransomware-as-a-Service basis, which is a malicious counterpart of regular affiliate networks. A really disconcerting thing about this whole story is that the code of Karmen is based on Hidden Tear.
Atlas, another threat to watch out for
Having encrypted one’s files, the strain in question appends them with the .ATLAS extension and drops a recovery walkthrough named ATLAS_FILES.txt.
APRIL 19, 2017
LOLI RanSomeWare released
Whether it’s a deliberate misspelling or utter ignorance, the Korean author of the LOLI RanSomeWare chose to dub his brainchild this way. The pest affixes the .LOLI suffix to locked files.
APRIL 20, 2017
Jigsaw assumes new characteristics
The background of the new Jigsaw variant warning window now features images of Joker and Batman. This edition concatenates the .fun extension to hostage data entries and threatens to delete an incremental number of files until the ransom is submitted.
Karmen ransomware becomes Mordor
The Karmen ransomware, which started propagating via a RaaS portal a few days back, transforms into a crypto infection called Mordor. It is attributed to the Russian cybercriminal underground.
Crappy Hidden Tear spinoff goes live
A new derivative of the open-source Hidden Tear is spotted in the wild. It uses the .locked extension to label scrambled data. The cipher-backed file processing currently applies to the desktop only, but the Trojan fails to complete the encryption and crashes.
APRIL 21, 2017
AES-NI distribution harnessing exploits
The AES-NI campaign reportedly leverages NSA exploits leaked by the Shadow Brokers hacker group recently. The infection targets Windows servers, uses the .aes_ni_0day file extension, and drops a ransom note named “!!! READ THIS – IMPORTANT !!!.txt”.
The comeback of Locky
When it seemed that Locky had completely vanished from the extortion landscape, it reemerged after almost four months of inactivity. The pest arrives with malicious spam carrying fake payment receipts on board. The current Locky edition uses the Redchip2.exe payload.
Locky circulation keeps relying on Necurs
The new wave of Locky spam is reportedly Necurs botnet-borne. This particular tandem made the ransomware under consideration one of the top crypto menaces of 2016. The volume of this malspam is reaching tens of thousands of rogue emails per hour.
The OSIRIS edition of Locky is still the case
The authors of Locky still stick with the Egyptian mythology theme for the current variant of their creation. It’s the exact same build that was in rotation in late 2016. It concatenates the .OSIRIS extension to encrypted files and leaves a ransom note called OSIRIS-[4 random characters].htm.
APRIL 22, 2017
Brazilian JeepersCrypt ransomware
Judging by the name and design of the warning screen, this one pays homage to the Jeepers Creepers horror film. It adds the .jeepers suffix to every hostage file, demands 0.02 BTC for decryption and provides a 24-hour deadline to pay up.
APRIL 23, 2017
New features added to ID Ransomware
MHT extends the identification functionality of the ID Ransomware service. Those infected with crypto malware can now figure out which strain they are facing by entering the email address, Bitcoin wallet address, or Tor URL mentioned in the ransom note.
AES-NI infection making the rounds more actively
Indicators of compromise, in this case, include the .aes_ni_0day extension concatenated to locked files and a recovery how-to called “!!! READ THIS – IMPORTANT !!!.txt”. Interestingly, the ransom note states that the perpetrating program uses NSA exploits dumped by the Shadow Brokers hacker ring in mid-April.
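The extension and ransom-note indicators listed in this entry, and in the other entries of this report, are the kind of thing a responder checks a file share or backup listing against. The following is an added example, not code from the original article or from any of the researchers it cites: it gathers a handful of those indicators into a small triage scanner and runs it over a constructed directory listing. Where the report gives a “[random]” component in a note name, the name is expressed as a regular expression; the sample paths, the hex-named Locky file and the family labels are this example’s own assumptions.

```python
import re
from collections import defaultdict

# Family -> file extension, as reported in the April 2017 entries of this report.
# Matching is case-insensitive, since the report mixes cases (.MOLE, .OSIRIS, .aes_ni_0day).
EXTENSION_IOCS = {
    "AES-NI": ".aes_ni_0day",
    "Mole (CryptoMix)": ".mole",
    "Locky (OSIRIS)": ".osiris",
    "Serpent": ".serp",
    "NMoreira v4": ".nm4",
    "BTCWare": ".btcware",
    "Troldesh/Shade": ".dexter",
    "Atlas": ".atlas",
    "Mordor": ".mordor",
    "C_o_N_F_i_c_k_e_r": ".conficker",
}

# Family -> ransom-note filename. Where the report gives a "[random]" component,
# the name is expressed as a regular expression over the whole basename.
NOTE_IOCS = {
    "AES-NI": re.compile(r"^!!! READ THIS [–-] IMPORTANT !!!\.txt$", re.I),
    "Mole (CryptoMix)": re.compile(r"^INSTRUCTION_FOR_HELPING_FILE_RECOVERY\.txt$", re.I),
    "Locky (OSIRIS)": re.compile(r"^OSIRIS-[0-9A-Za-z]{4}\.htm$", re.I),
    "Serpent": re.compile(r"^README_TO_RESTORE_FILES_[0-9A-Za-z]+\.txt$", re.I),
    "Cerber": re.compile(r"^_!!!_README_!!!_[0-9A-Za-z]+_\.(?:txt|hta)$", re.I),
    "Samas/SamSam": re.compile(r"^009-READ-FOR-DECCCC-FILESSS\.html$", re.I),
    "Atlas": re.compile(r"^ATLAS_FILES\.txt$", re.I),
    "BTCWare": re.compile(r"^#_HOW_TO_FIX\.inf$", re.I),
    "NMoreira v4": re.compile(r"^Recovers your files\.html$", re.I),
}


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify_path(path):
    """Return the sorted list of families whose extension or note-name indicator matches."""
    name = basename(path)
    lowered = name.lower()
    hits = set()
    for family, ext in EXTENSION_IOCS.items():
        if lowered.endswith(ext):
            hits.add(family)
    for family, pattern in NOTE_IOCS.items():
        if pattern.match(name):
            hits.add(family)
    return sorted(hits)


def scan(paths):
    """Group matching paths by family; paths with no indicator are dropped."""
    findings = defaultdict(list)
    for path in paths:
        for family in classify_path(path):
            findings[family].append(path)
    return dict(findings)


# Constructed directory listing for demonstration; nothing here comes from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.aes_ni_0day",
    r"C:\Users\alice\Documents\!!! READ THIS – IMPORTANT !!!.txt",
    r"C:\Users\bob\Desktop\F67091F1D24A922B1A7FC27E19A9D9BC.OSIRIS",
    r"C:\Users\bob\Desktop\OSIRIS-9f3a.htm",
    r"C:\Users\bob\Desktop\notes.txt",
    "/srv/share/report.docx.MOLE",
    "/srv/share/INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt",
    "/srv/share/_!!!_README_!!!_x9k2_.hta",
    "/srv/share/readme.serpent_is_not_an_ioc.txt",
]

if __name__ == "__main__":
    for family, paths in sorted(scan(SAMPLE_LISTING).items()):
        print(f"{family}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Two things matter when this is used on real listings: the note patterns are anchored to the full basename, so a file that merely contains “README” is not a hit, and a match is only a triage signal. The encrypted-file extension plus the note in the same directory is a much stronger indication than either alone, which is why the scanner reports both per family.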
“Hopeless” ransomware, a CryptoWire spinoff
Analysts come across a new derivative of the open-source CryptoWire, which is academic ransomware originally designed for educational purposes. Its warning screen is titled “Sem Solução” (“Hopeless” in Portuguese), hence the name. The infection blemishes files with the .encrypted extension. Fortunately, it is easy to crack – the decryption password is 123.
APRIL 24, 2017
XPan campaign dissected
Kaspersky Lab does an informative write-up on XPan. The proliferation of this sample is mostly confined to Brazil, and the threat actors deposit the bad code onto computers manually by brute forcing targets’ RDP access credentials. Indicators of compromise include the .one extension appended to files and the “Recupere seus arquivos aqui.txt” ransom note, which is Portuguese for “Recover your files here”.
Getrekt version of Jigsaw – better luck next time
An umpteenth edition of Jigsaw shows up. Having scrambled one’s data, it affixes the .getrekt string to original filenames. Fortunately, researcher Michael Gillespie quickly updates his Jigsaw Decryptor tool to support this spinoff.
PshCrypt is such junk
A new ransom Trojan is spotted that stains files with the .psh extension and displays a primitive warning screen asking for 0.05 BTC. It didn’t take security analysts long to do the math and figure out that the serial code for decryption is “HBGP”.
Big fail for FailedAccess
Security experts were able to crack a ransom Trojan while its ill-minded author was still working on it. The sample is dubbed FailedAccess due to the extension it appends to files. MalwareHunterTeam’s Michael Gillespie defeated its crypto in the blink of an eye. Those infected can use his StupidDecryptor solution to restore hostage information.
APRIL 25, 2017
Details of the CTF ransomware
The name of this new strain suggests that its developer must be a big fan of Capture the Flag competitions. The ransom Trojan derives a victim-specific encryption key from a plagued workstation’s MAC address and concatenates the .CTF extension to encoded files.
A minor change made to pyteHole pest
The only tweak accompanying the latest pyteHole update is the new .adr suffix being added to filenames as part of the data scrambling routine.
Mole using a tricky distribution tactic
According to Palo Alto Networks, a CryptoMix spinoff appending files with the .MOLE extension is propagating via a complex social engineering methodology. Its payload arrives with rogue emails impersonating the United States Postal Service. The messages encourage would-be victims to visit a counterfeit Microsoft Word styled website and download the ransomware camouflaged as an Office plugin.
APRIL 26, 2017
NMoreira reaches version 4
Cybercrooks release a new variant of NMoreira that uses the .NM4 extension to label encrypted files. This sample provides a troubleshooting walkthrough called “Recovers your files.html”.
APRIL 27, 2017
Cerber update introducing minor changes
The latest build of Cerber uses a new set of ransom notes, namely _!!!_README_!!!_[random]_.txt and _!!!_README_!!!_[random]_.hta. Another noteworthy modification has to do with the payload delivery method. The campaign now leverages a vulnerability in RTF documents cataloged as CVE-2017-0199 to deploy malicious Visual Basic scripts on computers.
Ransomware impersonating a law enforcement agency
An in-development sample is discovered that displays International Police Association themed warning messages. There is no crypto involved in its modus operandi. Instead, the pest moves a victim’s files into a password-protected archive, appending each item with the .locked string preceded by an extra space. Researchers figured out that those infected can unlock the archive by entering “ddd123456” in the password field.
Jigsaw won’t stop mutating
Another Jigsaw update features a new extension added to filenames after the encryption has been performed. The string is .email@example.com. Obviously, it matches the email address to reach the attackers for step-by-step recovery instructions.
An insight into current Cerber campaign
The perpetrators behind Cerber are diversifying their contamination tactics. Both of the prevalent distribution channels use booby-trapped ZIP email attachments. However, the file extracted from the archive can be either in JS or RTF format. The latter type is a .doc file that exploits the above-mentioned CVE-2017-0199 vulnerability.
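Both Cerber delivery channels described above share a weakness that mail-gateway triage can use: the extracted file is either a script or a .doc whose body is really RTF. The following is an added example, not code from the article or from any vendor it cites: it opens a ZIP attachment in memory, sniffs each member’s real format from its leading bytes, and flags a .doc extension wrapped around an RTF body, or a script extension, before anyone opens the file. The magic numbers are the standard ones for OLE compound documents, ZIP/OOXML and RTF; the sample archive, its member names and the one-line RTF body are constructed for the example and carry no exploit.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) and plain ZIP
RTF_MAGIC = b"{\\rtf"                             # every RTF file opens with this group

SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta"}


def sniff_format(data):
    """Classify a file body by its leading bytes, ignoring the filename entirely."""
    head = data.lstrip()[:8]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head[:5].lower() == RTF_MAGIC:
        return "rtf"
    return "unknown"


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_member(filename, data):
    """Return the list of triage reasons for one attachment (empty list means nothing flagged)."""
    reasons = []
    ext = extension_of(filename)
    fmt = sniff_format(data)
    if ext == "doc" and fmt == "rtf":
        # The shape of the Cerber RTF lure: Word happily opens RTF renamed to .doc,
        # so the mismatch is invisible to the recipient but obvious to a byte sniff.
        reasons.append("rtf-body-with-doc-extension")
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script-attachment")
    if ext in {"doc", "docx", "rtf"} and fmt == "unknown":
        reasons.append("office-extension-with-unrecognised-body")
    return reasons


def triage_zip(zip_bytes):
    """Open a ZIP attachment in memory and triage every member; returns {member: reasons}."""
    if not zip_bytes.startswith(ZIP_MAGIC):
        return {"<archive>": ["not-a-zip"]}
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)  # whole member in memory; fine for mail-sized attachments
            reasons = triage_member(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Construct a ZIP in memory from {name: bytes}; used only to fabricate example input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachments. The RTF body is a harmless one-line document, not an exploit.
SAMPLE_ZIP = build_sample_zip({
    "invoice_4471.doc": b"{\\rtf1\\ansi Invoice attached.}",
    "invoice_4471.js": b"// placeholder script body",
    "cover_letter.doc": OLE_MAGIC + b"\x00" * 24,
})

if __name__ == "__main__":
    for member, reasons in triage_zip(SAMPLE_ZIP).items():
        print(member, "->", ", ".join(reasons))
```

A genuine RTF renamed to .doc is not malicious by itself, so the mismatch is a reason to detonate or quarantine the attachment, not proof of the CVE-2017-0199 lure; the check is cheap enough to run on every inbound archive, though, and it catches both of the formats the Cerber campaign is using without parsing the document at all.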
APRIL 28, 2017
Mordor strain isn’t prosaic at all
The relatively new real-world derivative of Hidden Tear is gaining momentum. It does not target German users, stains encrypted files with the .mordor extension, and leaves a data buyout how-to named READ_ME.html. Whereas the name is Mordor, the payment page is titled “Milene Ransomware” for some reason. Go figure.
APRIL 29, 2017
The .wallet extension getting popular with crooks
Taking after Dharma and Globe v3 strains, the newest variant of CryptoMix starts flagging encrypted files with the .wallet string. The build in question instructs victims to send a message to firstname.lastname@example.org or email@example.com for recovery steps.
Another BTCWare update
After some minor fine-tuning, this crypto malware now appends files with the .[firstname.lastname@example.org].btcware extension and drops a ransom note named #_HOW_TO_FIX.inf.
APRIL 30, 2017
RSAUtil pops up
One of the hallmark signs of the specimen dubbed RSAUtil is that it’s coded in Delphi. Having completed the encryption part of its mission, it concatenates the .email@example.com.ID[random characters] extension to filenames and drops a recovery tutorial called How_return_files.txt.
DeadSec-Crypto v2.1 ransom Trojan spotted
This sample might be a rising threat to the Portuguese-speaking audience. While currently in development, it is configured to append files with the .locked suffix and demand 0.05 BTC for data decryption. The author’s email address indicated in the ransom note is firstname.lastname@example.org. The deadline for paying up is set to one week.
One of the most unsettling tendencies in the present-day online extortion ecosystem has to do with cybercrooks’ growing interest in weaponizing educational ransomware code. It doesn’t take a rocket scientist to understand that PoCs like Hidden Tear, EDA2 and CryptoWire never worked as intended. Instead of demonstrating the modus operandi of crypto-malware to researchers, these projects have become a cradle for numerous real-life strains. This should give security enthusiasts some food for thought – they should make felons’ lives harder, not easier.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.