
July was relatively slow in terms of ransomware. Some crooks must have been on vacation spending ill-gotten money at deluxe resorts. Well, why not? They sure can afford it. The rest were busy releasing small shoddy strains and reanimating old ones. Here’s what the month looked like in numbers: 42 new samples went live, 33 existing ones were fine-tuned, and 11 got decrypted.

JULY 1, 2017

Petya and past cyber-attacks in Ukraine may have common roots

A number of security vendors, including ESET and Kaspersky, discover ties between the latest Petya ransomware outbreak and onslaughts against Ukrainian power facilities that took place in late 2015. A cyber crime crew referred to as TeleBots, which most likely has Russian origins, is believed to have been responsible for both incidents.

New strain called Lalabitch

This one scrambles file names using the base64 encoding scheme and appends them with the .lalabitch extension. The ransom how-to file is called lalabitch.php.

Takeom ransomware – not in the wild yet

Researchers come across a crude sample called Takeom, which is currently in the process of development. Based on clues in its code, the author’s name, or nickname, is Liam. It has no crypto functionality so far.

RansRans sample based on Hidden Tear

An umpteenth offshoot of the academic Hidden Tear ransomware is discovered. It concatenates the .ransrans string to encrypted files, hence the name. The code is shoddy and crashes all the time.

Hell ransomware, alias Radiation

There’s some ambiguity regarding this sample’s name. The victim console says it’s Radiation ransomware, while the desktop background contains references to a strain called Hell. Anyway, the code is too unprofessionally tailored to handle victims’ files the right way, so the data simply goes down the drain.

JULY 2, 2017

BTCWare tweak

The BTCWare crypto hazard starts manifesting itself in a slightly different way. The most conspicuous change made to this malicious program is the new .aleta extension being affixed to victims’ skewed files.

Unikey pest coming out of an infamous cradle

Security analysts discover an in-dev strain called Unikey. Upon closer scrutiny, it turns out to be an offshoot of Hidden Tear, the controversial proof-of-concept ransomware.

JULY 3, 2017

Cry36 ransomware update

The latest iteration of said malign code switches to using the .63vc4 extension to blemish enciphered data. Another tweak is the ### DECRYPT MY FILES ###.txt restoration how-to file dropped onto the desktop and all folders with inaccessible information.

JULY 4, 2017

Ukrainian law enforcement’s move to contain Petya epidemic

The police of Ukraine, a country that suffered the most from the recent Petya, or NotPetya, outbreak, seize servers belonging to a local vendor distributing M.E.Doc. A Trojanized update of this accounting program was reportedly used to fire the initial wave of attacks at Ukrainian organizations.

ShellLocker undergoes an alteration

New edition of the ShellLocker sample stains encrypted files with the .L0cked string. Furthermore, file names themselves become unidentifiable due to a scrambling routine being applied. As before, this variant displays ransom notes in Russian.

ZeroRansom, another one in the wild

Unique indicators of ZeroRansom onslaught include the .z3r0 file extension and a ransom how-to document called EncryptNote_README.txt. This baddie automatically sends encryption-related information to the attacker via Gmail.

J-Ransomware uses an almost cute extension

The above-mentioned ZeroRansom becomes the code base for a fresh specimen called J-Ransomware. The latter concatenates the .LoveYou string to each ciphered entry and leaves a troubleshooting manual named ReadMe.txt.

zScreenLocker resurfaces with some changes under the hood

The original version of the zScreenLocker Trojan was spotted in early November last year. It displayed a warning screen featuring anti-Islamic motifs. Its first offspring appeared eight months later. Fortunately, the newcomer is easy to crack – the unlock password is Kate8Zlord.

CryptoMix keeps spawning “moles”

Another variant of the CryptoMix ransomware appears. It speckles files with the .MOLE00 extension. The previous one used .MOLE02 string for this purpose. That’s some strange math right there, isn’t it?

Crypter 1.0, a really weird specimen

This sample doesn’t have a working crypto module, so it poses no risk to data so far. It displays pop-up messages with gibberish contents and demands a whopping ransom of 10 Bitcoin.

JULY 5, 2017

Petya crew starts transferring funds

Crooks behind the devastating Petya campaign initiate some transactions with Bitcoins futilely submitted by victims who were hoping to regain access to their plagued systems. The amount is approximately worth $10,000. The felons moved this crypto currency to numerous wallets, which is classic OPSEC in the ransomware business.

New whitepaper on cyber threat landscape released

According to Security Report 2016/17 by Germany-based AV-TEST Institute, ransomware isn’t nearly as prevalent as most people might think. The analysts calculated that ransom Trojans accounted for only 0.94% of all malware attacks in 2016.

MOLE02 specimen decrypted

A number of security vendors and independent researchers teamed up to crack a CryptoMix ransomware offshoot that concatenates the .MOLE02 string to files. As a result of these efforts, a free decryptor for this strain is released. Thumbs up to everyone involved!

Newsmaking arrests over ransomware

Chinese police track down and apprehend two men for spreading a ransom Trojan based on the notorious SLocker Android infection. It’s noteworthy that the perpetrating code under consideration imitates the look and feel of WannaCry, a strain that has contaminated thousands of Windows computers since May. This Android-based WannaCry lookalike was reportedly distributed via a rogue plugin for the King of Glory game.

CryptoMix authors launch one more spinoff

The latest addition to the CryptoMix ransomware lineage is a sample that replaces filenames with 32 hexadecimal characters and stains them with the attackers’ email address followed by .AZER string. The ransom note is named _INTERESTING_INFORMACION_FOR_DECRYPT.txt – obviously, spelling is not the crooks’ forte.

BTCWare decryptor enhanced

MalwareHunterTeam’s Michael Gillespie updates his free decryption tool for BTCWare so that it supports the recent variant appending hostage files with the .master extension. This may not have happened if the anonymous creator of BTCWare hadn’t posted the private decryption key on Bleeping Computer’s forums.

JULY 6, 2017

Executioner updates aren’t game-changing

Although the author of Turkish file-encrypting malware called Executioner has been busy releasing new versions with improvements of the crypto routine, all of his endeavors end up futile. Researchers claim it can still be easily decrypted.

CountLocker is more destructive than most counterparts

This isn’t a garden-variety strain, as it is configured to erase all data on a contaminated computer’s C drive unless the victim pays up within a 72-hour deadline. The size of the ransom is 0.3 Bitcoin ($700).

Fenrir sample breaks new ground in a way

The new Fenrir ransomware introduces an offbeat approach to blemishing encoded files. It uses a file extension fetched from the target machine’s HWID (Hardware ID) parameter, namely its first 10 characters. Furthermore, while most ransom Trojans create decryption avenues in TXT, HTML, or HTA format, Fenrir drops one named Ransom.rtf.

ElmersGlue_3 ransomware

As opposed to its predecessor that demanded 16 Bitcoin to unlock the screen, ElmersGlue_3 “humbly” asks for $150 worth of the cryptocurrency. Fortunately, it doesn’t encrypt anything and can be easily circumvented with a password security analysts were able to retrieve.

JULY 7, 2017

NotPetya prototype can now be decrypted

The dev of the original Petya ransomware, who goes by the online alias JANUS, leaks the master decryption key for his nasty contrivance. This is quite likely a move to disavow his involvement with NotPetya campaign wreaking havoc in Ukraine and several more countries.

SurveyLocker fails to impress

This infection displays a popup alert saying “Internet surfing is disabled” and won’t unlock the screen until the victim completes some surveys. Fortunately, security experts got hold of the unlock code, which is “thanksfortheadmoney”.

Random6 genealogy explained

According to researchers’ new findings, the Random6 ransom Trojan spotted in late June isn’t an independently developed strain. It turns out to be an offshoot of the Fantom ransomware that has been in the wild since August 2016.

JULY 10, 2017

LeakerLocker ransomware zeroes in on Android

This new ransom Trojan infects Android devices on a large scale. It is making the rounds via two booby-trapped applications available on Google Play called “Wallpapers Blur HD” and “Booster & Cleaner Pro”. LeakerLocker accesses sensitive data stored on the device, exfiltrates it to attackers’ servers, and threatens to send the files to all of a victim’s telephone and email contacts unless they pay $50. Google removed the above-mentioned apps from its official marketplace after the ransomware reports started coming in.

A Petya knockoff appears

Researchers come across a sample called Petya+ that uses a warning screen resembling that of the original Petya infection. This copycat is programmed in .NET and does not complete the encryption process due to crude code.

Scorpio strain goes verbose with ransom notes

The sample called Scorpio replaces filenames with random combinations of hexadecimal characters and concatenates the .[Help-Mails@Ya.Ru].Scorpio string to each one. It also leaves decryption how-to files named “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt”.

Oxar ransomware spotted

Also referred to as the Locked In ransomware, this one is based on Hidden Tear proof-of-concept. It uses the .OXR extension to label encoded files.

Bit Paymer specimen in the wild

A brand new crypto malady called Bit Paymer subjoins the .locked suffix to hostage files. It leaves a separate .readme_txt rescue note for every encrypted item and uses a Tor based payment page.

JULY 11, 2017

Arrest ensuing from a ransomware investigation

An Australian law enforcement agency arrested a 75-year-old individual for creating bogus tech support companies that used remote access services to deposit ransomware on computers. The man has reportedly been in cahoots with an overseas ransomware ring since 2010.

JULY 12, 2017

NemucodAES baddie cracked

Security vendor Emsisoft creates a free decryption tool for the NemucodAES ransomware. This perpetrating program is distributed via “undelivered package”-themed spam.

AslaHora, another Hidden Tear offshoot

Online extortionists continue their foul play with academic ransomware originally designed for educational purposes. The new Hidden Tear based ransomware called AslaHora stains files with the .Malki extension. Fortunately, analysts were able to retrieve the unlock password, which is MALKIMALKIMALKI.

JULY 13, 2017

DCry ransomware isn’t an issue anymore

Security experts teamed up to contrive a free decryptor for the DCry. The supported sample adds the .dcry extension to filenames.

BLACKOUT ransomware goes with a License Agreement

This one base64 encodes original filenames to make them difficult to identify. It drops a recovery manual named README_[random].txt, which includes a License Agreement stating that the program is “designed to test the protection of OS Windows against ransomware.”

Keep Calm sample is a PoC derivative

File-encrypting malware called Keep Calm is based on EDA2, another educational ransomware from the creator of the infamous Hidden Tear. It appends encrypted files with the .locked extension and drops a rescue note named “Read Instructions.rtf”.

Purge ransomware campaign fails

Predictably enough, this strain concatenates the .purge suffix to every encoded file. It lacks stability as far as the performance goes, crashing off and on during the attack. Researchers who analyzed its code managed to get hold of the unlock password – TotallyNotStupid – so victims don’t have to pay $250 for decryption.

Some crooks aren’t well schooled

New screen locker is discovered that displays a message reading, “Your All Data Is Encrypt!” It demands 1 Bitcoin for unlocking the screen, but the Alt+F4 combo does the trick free of charge.

BrainLag ransomware spotted before it goes live

Analysts stumble upon an in-dev sample called BrainLag. It shows a warning screen with an image of the Grim Reaper and a smiley. It does not apply any crypto at this point.

Ransed strain in the wild

Cybercriminals have coined a new verb judging from the name of the Ransed infection and the identical extension being affixed to filenames. The infection chain includes an instance of connecting to MySQL server, which means server login data is hard-coded into the ransomware.

JULY 14, 2017

Jigsaw edition featuring a deterrent extension

The new iteration of the Jigsaw ransomware is discovered. The distinguishing hallmark of this one is the .kill string being appended to hostage files.

SamSam ransomware update

The SamSam, or Samas, lineage of file-encrypting infections is quite dynamic as it regularly spawns new versions. The latest one speckles encoded files with the .country82000 extension.

ENDcrypt0r ransomware is a bluff

While passing itself off as classic crypto ransomware, the ENDcrypt0r Trojan is nothing but a garden-variety screen locker. When confronted with this impostor, victims can use “A01B” password to unlock their computers.

Fuacked ransomware merges with the crowd

Some ransomware devs must be getting short of creativity as they cook up infections like the one called Fuacked. There is no uniqueness about it except the immodest-sounding name and the “WAHHH!!!” exclamation in the title of the ransom note.

JULY 15, 2017

Striked ransomware is now decryptable

This sample got its name from “Your files are striked [sic]” phrase in its README_DECRYPT.html ransom note. It uses the following pattern for skewing the look of hostage files: Filename#rap@mortalkombat.top#id#[10 random numbers]. Fortunately, researchers were able to defeat its crypto and released a free recovery solution.

JULY 17, 2017

Android ransomware that pilfers data

New remote access Trojan called GhostCtrl, which is a spinoff of the notorious multi-platform OmniRAT malware, turns out to exhibit ransomware properties on Android. In particular, it resets the PIN of a target device and locks the screen with a rescue note.

Alosia ransomware launched and cracked

This specimen is based on shoddy open-source code. It speckles encrypted files with the .alosia extension and displays a ransom note named “File Anda Terkunci,” which is Indonesian for “Your file is locked.” Victims can use the following code to decrypt their data: CREATEDBYMR403FORBIDDEN.

New Jigsaw offspring appears

Yet another Jigsaw edition is spotted in the wild. It concatenates the .korea string to all encoded files and sets a black desktop background with a big smiley in it.

Reyptson ransomware uses clever self-spreading tactics

Spanish crypto strain called Reyptson stands out from the rest as it accesses the victim’s Thunderbird email account and sends out booby-trapped messages to their contacts. It appends the .reyptson extension to files and drops a rescue note named Como_Recuperar_Tus_Ficheros.txt into every folder with hostage files.

Viro ransomware engages some blasphemy in the extortion mix

This derivative of Hidden Tear PoC stains encrypted files with the .locked suffix and generates a ransom how-to dialog titled “Computer compromised”. It also replaces the victim’s desktop background with a blasphemous Photoshopped image. Shame on the bad guys.

Run-of-the-mill Oops ransomware

This one uses the .oops extension to label ransomed entries. It instructs victims to send a file named EncryptedKey, their computer name, and Bitcoin address to only4you@protonmail.com for further directions. The ransom amounts to 0.1 Bitcoin ($275).

Explorer v1.58 ransomware hailing from HT cradle

The strain in question is yet another Hidden Tear spin-off. It adds the .explorer extension to files, uses the decrypter.files@mail.ru email address to interact with those infected, and states that victims can pay half the regular price if they submit the ransom within a 24-hour payment deadline.

GlobeImposter lineage gets new variants

Two fresh editions of the GlobeImposter ransomware are discovered. They concatenate the .s1crypt or .au1crypt extension to locked files. Both share the same rescue note named how_to_back_files.html.

JULY 18, 2017

FedEx badly impacted by Petya attack

According to a report released by FedEx, some of the company’s servers were severely affected in the wake of the Petya, or NotPetya, ransomware campaign. The officials say the full recovery of their systems and critical business data isn’t a likely prospect, so the damage is significant.

JULY 19, 2017

Public media company struggling to recover from ransomware onslaught

KQED, a radio and TV station headquartered in San Francisco, experienced issues with remediating the damage from a ransomware attack. The incident took place in mid-June and is still causing disruption of the station’s operational workflow. The management decided to reinstall operating systems on infected machines. Therefore, a certain amount of data was lost irreversibly.

NemucodAES decryptor enhanced

Security researcher Fabian Wosar from Emsisoft did some fine-tuning of his previously released free decryption tool for the NemucodAES ransomware. A new edition of the decryptor now supports large database files, which wasn’t the case prior to the update.

China-Yunlong Trojan spotted in the wild

As the name suggests, this sample hails from China. It leaves file names unaltered and appends them with the .yl extension.

JULY 20, 2017

CryptoMix authors release two more variants

Hallmark signs of the new CryptoMix ransomware editions are the .NOOB and .ZAYKA extensions being concatenated to hostage files. Both drop ransom notes named _HELP_INSTRUCTION.txt and use the admin@zayka.pro email address to communicate with victims.

Recent versions of Striked ransomware now crackable

Michael Gillespie from MalwareHunterTeam updates his decryption tool for the Striked ransomware so that it supports files with several new extensions appended to them.

Hidden Tear misapplied once again

Security analysts come across an umpteenth variant of the academic Hidden Tear ransomware called Matroska. It blemishes encrypted files with the .hustonwehaveaproblem@keemail.me extension.

JULY 21, 2017

CryptoMix family keeps growing

A brand new iteration of the CryptoMix ransomware uses the .CK extension token to label skewed files. The name of the ransom how-to, _HELP_INSTRUCTION.txt, is the same as before, but its contents have been redacted.

New edition of the Jigsaw ransomware

There aren’t many strains out there as frequently updated as Jigsaw. The latest version in the wild concatenates the .afc string to enciphered files and displays a new desktop background.

Symbiom ransomware surfaces

This sample is one of the numerous Hidden Tear proof-of-concept offshoots. It stains all encrypted files with the .symbiom_ransomware_locked suffix and provides a payment walkthrough in README_Ransomware_Symbiom.txt document.

Bitshifter is more than just ransomware

While encrypting and holding a victim’s personal data hostage, the specimen called Bitshifter also attempts to find and exfiltrate information on cryptocurrency wallets. This ransomware is identifiable by a ransom note named ARE_YOU_WANNA_GET_YOUR_FILES_BACK.txt. Bitshifter virus targets China for now.

“Stinking” GlobeImposter version appears

The architects of the GlobeImposter ransomware campaign release a new variant that subjoins the .skunk string to every hostage file.

Python-based SnakeLocker

Researchers discover two editions of new ransomware called SnakeLocker. They add the .snake or .TGIF extension to encrypted items and leave the INSTRUCTIONS-README.html rescue note with payment steps.

JULY 22, 2017

GlobeImposter spawns new versions in rapid succession

Another variant of the GlobeImposter ransomware surfaces one day after the .skunk file variant was discovered. The newcomer concatenates the .GOTHAM extension to ransomed files.

This ransomware lineage is expanding at astonishing rate

Yet another persona of GlobeImposter appears. It uses the .crypt string to speckle locked files and leaves a decryption how-to named how_to_back_files.html. Victims are coerced into contacting the threat actors via support24@india.com or support24_02@india.com.

This is GlobeImposter’s day, obviously

While the fresh iteration of this ransomware still drops how_to_back_files.html ransom how-to, it also switched to using the .HAPP suffix for encoded files. It instructs those infected to shoot a message to happydaayz@aol.com or strongman@india.com for recovery steps.

Zilla ransomware update

A variant of the Zilla ransomware is spotted that blemishes files with the .Atom string. The new name of the ransom note is ReadMeNow.txt.

SimpleRansomware doesn’t live up to its name

This in-development specimen leverages Pastebin to work out if a specific user has submitted the ransom. Furthermore, its code contains numerous indications that the attackers are trying to equip the infection with a VB rootkit.

JULY 23, 2017

Bam! Ransomware in the wild

The sample in question concatenates the apropos .bam! extension to scrambled files. It sets a 24-hour deadline for payment and tells victims to contact the crooks via abc@xyz.com or acc@xyz.com for a payment walkthrough.

JCoder authors pay homage to Petya

Security analysts come across a specimen called JCoder that appends the .Petya suffix to enciphered data entries.

JULY 24, 2017

DCry ransomware updated

The latest edition of the DCry baddie switches to using the .qwqd extension to label encoded files. Fortunately, the DCry decryption tool released earlier by MalwareHunterTeam’s Michael Gillespie supports this variant.

WannaCry copycat from Turkey

Researchers discover a WannaCry ransomware knockoff that displays a ransom warning in Turkish. It reportedly infiltrates computers via remote desktop services. The ransom amounts to $7,000 worth of Bitcoin.

The original Petya declared decryptable

Security experts used clues in the tweet posted by the author of the original Petya threat to retrieve the private decryption key for last year’s variants. This confirms once again that the recent NotPetya outbreak in Ukraine was operated by a different cybercrime crew. According to Malwarebytes, the automatic decryptor is in progress.

Another day, another GlobeImposter update

One more iteration of the GlobeImposter ransomware appears. It stains encrypted files with the .707 extension and drops RECOVER-FILES.html ransom how-to.

GlobeImposter makers appear to be restless

Guess what? Plus one for this ransomware family. The latest iteration uses the .{email address}.BRT92 extension for locked files, so a sample file named Pic.jpg morphs into something like Pic.jpg.{asnaeb7@india.com}.BRT92. The ransom note is #HOW_DECRYPT_FILES#.html.
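Several entries above describe how a family rewrites file names: Lalabitch base64-encodes the original name, Striked uses Filename#rap@mortalkombat.top#id#[10 random numbers], Scorpio appends .[Help-Mails@Ya.Ru].Scorpio, and this GlobeImposter build appends .{email address}.BRT92. The following added example (mine, not the author’s or any vendor’s code) triages a file listing from an affected share against those patterns and the plain extensions quoted in the month’s entries, recovering the original name where the pattern allows it; the listing, the hypothetical stems (budget.xlsx, Hello.txt and so on) and the function names are constructed for the example.

```python
"""Triage a file listing for the July 2017 ransomware naming patterns."""
import base64
import binascii
import re
from collections import Counter

# Rename patterns quoted on the page. Each regex captures the pre-encryption name.
PATTERNS = [
    # Striked: Filename#rap@mortalkombat.top#id#[10 random numbers]
    ("Striked", re.compile(r"^(?P<orig>.+)#[^#]+@[^#]+#id#\d{10}$")),
    # GlobeImposter: Pic.jpg.{asnaeb7@india.com}.BRT92
    ("GlobeImposter", re.compile(r"^(?P<orig>.+)\.\{[^{}]+@[^{}]+\}\.BRT92$")),
    # Scorpio: <random hex>.[Help-Mails@Ya.Ru].Scorpio (the stem itself is randomised)
    ("Scorpio", re.compile(r"^(?P<orig>.+)\.\[[^\[\]]+@[^\[\]]+\]\.Scorpio$", re.I)),
    # Lalabitch: base64(original name).lalabitch
    ("Lalabitch", re.compile(r"^(?P<orig>.+)\.lalabitch$")),
]

# Plain appended extensions quoted on the page. Shared tokens such as .locked and
# .crypt are used by several families in the same month, so they are left out.
EXTENSIONS = {
    ".aleta": "BTCWare", ".63vc4": "Cry36", ".z3r0": "ZeroRansom",
    ".MOLE00": "CryptoMix", ".MOLE02": "CryptoMix", ".NOOB": "CryptoMix",
    ".ZAYKA": "CryptoMix", ".CK": "CryptoMix", ".ZERO": "CryptoMix", ".DG": "CryptoMix",
    ".dcry": "DCry", ".qwqd": "DCry", ".kill": "Jigsaw", ".korea": "Jigsaw",
    ".afc": "Jigsaw", ".country82000": "SamSam", ".supported2017": "SamSam",
    ".skunk": "GlobeImposter", ".GOTHAM": "GlobeImposter", ".HAPP": "GlobeImposter",
    ".707": "GlobeImposter", ".p1crypt": "GlobeImposter", ".reyptson": "Reyptson",
    ".srpx": "Serpent", ".RDWF": "RanDsomeWare",
}

# Ransom note names quoted on the page; a hit means a note, not an encrypted file.
RANSOM_NOTES = {
    "_HELP_INSTRUCTION.txt": "CryptoMix", "how_to_back_files.html": "GlobeImposter",
    "README_DECRYPT.html": "Striked", "Como_Recuperar_Tus_Ficheros.txt": "Reyptson",
    "EncryptNote_README.txt": "ZeroRansom",
}


def decode_base64_name(stem):
    """Recover a base64-scrambled name, or None if the stem is not base64 text."""
    try:
        text = base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def triage_name(name):
    """Return (family, original_name) for one filename; (None, None) if unknown."""
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], None
    for family, pattern in PATTERNS:
        match = pattern.match(name)
        if match:
            orig = match.group("orig")
            if family == "Lalabitch":
                orig = decode_base64_name(orig)   # None when the stem is not base64
            elif family == "Scorpio":
                orig = None                       # random hex stem, nothing to recover
            return family, orig
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXTENSIONS:
        return EXTENSIONS[ext], name[: -len(ext)]
    return None, None


def scan_listing(names):
    """Summarise a listing: per-family counts and the names that could be recovered."""
    counts, recovered = Counter(), {}
    for name in names:
        family, orig = triage_name(name)
        if family:
            counts[family] += 1
            if orig:
                recovered[name] = orig
    return counts, recovered


SAMPLE_LISTING = [  # constructed for this example; not real indicators
    "budget.xlsx#rap@mortalkombat.top#id#0123456789",
    "Pic.jpg.{asnaeb7@india.com}.BRT92",
    "4f9c1a7e.[Help-Mails@Ya.Ru].Scorpio",
    "SGVsbG8udHh0.lalabitch",   # base64 of "Hello.txt"
    "notes.docx.lalabitch",     # stem is not base64: family known, name not recoverable
    "quarterly.pdf.ZAYKA",
    "_HELP_INSTRUCTION.txt",
    "readme.md",                # untouched file
]

if __name__ == "__main__":
    counts, recovered = scan_listing(SAMPLE_LISTING)
    print(dict(counts))
    print(recovered)
```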

JULY 25, 2017

VindowsLocker returns

Originally discovered in late November 2016, the VindowsLocker ransomware campaign didn’t last long. In a surprise move, it reappeared eight months later. The current variant locks one’s desktop, says “Your computer will explode in 24 hours,” and demands a ransom payable in iTunes gift cards.

RanDsomeWare isn’t a misspelling

The sample called RanDsomeWare uses the .RDWF character string to label encrypted files. Its behavior suggests that it may be a joke – it generates a warning that reads, “You are about to run a ransomware” before performing the crypto part. Even if a victim is careless enough to grant it the required permissions, they can use the SUPER_SECRET_KEY code to undo the damage.

GlobeImposter architects are busier than ever

Analysts have gotten accustomed to discovering new GlobeImposter versions every other day, or even more frequently than that. A fresh one out there affixes the .p1crypt string to file names and leaves a rescue note named how_to_back_files.html.

JULY 26, 2017

Striked ransomware decryptor updated

The previously released free decryption tool for the Striked ransomware now supports several new variants that use contact email addresses hosted at the aolonline.top domain.

Tweak of the Serpent strain

The latest version of the Serpent ransomware appends files with the .srpx extension. It drops a new combo of ransom notes named README_TO_RESTORE_FILES_t7Q.html/txt.

New one targeting Polish users

Security experts come across an in-dev sample that displays warning messages in Polish. The current encryption key is 12345.

ABC Locker spotted

This one is a spinoff of the CloudSword ransomware, which was discovered in January 2017. Just like its prototype, ABC Locker leverages AES-256 encryption in CBC (cipher block chaining) mode. It provides a payment deadline of five days. Otherwise, the ransom increases from 0.5 to 1 Bitcoin. Interestingly, the USD equivalent of 1 Bitcoin mentioned in the rescue note is $550, whereas the current rate is $2,740. Well, the text of the warning must have been written at least a year ago when this cryptocurrency was worth several times less than it is now.

Ransomware InVincible

Whatever motivated the developers of the new ransomware InVincible to call it this way, such a choice appears to be unwarranted as it does not perform encryption at this point. This sample displays a GUI resembling that of WannaCry. The size of the ransom is $50 worth of Bitcoin.

JULY 27, 2017

Spongebob ransomware 2.0

Despite the funny name, this in-development specimen may shape up to be a serious issue when completed. Meanwhile, it only displays a funny-looking GUI and fails to do the crypto part.

Zuahahhah sample spotted

The Crypt888 ransomware family, which has been around since June 2016, produces a new offshoot that goes by a weird name of Zuahahhah.

The comeback of LambdaLocker

The Python-based LambdaLocker sample was first spotted in early February 2017 and shortly vanished from the cybercrime arena to return in July. The new variant concatenates the .MyChemicalRomance4EVER string to hostage files and drops a recovery manual named UNLOCK_guiDE.tXT.

Interesting findings regarding the ransomware ecosystem

According to an in-depth analysis conducted by Google’s researchers Elie Bursztein, Kylie McRoberts, and Luca Invernizzi, 95% of ransoms traced since 2014 were cashed out by means of BTC-e, one of the world’s largest Bitcoin exchange and trading platforms.

ShieldFS makes computers immune to ransomware

A possible breakthrough in fending off crypto ransomware is hitting the headlines. Security enthusiasts from Italy created ShieldFS, which they call a self-healing, ransomware-aware filesystem. In a nutshell, this sophisticated solution identifies ransomware before it affects a computer, terminates its activity, and can even reinstate data that already got encrypted.

Police apprehend BTC-e proprietor

Following the above-mentioned report presented by Google employees at Black Hat USA 2017, Greek police arrest 38-year-old Alexander Vinnik, the owner of the BTC-e digital currency trading service. He is being charged with laundering ransomware payouts and money stolen in the notorious Mt. Gox Bitcoin exchange hack. Law enforcement also takes down the BTC-e portal as part of the investigation.

JULY 28, 2017

CryptoMix becomes more of a moving target

The CryptoMix ransomware crew is busy creating new variants of this perpetrating program. This time they launch two editions in a row. These append the .ZERO and .DG extensions to encrypted files and drop an identical decryption manual named _HELP_INSTRUCTION.txt.

JULY 30, 2017

Another SamSam mod goes live

The SamSam, or Samas, ransomware campaign has been somewhat idle recently. New editions do appear once in several weeks, though. The latest one stains every hostage item with the .supported2017 extension.

JULY 31, 2017

GlobeImposter distributors adopt a new tactic

The GlobeImposter ransomware edition that blemishes encoded files with the .crypt extension is making the rounds via so-called “Blank Slate” spam. The booby-trapped emails don’t include any subject line and contain a Trojanized ZIP file attachment. This particular variant drops a data restoration manual named !back_files!.html.

SUMMARY

Perhaps the defining event of last month was the takedown of the BTC-e cryptocurrency trading platform, the one purportedly used to cash out most ransoms. Let’s see how things pan out in this regard. Perhaps initiatives like that can help stop the epidemic in its tracks. Meanwhile, to stay away from the rampant ransomware frenzy, use reliable security software, run operating system updates on time, and most importantly, be sure to keep those files backed up.


About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
