
Just when it seemed that ransomware authors had hit the lowest of the low with their attacks long ago, they managed to sink a notch further last month. With the revamped Petya Trojan that surfaced on June 27, the crooks broke new ground and started waging a real cyber war against a particular country. This toxic code renders computers inoperable, and paying the ransom does absolutely nothing.

The quantitative summary for June is as follows: 66 new ransomware samples appeared, and 23 offshoots of known strains were discovered. To their credit, security vendors and enthusiasts released five free decryptors to help victims get their data back. Peruse this chronicle to get the big picture.

JUNE 1, 2017

BlueHowl screen locker spotted

This new ransom Trojan claims to encrypt files, but its impact is restricted to locking the screen of a target computer. It demands 0.2 Bitcoin and provides a payment deadline of 72 hours. The warning screen contains a QR code to streamline the payment process.

Amnesia decryptor update

Security vendor Emsisoft enhances its free decryptor for the Amnesia ransomware. The updated version of this tool supports Amnesia2, the second generation of said strain.

JUNE 2, 2017

Hadoop hijacking saga moves on

According to the latest reports, the number of ransomed Hadoop servers worldwide is currently on the order of 500. This is likely in part the lingering aftermath of the attacks against these databases that began in January this year, while some servers are quite likely still being targeted at the time of this writing.

German ransomware called CainXPii

CainXPii appears to be a screen-locking counterpart of the Hitler ransomware, which surfaced in August 2016. While the Trojan in question does not apply any cipher, it erases some files every time a victim tries to terminate its executable. The pest asks for €20 in PaySafeCard.

Joksy, another low-level threat

Security researchers come across one more screen locker dubbed Joksy. Its warning message is in Lithuanian. The tiny ransom of $0.01 is payable via PayPal.

LockCrypt ransomware

This one blemishes hostage files with an extension in the following format: ID[unique victim identifier].lock. It also sprinkles ransom notes called ReadMe.txt all over the contaminated computer.

JUNE 3, 2017

Ramsey ransomware targeting Turkish users

The sample dubbed Ramsey is a spinoff of the ubiquitous Jigsaw strain that concatenates the .ram string to encrypted files. Its ransom how-to is in Turkish. Victims are instructed to submit $25 worth of Bitcoin for data recovery.

JUNE 4, 2017

PoC-based Executioner ransomware

The new Turkish crypto hoax referred to as Executioner is one of the numerous derivatives of the educational open-source Hidden Tear code. It uses random extensions for locked files, generates a decryption walkthrough called Sifre_Coz_Talimat.html, and requests a Bitcoin equivalent of $150.

Run-of-the-mill Mora Project strain

Mora Project is yet another offspring of the controversial Hidden Tear proof-of-concept. It affixes the .encrypted extension to scrambled files and leaves a ransom how-to document named ReadMe_Important.txt.

StrutterGear pushes the Jigsaw terror forward

The Jigsaw ransomware version known as StrutterGear features a new creepy background for its ransom note, which contains quite a bit of bad language. It demands $500 worth of Bitcoin.

JUNE 5, 2017

New facts on Jaff ransomware uncovered

Security analysts discover that the architects of the Jaff ransomware campaign are in cahoots with proprietors of a Russian cybercrime marketplace called PaySell. Specifically, the extortion operation relies on server space shared with said underground portal. Other infections affiliated with PaySell include Locky, Dridex, and the Necurs botnet.

Jigsaw lineage more prolific than ever

The payload of the fresh Jigsaw ransomware spinoff is disguised as a Flash update. The infection uses the .lost extension to label encoded data.

MrLocker isn’t as formidable as it appears

New self-proclaimed ransomware dubbed MrLocker claims to wipe a victim’s personal data unless they submit $250 worth of Bitcoin within 10 days. Fortunately, these threats are nothing but a bluff.

Jigsaw decryptor now boasts broader coverage

Michael Gillespie (@demonslay335), the creator of ID Ransomware service, updates his previously released decryption tool for the Jigsaw family of crypto threats. The decryptor additionally supports variants that append the .ram, .lost, and .tax extensions to hostage files.

Jigsaw knockoff called The Dark Encryptor

This one displays a ransom alert paying homage to the Jigsaw movie, although its ties with the infamous ransomware family have not been vetted. The Dark Encryptor uses the .tdelf string to label encoded data and demands $100 worth of Bitcoin.

Ogre ransomware – nothing out of the ordinary

The strain under consideration subjoins the .ogre extension to locked files and displays a somewhat primitive warning screen. Victims are instructed to cough up €20 in Bitcoin.

Ransomware claiming to be YouTube-borne

A tricky screen locker starts circulating in the wild. Its warning screen says, “You have violated the YouTube law,” whatever that means. Researchers were able to get hold of the unlock code, which is ‘law725’.

$ucyLocker, an umpteenth HT offspring

The sample called $ucyLocker is based on open-source Hidden Tear PoC. It creates a help file named READ_IT.txt and concatenates the .WINDOWS extension to encoded entries.

JUNE 6, 2017

BTCWare tweak

A new edition of the BTCWare ransom Trojan switches to appending the .[].blocking suffix to scrambled files.

CryMore sample being cooked up

Analysts spot in-dev ransomware that stains hostage data with the .encrypt extension. The size of the ransom is currently unknown, but the warning screen states that it will be getting 1.5 times bigger every 12 hours.

CryptoSearch utility now supports more strains

A brand-new version of CryptoSearch is released. It is a tool that finds files locked by ransomware and allows victims to move them to a separate location for decryption in the future if an ad hoc free decryptor appears. Owing to the update, this app can identify data entries held hostage by the following ransomware: Amnesia, Amnesia2, Cry128, Cry36, and Cry9.

One more sample identifiable with ID Ransomware

The ID Ransomware online portal has been updated to support the Cry36 crypto infection, which uses the email address to interact with victims.

The onset of Zilla ransomware

Zilla is one of the increasingly widespread Turkish strains at large. It adds the .zilla string to every encoded file and leaves a decryption walkthrough called OkuBeni.txt, which translates as “ReadMe.txt”.

JUNE 7, 2017

BeethoveN ransomware, a new one on the table

This one displays a ransom note stating that it leverages a combo of AES-256 and RSA-2048 ciphers to lock down a victim’s data. It concatenates the .BeethoveN extension to hostage files and provides a payment deadline of 168 hours.

New MrLocker edition

A successor of the buggy MrLocker ransomware surfaces. As opposed to its prototype, this one only locks the screen without threatening to delete data. Thanks to researchers who reverse-engineered the infection, victims can use the code ‘6269521’ to get around the lock screen.

Jigsaw army gets a new trooper

The new iteration of the Jigsaw ransomware uses the .R3K7M9 extension to label inaccessible files. The above-mentioned free decryptor by Michael Gillespie can easily handle this derivative.

JUNE 8, 2017

Windows 10 Creators Update featuring anti-ransomware enhancements

According to Microsoft, the latest version of the Windows 10 operating system boasts efficient mechanisms that help thwart ransomware attacks. To prove this, company executives emphasize that the recent WannaCry campaign has not affected a single Windows 10 user through its well-trodden propagation path, which relies on NSA exploits.

xXLecXx Trojan isn’t an issue at all

Said ransomware is a primitive screen locker that dupes people into thinking their data is encrypted. Victims can use the Alt+F4 key combination to close the lock screen – as simple as that.

New strain targeting Russian users

All the warning messages and instructions generated by the ransomware in question are in Russian. It affixes the .cr020801 string to locked files and tells victims to shoot a message to for buyout steps.

CryptoGod malady pops up

As per analysts’ verdicts, the sample called CryptoGod is a spinoff of the MoWare H.F.D. ransomware, which has been around since late May. The newcomer concatenates the .payforunlock extension to files and displays a ransom note with the inscription “Information Security”, which is quite sarcastic of the crooks.

Unexpected findings regarding WannaCry

Researchers unveil some new controversial characteristics of the WannaCry ransomware. It turns out that this perpetrating program is unable to work out which victims have submitted the ransom. An infection as sophisticated as this one definitely shouldn’t lack this ransomware-specific hallmark. This may suggest that WannaCry was originally tailored to fulfill goals other than extortion alone.

JUNE 9, 2017

In-dev Spectre ransomware with some potential under the hood

A new strain called Spectre is not in the wild thus far, but some uncovered details of its development process might indicate that it’s going to become a serious player in the cybercrime ecosystem. It boasts flawless encryption and robust Command & Control infrastructure. The Trojan scrambles file names and appends them with the .spectre extension. The ransom note is called HowToDecryptIMPORTANT!.txt.

Update made to the Jaff ransomware

The only noteworthy change made to the Jaff crypto malware is that it now concatenates the .sVn extension to files rather than the previously used .wlu string.

MacRansom RaaS

The Ransomware-as-a-Service called MacRansom is shaping up to be the next big thing on the extortion arena. This underground affiliate network makes Mac ransomware available to wannabe cybercriminals.

JUNE 10, 2017

Encryption tweak of BeethoveN ransomware

The recently discovered BeethoveN strain starts leveraging embedded RSA keys and email-based victim interaction principle instead of using a Command & Control server for these purposes. It demands $400 worth of Bitcoin for decryption.

JUNE 11, 2017

Law enforcement action against WannaCry

French police confiscate a server hosting several Tor relays that were engaged for a WannaCry ransomware attack against a big local company. According to some unconfirmed reports, the overall number of Tor nodes seized in France around the same time was in the dozens.

Trojan – no crypto, only screen locking

New ransomware called displays a lock screen stating that the victim’s files are encrypted, while they actually aren’t. The size of the ransom is a BTC equivalent of $50.

JUNE 12, 2017

Facebook-themed ransomware

The sample referred to as the Facebook Ransomware turns out to be a derivative of the Hidden Tear proof-of-concept code. Predictably enough, this one concatenates the .Facebook string to hostage data items.

R4bb0l0ck ransomware targeting Dutch audience

This baddie mainly proliferates in the Netherlands, so it displays a ransom note in Dutch named LEES_MIJ.txt (READ_ME.txt in English). It appends original filenames with the .R4bb0l0ck extension.

One more Jigsaw version spotted

The latest offspring of the Jigsaw ransomware family uses the .Ghost extension to stain locked files. Those infected can use Michael Gillespie’s decryption tool to get their data back for free.

The almost adorable Virus Ransomware

A new sample on the extortion arena called Virus Ransomware displays a warning screen reading “Your PC Got Hacked” and containing an image of a toy from “My Little Pony” collection. Although it fails to perform data encryption, it requests $300 in Bitcoins. Victims can simply apply a commonplace malware eradication routine to address the issue.

CA$HOUT ransomware

This is another unsuccessful Trojan that’s incapable of enciphering files correctly. Despite its buggy gist, it demands a ransom of $100.

Malicious affiliate platforms targeting Macs

Analysts come across two malware deployment frameworks delivering viable ransomware and spyware for macOS. One of them called MacRansom is a RaaS (Ransomware-as-a-Service) portal allowing crooks to fire up an extortion campaign of their own. The other, MacSpy, pushes spyware designed specifically for Macs.

The disgusting GPAA ransomware

The perpetrating app in question claims to emanate from a nonexistent humanitarian organization named Global Poverty Aid Agency. It drops the !READ.htm ransom how-to titled “Save Children”, which asks for 1 Bitcoin as part of a fake crowdfunding initiative.

JUNE 13, 2017

Ransomware with lame OPSEC

A new strain is spotted that subjoins the .rnsmwre suffix to filenames and displays @decrypt_your_files.txt ransom note. Its unusual hallmark is the use of PaySafeCard for ransoms, which suggests that the attacker might be unprofessional.

Jaff ransomware undergoes a change

Felons in charge of the Jaff ransomware campaign release an updated edition of the nasty program. The only modification is that the infection now leaves help manuals named !!!!!SAVE YOUR FILES!!!!.txt and !!!SAVE YOUR FILES!.bmp.

Why-Cry, another crude sample in the wild

This new crypto malware is based on poorly coded open-source ransomware. It affixes the .whycry extension to encoded files and demands $300 worth of Bitcoin for recovery.

Newsmaking incident in South Korea

Linux servers belonging to Nayana, a South Korean web hosting provider, get hit by a file-encrypting Trojan called Erebus. This attack calls forth disastrous collateral damage, as more than 3,000 websites get infected along the way. Ransom negotiations are ongoing.

JUNE 14, 2017

Jaff ransomware finally decrypted

Analysts from Kaspersky Lab spot an imperfection in the encryption routine utilized by the Jaff ransomware, a likely successor of Locky. The vendor’s updated RakhniDecryptor utility is now capable of decrypting files appended with the .jaff, .wlu, and .sVn strings.

New BTCWare version released

The latest update of the prolific BTCWare strain introduces a small change. The pest switches to using the .[].master file extension. This edition is categorized as MasterLock.

EncrypTile ransomware cracked

Avast creates a free decryptor for the file-scrambling infection called EncrypTile. Although this offending program has been in rotation since October 2016, it hasn’t made many victims and remained in the shade of more widespread ransomware families. EncrypTile goes with a user interface and supports multiple languages.

Sage now manifests itself in a slightly different way

HTA ransom how-to dropped by the Sage ransomware doesn’t have an indication of the version number anymore. This is the only tweak made to the infection as part of this update.

CryForMe ransomware in development

The immature sample called CryForMe may have Italian roots. It is based on Hidden Tear educational ransomware code. The ransom is set to €250 worth of Bitcoin.

JUNE 15, 2017

College in the UK falls victim to ransomware

Educational establishments are amongst cyber extortionists’ favorite targets. A recent incident involves University College London, whose computer network got compromised by an unnamed strain of ransomware. According to the official UCL report, antimalware tools failed to block the infection, so this may have been a zero-day attack.

CryptoSpider, a new one out there

This infection displays a warning screen that says, “Hacked by ./Mr.Gh0s7_C47”. The extension affixed to hostage files is .Cspider.

WinUpdatesDisabler spreading in the wild

A new Hidden Tear based ransom Trojan called WinUpdatesDisabler is a garden-variety sample. It concatenates the .zbt suffix to encrypted data items.

WinBan ransomware

The specimen in question locks the screen with an alert reading, “Your Windows has been banned.” Malware researchers got hold of the unlock code that victims need to enter in the warning screen – it is 4N2nfY5nn2991.

JUNE 16, 2017

Executioner ransomware can be cracked

The author of Turkish EDA2-based crypto strain called Executioner reportedly made some critical mistakes when coding the infection. According to Michael Gillespie from MalwareHunterTeam, these flaws make the ransomware easy to decrypt.

Sandwich ransomware keeps its makers hungry

This one is only a screen locker, so it doesn’t encrypt any files. It displays a picture of a sandwich on its warning screen. The two codes that do the unlock trick are as follows: 0941-4234-6354-0235 and 4215-2511-7845-2135.

Screen-locking Cerber replica

A new ransom Trojan is spotted that impersonates the Cerber ransomware and claims to encrypt a victim’s important data. In fact, though, it simply locks the screen and demands 0.1 Bitcoin for the fix.

JUNE 17, 2017

Umpteenth Jigsaw offshoot

A fresh edition of the Jigsaw ransomware speckles encoded files with the .sux extension. It mostly targets Italian users.

Another day, another WannaCry knockoff

Security experts spot an in-dev specimen that impersonates the infamous WannaCry ransomware. In contrast to its prototype, though, it uses the “.Wana Decrypt0r Trojan-Syria Editi0n” file extension and displays a ransom warning with the dark color theme.

JUNE 18, 2017

WinBamboozle infection coming up

That’s quite an appropriate name for a piece of ransomware. This sample appends each hostage file with a unique extension consisting of five hexadecimal characters while leaving the original filename intact.

JUNE 19, 2017

SkullLocker isn’t as scary as it appears

The Trojan called SkullLocker only locks the screen of a target host rather than encrypts a victim’s personal data. The good old Alt+F4 combo suffices to close the spooky-looking screen.

The Dumb ransomware family expands

Another offspring of the Dumb ransomware strain appears. The newcomer displays a ransom note in Polish and demands 1,880 Zloty worth of Bitcoin (0.2 BTC).

SamSam resurfaces

The authors of the SamSam ransomware release three new editions of this strain in one shot. These variants concatenate the .breeding123, .mention9823, and .suppose666 extensions to encrypted files.

DecryptOr 3.2 ransomware

Researchers keep discovering samples whose development is still in progress. One of these parasites is a half-baked specimen called DecryptOr 3.2. It is configured to request $100 worth of Bitcoin for decryption.

NSMF strain wants Bitcoins or pizza

A Readme.txt note dropped by the NSMF ransom Trojan, which appends the .nsmf suffix to scrambled files, says “Send me 5 Bitcoins or pizza.” This infection is based on the academic Hidden Tear ransomware.

JUNE 20, 2017

1-million-dollar ransom paid

South Korean web host called Nayana decides to submit a mind-blowing ransom that amounts to $1 million worth of Bitcoin. The Erebus ransomware attack, which took place on June 10, crippled the company’s 153 Linux web servers and thus affected 3,400 hosted sites. Interestingly, this particular strain had been a Windows-only infection prior to this newsmaking onslaught against Nayana’s Linux environment.

Kuntzware, a threat that doesn’t work as intended

Predictably enough, this one uses the .kuntzware file extension to label what has been encrypted. While it is supposed to scramble a victim’s data and possibly even lock the screen, it currently crashes after starting up.

Zilla ransomware update

The baddie targets Turkish users. It affixes the .zilla string to filenames and provides decryption steps in a how-to document named @@BurayaBak.txt (“LookHere” in English).

Gansta ransomware devs should work on their spelling

This sample concatenates the .enc extension to enciphered files. The ransom note says it’s “the only free ransomware”. Go figure what that is supposed to mean.

Screen locker requesting sensitive information

New screen-locking malware is spotted that instructs victims to enter their credit card details, including the number, expiration date, full name, and security code.

Crypt888 variant treats files in an unusual way

A new edition of the Crypt888 ransomware is discovered. Whereas most crypto threats put certain character strings at the end of filenames, this one goes its own route and prepends the “Lock.” prefix to files instead. Another tweak is the new red desktop background that replaces the original.

JUNE 21, 2017

Car plant hit by WannaCry

The WannaCry ransomware attacked a Honda car factory based in Sayama, Japan. The manufacturer was forced to stop the production process while implementing incident response measures.

TeslaWare for sale

New ransomware kit called TeslaWare is discovered on the dark web. Its creators offer fellow-crooks a deal where the latter can buy their custom variant of the infection for €35-70. The offending program keeps deleting some files until the victim pays up. Analysts state this ransomware has serious functional flaws and can thus be decrypted without a ransom.

Another ransomware hunt commences

MalwareHunterTeam’s Michael Gillespie publishes a tweet encouraging colleagues to help find samples of the aZaZeL ransomware. Its indicators of compromise include the .Encrypted file extension, File_Encryption_Notice.txt ransom note, and contact email address.

New Ruby-based ransomware

A fresh sample written in Ruby demonstrates that online extortionists keep experimenting with programming languages. Its modus operandi involves a domain generation algorithm (DGA).

JUNE 22, 2017

WannaCry won’t stop causing chaos

This nasty ransomware makes another high-profile victim. This time, it contaminates 55 road safety cameras in the Australian state of Victoria. As a result, local police cancel 590 tickets and stop issuing new ones until the problem is fixed.

Locky is back but ill-conceived

The Locky ransomware re-emerges after another pause in distribution that lasted more than a month. The Necurs botnet is still the one to blame for this novel propagation wave. The good news is the code has imperfections that prevent it from running on Windows editions later than Vista.

CryptoDark specimen acts in a bizarre way

Despite the fact that this malicious entity manifests itself just like the average crypto ransomware, it does not actually encode any data. It demands $300 worth of Bitcoin regardless.

Impostor mimicking Cerber

The Trojan in question generates victim interaction modules resembling ones displayed by Cerber ransomware. According to researchers’ findings, though, it is an independently developed sample. This pseudo-Cerber appends the .encrypted extension to locked files.

AlixSpy committing some data theft

As opposed to garden-variety ransomware, the strain called AlixSpy prefers theft to encryption. It steals a victim’s authentication details for Growtopia game then locks the screen and demands $20 worth of Bitcoin for unlocking.

QuakeWay ransomware

This one concatenates the .org extension to encrypted files and creates a ransom manual named _iWasHere.txt. Experts from MHT claim it can be decrypted.

JUNE 23, 2017

Most ransomware attacks stay in the dark

The FBI’s Internet Crime Complaint Center (IC3) releases a fresh annual Internet Crime Report. One of the interesting takeaways from it is that the majority of ransomware victims choose not to inform law enforcement about their quandary.

Windows 10 S is susceptible to ransomware

White hat hackers decided to vet Microsoft’s reassurances that its newest Windows 10 S edition is invulnerable to ransomware attacks. Matthew Hickey from the Hacker House security firm was able to install a ransomware sample on a brand-new Surface Laptop in a couple of hours.

Odd modus operandi of the Reetner ransomware

The sample in question employs a modular execution workflow. It means different executables are responsible for different processes involved in the extortion chain. For example, Noter.exe displays the ransom note, another executable encrypts files, and so on. If this approach becomes more widespread in the ransomware environment overall, it may significantly complicate detection and troubleshooting.

Screen locker without financial motivation

Researchers discover a new ransom Trojan whose impact is restricted to locking one’s screen. This doesn’t align with the text on the lock screen that states all personal files have been encrypted. According to the alert, the attacker doesn’t want money and won’t decrypt anything. Obviously, this whole campaign doesn’t make sense.

HT based EyLamo ransomware

Similarly to the strain called NSMF that demanded “Bitcoins or pizza” for decryption, the new EyLamo specimen asks for “BTC or kebab”. The two must have a common origin. EyLamo is a malicious offshoot of Hidden Tear that subjoins the .lamo extension to files and drops READ_IT.txt ransom how-to.

Kryptonite sneaks inside as a primitive game

Kryptonite ransomware infiltrates computers while passing itself off as a Snake game. It claims to use RSA-2048 cryptosystem and demands a Bitcoin equivalent of $500. Fortunately, it fails to even get to the encryption part of its abominable undertaking.

JUNE 24, 2017

Jigsaw ransomware update

A new Jigsaw edition is discovered that subjoins the .rat extension string to ciphered files. No other noteworthy changes have been made.

Spear-extortion might be the next big thing

Researchers from MHT come across a ransomware sample that displays READ_ME.txt ransom note tailored for a particular organization, namely the Eurogate Group. It is a Hidden Tear spinoff that stains files with the .locked extension.

Rogue X-rated app turns out to be Android ransomware

The Android ransom Trojan called Koler starts targeting United States users who visit an adult-themed site. Intrusive ads on this adult web resource recommend that would-be victims install a bogus app, which then displays an FBI-themed lock screen demanding a $500 penalty for watching prohibited content.

JUNE 26, 2017

Another ransomware disguised as a computer game

Security experts discover a Hidden Tear offshoot that infects machines while masquerading as the Battlefield game. Files encrypted by this sample get the .locked suffix appended to their original names.

MMM ransomware in development

This one uses the .0x004867 string to blemish ransomed data and drops an additional file with the .info extension for every encoded data entry. The latter contains the corresponding cryptographic key. The MMM Trojan currently works in test mode.

Samas gets a small tweak

The latest iteration of the extortion old-stager called Samas ransomware concatenates the .moments2900 suffix to filenames.

Adverse aftermath of the Nayana incident

After the web host called Nayana agreed to cough up a $1 million ransom to Erebus ransomware distributors, other crooks started firing massive DDoS-for-ransom attacks at South Korean companies – obviously, in pursuit of huge payouts.

JUNE 27, 2017

Karo ransomware fails to impress

Having encoded data on a computer, this specimen adds the .ipygh string to filenames and leaves a recovery how-to called ReadMe.html on the desktop.

Latvian ViaCrypt sample spotted

This strain got its name based on the .via extension concatenated to hostage files. It drops a ransom note in Latvian.

The Shifr Ransomware-as-a-Service

The RaaS in question stands out from the pack. This malicious affiliate platform is amazingly easy for wannabe felons to join, with just a few custom parameters to define. Furthermore, the architects of Shifr only take a 10% share of subsequent ransoms, which is several times lower than the average cut in the ransomware distribution business. Researchers suspect such a low rate might have a flip side for newbie extortionists, namely data theft from their machines by means of a stealthy info-stealer module.

Petya ransomware lookalike pops up

Also referred to as NotPetya or Petrwrap, this nasty infection spreads like wildfire in Ukraine, compromising state-owned banks, large private companies, and media. Its reach quickly expands to Western Europe. This pest affects the Master Boot Record (MBR) of a contaminated computer and encrypts the system’s Master File Table, thus completely locking users out of their machines.

Petya-related mailbox blocked

Posteo, the email provider whose services are used by Petya makers to interact with victims, blocks the corresponding email account in light of fraudulent use. Analysts fear this is a wrong move that may prevent victims from regaining access to their computers and data.

Offbeat infection vector used by Petya

Numerous reports start coming in about a peculiar entry point of the new Petya variant. The infection routine may be executed via a booby-trapped update for accounting software called M.E.Doc, which is widely used by Ukrainian enterprises.

Prevention mechanism for Petya discovered

This sophisticated ransom Trojan turns out to create and run a file named perfc.dat to operate inside a system. Therefore, it is possible to thwart the destructive routine by creating a read-only file with the same name in the Windows folder.

CryptoBubble lives up to its name

This ransomware sample is easy to identify as it stains files with the .bubble extension. Fortunately, it has weak crypto. This allowed MHT’s Michael Gillespie to create a free decryption tool that pokes the bubble, figuratively speaking.

Executioner ransomware update

A fresh edition of the Turkish ransom Trojan called Executioner switches to using random file extensions that consist of six hexadecimal characters.

The new Petya isn’t classic ransomware

According to Kaspersky Lab, the most recent incarnation of Petya doesn’t provide any viable decryption options, no matter if a victim has paid up or not. This fact suggests that it must have been created for disruption and sabotage rather than commonplace online extortion.

JUNE 28, 2017

Ukraine is the epicenter of cyber attacks

Whereas the Petya epidemic got the most press coverage, several more ransomware strains have been zeroing in on Ukrainian users lately. For instance, a sample called PSCrypt was claiming victims in said country in mid-June. These campaigns were preceded by the XData outbreak in May.

More analysts state Petya is cyber warfare

Based on evidence, the (Not)Petya ransomware does not pursue extortion goals. It does not provide victims with a decryption key even if they cough up the ransom. Looks like this whole campaign is a state-sponsored action targeting a particular country.

MusicGuy Trojan getting on victims’ nerves

This is a new file-encrypting program on the computer crime arena. It concatenates the .locked suffix to each enciphered data item on a target machine.

Random6 pest in the wild

This ransomware affixes a random 6-character string to affected files. It creates a ransom note in the format RESTORE-.[file extension]-FILES.txt, so its name is unique for every plagued user.

Gank Ransom seems like a joke

Said sample uses the .gankLocked file extension and READ_ME_ASAP.txt ransom how-to. Its demands are currently explicated in the following way: “You must send me one million Bitcoins to retrieve the key.” Someone is fooling around, obviously.

Pirateware doesn’t do harm as intended

At first sight, the in-dev Pirateware infection looks just like the average ransomware. It displays a warning screen that instructs the victim to send 0.1 BTC to a specific Bitcoin wallet. What makes it different from viable counterparts, though, is that it fails to encrypt any data.

JUNE 29, 2017

Microsoft’s clever anti-ransomware initiative

Microsoft announces a new Windows Defender feature called Controlled Folder Access. It is scheduled to go live around October this year as part of the Fall Creators Update. The objective of this promising feature is to prevent third-party code from making changes to data stored in system folders (by default) and in custom directories defined by the user.

Cerber morphs into CRBR Encryptor

This prolific ransomware begins manifesting itself as CRBR Encryptor. The updated variant drops ransom notes named _READ_THIS_[random]_.hta/txt, renames files, and appends them with four hexadecimal characters. It still arrives with malspam.
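The following Python script is an added example for this page, not code from the article or from any vendor it mentions. It triages filenames against the indicators the chronicle lists: the fixed extensions and note names, the per-victim LockCrypt extension (ID[identifier].lock) and Random6 note (RESTORE-.[random]-FILES.txt), the Lock. prefix of Crypt888, and the random hex extensions of WinBamboozle, Executioner and CRBR Encryptor, which no fixed list can catch and are therefore matched by shape and by how many distinct ones appear in one folder. The sample paths are constructed; the Random6 note is assumed to use six alphanumeric characters.

```python
"""Triage filenames against the ransomware indicators catalogued in this
June 2017 chronicle. Added example for this page, not the article's code."""
import re
from typing import Dict, List, Tuple

# Fixed extensions the article attributes to specific families (lower-cased).
KNOWN_EXTENSIONS: Dict[str, str] = {
    ".ram": "Jigsaw (Ramsey)", ".lost": "Jigsaw", ".r3k7m9": "Jigsaw",
    ".ghost": "Jigsaw", ".sux": "Jigsaw", ".rat": "Jigsaw", ".zilla": "Zilla",
    ".beethoven": "BeethoveN", ".payforunlock": "CryptoGod", ".spectre": "Spectre",
    ".jaff": "Jaff", ".wlu": "Jaff", ".svn": "Jaff", ".r4bb0l0ck": "R4bb0l0ck",
    ".rnsmwre": "unnamed PaySafeCard strain", ".whycry": "Why-Cry",
    ".cspider": "CryptoSpider", ".zbt": "WinUpdatesDisabler", ".nsmf": "NSMF",
    ".lamo": "EyLamo", ".0x004867": "MMM", ".moments2900": "Samas",
    ".ipygh": "Karo", ".via": "ViaCrypt", ".bubble": "CryptoBubble",
    ".ganklocked": "Gank Ransom", ".breeding123": "SamSam",
    ".mention9823": "SamSam", ".suppose666": "SamSam",
}
# Ransom note filenames the article quotes (matched case-insensitively).
# Generic names such as readme.txt are noisy on their own; treat them as a lead.
KNOWN_NOTES: Dict[str, str] = {
    "readme.txt": "LockCrypt / NSMF", "sifre_coz_talimat.html": "Executioner",
    "readme_important.txt": "Mora Project", "read_it.txt": "$ucyLocker / EyLamo",
    "okubeni.txt": "Zilla", "howtodecryptimportant!.txt": "Spectre",
    "lees_mij.txt": "R4bb0l0ck", "!read.htm": "GPAA",
    "@decrypt_your_files.txt": "unnamed PaySafeCard strain",
    "@@burayabak.txt": "Zilla", "_iwashere.txt": "QuakeWay",
    "file_encryption_notice.txt": "aZaZeL", "readme.html": "Karo",
    "read_me_asap.txt": "Gank Ransom",
}
# LockCrypt appends ID<victim id>.lock, so plain .lock files (Cargo.lock) are not hits.
LOCKCRYPT_EXT = re.compile(r"\.id[^.\\/]+\.lock$", re.IGNORECASE)
# Random6 note: RESTORE-.<6 random chars>-FILES.txt; assumption: alphanumeric chars.
RANDOM6_NOTE = re.compile(r"^RESTORE-\.[A-Za-z0-9]{6}-FILES\.txt$", re.IGNORECASE)
# Per-victim hex extensions: WinBamboozle (5 chars), Executioner (6), CRBR (4).
RANDOM_HEX_EXT = re.compile(r"\.([0-9a-f]{4,6})$", re.IGNORECASE)
CRYPT888_PREFIX = "Lock."  # Crypt888 prepends instead of appending


def _split(path: str) -> Tuple[str, str]:
    """Return (directory, basename) for a Windows or POSIX path."""
    head, sep, tail = path.replace("\\", "/").rpartition("/")
    return (head if sep else "."), tail


def classify(path: str) -> List[str]:
    """Strong, per-file indicators from the article that match this path."""
    base = _split(path)[1]
    low = base.lower()
    ext = "." + low.rsplit(".", 1)[1] if "." in low else ""
    hits: List[str] = []
    if low in KNOWN_NOTES:
        hits.append(f"ransom note of {KNOWN_NOTES[low]}")
    if RANDOM6_NOTE.match(base):
        hits.append("ransom note of Random6 (per-victim name)")
    if LOCKCRYPT_EXT.search(base):
        hits.append("extension of LockCrypt")
    elif ext in KNOWN_EXTENSIONS:
        hits.append(f"extension of {KNOWN_EXTENSIONS[ext]}")
    if base.startswith(CRYPT888_PREFIX):
        hits.append("Lock. prefix of Crypt888")
    return hits


def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Per-file hits plus a per-directory finding for the random-hex families."""
    findings: Dict[str, List[str]] = {}
    hex_by_dir: Dict[str, List[str]] = {}
    for p in paths:
        hits = classify(p)
        if hits:
            findings[p] = hits
        d, base = _split(p)
        m = RANDOM_HEX_EXT.search(base)
        if m:
            hex_by_dir.setdefault(d, []).append(m.group(1).lower())
    for d, exts in hex_by_dir.items():
        # One hex-shaped extension is weak evidence (".cafe" is a legal name); three
        # or more files in a folder that each carry a different one is the hallmark.
        if len(exts) >= 3 and len(set(exts)) == len(exts):
            findings[d + "/"] = [f"{len(exts)} files with distinct random hex "
                                 "extensions (WinBamboozle/Executioner/CRBR pattern)"]
    return findings


SAMPLE_PATHS = [  # constructed for this example, not real incident data
    "C:/Users/ann/Documents/budget.xlsx.zilla",
    "C:/Users/ann/Documents/OkuBeni.txt",
    "C:/Users/ann/Pictures/holiday.jpg.ID4F2A9C1B.lock",
    "C:/Users/ann/Pictures/ReadMe.txt",
    "C:/Users/bob/Desktop/RESTORE-.k9X2pQ-FILES.txt",
    "C:/Users/bob/Desktop/Lock.thesis.docx",
    "C:/Users/carl/Work/q1.pptx.a1b2c",
    "C:/Users/carl/Work/q2.pptx.0f9e3",
    "C:/Users/carl/Work/notes.txt.77de1",
    "C:/Users/carl/Work/Cargo.lock",    # legitimate, must stay clean
    "C:/Users/dan/stuff/setup.cafe",    # lone hex-shaped name, must stay clean
]

if __name__ == "__main__":
    for item, reasons in scan(SAMPLE_PATHS).items():
        print(f"{item}: {'; '.join(reasons)}")
```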

Another ransom Trojan targeting Ukraine

Analysts discover a new extortion campaign fired at this East European country. This time it’s a .NET based WannaCry copycat. The infection reportedly sticks with the same propagation mechanism as Petya, employing the M.E.Doc accounting software environment to contaminate computers.

ABCScreenLocker is on its way

This infection is half-baked and doesn’t spread in the wild at this point. As the name suggests, it is supposed to only lock the screen without encrypting anything on compromised hosts.

Nemucod ransomware tweak

A new offshoot of the Nemucod family surfaces that does not modify filenames or append any extensions. It displays an updated version of the ransom note that demands 0.45 BTC for data recovery.

JUNE 30, 2017

Petya was created for destruction, period

A growing number of security vendors state that the most recent iteration of the Petya ransomware does not provide decryption and system recovery options even if victims pay up. The main conclusion to draw from this fact is that the code is intended to do damage and disrupt the activity of target organizations.


Not only does the present-day ransomware cause financial losses, but it can also shut down factories and affect critical infrastructure. The Petya ransomware outbreak has demonstrated how vulnerable organizations are when skilled threat actors come into play. Hopefully, Windows Defender’s upcoming Controlled Folder Access feature and perhaps some other new security initiatives will turn out to be game-changing.


About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.