
Whatever the reason is, ransomware activity skyrocketed last month. An influx of crude, unprofessionally tailored samples bombarded home users and enterprises, sometimes simply destroying data beyond recovery due to broken crypto. Meanwhile, high-profile threats like Spora, Sage, Cerber and Jigsaw became more sophisticated.

The statistics for March are as follows: threat actors released 46 new strains and updated 20 existing ones. Although anti-malware labs and security enthusiasts were able to devise seven free decryptors, that is still disproportionately little by comparison. Read this report to stay on top of the current ransomware trends.

MARCH 1, 2017

The comeback of Crypt0L0cker

A new wave of the Crypt0L0cker, or TorrentLocker, ransomware campaign breaks out after a lengthy standstill since mid-2015. The updated strain primarily zeroes in on European countries.

Clever AV evasion by Locky

According to Microsoft Malware Protection Center (MMPC), the latest Osiris edition of the notorious Locky program is signed with a valid digital certificate. This trick allows the infection to fly under the radar of most security suites.

A gesture of goodwill to help Dharma victims

In an unexpected move, someone nicknamed ‘gektar’ provides a link on Bleeping Computer’s forums supposedly pointing to a Pastebin-hosted repository of master decryption keys for the Dharma ransomware.

In-dev KRider strain spotted

MalwareHunterTeam, a well-known group of security analysts specializing in combating crypto ransomware, discovers a somewhat crude sample called KRider. It is configured to append victims’ files with the .kr3 extension.

Nontrivial ransomware identification puzzle

A file-encrypting malware specimen gets out. It concatenates the .SN-[victim_ID]-info@kraken.cc_worldcza@email.cz string to encrypted files. Although it is reminiscent of CrySiS, quite a few properties don’t match, so it is unclear which family it belongs to.

Prominent researcher provides anti-ransomware tips

Michael Gillespie, the architect of ID Ransomware service, participates in the Fight Ransomware Podcast by Carbonite to express his viewpoint on ways to beat the epidemic.

Tricky distribution vector for ASN1 ransomware

The ransom Trojan called ASN1 turns out to be proliferating via a rogue ad server pointing to the RIG exploit kit. This sample does not affix any extra strings to scrambled files and drops a ransom how-to called “!!!!!readme!!!!!.htm”.

MARCH 2, 2017

Dharma ransomware cracked

Following the newsmaking leak of master decryption keys for Dharma, Kaspersky Lab updates the RakhniDecryptor tool so that it supports the infection. ESET and Avast release their own free decryption tools shortly afterwards, as well.

Cerber stepping into Android environment?

Analysts at ESET locate Cerber’s README.hta ransom note within the source code of several Android apps distributed on Google Play. This may suggest that threat actors are trying their hand at expanding their campaign to the mobile platform in question.

Double exploitation of PoC ransomware

A new file-encrypting Trojan surfaces whose code is based on the MafiaWare infection, which was discovered in early January this year. The interesting thing about this interrelation is that MafiaWare, in its turn, is a spinoff of the open-source proof-of-concept strain known as Hidden Tear.

MARCH 3, 2017

One more Hidden Tear derivative spotted

Security experts stumble upon a perpetrating program called FabSysCrypto, which appears to be an offspring of the above-mentioned Hidden Tear PoC. Furthermore, its data recovery manual is a replica of the ransom note created by Locky.

MARCH 5, 2017

Jigsaw ransomware reaches version 4.6

Jigsaw ransomware version 4.6 features a new alert screen with different wording than before. It demands $150 worth of Bitcoin for decryption and pressures victims into paying up within 24 hours.

MARCH 6, 2017

Pennsylvania Senate Democrats under ransomware attack

An unidentified ransomware infection hits the computer network of the Pennsylvania Senate Democratic Caucus. The compromise causes a shutdown of the organization’s IT infrastructure and makes proprietary data inaccessible.

FadeSoft ransomware update

Researchers bump into a fresh variant of the FadeSoft ransomware. The only noteworthy change is the new ransom note design. The threat actors demand 0.1 BTC and provide a seven-day deadline to pay up.

New Spanish ransomware appears

ESET spots a file-encrypting sample called CryptoJacky. It targets Spanish-speaking users and comes equipped with Aescrypt.exe application that does the data encryption job.

MARCH 7, 2017

Unexpected incarnation of Shamoon malware

The disk-wiping infection known as Shamoon, or Disttrack, has been around since 2012. But it’s not until recently that it started propagating with a ransomware module on board. According to Kaspersky, the latest version dubbed StoneDrill encrypts files, circumvents sandboxing mechanisms, and affects 32-bit and 64-bit systems alike.

Enjey ransomware surfaces

The authors of the new ransom Trojan called Enjey borrowed their code from the older RemindMe strain. The infection instructs victims to send their personal identifier to contact_here_me@india.com in order to receive further decryption steps and learn the size of the ransom.

Minor tweak of the Unlock92 ransomware

The only conspicuous change made to the Unlock92 Trojan as part of the latest update is a new name of the ransom note. The how-to file is now called READ_ME_!.txt.

The destructive Nhtnwcuf sample

While featuring a really unusual name, Nhtnwcuf is also offbeat in terms of the way it handles a victim’s data. The pest wreaks havoc with files to an extent where they cannot be restored even if an infected person meets the attackers’ demands. It drops one of the following ransom notes: HELP_ME_PLEASE.txt or !_RECOVERY_HELP_!.txt.

MARCH 8, 2017

Meet Paul, a wannabe cybercrook

Security analysts discover an in-development French strain whose code contains a name attribute “Paul”, which is most likely the creator’s name. It is a spinoff of the educational Hidden Tear project.

CryptON ransomware defeated

Fabian Wosar, the chief technology officer at Emsisoft, cooks up a free decryptor for the CryptON ransomware. This crypto malady is also known as Nemesis and leverages a fusion of AES-256, RSA, and SHA-256 algorithms to scramble victims’ data.

Latest Crypt0L0cker campaign dissected

Cisco’s Talos Intelligence Group publishes a comprehensive report regarding the totality of characteristics of the current Crypt0L0cker variant.

CryptoLocker 1.0.0 shaping up to be a serious problem

MalwareHunterTeam stumbles upon the new CryptoLocker 1.0.0 threat, which is just a replica of its infamous prototype. The propagation of this sample is mostly isolated to Turkey. It uses the asymmetric RSA-2048 cryptosystem to lock files.

MARCH 9, 2017

RanRan strain is unique in a few ways

There are several things that make RanRan stand out from the rest. First off, it is employed in targeted attacks against Middle Eastern government institutions. Furthermore, it prevents victims from opening Task Manager, terminates database processes, leverages different encryption keys for files of different sizes, and displays a zXz.html ransom note with a political message in it.

Cerber ransomware update

The most recent iteration of Cerber does not alter the original filenames, whereas its forerunners replaced them with 10 random hexadecimal characters. However, it still appends files with a four-character extension that matches the plagued PC’s MachineGuid parameter.

Vortex ransomware spotted

This new perpetrating program zeroes in on Polish victims. It concatenates the .aes suffix to encoded files and leaves a ransom note in Polish named ODZSZYFRUJ-DANE.txt.

VapeLauncher, another PoC derivative

Researchers come across a file-encrypting infection called VapeLauncher, which requests a Bitcoin equivalent of $200 for decryption. Its AutoIt code is based on the CryptoWire proof-of-concept that was uploaded by a security enthusiast to GitHub in late May 2016.

Ties between Spora and HTA email attachments

According to RSA Security, the architects of the Spora campaign are heavily relying on the use of HTA files attached to malspam emails. This vector allows the ransom Trojan to fulfill the contamination process without requesting any additional data from a Command and Control server.

PadCrypt version 3.4.0 is out

PadCrypt, a ransomware sample that gained notoriety for providing live support chat to its victims, gets some fine-tuning. Its current version number is 3.4.0. Other than that, hardly anything else has changed.

Samas ransomware distribution specificity

It turns out that the crooks behind Samas, or SamSam, exploit Active Directory service in order to infiltrate and traverse big networks. The cybercrime ring in question reportedly defrauded organizations of about $450,000 during the past 12 months.

MARCH 10, 2017

A great write-up on Spora

Malwarebytes publishes an article encompassing the ins and outs of Spora. The analysis includes main attack vectors, encryption routine, and extortion cycle.

One group behind ransomware and a data stealer

The latest variant of the Sage ransomware (version 2.2) is distributed by the same threat actors as those responsible for depositing the August Stealer malware onto computers. Both of these campaigns appear to serve payloads from the same file path.

Android ransomware used in a targeted attack

According to Check Point, 36 new smartphones purchased by two big technology companies arrived with Android malware on board. In particular, the devices had a sample of Slocker ransomware and Loki adware pre-installed on them.

MARCH 11, 2017

ID Ransomware enhancement

Due to an important update made to MalwareHunterTeam’s ID Ransomware service, victims of Spora can determine which strain they are confronted with and continue the troubleshooting accordingly.

Another day, another Samas update

A fresh edition of Samas concatenates the .iaufkakfhsaraf string to encrypted files. It also adds a new ransom note called IF_WANT_FILES_BACK_PLS_READ.html.

Damage ransomware decrypted

Emsisoft CTO Fabian Wosar runs a streaming video session where he analyses the Damage ransomware and creates an ad hoc automatic decryption tool in real time.

Russian RozaLocker ransomware

The RozaLocker sample takes root in the Russian online segment. It uses the .ENC extension to blemish affected files and demands 10,000 Rubles (about $180) for decryption.

MARCH 12, 2017

Another French ransomware spotted

The Trojan in question displays a ransom warning in French and asks for 0.1 BTC to decrypt files. Overall, this one is fairly run-of-the-mill.

MARCH 13, 2017

Extortionist’s payback hits the headlines

The maker of the Enjey malware fires a series of distributed denial-of-service attacks against the ID Ransomware resource. Prior to this predicament, the author of ID Ransomware had crafted a free decryption tool for said infection.

Flotera ransomware emerges

This abominable specimen appears to be part of the same family as the Polski and Vortex infections. Its propagation involves a remote access Trojan (RAT) called vjw0rm.

One more PadCrypt update

The developers of PadCrypt stay busy coining new variants of their cyber offspring. The latest one, PadCrypt 3.4.1, introduces hardly any novelty aside from the version number.

Hunting down the Project34 baddie

Michael Gillespie asks his security community colleagues to combine efforts in analyzing the Project34 ransomware. This sample prepends the “project34@india.com.*” string to filenames and leaves a TXT ransom note.

MARCH 14, 2017

PetrWrap, a Petya ransomware spinoff

Kaspersky Lab spots a strain called PetrWrap, which is based on the infamous Petya ransomware. Just like its predecessor, the Trojan in question uses the Salsa20 cryptosystem to scramble the Master File Table of NTFS partitions, thus rendering the plagued machines inoperable until the ransom is paid. PetrWrap is used in targeted attacks against specific companies.

White hats upset the makers of a RaaS

Analysts working on the Malwarebytes team hack into the C2 server of an in-dev Ransomware-as-a-Service (RaaS) platform called FileCrypter Shop.

New domain used by Spora

Researchers discover that the operators of Spora registered and started using a new domain for their campaign. It’s at torifyme.com.

Jigsaw ransomware update

The latest incarnation of Jigsaw uses the .nemo-hacks.at.sigaint.org extension to label encrypted data. Nothing else has been modified.

Hermes reaches version 2.0

Malefactors release Hermes ransomware v2.0. This update includes a fix for the crypto flaw that allowed Emsisoft’s Fabian Wosar to devise a free decryptor.

Updated Hermes still decryptable

Michael Gillespie, alias demonslay335, teams up with Emsisoft researcher Fabian Wosar to create a viable decryption tool for the Hermes ransomware. Apparently, the recent crypto bug fix rolled out by the threat actors didn’t do the trick.

An instructive ransomware sample spotted

A new Russian screen locker displays a warning that recommends the victim to exercise more caution with fishy downloads online. The unlock password is indicated in the ransom note.

The Karmen RaaS appears

A Ransomware-as-a-Service portal called Karmen is intended to make the ransomware business as easy as ABC for wannabe criminals. The suggested malicious build displays a ransom warning in English and German.

MARCH 15, 2017

Revenge ransomware, a new one on the table

Quite predictably, the strain called Revenge appends the .revenge extension to enciphered files. It proliferates through the use of the RIG exploit kit. The ransom note is called # !!!HELP_FILE!!! #.txt.

Turkish CTB-Locker copycat found

Avast researchers spot a replica of the notorious CTB-Locker that displays all of its warning messages in Turkish. The infection stains files with the .encrypted suffix and leaves the “Beni Oku.txt” decryption how-to, which is Turkish for “Read Me”.

A crook obsessed with social networking

Experts from GData discover a Hidden Tear based ransom Trojan whose conceited author instructs victims to post the phrase “I’ve been hacked by anony” on their Facebook wall in order to obtain the decryption key.

MARCH 16, 2017

Attack vector engaging NSIS installers

According to MMPC, ransomware deployers have come to leverage advanced distribution techniques that revolve around exploiting the Nullsoft Scriptable Install System (NSIS). This way, the threat actors make sure their code evades security systems.

The unusual Kirk ransomware

A Star Trek themed data-encrypting infection called the Kirk ransomware quickly becomes a buzzword in the IT security community. It concatenates the .Kirked extension to files and drops a recovery manual called RANSOM_NOTE.txt. Interestingly, this sample accepts Monero cryptocurrency rather than Bitcoin and uses a decryptor called Spock.

The Lick ransomware pops up

This one is almost identical to the aforementioned Kirk pest. It uses the exact same name for the ransom note. As opposed to its forerunner, though, this sample appends the .Licked string to jumbled files and uploads victim-specific data to Pastebin.

CryptoDevil screen locker turns out rather lame

The malware called CryptoDevil does not actually encrypt anything but locks an infected PC with a bright-red screen instead. Researchers manage to obtain the unlock code, which is “kjkszpj”.

RoshaLock 2.0 isn’t about crypto

Security analysts discover a ransom Trojan dubbed RoshaLock 2.0, which moves a victim’s files to a password-protected RAR archive. It drops a ransom note called “All Your Files in Archive!.txt”.

Decryptor for CryptON gets fine-tuned

Emsisoft updates the free CryptON decryption tool, which now supports the latest version of this ransomware.

MARCH 17, 2017

ZinoCrypt makes an appearance

A file-encrypting threat called “ZinoCrypt Ransomware – 2017 Edition” is discovered. It affixes the .ZINO extension to encoded data entries and leaves the ZINO_NOTE.txt ransom manual.

Crptxxx, another commonplace ransomware

The conventional name of this strain was derived from the .crptxxx extension that it concatenates to one’s mutilated files. It adds a decryption how-to file named HOW_TO_FIX_!.txt.

Jigsaw malady gets a new look and feel

Researchers stumble upon a new variant of Jigsaw that uses the .fun extension. The most conspicuous tweak made to the infection is the new background of its ransom note. Courtesy of Avast, this Trojan is decryptable for free.

New ransomware builder spotted

IT experts come across a utility that automates the process of generating custom builds of the DH File Locker ransomware. It allows criminals to define the folder that the executable should be dropped into, the text of the ransom demand, and quite a few more values.

Trident File Locker infection builder found

A primitive-looking builder for the Trident File Locker ransomware is uncovered. Its graphical user interface contains configurable fields for the targeted file extensions, the name and contents of the ransom note, as well as the unlock password.

One more Hidden Tear offspring discovered

The perpetrating program in question is called the MacAndChess Ransomware. Similarly to another infection spotted two days before, it tells victims to post the phrase “I’ve been hacked by anony” on their Facebook walls.

MARCH 18, 2017

BrainCrypt is no longer an issue

Michael Gillespie creates an automatic free decryptor for the BrainCrypt ransomware, which uses the “.[braincrypt@india.com].braincrypt” extension to label victims’ scrambled files.

MOTD baddie comes into researchers’ sight

A fairly simplistic crypto plague called MOTD is spotted in the wild. Its warning message reads, “You are infected with the most cryptographic advanced ransomware,” which is a somewhat exaggerated statement. It is a commonplace strain appending files with the .enc extension.

MARCH 19, 2017

CryptoDevil starts encoding data

This one originally acted as a screen locker, but the crooks in charge have begun distributing an edition that actually applies crypto. CryptoDevil affixes the .devil string to locked files.

Jigsaw variant built to attack Vietnamese users

A new in-dev file-encoding pest from the Jigsaw ransomware family generates warnings in Vietnamese, which makes it clear which geographic location is going to be targeted once the infection becomes fully functional.

MARCH 20, 2017

The decline of Locky

Locky, which was one of the top crypto threats in 2016, appears to be losing momentum. Security experts speculate this is due to a dramatic drop in the volume of Locky spam generated by the powerful Necurs botnet.

Legislation addressing ransomware

A new bill proposed in Indiana is going to make ransomware distribution a felony punishable by a jail sentence of up to six years or a $10,000 fine.

PadCrypt devs are busier than ever

Security analysts keep discovering new versions of PadCrypt. This is quite strange because the campaign isn’t large-scale at all and doesn’t hit many users. The latest version 3.4.4 didn’t introduce any noteworthy modifications compared to the previous one.

Another Samas update

The indicators of compromise inherent to the new variant of the Samas, or SamSam, ransom Trojan include the .cifgksaffsfyghd file extension as well as the READ_READ_DEC_FILES.html ransom note.

MARCH 21, 2017

Connection between LLTP ransomware and Venus Locker

At first sight, the LLTP ransomware looks like a brand new, independently coded sample targeting Spanish-speaking audience. Some expert insight, though, reveals that it’s a remake of the existing Venus Locker malady.

SAP vulnerability uncovered

According to ERPScan, a well-known business application security provider, endpoint devices running the SAP GUI application are susceptible to ransomware attacks due to a remote command execution vulnerability.

MARCH 22, 2017

User-centered ransomware on the rise

Analysts predict that crypto malware designs are going to become increasingly intuitive. This trend is exemplified by the relatively new Spora variant, which features easy-to-access customer support and multiple UI components contributing to a better user experience.

Ransomware devs inspired by the Zorro character

A malicious program called Zorro is discovered. It blemishes encrypted files with the .zorro extension and drops a ransom manual called “Take_Seriously (Your saving grace).txt”.

AngleWare, another Hidden Tear offspring

A new infection has replenished the list of countless ransom Trojans harnessing the code of the open-source Hidden Tear proof-of-concept. It uses the .AngleWare extension to label scrambled data entries, hence its name.

An unusual Jigsaw version emerges

A spinoff of the prolific Jigsaw referred to as Monument stealthily spreads alongside the Imminent Monitor RAT (remote access tool). Its main peculiarity, though, is that it appends every encrypted file with a string containing the entirety of ransom payment instructions.

Onset of the Meteoritan ransomware

The Meteoritan extortion campaign is mainly isolated to Poland. It leaves a combo of the following ransom notes: readme_your_files_have_been_encrypted.txt and where_are_your_files.txt.

Globe3 decryptor updated

Emsisoft researchers update their free decryptor for the Globe3 ransomware. The tool can now restore files jumbled by the latest variant of this crypto infection.

MARCH 23, 2017

Jigsaw spinoff featuring a compound extortion mechanism

Not only does the updated Monument iteration of the Jigsaw ransomware encode victims’ data, but it also goes bundled with an aggressive screen locker.

A fraction of Spora statistics revealed

Based on Spora victims’ submissions to the ID Ransomware service, 646 plagued users got a total of 48,466,020 personal files encrypted.

LK Encrypter sample discovered

Cybercrooks have once again used the source code of educational ransomware to create a real-life infection. LK Encrypter is based on the Hidden Tear PoC. It uses the .locked extension for ciphered files and drops the READ_IT.txt ransom note.

MARCH 24, 2017

BTCWare spreading in the wild

A new crypto threat called BTCWare is in fact a Crptxxx derivative. It demands 0.5 BTC for data decryption and uses the Telegram messenger to interact with those infected.

SADStory ransomware

The SADStory pest is nothing out of the ordinary. It is most likely an offspring of the CryPy ransomware. The Trojan claims to delete one file permanently every six hours until the victim coughs up the requested amount of Bitcoin.

MARCH 25, 2017

Enhancement made to CryptoSearch tool

The utility called CryptoSearch was designed to detect ransomware-locked files and move them to a new place, which should make recovery easier if researchers release a free decryptor. The tool is now capable of identifying and handling data affected by Spora.

WCry ransomware updated

A new WCry variant is out that instructs victims to pay for the “Wanna Decryptor” application. This edition provides a workaround in case one’s anti-malware removes the core ransomware components.

A tricky Spanish strain surfaces

The authors of the ransom Trojan in question employ the Smart Install Maker app to deposit their bad code on computers. When encrypting one’s valuable data, the infection displays a bogus Windows update screen to obfuscate the adverse process running behind the scenes.

Primitive MemeLocker is underway

Malware watchers spot a brand new sample dubbed MemeLocker. While still in development, it features an acrid red warning screen that reads, “You just got memed by MemeLocker.”

MARCH 28, 2017

A ransomware syndicate exposed

It turns out that a group of cybercriminals identifying themselves as “Mafia Malware Indonesia” is behind a series of not-so-professional extortion campaigns. In particular, these individuals are liable for creating and distributing the following crypto threats: SADStory, CryPy, L0CK3R74H4T, MafiaWare and MireWare.

Safari ransomware issue addressed

The latest iOS 10.3 update has added countermeasures for a massive extortion wave, where so-called police ransomware would lock Safari Mobile browser, display a spoof warning, and demand $100 worth of iTunes gift cards.

PyCL Trojan backed by high-profile distribution

The operators of the new Python-based PyCL appear to be employing the RIG exploit kit to plant their harmful code on computers. Such a mechanism ensures an obscure contamination workflow that isn’t likely to raise any red flags.

The prosaic R ransomware

MalwareHunterTeam comes across a file-scrambling sample called R, which adds the Ransomware.txt restoration how-to and demands 2 BTC to decrypt data. The crooks are apparently running out of creativity when it comes to naming their threats.

AnDROid ransomware spotted

A new offending program dubbed AnDROid stains one’s files with the .android suffix and displays an animated skull image on its warning screen.

Another ransomware hunt kicks off

Michael Gillespie, aka demonslay335, starts a new hunt for the strain that concatenates the .pr0tect extension to encrypted entries and leaves “READ ME ABOUT DECRYPTION.txt” ransom note.

MARCH 29, 2017

Sage ransomware scrutinized

Malwarebytes Labs experts do a great write-up on Sage. As per this analysis, the current 2.2 edition of this infection performs its encryption job in offline, or autopilot, mode. It also employs a combination of elliptic curve cryptography and the ChaCha20 stream cipher to lock one’s data down.

HappyDayzz ransomware is ironic to the bone

The infection called HappyDayzz sure makes its victims sad rather than happy. Its encryption routine is unique because the Command and Control server instructs the malware to utilize one of seven different cryptographic standards selected randomly.

The self-explanatory DoNotChange ransomware

The ransom note for this new strain contains a line saying, “Changing the file name makes the restore process impossible!” It requests a ransom of $250 for recovery.

File Frozr RaaS pops up

The Ransomware-as-a-Service platform called File Frozr allows ill-minded beginners to join and use it for 0.09 BTC (about $100) per month. The first month discount is $50. That’s quite a promotion in action, isn’t it?

MARCH 30, 2017

DoNotChange ransomware decrypted

Security analysts release a free decryptor for the above-mentioned DoNotChange. It took the white hats as little as one day to craft the tool.

A comforting statement by Google

According to Google’s Android Security team, only one in 10 million apps downloaded from the official Play Store turns out to be ransomware. However, the number is 1,000 times higher when it comes to applications downloaded from uncertified resources.

CryptoSearch solution updated

The remarkable CryptoSearch tool is now capable of spotting data entries scrambled by the FadeSoft ransomware.

Another ID Ransomware enhancement

The ID Ransomware portal has been updated to support the FadeSoft ransom Trojan. Those who fell victim to this strain should simply upload a sample encrypted file or ransom note to find out what adversary they are dealing with.
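Two tools recur throughout this report: ID Ransomware, which tells a victim which strain they face from an encrypted file name or ransom note, and CryptoSearch, which finds ransomware-locked files and relocates them so they are preserved until a free decryptor appears. The script below is an added example, not code from the article or from either of those tools. It builds its indicator table solely from extensions and note names mentioned in the entries above, identifies the likely family the way ID Ransomware does, and moves matches into a quarantine folder without renaming them (the DoNotChange entry above is a reminder that renaming can ruin recovery). The function names `identify`, `quarantine` and `demo`, the constructed sample tree, and the handling of ambiguous indicators such as .enc are my own assumptions.

```python
"""Ransomware triage helper (added example; not ID Ransomware or CryptoSearch code)."""
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Extension indicators quoted in the March 2017 entries. Multi-part extensions are
# matched as suffixes of the whole file name. Two strains share .enc, so that entry
# is deliberately marked ambiguous rather than guessed.
EXTENSION_TO_FAMILY = {
    ".kr3": "KRider",
    ".Kirked": "Kirk",
    ".Licked": "Lick",
    ".devil": "CryptoDevil",
    ".zorro": "Zorro",
    ".android": "AnDROid",
    ".cradle": "Cradle",
    ".crptxxx": "Crptxxx",
    ".ZINO": "ZinoCrypt",
    ".revenge": "Revenge",
    ".AngleWare": "AngleWare",
    ".aes": "Vortex",
    ".enc": "MOTD or RozaLocker (ambiguous)",
    ".iaufkakfhsaraf": "Samas/SamSam",
    ".cifgksaffsfyghd": "Samas/SamSam",
    ".nemo-hacks.at.sigaint.org": "Jigsaw",
    ".[braincrypt@india.com].braincrypt": "BrainCrypt",
}
# Ransom note file names quoted in the entries (matched case-insensitively).
NOTE_TO_FAMILY = {
    "RANSOM_NOTE.txt": "Kirk/Lick",
    "ZINO_NOTE.txt": "ZinoCrypt",
    "HOW_TO_FIX_!.txt": "Crptxxx",
    "READ_ME_!.txt": "Unlock92",
    "READ_IT.txt": "LK Encrypter",
    "zXz.html": "RanRan",
    "ODZSZYFRUJ-DANE.txt": "Vortex",
    "_HOW_TO_UNLOCK_FILES_.html": "Cradle",
    "READ_READ_DEC_FILES.html": "Samas/SamSam",
    "Beni Oku.txt": "CTB-Locker (Turkish copycat)",
    "!!!!!readme!!!!!.htm": "ASN1",
}
# Project34 prepends a marker to names instead of appending an extension.
PREFIX_TO_FAMILY = {"project34@india.com.": "Project34"}
# The unattributed ".SN-<id>-info@kraken.cc_worldcza@email.cz" suffix from March 1.
KRAKEN_PATTERN = re.compile(r"\.SN-.+-info@kraken\.cc_worldcza@email\.cz$")

_NOTES = {k.lower(): v for k, v in NOTE_TO_FAMILY.items()}
# Longest suffix first so ".[braincrypt@india.com].braincrypt" is not shadowed by a shorter match.
_EXTENSIONS = sorted(((k.lower(), v) for k, v in EXTENSION_TO_FAMILY.items()),
                     key=lambda kv: len(kv[0]), reverse=True)


def identify(filename: str) -> str | None:
    """Return the likely family for an encrypted file name or ransom note, or None."""
    name = Path(filename).name
    lowered = name.lower()
    if lowered in _NOTES:
        return _NOTES[lowered]
    for prefix, family in PREFIX_TO_FAMILY.items():
        if lowered.startswith(prefix):
            return family
    if KRAKEN_PATTERN.search(name):
        return "unidentified CrySiS-like (.SN-...kraken.cc)"
    for ext, family in _EXTENSIONS:
        if lowered.endswith(ext):
            return family
    return None


def quarantine(root: Path, dest: Path, dry_run: bool = True) -> list[tuple[Path, str]]:
    """Collect files under root whose names match an indicator; unless dry_run,
    move them under dest keeping the same relative path and the same file name."""
    hits: list[tuple[Path, str]] = []
    for path in list(root.rglob("*")):  # snapshot first, then move
        if not path.is_file():
            continue
        family = identify(path.name)
        if family is None:
            continue
        hits.append((path, family))
        if not dry_run:
            target = dest / path.relative_to(root)
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(target))
    return hits


def demo() -> dict[str, int]:
    """Run quarantine over a constructed sample tree; return hit counts per family."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "share", Path(tmp) / "quarantine"
        samples = ["docs/budget.xlsx.Kirked", "docs/RANSOM_NOTE.txt",
                   "pics/holiday.jpg.devil", "pics/readme.txt", "db/backup.bak.iaufkakfhsaraf"]
        for rel in samples:  # constructed files, not real ransomware artefacts
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"constructed sample content")
        counts: dict[str, int] = {}
        for _, family in quarantine(root, dest, dry_run=False):
            counts[family] = counts.get(family, 0) + 1
        # Relocated files keep their names; unrelated files stay put.
        assert (dest / "docs/budget.xlsx.Kirked").exists()
        assert (root / "pics/readme.txt").exists()
        return counts


if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first to review the hit list; the table is a starting point, not an authoritative database, and ambiguous suffixes such as .enc should be confirmed against the ransom note before any decryptor is tried.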

MARCH 31, 2017

Elusive Android ransomware

A malicious Android locker disguised as a popular Russian social networking app called OK is quite tricky as it bypasses the detection mechanisms of mobile security solutions. Another adverse hallmark of this ransomware is that the hostage data may be impossible to decrypt because of a buggy cryptographic routine.

The abominable LanRan infection

Whereas all ransomware is definitely disagreeable, the LanRan sample evokes extra disgust because it displays a distasteful turquoise warning window. It demands 0.5 BTC and tells victims to contact the crooks via lanran-decrypter@list.ru.

New Fantom ransomware version is out

The latest build appends files with an extension derived from the timestamp of the contamination event. Furthermore, it discontinues the attack if it detects that the localization of the victim’s operating system is Russian.

CrypVault is back

A fresh variant of the CrypVault ransomware surfaces. It arrives at computers via malspam delivering a .chm attachment camouflaged as a CV. The threat actors’ contact email address is helplovx@excite.co.jp.

Ransomware hunt becomes a good tradition

Michael Gillespie launches one more hunt. This time, the target is the Cradle ransomware, which subjoins the .cradle suffix to files and leaves the _HOW_TO_UNLOCK_FILES_.html ransom note.

The eccentric Sanctions ransomware

The makers of this crypto threat choose to add some politics to the conventional blackmail mix. This ransomware ridicules the United States’ sanctions against Russia by displaying a big USSR-styled bear and a small figure of a person resembling a former U.S. President. On top of that, the infection demands a whopping ransom of 6 BTC, which is the equivalent of about $7,000.

SUMMARY

When it comes to ransomware prevention, the importance of following safe online practices is hard to overestimate. Most of these threats are still spam-borne, so users should never open any suspicious email attachments, period. File backups provide another invaluable layer of defense – no doubt about it. The countermeasures have hardly changed since the dawn of the crypto ransomware era back in 2013. So use this fact to your advantage and stay safe.


About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
