In May, ransomware was in full bloom. Over sixteen new ransom Trojans surfaced, plus one Ransomware-as-a-Service (RaaS) and plenty of updates to existing ransomware.
The good news is that at least six new decryptors were released.
The roster of known ransomware also gained a novel specimen that targets websites rather than workstations and networks: it hit Drupal web sites and encrypted their data.
Breaking news of the month was TeslaCrypt shutting down. The ransomware developers published its original master decryption key, allowing all the victims to decrypt their affected data without paying the ransom.
We appreciate all the enthusiasts and experts who have committed themselves to tracking and combating ransomware. This review is an outcome of their critical contributions to the anti-ransomware campaign.
May 9, 2016
The second edition of CryptXXX is revealed; it defeats the free decryption tool that Kaspersky published back in April. Proofpoint provides a thorough analysis of this new variant. When CryptXXX encrypts files, it appends the .crypt extension to them and names its ransom notes after the victim's unique ID.
The Enigma ransomware
A ransomware strain called Enigma targets Russian-speaking users. This is quite uncommon, because ransomware generally avoids hitting users in post-Soviet states. When Enigma encrypts a victim's files, it appends the .enigma extension to them and creates an enigma_encr.txt ransom note. It also drops several additional files whose names contain the string Enigma.
May 10, 2016
The Shujin ransomware
Shujin is the first ransomware variant that targets Chinese-speaking users. The ransom notes, payment site and decrypter are written entirely in Chinese. All ransom instructions for this virus are laid out in 文件解密帮助.txt. An excellent analysis is available on Nyxbone's site.
May 11, 2016
GNL Locker, also called German-Netherlands Locker, has been spreading for some time, but researchers weren't able to obtain a sample to investigate until early May. Once this ransomware executes, it checks the victim's public IP address and encrypts the machine only if that address geolocates to the Netherlands or Germany. Files encrypted by GNL Locker get the .locked extension, and the ransom note is named UNLOCK_FILES_INSTRUCTIONS.txt.
May 12, 2016
The developers behind Jigsaw ransomware launch another edition known as CryptoHitman. This time they use Agent 47 from the Hitman video game series as the theme. The locker also displays plenty of pornographic pictures and appends the .porno extension to encrypted files. A comprehensive guide is available here: Jigsaw Virus turns into CryptoHitman.
The Crypren ransomware has been around for quite a while, yet its activity spiked in mid-May. Crypren encrypts files, appends the .ENCRYPTED extension to them and drops a decryption guide named READ_THIS_TO_DECRYPT.html. The good news is that a researcher going by "pekeinfo" has released a free decrypter for it. A comprehensive guide is available on Nyxbone's site.
New edition of Petya bundled with the Mischa ransomware
Another Petya variant surfaces with an important change to its installer. Immediately after launch, the installer tries to obtain administrative privileges. If the user grants them, it installs Petya, which needs those rights because it overwrites the boot record and encrypts at the disk level. If the elevation request is refused, it drops the Mischa ransomware instead, which encrypts individual files from an ordinary user account. In other words, declining the elevation prompt no longer saves the victim. Further details are available here.
May 13, 2016
Petya and Mischa offered as Ransomware-as-a-Service
The malware authors behind Petya and Mischa begin offering a Ransomware-as-a-Service platform. It lets affiliates earn a cut of the ransom payments from the Petya developers in exchange for distributing the installer. Further details on this operation are to be found here.
Decryptor presented for CryptXXX edition 2.0
Great news! Kaspersky updates its CryptXXX decrypter so that it also recovers files encrypted by CryptXXX version 2.0. Many thanks to Kaspersky for their work!
May 14, 2016
Another ransomware, spotted by security researcher Daniel Gallagher, encrypts files and appends the .8lock8 extension to them. Once the encryption completes, it drops a READ_IT.txt ransom note telling the victim to write to one of two e-mail addresses for payment instructions. Michael Gillespie has released a decrypter for this ransomware.
May 16, 2016
MalwareHunterTeam observes that the Shade/Troldesh ransomware now appends the .da_vinci_code extension to encrypted files. The extortionists are using GraceseYoumans1983@gmail.com for payment instructions.
A decryptor is created for the GhostCrypt ransomware
This ransomware encrypts files with AES and demands a couple of Bitcoins for restoring access to them. It appends the .Z81928819 extension to every encrypted file and, once done, drops a READ_THIS_FILE.txt ransom note. A decrypter has been developed, so victims can get their files back at no cost. Contact Michael Gillespie to obtain it.
Another ransomware, called SNSLocker, has come to light. It is being written by an actor called Saad and is still under development. It uses AES encryption and appends the .RSNSlocked extension to affected files. It currently targets 229 file extensions and demands $300 in bitcoins for the decryption tool.
May 17, 2016
Xorist ransom Trojan decrypted
Emsisoft releases a decrypter for infections attributed to the Xorist ransomware family. Xorist is built with a kit that generates a unique .exe for every actor distributing it. Although this family has been circulating for some time, victims so far had no way to get their data back. With the decrypter now available, you can recover your files on your own.
777 ransom virus updated and decrypted
The security researcher behind PortEx spots an updated 777 ransomware. The infection encrypts files and appends .777 to them; the updated build tags encrypted files in the form ._timestamp_$email$.777. Emsisoft has released a decrypter for this ransomware.
May 18, 2016
Another ransomware named Zyklon Locker is identified by security researchers. It is recognized as a new variant of the GNL Locker described earlier. Like GNL Locker, Zyklon Locker appends the .locked extension to encrypted files and drops a ransom note named UNLOCK_FILES_INSTRUCTIONS.txt. Victims may seek help here.
May 19, 2016
TeslaCrypt is over
The TeslaCrypt developers shut down their operation and release the master decryption key to all victims. ESET has since used that key to build a decryption tool.
Webpage Suspended! Web sites get locked for ransom
A new ransomware that targets websites is spotted by a team of security researchers. It has affected roughly 400 sites and appears to exploit a vulnerability in Drupal. The ransomware uses the Bitcoin address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to receive payments; the good news is that no one has paid so far.
May 20, 2016
DMA Locker version 4.0
Security researcher Hasherezade reports on the appearance of DMA Locker version 4.0. Once infected, all of your files end up encrypted, but their names are not changed. To tell DMA Locker 4.0 apart from other families, open an encrypted file in a hex editor and check whether its first nine bytes are !DMALOCK4. An easier way is to upload an encrypted file to ID Ransomware, which identifies the encryptor automatically. After encrypting the data, the ransomware drops a ransom note called cryptinfo.txt that links to the online payment page. The malware also displays a lock screen demanding 1.5 Bitcoins to release your files.
May 21, 2016
CryptXXX version 3.0
On this day, the gang behind CryptXXX releases version 3.0 of the crypto Trojan. This variant closes the weakness that Kaspersky's decrypter relied on to let victims recover their data without paying. Worse, the criminals' own decrypter is broken in this version, so victims cannot recover their data even after paying the ransom.
May 22, 2016
Another ransomware is spotted by Michael Gillespie. It is referred to as ODCODC after the string added to encrypted files. MalwareHunterTeam has observed that once a workstation is compromised, the virus encrypts its files and renames them as follows: %emailaddress%-%originalfilename%.odcodc.
The researchers also report that the ransomware is operated from the remote server inststats.com, which also hosts numerous phishing sites and distributes other malware. Sadly, there is no remedy against this ransomware so far.
May 24, 2016
Zcrypt ransomware is spotted by a malware analyst nicknamed Jack. The infection encrypts files and appends .zcrypt to their names. The decryption key is sold for 1.2 BTC. This ransomware does not always work correctly: in the sample observed, communication with the command server was broken, and the researchers had to hand-craft the server requests to obtain the correct data. For the time being, Zcrypt is not spreading widely. Microsoft published a write-up on Zcrypt, which says the ransomware spreads via autorun files on USB drives and over network drives. Note that AutoRun from removable media is disabled by default on Windows 7 and later, so the USB vector depends on the victim launching the dropped file by hand.
New variant of Zyklon virus
Another Zyklon Locker variant surfaces. This one appends a .Zyklon extension to affected files; that is the only change observed. All other characteristics are identical to the previous releases.
A new ransomware called BadBlock is uncovered by a malware analyst nicknamed S!Ri. Once it lands, it encrypts your data and demands 2 Bitcoins for decryption. Encrypted files get no additional extension, which makes the infection harder to identify by file name alone.
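To make the file-based identification described in this roundup concrete, here is an added example, written for this page rather than taken from the original post, from ID Ransomware or from any of the decrypter authors mentioned. It is a small Python triage script that applies three kinds of indicator from the entries above: the !DMALOCK4 header marker of DMA Locker 4.0 (whose files keep their names), the extensions and ransom-note names listed for the other families, and ODCODC's %emailaddress%-%originalfilename%.odcodc naming pattern, from which it recovers the original file name and the attacker's contact address. The indicator tables are compiled from this article; the sample directory the script builds is constructed for demonstration and contains no real victim data, and the e-mail address in it is made up. A BadBlock-style file, which changes neither its name nor its header, is included to show where this approach stops.

```python
"""Offline triage of a directory for the ransomware indicators listed in this roundup.

Added example: indicator tables are compiled from the May 2016 entries above;
the sample tree is constructed and contains no real victim data.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# DMA Locker 4.0 leaves file names untouched and writes this marker into the
# first nine bytes of every encrypted file.
DMALOCK4_MAGIC = b"!DMALOCK4"

# Extensions appended to encrypted files (lower case) mapped to the family that
# uses them.  Some collide (.locked, .encrypted), so a hit is a candidate, not a verdict.
EXTENSION_INDICATORS = {
    ".crypt": "CryptXXX",
    ".enigma": "Enigma",
    ".locked": "GNL Locker / Zyklon Locker",
    ".porno": "CryptoHitman (Jigsaw)",
    ".encrypted": "Crypren",
    ".8lock8": "8lock8",
    ".da_vinci_code": "Shade/Troldesh",
    ".z81928819": "GhostCrypt",
    ".rsnslocked": "SNSLocker",
    ".777": "777",
    ".odcodc": "ODCODC",
    ".zcrypt": "Zcrypt",
    ".zyklon": "Zyklon Locker (.Zyklon variant)",
}

# Ransom note file names dropped next to the encrypted data (lower case).
RANSOM_NOTE_INDICATORS = {
    "enigma_encr.txt": "Enigma",
    "文件解密帮助.txt": "Shujin",
    "unlock_files_instructions.txt": "GNL Locker / Zyklon Locker",
    "read_this_to_decrypt.html": "Crypren",
    "read_it.txt": "8lock8",
    "read_this_file.txt": "GhostCrypt",
    "cryptinfo.txt": "DMA Locker 4.0",
}

# ODCODC renames files as <contact e-mail>-<original name>.odcodc, so both the
# original name and the attacker's address can be pulled back out of the name.
ODCODC_RE = re.compile(r"^([^@\s]+@[^@\s]+?)-(.+)\.odcodc$", re.IGNORECASE)


def classify(name: str, header: bytes) -> List[str]:
    """Return candidate families for one file from its name and its first bytes."""
    hits: List[str] = []
    lower = name.lower()
    if header.startswith(DMALOCK4_MAGIC):
        hits.append("DMA Locker 4.0")
    if lower in RANSOM_NOTE_INDICATORS:
        hits.append(RANSOM_NOTE_INDICATORS[lower] + " (ransom note)")
    match = ODCODC_RE.match(name)
    if match:
        hits.append(f"ODCODC (contact {match.group(1)}, original name {match.group(2)})")
    else:
        ext = os.path.splitext(lower)[1]
        if ext in EXTENSION_INDICATORS:
            hits.append(EXTENSION_INDICATORS[ext])
    return hits


def triage(root: Path) -> Dict[str, List[str]]:
    """Walk a directory tree and map each candidate family to the files pointing at it."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                header = fh.read(len(DMALOCK4_MAGIC))
        except OSError:
            header = b""  # unreadable file: fall back to name-based indicators only
        for family in classify(path.name, header):
            findings.setdefault(family, []).append(path.relative_to(root).as_posix())
    return findings


def build_sample_tree(base: Optional[Path] = None) -> Path:
    """Create a constructed sample directory; all names and contents are made up."""
    base = base or Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    # DMA Locker 4.0 style: name untouched, marker in the header.
    (base / "quarterly.xlsx").write_bytes(DMALOCK4_MAGIC + b"\x00" * 32)
    (base / "cryptinfo.txt").write_text("constructed ransom note placeholder\n", encoding="utf-8")
    # CryptXXX style: original name plus .crypt.
    (base / "photo.jpg.crypt").write_bytes(b"\x11" * 16)
    # ODCODC style: contact address prepended, .odcodc appended (address is fictitious).
    (base / "victim@example.com-report.docx.odcodc").write_bytes(b"\x22" * 16)
    # BadBlock style: content scrambled but neither name nor header changed,
    # so name-based triage cannot attribute it.
    (base / "notes.txt").write_bytes(b"\x33" * 16)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for family, files in sorted(triage(root).items()):
        print(f"{family}: {', '.join(files)}")
```

Treat extension hits as leads only: .locked is shared by GNL Locker and Zyklon Locker, and generic names such as .encrypted are reused across unrelated families, which is why ID Ransomware asks for both a ransom note and an encrypted sample. The notes.txt entry in the constructed tree produces no hit at all, which is exactly the BadBlock situation above: with no extension and no header marker, attribution has to come from the ransom note or the malware sample itself.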
May 26, 2016
Invisible Empire version of Jigsaw
This edition of the Jigsaw ransomware uses an artwork known as Invisible Empire. The image somewhat fits the malware, since it shows how the actors disguise themselves while breaking the law. As before, the Trojan keeps deleting files until the ransom is paid. Fortunately, the Jigsaw decrypter has been updated to handle this edition.
May is over, but ransomware is still around: a number of new and updated releases have already been spotted in June. At the same time, the security community has been quite successful in fighting back, releasing effective decrypters and shutting down many servers used by ransomware.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.