Q2 2017

RansomwareReport.com, sponsored by Terranova WW Corporation, provides a quarterly diary of noteworthy ransomware-related events that impacted end users and organizations around the globe.


Leaked NSA exploits play into threat actors’ hands

Ransomware plague continues to wreak havoc on organizations globally.

David Balaban

Menlo Park, Calif. – Jun. 30, 2017

The devastating WannaCry ransomware outbreak in May shaped up to be the game-changing event of the quarter. The Shadow Brokers hacker group dumped a slew of software exploits that the NSA had been stockpiling, and online extortionists weaponized these exploits for ransomware deployment. The worst part of this cybercrime frenzy is that WannaCry can infect a computer without engaging the user in the attack chain – the bad code silently slithers its way inside via security loopholes in the operating system’s architecture.

All in all, the ransomware plague kept wreaking havoc. The nasty Petya ransomware rose from the ashes after a year of standstill, locking down computer networks of large organizations in Europe. A South Korean company agreed to pay an unthinkable one-million-dollar ransom to crooks behind the Erebus strain. The felons are waging a cyberwar – sometimes politically flavored – against users, businesses and governments, so it’s about time to fight back adequately.



Jun. 28. Researchers discover that the updated Petya ransomware doesn’t run if it fails to execute a file named perfc.dat from the system folder. Therefore, all it takes to make a computer immune to the compromise is to create a new read-only file named perfc.dat inside the C:\Windows directory.

Jun. 27. The notorious Petya ransomware makes a reappearance. Its modified variant primarily infects numerous organizations in Ukraine, including critical infrastructure entities, then spreads to other European countries. Analysts blame this wave on state-sponsored hackers from Russia. One of the reported entry points is a trojanized update rolled out for accounting software called M.E.Doc.

Jun. 23. According to the latest Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the overwhelming majority of ransomware victims choose not to report their incidents to law enforcement.

Jun. 22. A new incarnation of the prolific Locky ransomware gains momentum on the cybercrime landscape. While the architects of this campaign still rely on the Necurs botnet-borne spam for distribution, the attack surface is now restricted to machines running Windows XP and Vista.

Jun. 22. The ubiquitous WannaCry ransom Trojan contaminates 55 red light and speeding cameras in the state of Victoria, Australia. Local authorities are thus forced to suspend about 8,000 traffic violation tickets issued during the road safety systems’ outage.

Jun. 21. The WannaCry plague disrupts the operations of a Honda car plant in Sayama, Japan. Obviously, the vehicle manufacturer’s efforts to protect its IT networks from this strain after the original outbreak in May didn’t turn out effective enough.

Jun. 20. Nayana, a South Korean web hosting provider, opts for the biggest ransomware payout to date. The size of the ransom is a whopping $1 million. This is the aftermath of a defiant attack by the Erebus ransomware that hit the company’s 153 Linux servers, which in turn affected more than 3,000 hosted websites.

Jun. 19. The SamSam ransomware, also referred to as Samas, returns after a hiatus of several months. The three new editions of this perpetrating program use the following extensions to blemish hostage files: .breeding123, .mention9823, and .suppose666.

Jun. 15. University College London (UCL) falls victim to an unidentified ransomware sample. The infection reportedly came in via a phishing email and crippled the student management system and shared drives.

Jun. 14. Avast security vendor contrives a mechanism to decrypt the EncrypTile ransomware for free. This sample allows victims to select their preferred language on the ransom note. It has been in the wild since October 2016.

Jun. 14. Malware analysts at Kaspersky Lab defeat the crypto of the Jaff ransomware, which is believed to be a successor of Locky. The company’s RakhniDecryptor tool now supports Jaff variants that append the .jaff, .sVn or .wlu extension to encrypted files.

Jun. 13. The above-mentioned Nayana web hosting company based in South Korea suffers the consequences of a massive ransomware attack. The strain called Erebus encrypted data stored on the provider’s Linux web servers, which caused tremendous collateral damage for numerous customer websites.

Jun. 10. French law enforcement agencies seize a number of Tor relays as part of an investigation into the WannaCry ransomware campaign. These are Tor entry guard nodes allegedly used by the ransomware distributors to contact their C2 server.

Jun. 9. Security researchers spot the first known Ransomware-as-a-Service hub on the dark web that hosts viable ransomware targeting macOS. This offbeat RaaS called MacRansom allows wannabe criminals to purchase a custom build of the infection.

Jun. 8. Analysts at McAfee unveil some interesting details of the WannaCry ransomware. According to their findings, the offending code might have been originally tailored for non-extortion purposes.

Jun. 5. Michael Gillespie, a well-known researcher who created the ID Ransomware service, releases an updated edition of his Jigsaw Decrypter. Due to new enhancements, the free tool is now capable of restoring files with the .lost, .ram and .tax extensions locked by the Jigsaw strain.

Jun. 2. Security experts discover about 4,500 vulnerable Hadoop servers worldwide that have no authentication and contain over 5,000 Terabytes of information. These are disconcerting statistics, given the massive wave of ransomware attacks fired at Hadoop servers in January, 2017.


May 30. An individual affiliated with the XData ransomware dumps Master Decryption Keys for the infection on Bleeping Computer forums. Based on this data, Kaspersky and a few more vendors quickly release free decryptors.

May 29. The No More Ransom project team joins efforts with CERT Polska and Avast to create effective decryption tools for the AES-NI, BTCWare and Mole ransom Trojans.

May 25. Interesting new facts are revealed regarding the WannaCry ransomware attribution. Having scrutinized its ransom notes from a linguistic perspective, researchers came to a conclusion that it was most likely developed by Chinese-speaking criminals who are also quite fluent in English.

May 23. Jaff ransomware, a probable offshoot of the Locky family, gets a new file extension token. Its latest variant concatenates the .WLU suffix to encrypted files. As before, the payload arrives via PDF email attachments with embedded booby-trapped Word documents asking victims to enable macros.

May 19. Crypto ransomware called XData starts making victims in Ukraine at an astonishing rate. The geographic localization of these attacks suggests that they might be part of Russia’s warfare against the neighboring country.

May 16. The author of the BTCWare file-encrypting malady releases the Master Decryption Key for the strain. This data allows IT analysts to devise tools that decrypt ransomed files without paying the ransom.

May 16. Adylkuzz, a Monero cryptocurrency miner, appears to have utilized the notorious NSA exploits (EternalBlue and DoublePulsar) weeks before the WannaCry ransomware started making the rounds. Interestingly, Adylkuzz closes down SMB ports that the ransom Trojan uses to propagate, thus making infected machines bulletproof against WannaCry.

May 15. Cybercrooks in charge of the Philadelphia ransomware campaign start employing the RIG exploit kit in its multi-layered distribution mechanism. The exploit kit first drops a malware downloader component called Pony, which in its turn deposits the crypto infection onto PCs.

May 14. Brad Smith, Microsoft’s president and chief legal officer, publishes an article providing some food for thought on the WannaCry epidemic. One of the takeaways is that the NSA should do a much better job safeguarding the exploits it discovers.

May 13. A security enthusiast from the UK accidentally stops WannaCry distribution for a while by registering what’s called the “kill switch” domain. It turns out that the ransomware completes its attack chain only if this domain is unregistered.

May 12. WannaCry, or Wana Decrypt0r 2.0, begins its large-scale extortion campaign. It quickly becomes the world’s top ransomware threat due to a sophisticated attack vector involving NSA exploits dubbed EternalBlue and DoublePulsar. Effectively, the malicious code enters computers via open SMB ports, so users get hit without clicking anything.

May 11. The new Jaff ransomware is spotted in the wild. Its makers appear to have borrowed some features from Locky, which could be an indicator that the two are from the same family. In particular, Jaff uses the same Tor payment page and spreads with the Necurs botnet.

May 8. A law firm based in Rhode Island demands insurance compensation over a ransomware attack. The firm had purportedly paid a ransom of $25,000 to restore their proprietary records and lost about $700,000 in billings because of the compromise.

May 5. A new Jigsaw ransomware edition that appends the .fun string to locked files doesn’t follow the classic spam or exploit kit based infection scenario. Its payload is camouflaged as a credit card generator called CCgen2017.

May 3. The Cerber ransomware reaches version 6 and now goes equipped with top-notch AV evasion capabilities. It also accommodates anti-VM features that prevent researchers from reverse-engineering the code.

May 1. Emsisoft CTO Fabian Wosar creates a free decryption tool for the CryptON ransomware variant called Cry123, which contaminates computers by compromising remote desktop services.


Apr. 30. A new CryptoMix offspring uses the .wallet extension to speckle hostage files. This indicator of compromise tangles ransomware identification because some other strains, including Dharma and CrySiS, append data entries with the exact same string. The crooks should expand their vocabulary, obviously.

Apr. 29. Malware researchers discover the Mini ransomware. It’s not a commonplace sample because its code is based on Hidden Tear, a benign proof-of-concept ransom Trojan originally pursuing educational purposes.

Apr. 27. The Cerber ransomware starts spreading via the “Blank Slate” spam campaign that disseminates a contagious email attachment in RTF format. When opened, this document exploits the CVE-2017-0199 vulnerability to execute a malicious Visual Basic script behind the user’s back.

Apr. 25. Mole ransomware, a new sample from the CryptoMix lineage, propagates via an intricate scheme that engages a phony Word online site hosting a ZIP archive with a malicious JavaScript file inside. This payload delivery mechanism also promotes click-fraud malware called Kovter and Miuref.

Apr. 23. Ransomware victims can use additional new features of the ID Ransomware portal. Different strains are now identifiable by Bitcoin address, email or Tor URL provided in the ransom note.

Apr. 21. Having vanished from the ransomware radar in late 2016, the Locky ransomware resumes its extortion activity. Its Osiris variant is deposited on computers via botnet-backed spam. Bogus Word receipts embedded in these emails contain malicious VBA macros.

Apr. 20. Proliferation of a new sample called AES-NI relies on NSA hacking tools leaked by black hat hackers in mid-April. In particular, this strain takes advantage of security loopholes in server message block (SMB) protocol.

Apr. 18. Security analysts discover a Russian Ransomware-as-a-Service (RaaS) platform sustaining the distribution of the Karmen ransomware. This infection is based on Hidden Tear, the ill-famed academic ransomware by a Turkish coder named Utku Sen.

Apr. 14. According to the “Cybercrime tactics and techniques Q1 2017” report by Malwarebytes, the Cerber ransomware is the world’s most widespread file-encrypting threat. Its market share reached 86.98% in March.

Apr. 13. While some threat actors set up RaaS portals to push their despicable business forward on an affiliate basis, the authors of the Cradle ransomware went a different route. They elected to put up their source code, server scripts and payment console for sale. The price for this kit called CradleCore is negotiable, starting at 0.35 BTC.

Apr. 12. A strain called Mole appears. Its makers utilize an offbeat propagation mechanism, where would-be victims are duped into visiting a fake Microsoft Word Online page. This page hosts the bad payload camouflaged as a must-download plugin.

Apr. 10. Emsisoft updates their decryptor for the Cry9 ransomware to ensure smoother performance and broader coverage of the infection’s variants. The sample in question is a CryptON strain spinoff that infiltrates computers via hacked remote desktop services.

Apr. 7. The Matrix ransomware gets a substantial propagation boost. Its worldwide circulation engages several top-notch components, including the so-called EITest scripts running on compromised websites, as well as the RIG exploit kit that drops the payload proper.

Apr. 6. A Korean programmer nicknamed Tvple Eraser creates a crypto virus called Rensenware. To decrypt their data, victims have to score 200 million in a computer game called TH12 ~ Undefined Fantastic Object. According to the ne’er-do-well’s tweets, his motivation was to have fun.

Apr. 6. An Austrian law enforcement agency apprehends a 19-year-old individual on suspicion of infecting a local company’s computer network with the Philadelphia ransomware. The teenager reportedly demanded $400 worth of Bitcoin for decryption, but the infected Linz-based firm refused to pay up.

Apr. 4. Bitdefender releases a tool that cracks the Bart ransomware for free. This strain features offline encryption mode, appends files with the .perl, .bart or .bart.zip extension, and displays a Locky-style ransom screen.

Apr. 1. Taking the floor at the Black Hat Asia 2017 conference, researchers from the Cylance security firm present proof-of-concept UEFI ransomware. This academic infection compromises Gigabyte BRIX small computer kits by leveraging weaknesses in their firmware.

Stay tuned for the Q3 2017 edition of the Ransomware Report.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.


Q1 2017


Ransomware epidemic grows, new online extortion trends taking root

Crypto infections rampant on open source DB servers and Android devices, Spora and Locky continue propagating.

David Balaban

Menlo Park, Calif. – Apr. 6, 2017

The increasingly competitive ransomware ecosystem keeps spawning novel attack vectors. A series of large-scale extortion campaigns targeted thousands of MongoDB, CouchDB, Hadoop and MySQL servers in the first quarter of 2017. Some crooks have come to emphasize customer support, as is the case with the new Spora ransomware. Android crypto infections are starting to employ dropper techniques that used to be isolated to Windows only.

To top it all off, police departments, county governments, libraries, schools, hotels and CCTV systems are still as susceptible to ransomware attacks as before. What does the future hold? Hopefully a breakthrough in combating this ubiquitous epidemic.



Mar. 31. A strain dubbed the Sanctions ransomware surfaces, and it’s ironic to the bone. It got its name from the image in Restore_All_Data.html decryption how-to, where a hungry Russian Bear squeezes a person in its paw who says “Beware my sanctions!”

Mar. 29. Malwarebytes provides in-depth analysis of the Sage ransomware and explains what makes it one of the top crypto threats these days. In particular, this perpetrating program encrypts data in offline mode and uses a combo of elliptic curve cryptography (ECC) and ChaCha20 algorithm flawlessly.

Mar. 28. An Android ransomware sample is discovered that flies under the radar of mobile security programs. Its payload is camouflaged as a popular Russian social networking app called OK. The infection demands 500 Rubles, which is worth about $9, for unlocking a device.

Mar. 27. Security patches included in iOS 10.3 release address a notorious ransomware issue, where cybercrooks were able to lock Safari browser on Apple’s mobile devices and request a ransom payable in iTunes gift cards.

Mar. 23. MalwareHunterTeam, a research group specializing in ransomware identification and analysis, provides disconcerting statistics on the reported Spora ransomware incidents. The infection encrypted 48466020 files belonging to 646 victims.

Mar. 22. A new variant of the prolific Jigsaw ransomware goes bundled with a cracked edition of a remote access tool (RAT) called Imminent Monitor. Interestingly, this strain provides data decryption steps right in the extension appended to scrambled files.

Mar. 22. Emsisoft CTO Fabian Wosar updates his previously released free decryptor for the Globe3 ransomware. The tool now supports the latest version of this file-encrypting Trojan.

Mar. 22. Researchers at the ERPScan business application security provider discover a vulnerability in SAP enterprise software that may allow threat actors to send and execute ransomware payloads on SAP Windows clients.

Mar. 20. Locky ransomware, one of the prevalent crypto infections in 2016, appears to be gradually vanishing from the cybercrime arena. Analysts found ties between this extortion campaign and the Necurs botnet, which no longer spews Locky spam.

Mar. 16. CryptON, or Nemesis, ransomware is no longer a problem as the Emsisoft team devises a free decryption tool for this sample. The solution can handle all variants of this perpetrating program, including the latest one.

Mar. 16. The new Star Trek themed Kirk ransomware is definitely not a run-of-the-mill strain. This Python-based infection accepts the Monero cryptocurrency rather than the widespread Bitcoin and uses a decryption service called Spock.

Mar. 14. An offbeat incarnation of the notorious Petya ransomware called PetrWrap is spotted in the wild. This one is leveraged in targeted attacks against organizations. Similarly to its prototype, PetrWrap encrypts the MFT (Master File Table) of NTFS partitions on infected machines.

Mar. 11. Fabian Wosar, a renowned researcher mentioned above, demonstrates the process of analyzing and cracking the new Damage ransomware in a live video session.

Mar. 10. Two multinational technology companies discover that 38 Android smartphones used by their employees were shipped with pre-installed Slocker ransomware and Loki adware. Security analysts blame it on parties involved in the supply chain.

Mar. 9. A fresh version of the Cerber ransomware keeps original filenames intact instead of replacing them with 10 random hexadecimal characters as it used to do. It still appends files with a four-character extension that matches the computer’s MachineGuid value.

Mar. 8. Cisco’s Talos Intelligence Group dissects the new Crypt0L0cker, or TorrentLocker, a campaign that broke out after a year-long pause. The article covers new features of the ransomware and reveals that the epidemic is mostly isolated to Europe.

Mar. 6. The computer infrastructure of the Pennsylvania Senate Democratic Caucus gets hit by an unidentified ransomware strain. The infection rendered the target’s entire IT network inoperable.

Mar. 2. Kaspersky Lab updates their RakhniDecryptor solution so that it can restore data ciphered by the Dharma ransomware. This win became possible after someone released the master decryption keys for this sample on Bleeping Computer security forums.


Feb. 23. The latest version of the Android.Lockdroid.E ransomware stands out from the crowd because it has added a speech recognition feature to the extortion cycle. It instructs victims to speak their unlock code obtained after paying the ransom.

Feb. 22. A new ransom Trojan called MacOS Patcher infects Mac machines under the guise of cracking tools for popular software suites, including Adobe Premiere Pro CC 2017 and Office 2016. The crypto is buggy, so it may be impossible to restore files even if the ransom is paid.

Feb. 22. Cybercrooks start distributing Trump Locker, a ransomware strain functionally similar to the existing VenusLocker sample. This provocative infection fully encodes widespread types of files and applies partial encryption for less popular ones.

Feb. 21. Avast devises a free decryption tool that reinstates data scrambled by an edition of the CryptoMix ransomware that operates in offline, or autopilot, mode.

Feb. 20. A research team at Emsisoft updates their decryptor for MRCR or Merry X-Mas ransomware. The utility is now capable of restoring files with the .merry extension locked by the newest variant of the plague.

Feb. 16. Online extortionists’ worst enemy Fabian Wosar of Emsisoft sets up a streaming video session where he reverse-engineers the new Hermes ransomware and finds vulnerabilities in its crypto implementation.

Feb. 15. In a defiant move, the developers of Cerber ransomware release a variant that does not encode files related to antivirus suites. This way, the threat actors may be demonstrating that the present-day security solutions aren’t much of a hindrance to this nefarious business.

Feb. 14. According to Kaspersky Lab, about 75% of ransomware samples propagating in 2016 were attributable to the activity of Russian-speaking threat actors.

Feb. 14. Three researchers from the Georgia Institute of Technology take the floor at RSA Conference in San Francisco to present their proof-of-concept ransomware that targets industrial control systems (ICS).

Feb. 9. A new crypto threat called the Serpent ransomware is discovered. It hails from the same family as the notorious WildFire Locker and Hades Locker samples. Serpent spreads via spam and zeroes in on Danish-speaking users.

Feb. 8. The ID Ransomware online portal by MalwareHunterTeam reaches an important milestone. It is now capable of identifying 300 different ransomware lineages by ransom notes or sample encrypted files.

Feb. 6. The Android.Lockdroid.E ransomware, which targets Android devices, gets more sophisticated. It starts leveraging a dropper technique to determine whether a gadget is rooted or not and then proceeds with the infection chain based on the response.

Feb. 3. A British man and Swedish woman, both 50 years old, get arrested in London for infecting the closed-circuit television system of Washington, D.C. with ransomware. The cyber-attack, which affected 70% of storage devices on the CCTV network, reportedly took place a week before Donald Trump’s inauguration.

Feb. 2. Avast complements its list of free decryptors with three more tools. The new ones can unencrypt data scrambled by the Jigsaw, Hidden Tear, and Stampado ransomware.


Jan. 31. An aggressive ransomware infection poisons computer systems of the government of Licking County, Ohio. Collateral damage from the attack is that local 911 emergency services stopped functioning as well.

Jan. 31. An intricate campaign involving fake Google Chrome font update popups distributes the Spora ransomware. The contamination chain is triggered behind the scenes as soon as an unsuspecting user opts for the bogus font update for the browser.

Jan. 29. Four-star Austrian hotel Romantic Seehotel Jaegerwirt falls victim to ransomware. The perpetrating code affects the hotel’s cash desk, reservation, and electronic key lock systems.

Jan. 26. The Osiris variant of Locky ransomware contaminates the IT infrastructure of Cockrell Hill police in Texas. The infection cripples a vast amount of evidence, including all Microsoft Office documents, photos, surveillance and body camera videos.

Jan. 24. Predictably enough, the high-profile Spora ransomware expands its reach. Having originally propagated in former Soviet countries only, it starts infecting users worldwide.

Jan. 23. Security analysts state that the new Sage 2.0 ransomware is shaping up to be a major player in the online extortion ecosystem. It is being distributed by the same cybercrime ring as the one behind Locky, Cerber and Spora strains.

Jan. 20. Ransomware infects 16 branches of the Saint Louis Public Library, holding valuable data on more than 700 machines hostage. The crooks demand a ransom of $35,000 for recovery.

Jan. 19. Researchers discover a new Ransomware as a Service portal supporting the Satan ransomware campaign. The service enables interested parties to build their custom edition of the Trojan. The architects of this RaaS get a 30% cut from all ransoms paid by victims.

Jan. 18. A group of cybercrooks targets unsecured CouchDB and Hadoop servers around the world. The attackers hijack such databases, erase their content and instruct victims to submit 0.2 Bitcoin to restore the data.

Jan. 15. Michael Gillespie, the author of ID Ransomware service, releases a tool called CryptoSearch. It scans a computer for files encrypted by ransomware and allows the victim to back them up to a specified location. This should streamline the data recovery process if an ad hoc decryptor appears in the future.

Jan. 12. Emsisoft tailors a free decryption tool for the new Marlboro ransomware, which appends the .oops extension to locked files. Interestingly, it took the company’s research team less than one day to defeat the crypto and release the fix.

Jan. 10. Ransomware called Spora is spotted in the wild. This sample is out of the ordinary because it operates in an offline mode, implements the crypto part immaculately and boasts a professionally crafted payment service.

Jan. 10. Los Angeles Valley College suffers the consequences of a newsmaking ransomware attack that made its email servers and student data inaccessible. The LA college district ends up paying a hefty ransom of $28,000.

Jan. 7. Ransomware deployers zero in on UK educational institutions, cold-calling school staff and duping them into opening malicious ZIP files attached to rogue emails.

Jan. 4. A strain called the Merry X-Mas ransomware makes an appearance. The developers of this Christmas-themed infection identify themselves as ComodoSecurity. The pest is equipped with a data-stealing module powered by the DiamondFox malware.

Jan. 4. Emsisoft cooks up another decryptor. The free tool can restore data encoded by Globe ransomware version 3, which blemishes files with the .decrypt2017 or .hnumkhotep extensions.

Jan. 3. Extortionists hit poorly protected MongoDB databases, export their content and replace it with an instruction to pay 0.2 Bitcoin to get the stolen data back. The number of compromised servers reaches 28,000 in a few days.

Jan. 1. Senate Bill 1137 takes effect in California. It identifies ransomware distribution as a standalone felony rather than a type of hacking or money laundering. This initiative should considerably facilitate the prosecution workflow.

Stay tuned for the Q2 2017 edition of the Ransomware Report.


Q4 2016


Crypto ransomware targeting critical infrastructure

David Balaban

Menlo Park, Calif. – Jan. 14, 2016

Along with commonplace extortion campaigns affecting end users, threat actors pulled off a number of high-profile ransomware attacks during the final quarter of 2016.

In late November, an infection called HDDCryptor compromised the IT network of San Francisco Municipal Transit Agency, paralyzing the company’s critical services for several days. Another attack hit Carleton University in Canada around the same time. Obviously, the crooks are taking their nefarious activities to a whole new level.



Dec. 30. An article posted on the MalwareTech security blog dissects the controversial issue of proof-of-concept ransomware. The researchers emphasize that cybercriminals often leverage open source ransomware code to deploy real-world attacks.

Dec. 28. Security analysts discover a new screen locker that targets LG Smart TVs. This Android ransomware displays a counterfeit FBI themed warning on an infected device’s screen and asks for $500 to unlock it.

Dec. 24. A ransomware strain called DeriaLock emerges on Christmas Eve. Its uniqueness revolves around the fact that the author can unlock all contaminated computers by executing a single command remotely.

Dec. 22. One of the most prolific ransomware samples of 2016 called Cerber gets updated. The new edition no longer obliterates Shadow Copies of its victims’ files and mainly targets Microsoft Office documents.

Dec. 21. The ransom note created by the new Free-Freedom ransomware mentions that its maker is 13 years old. Script kiddies are apparently trying their hand at something more sophisticated than defacing websites and hacking for fun.

Dec. 20. By virtue of the latest update, the RannohDecryptor tool by Kaspersky Lab is now capable of decrypting .cryp1, .crypt and .crypz files locked by the CryptXXX ransom Trojan.

Dec. 19. The Cybereason security firm creates a tool called RansomFree. The solution can detect most of the present-day ransomware strains and prevents them from compromising Windows computers.

Dec. 15. No More Ransom is a project containing a database of known ransomware families and providing free decryption tools. As of December 2016, this initiative engaged 34 new partnering organizations to fight the crypto epidemic.

Dec. 14. The distributors of the Cerber ransomware adopt a new social engineering tactic to deposit their malicious code on computers. Misleading emails disguised as credit card reports entice recipients into opening contagious Microsoft Word files.

Dec. 12. Analysts at Palo Alto Networks scrutinize the activity of the Samas, or SamSa, cybercriminal ring and come up with astonishing conclusions. The group’s estimated earnings amounted to more than $450,000 in 2016 alone.

Dec. 9. Cybercrooks use the CryptoWire proof-of-concept ransomware to devise real-world threats. The spinoffs called Lomix and UltraLocker are based on the open-source code published on GitHub.

Dec. 8. Victims of the new ransomware called Popcorn Time face an awful dilemma: to pay the ransom, or get their decryption key for free by sending the payload to two more people and getting them infected.

Dec. 6. A new GoldenEye ransomware specimen surfaces. Similarly to its prototype called Petya, it corrupts an infected machine’s master boot record and encrypts the master file table to render the system inoperable.

Dec. 5. The Locky ransomware, which gained notoriety for uncrackable crypto and massive distribution campaigns, gets updated. Its new version appends the .osiris extension to encrypted files, paying homage to Egyptian mythology.

Dec. 4. A 40-year-old ransomware developer nicknamed Pornopoker is apprehended at the Moscow Domodedovo Airport. He is suspected of creating and spreading the Ransomlock.P screen locker.

Dec. 2. The turnkey RaaS (Ransomware as a Service) kit called Alpha Locker is sold on Russian hacking forums for $60. This offending program is written in C# and boasts a lightweight 50 KB downloader.

Dec. 1. Researchers at Avast create four new decryption tools for the Alcatraz Locker, CrySiS, Globe, and NoobCrypt ransomware lineages. Those infected can download and use these apps for free.


Nov. 30. Security experts discover a rogue application called Electrum Coin Adder, which drops a sample of the Jigsaw ransomware along with a stealthy Bitcoin stealer.

Nov. 29. Crypto ransomware compromises email servers and a number of other administrative services at Carleton University in Canada. The attackers demand 39 Bitcoins for data recovery.

Nov. 28. The San Francisco Municipal Transit Agency (SFMTA) gets hit by HDDCryptor, a ransomware strain that overwrites computers’ master boot records. The attack paralyzes SF Muni’s automated fare system for several days. The malefactors demand 100 Bitcoins, or about $73,000.

Nov. 23. Cisco Talos Group spots a new Locky ransomware spam campaign disseminating malicious MHT files. The fake emails pretend to be from the HSBC financial services organization.

Nov. 21. A new .aesir file extension variant of Locky goes live. It spreads via Facebook spam luring users into opening booby-trapped SVG images. The infection chain involves the infamous malware downloader called Nemucod.

Nov. 18. The ID Ransomware service by MalwareHunterTeam can identify 238 ransomware types as of mid-November. It allows victims to upload a random encrypted file or ransom note and determine what ransomware strain they are confronted with.

Nov. 17. New Dharma ransomware appears literally days after the authors of its precursor called CrySiS released Master Decryption Keys for the previous campaign. The new variant appends the threat actors’ email address and the .wallet extension to crippled files.

Nov. 17. Fabian Wosar, a security researcher at Emsisoft, updates his free decryptor for the Globe ransomware. The app can now decode files with the .blt, .raid10 and .zendr4 extensions locked by Globe2.

Nov. 16. The Apocalypse ransomware developer contacts Fabian Wosar of Emsisoft, asking for assistance in fixing a bug in the crypto. The researcher refuses to help.

Nov. 14. The author of the CrySiS ransomware releases all Master Decryption Keys so that victims can restore their data. Experts at Kaspersky Lab use the keys to update their RakhniDecryptor app.

Nov. 9. New Telecrypt ransomware is discovered. It is one of a kind because it uses the Telegram API to communicate with Command and Control servers.

Nov. 8. An offbeat German ransomware surfaces. It pretends to be a PaySafeCard PIN code generator, thus obfuscating the file encryption routine. This sample concatenates the “.cry_” extension to one’s mutilated files.

Nov. 7. A new variant of the Jigsaw ransomware specifically targets French users. It leaves a ransom note in French and uses the .encrypted suffix to label affected files. Fortunately, its crypto is buggy, so researchers found a recovery workaround.

Nov. 4. Researchers at RSA Link publish an in-depth report on the evolution of the Cerber ransomware. In particular, the article provides insight into Cerber’s Command and Control infrastructure and the new principle of assigning extensions in versions 4.1.x and later.

Nov. 3. The strain known as zScreenLocker adds some dirty politics to the extortion mix, displaying a desktop background that reads “Ban Islam.” This ransomware is potentially decryptable through brute-forcing of the unlock key.

Nov. 1. The Cerber ransomware starts indicating its version number explicitly in the warning message that replaces a victim’s original desktop background.


Oct. 27. The author of the fs0ciety ransomware sends a message to Emsisoft researcher Fabian Wosar, trying to sell 200 decryption keys for 10 Bitcoins. Mr. Wosar rejects the offer as he has already come up with a way to restore files encrypted by this infection.

Oct. 25. Locky ransomware starts appending the .thor extension to encrypted files. This edition can encrypt data in offline mode without requesting crypto keys from its C2 server.

Oct. 23. A new file-encrypting threat called Angry Duck features an apropos desktop background, uses the .adk file extension and demands an unusually high ransom of 10 Bitcoins.

Oct. 20. The sample dubbed JapanLocker zeroes in on web servers rather than personal data stored on victims’ computers. Coded in PHP, this infection encrypts website content and provides an email address for webmasters to reach the attacker for recovery steps.

Oct. 20. Cisco Talos Group creates MBRFilter, a tool that prevents ransomware from modifying a computer’s master boot record. In particular, this solution detects and blocks such strains as Petya and the GoldenEye ransomware.

Oct. 18. Another unusual ransomware is discovered. It is camouflaged as a Click Me game, encouraging a victim to chase the button across the screen while the infection is encrypting important files and appending the .hacked extension to them.

Oct. 18. A Polish security researcher @hasherezade releases free decryption tools for several variants of the 7ev3n ransomware.

Oct. 15. Malwarebytes analysts create a tool that decrypts files with the !XPTLOCK5.0 extension scrambled by the newest version of the DMA Locker ransomware.

Oct. 14. The new LockyDump command line tool by Talos Security Intelligence and Research Group facilitates the analysis of different Locky ransomware variants. Its virtualized environment enables researchers to safely extract configuration details and other properties of the infection.

Oct. 14. The Exotic Ransomware distributed by a cybercriminal ring dubbed EvilTwin operates in a bizarre way. It encrypts executables along with regular data objects, which may lead to a system crash.

Oct. 13. Researchers at Doctor Web discover Trojan.Encoder.6491, the first piece of ransomware written in the Go programming language. Fortunately, the experts also create an automatic decoder for this threat.

Oct. 11. What sets the new VenisRansomware apart is that it enables Remote Desktop Host as part of the compromise. This allows the attackers to hack into infected machines remotely.

Oct. 8. Similarly to its prototype called Fantom, the new Comrade Circle ransomware displays a fake Windows update screen during unauthorized data encryption in the background.

Oct. 5. The Hades Locker strain is discovered. It turns out to be a successor of the WildFire Locker ransomware, whose command and control infrastructure was seized by a Dutch law enforcement agency in late August.

Oct. 4. Cerber ransomware version 4 goes live. It appends a victim-specific 4-character extension to encrypted files and leaves the Readme.hta ransom note.

Oct. 2. Written in Python, the latest edition of Fs0ci3ty L0ck3r features an extortion scheme with an incremental ransom. The amount increases by 1 Bitcoin every day after the initial 24-hour period expires.

Oct. 1. Emsisoft releases a free decryptor for the Purge movie-themed Globe ransomware. This infection uses the Blowfish block cipher to render victims’ data inaccessible and concatenates the .purge, .globe or .okean-1955@india.com extension to crippled files.

Stay tuned for the Q1 2017 edition of the Ransomware Report.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.


© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.