Q1 2017

RansomwareReport.com provides a quarterly diary of noteworthy ransomware-related events that impacted end users and organizations around the globe.


Ransomware epidemic grows, new online extortion trends taking root

Crypto infections rampant on open source DB servers and Android devices, Spora and Locky continue propagating.

davidbalabanbwDavid Balaban

Menlo Park, Calif. – Apr. 6, 2017

The increasingly competitive ransomware ecosystem keeps spawning novel attack vectors. A series of large-scale extortion campaigns targeted thousands of MongoDB, CouchDB, Hadoop and MySQL servers in the first quarter of 2017. Some crooks have come to make emphasis on customer support, as is the case with the new Spora ransomware. Android crypto infections are starting to employ dropper techniques that used to be isolated to Windows only.

To top it all off, police departments, county governments, libraries, schools, hotels and CCTV systems are still as susceptible to ransomware attacks as before. What does the future hold? Hopefully a breakthrough in combating this ubiquitous epidemic.



Mar. 31. A strain dubbed the Sanctions ransomware surfaces, and it’s ironic to the bone. It got its name from the image in Restore_All_Data.html decryption how-to, where a hungry Russian Bear squeezes a person in its paw who says “Beware my sanctions!”

Mar. 29. Malwarebytes provides in-depth analysis of the Sage ransomware and explains what makes it one of the top crypto threats these days. In particular, this perpetrating program encrypts data in offline mode and uses a combo of elliptic curve cryptography (ECC) and ChaCha20 algorithm flawlessly.

Mar. 28. An Android ransomware sample is discovered that flies under the radar of mobile security programs. Its payload is camouflaged a popular Russian social networking app called OK. The infection demands 500 Rubles, which is worth about $9, for unlocking a device.

Mar. 27. Security patches included in iOS 10.3 release address a notorious ransomware issue, where cybercrooks were able to lock Safari browser on Apple’s mobile devices and request a ransom payable in iTunes gift cards.

Mar. 23. MalwareHunterTeam, a research group specializing in ransomware identification and analysis, provides disconcerting statistics on the reported Spora ransomware incidents. The infection encrypted 48466020 files belonging to 646 victims.

Mar. 22. A new variant of the prolific Jigsaw ransomware goes bundled with a cracked edition of a remote access tool (RAT) called Imminent Monitor. Interestingly, this strain provides data decryption steps right in the extension appended to scrambled files.

Mar. 22. Emsisoft CTO Fabian Wosar updates his previously released free decryptor for the Globe3 ransomware. The tool now supports the latest version of this file-encrypting Trojan.

Mar. 22. Researchers at the ERPScan business application security provider discover a vulnerability in SAP enterprise software that may allow threat actors to send and execute ransomware payloads on SAP Windows clients.

Mar. 20. Locky ransomware, one of the prevalent crypto infections in 2016, appears to be gradually vanishing from the cybercrime arena. Analysts found ties between this extortion campaign and the Necurs botnet, which no longer spews Locky spam.

Mar. 16. CryptON, or Nemesis, ransomware is no longer a problem as the Emsisoft team devises a free decryption tool for this sample. The solution can handle all variants of this perpetrating program, including the latest one.

Mar. 16. The new Star Trek themed Kirk ransomware is definitely not a run-of-the-mill strain. This Python-based infection accepts the Monero cryptocurrency rather than the widespread Bitcoin and uses a decryption service called Spock.

Mar. 14. An offbeat incarnation of the notorious Petya ransomware called PetrWrap is spotted in the wild. This one is leveraged in targeted attacks against organizations. Similarly to its prototype, PetrWrap encrypts the MFT (Master File Table) of NTFS partitions on infected machines.

Mar. 11. Fabian Wosar, a renowned researcher mentioned above, demonstrates the process of analyzing and cracking the new Damage ransomware in a live video session.

Mar. 10. Two multinational technology companies discover that 38 Android smartphones used by their employees were shipped with pre-installed Slocker ransomware and Loki adware. Security analysts blame it on parties involved in the supply chain.

Mar. 9. A fresh version of the Cerber ransomware keeps original filenames intact instead of replacing them with 10 random hexadecimal characters as it used to do. It still appends files with a four-character extension that matches the computer’s MachineGuid value.

Mar. 8. Cisco’s Talos Intelligence Group dissects the new Crypt0L0cker, or TorrentLocker, a campaign that broke out after a year-long pause. The article covers new features of the ransomware and reveals that the epidemic is mostly isolated to Europe.

Mar. 6. The computer infrastructure of the Pennsylvania Senate Democratic Caucus gets hit by an unidentified ransomware strain. The infection rendered the target’s entire IT network inoperable.

Mar. 2. Kaspersky Lab updates their RakhniDecryptor solution so that it can restore data ciphered by the Dharma ransomware. This win became possible after someone released the master decryption keys for this sample on Bleeping Computer security forums.


Feb. 23. The latest version of the Android.Lockdroid.E ransomware stands out from the crowd because it has added a speech recognition feature to the extortion cycle. It instructs victims to speak their unlock code obtained after paying the ransom.

Feb. 22. New ransom Trojan called MacOS Patcher infects Mac machines under the guise of cracking tools for popular software suites, including Adobe Premiere Pro CC 2017 and Office 2016. The crypto is buggy, so it may be impossible to restore files even if the ransom is paid.

Feb. 22. Cybercrooks start distributing Trump Locker, a ransomware strain functionally similar to the existing VenusLocker sample. This provocative infection fully encodes widespread types of files and applies partial encryption for less popular ones.

Feb. 21. Avast devises a free decryption tool that reinstates data scrambled by an edition of the CryptoMix ransomware that operates in offline, or autopilot, mode.

Feb. 20. A research team at Emsisoft updates their decryptor for MRCR or Merry X-Mas ransomware. The utility is now capable of restoring files with the .merry extension locked by the newest variant of the plague.

Feb. 16. Online extortionists’ worst enemy Fabian Wosar of Emsisoft sets up a streaming video session where he reverse-engineers the new Hermes ransomware and finds vulnerabilities in its crypto implementation.

Feb. 15. In a defiant move, the developers of Cerber ransomware release a variant that does not encode files related to antivirus suites. This way, the threat actors may be demonstrating that the present-day security solutions aren’t much of a hindrance to this nefarious business.

Feb. 14. According to Kaspersky Lab, about 75% of ransomware samples propagating in 2016 were attributable to the activity of Russian-speaking threat actors.

Feb. 14. Three researchers from the Georgia Institute of Technology take the floor at RSA Conference in San Francisco to present their proof-of-concept ransomware that targets industrial control systems (ICS).

Feb. 9. New crypto threat called the Serpent ransomware is discovered. It hails from the same family as the notorious WildFire Locker and Hades Locker samples. Serpent spreads via spam and zeroes in on Danish-speaking users.

Feb. 8. The ID Ransomware online portal by MalwareHunterTeam reaches an important milestone. It is now capable of identifying 300 different ransomware lineages by ransom notes or sample encrypted files.

Feb. 6. The Android.Lockdroid.E ransomware, which targets Android devices, gets more sophisticated. It starts leveraging a dropper technique to determine whether a gadget is rooted or not and then proceeds with the infection chain based on the response.

Feb. 3. A British man and Swedish woman, both 50 years old, get arrested in London for infecting the closed-circuit television system of Washington, D.C. with ransomware. The cyber-attack, which affected 70% of storage devices on the CCTV network, reportedly took place a week before Donald Trump’s inauguration.

Feb. 2. Avast complements its list of free decryptors with three more tools. The new ones can unencrypt data scrambled by the Jigsaw, Hidden Tear, and Stampado ransomware.


Jan. 31. An aggressive ransomware infection poisons computer systems of the government of Licking County, Ohio. Collateral damage from the attack is that local 911 emergency services stopped functioning as well.

Jan. 31. An intricate campaign involving fake Google Chrome font update popups distributes the Spora ransomware. The contamination chain is triggered behind the scenes as soon as an unsuspecting user opts for the bogus font update for the browser.

Jan. 29. Four-star Austrian hotel Romantic Seehotel Jaegerwirt falls victim to ransomware. The perpetrating code affects the hotel’s cash desk, reservation, and electronic key lock systems.

Jan. 26. The Osiris variant of Locky ransomware contaminates the IT infrastructure of Cockrell Hill police in Texas. The infection cripples a vast amount of evidence, including all Microsoft Office documents, photos, surveillance and body camera videos.

Jan. 24. Predictably enough, the high-profile Spora ransomware expands its reach. Having originally propagated in former Soviet countries only, it starts infecting users worldwide.

Jan. 23. Security analysts state that the new Sage 2.0 ransomware is shaping up to be a major player in the online extortion ecosystem. It is being distributed by the same cybercrime ring as the one behind Locky, Cerber and Spora strains.

Jan. 20. Ransomware infects 16 branches of the Saint Louis Public Library, holding valuable data on more than 700 machines hostage. The crooks demand a ransom of $35,000 for recovery.

Jan. 19. Researchers discover a new Ransomware as a Service portal supporting the Satan ransomware campaign. The service enables interested parties to build their custom edition of the Trojan. The architects of this RaaS get a 30% cut from all ransoms paid by victims.

Jan. 18. A group of cybercrooks targets unsecured CouchDB and Hadoop servers around the world. The attackers hijack such databases, erase their content and instruct victims to submit 0.2 Bitcoin to restore the data.

Jan. 15. Michael Gillespie, the author of ID Ransomware service, releases a tool called CryptoSearch. It scans a computer for files encrypted by ransomware and allows the victim to back them up to a specified location. This should streamline the data recovery process if an ad hoc decryptor appears in the future.

Jan. 12. Emsisoft tailors a free decryption tool for the new Marlboro ransomware, which appends the .oops extension to locked files. Interestingly, it took the company’s research team less than one day to defeat the crypto and release the fix.

Jan. 10. Ransomware called Spora is spotted in the wild. This sample is out of the ordinary because it operates in an offline mode, implements the crypto part immaculately and boasts a professionally crafted payment service.

Jan. 10. Los Angeles Valley College suffers the consequences of a newsmaking ransomware attack that made its email servers and student data inaccessible. The LA college district ends up paying a hefty ransom of $28,000.

Jan. 7. Ransomware deployers zero in on UK educational institutions, cold-calling school staff and duping them into opening malicious ZIP files attached to rogue emails.

Jan. 4. A strain called the Merry X-Mas ransomware makes an appearance. The developers of this Christmas-themed infection identify themselves as ComodoSecurity. The pest is equipped with a data-stealing module powered by the DiamondFox malware.

Jan. 4. Emsisoft cooks up another decryptor. The free tool can restore data encoded by Globe ransomware version 3, which blemishes files with the .decrypt2017 or .hnumkhotep extensions.

Jan. 3. Extortionists hit poorly protected MongoDB databases, export their content and replace it with an instruction to pay 0.2 Bitcoin to get the stolen data back. The number of compromised servers reaches 28,000 in a few days.

Jan. 1. Senate Bill 1137 takes effect in California. It identifies ransomware distribution as a standalone felony rather than a type of hacking or money laundering. This initiative should considerably facilitate the prosecution workflow.

Stay tuned for the Q2 2017 edition of the Ransomware Report.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.


Q4 2016

RansomwareReport.com provides a quarterly diary of noteworthy ransomware-related events that impacted end users and organizations around the globe.


Crypto ransomware targeting critical infrastructure

davidbalabanbwDavid Balaban

Menlo Park, Calif. – Jan. 14, 2016

Along with commonplace extortion campaigns affecting end users, threat actors pulled off a number of high-profile ransomware attacks during the final quarter of 2016.

In late November, an infection called HDDCryptor compromised the IT network of San Francisco Municipal Transit Agency, paralyzing the company’s critical services for several days. Another attack hit Carleton University in Canada around the same time. Obviously, the crooks are taking their nefarious activities to a whole new level.



Dec. 30. An article posted on the MalwareTech security blog dissects the controversial issue of proof-of-concept ransomware. The researchers emphasize that cybercriminals often leverage open source ransomware code to deploy real-world attacks.

Dec. 28. Security analysts discover a new screen locker that targets LG Smart TVs. This Android ransomware displays a counterfeit FBI themed warning on an infected device’s screen and asks for $500 to unlock it.

Dec. 24. A ransomware strain called DeriaLock emerges on Christmas Eve. Its uniqueness revolves around the fact that the author can unlock all contaminated computers by executing a single command remotely.

Dec. 22. One of the most prolific ransomware samples of 2016 called Cerber gets updated. The new edition no longer obliterates Shadow Copies of its victims’ files and mainly targets Microsoft Office documents.

Dec. 21. The ransom note created by the new Free-Freedom ransomware mentions that its maker is 13 years old. Script kiddies are apparently trying their hand at something more sophisticated than defacing websites and hacking for fun.

Dec. 20. By virtue of the latest update, the RannohDecryptor tool by Kaspersky Lab is now capable of decrypting .cryp1, .crypt and .crypz files locked by the CryptXXX ransom Trojan.

Dec. 19. The Cybereason security firm creates a tool called RansomFree. The solution can detect most of the present-day ransomware strains and prevents them from compromising Windows computers.

Dec. 15. No More Ransom is a project containing a database of known ransomware families and providing free decryption tools. As of December 2016, this initiative engaged 34 new partnering organizations to fight the crypto epidemic.

Dec. 14. The distributors of the Cerber ransomware adopt a new social engineering tactic to deposit their malicious code on computers. Misleading emails disguised as credit card reports entice recipients into opening contagious Microsoft Word files.

Dec. 12. Analysts at Palo Alto Networks scrutinize the activity of the Samas, or SamSa, cybercriminal ring and come up with astonishing conclusions. The group’s estimated earnings amounted to more than $450,000 in 2016 alone.

Dec. 9. Cybercrooks use the CryptoWire proof-of-concept ransomware to devise real-world threats. The spinoffs called Lomix and UltraLocker are based on the open-source code published on GitHub.

Dec. 8. Victims of the new ransomware called Popcorn Time face an awful dilemma: to pay the ransom, or get their decryption key for free by sending the payload to two more people and getting them infected.

Dec. 6. A new GoldenEye ransomware specimen surfaces. Similarly to its prototype called Petya, it corrupts an infected machine’s master boot record and encrypts the master file table to render the system inoperable.

Dec. 5. The Locky ransomware, which gained notoriety for uncrackable crypto and massive distribution campaigns, got updated. Its new version appends the .osiris extension to encrypted files, paying homage to Egyptian mythology.

Dec. 4. A 40-year-old ransomware developer nicknamed Pornopoker is apprehended at the Moscow Domodedovo Airport. He is suspected of creating and spreading the Ransomlock.P screen locker.

Dec. 2. The turkney RaaS (Ransomware as a Service) kit called Alpha Locker is sold on Russian hacking forums for $60. This offending program is written in C# and boasts a lightweight 50 KB downloader.

Dec. 1. Researchers at Avast create four new decryption tools for the Alcatraz Locker, CrySiS, Globe, and NoobCrypt ransomware lineages. Those infected can download and use these apps for free.


Nov. 30. Security experts discover a rogue application called Electrum Coin Adder, which drops a sample of the Jigsaw ransomware along with a stealthy Bitcoin stealer.

Nov. 29. Crypto ransomware compromises email servers and a number of other administrative services at Carleton University in Canada. The attackers demand 39 Bitcoins for data recovery.

Nov. 28. The San Francisco Municipal Transit Agency (SFMTA) gets hit by HDDCryptor, a ransomware strain that overwrites computers’ master boot records. The attack paralyzes SF Muni’s automated faring system for several days. The malefactors demand 100 Bitcoins, or about $73,000.

Nov. 23. Cisco Talos Group spots a new Locky ransomware spam campaign disseminating malicious MHT files. The fake emails pretend to be from the HSBC financial services organization.

Nov. 21. A new .aesir file extension variant of Locky goes live. It spreads via Facebook spam luring users into opening booby-trapped SVG images. The infection chain involves the infamous malware downloader called Nemucod.

Nov. 18. The ID Ransomware service by MalwareHunterTeam can identify 238 ransomware types as of mid-November. It allows victims to upload a random encrypted file or ransom note and determine what ransomware strain they are confronted with.

Nov. 17. New Dharma ransomware appears literally days after the authors of its precursor called CrySiS released Master Decryption Keys for the previous campaign. The new variant appends crippled files with the threat actors’ email address and the .wallet extension.

Nov. 17. Fabian Wosar, a security researcher at Emsisoft, updates his free decryptor for the Globe ransomware. The app can now decode files with the .blt, .raid10 and .zendr4 extensions locked by Globe2.

Nov. 16. The Apocalypse ransomware developer contacts Fabian Wosar of Emsisoft, asking for assistance in fixing a bug in the crypto. The researcher refuses to help.

Nov. 14. The author of the CrySiS ransomware releases all Master Decryption Keys so that victims can restore their data. Experts at Kaspersky Lab use the keys to update their RakhniDecryptor app.

Nov. 9. New Telecrypt ransomware is discovered. It is one of a kind because it uses the Telegram API to communicate with Command and Control servers.

Nov. 8. An offbeat German ransomware surfaces. It pretends to be a PaySafeCard PIN code generator, thus obfuscating the file encryption routine. This sample concatenates the “.cry_” extension to one’s mutilated files.

Nov. 7. A new variant of the Jigsaw ransomware specifically targets French users. It leaves a ransom note in French and uses the .encrypted suffix to label affected files. Fortunately, its crypto is buggy, so researchers found a recovery workaround.

Nov. 4. Researchers at RSA Link publish an in-depth report on the evolution of the Cerber ransomware. In particular, the article provides an insight into Cerber’s Command and Control infrastructure and the new extension assigning principle in versions 4.1.x and later.

Nov. 3. The strain known as zScreenLocker adds some dirty politics to the extortion mix, displaying a desktop background that reads “Ban Islam.” This ransomware is potentially decryptable through brute-forcing of the unlock key.

Nov. 1. The Cerber ransomware starts indicating its version number explicitly in the warning message that replaces a victim’s original desktop background.


Oct. 27. The author of the fs0ciety ransomware sends a message to Emsisoft researcher Fabian Wosar, trying to sell 200 decryption keys for 10 Bitcoins. Mr. Wosar rejects the offer as he has already come up with a way to restore files encrypted by this infection.

Oct. 25. Locky ransomware starts appending the .thor extension to encrypted files. This edition can encrypt data in offline mode without requesting crypto keys from its C2 server.

Oct. 23. A new file-encrypting threat called Angry Duck features an apropos desktop background, uses the .adk file extension and demands an unusually high ransom of 10 Bitcoins.

Oct. 20. The sample dubbed JapanLocker zeroes in on web servers rather than personal data stored on victims’ computers. Coded in PHP, this infection encrypts website content and provides an email address for webmasters to reach the attacker for recovery steps.

Oct. 20. Cisco Talos Group creates MBRFilter, a tool that prevents ransomware from modifying a computer’s master boot record. In particular, this solution detects and blocks such strains as Petya and the GoldenEye ransomware.

Oct. 18. Another unordinary ransomware is discovered. It is camouflaged as a Click Me game, encouraging a victim to chase the button across the screen while the infection is encrypting important files and appending them with the .hacked extension.

Oct. 18. A Polish security researcher @hasherezade releases free decryption tools for several variants of the 7ev3n ransomware.

Oct. 15. Malwarebytes analysts create a tool that decrypts files with the !XPTLOCK5.0 extension scrambled by the newest version of the DMA Locker ransomware.

Oct. 14. The new LockyDump command line tool by Talos Security Intelligence and Research Group facilitates the analysis of different Locky ransomware variants. Its virtualized environment enables researchers to safely extract configuration details and other properties of the infection.

Oct. 14. The Exotic Ransomware distributed by a cybercriminal ring dubbed EvilTwin operates in a bizarre way. It encrypts executables along with regular data objects, which may lead to a system crash.

Oct. 13. Researchers at Doctor Web discover Trojan.Encoder.6491, the first piece of ransomware written in the Go programming language. Fortunately, the experts also create an automatic decoder for this threat.

Oct. 11. The specificity of the new VenisRansomware is that it enables Remote Desktop Host as part of the compromise. This allows the attackers to hack into infected machines remotely.

Oct. 8. Similarly to its prototype called Fantom, the new Comrade Circle ransomware displays a fake Windows update screen during unauthorized data encryption in the background.

Oct. 5. The Hades Locker strain is discovered. It turns out to be a successor of the WildFire Locker ransomware, whose command and control infrastructure was seized by a Dutch law enforcement agency in late August.

Oct. 4. Cerber ransomware version 4 goes live. It appends encrypted files with a victim-specific 4-character extension and leaves the Readme.hta ransom note.

Oct. 2. Written in Python, the latest edition of Fs0ci3ty L0ck3r features an extortion scheme with the incremental ransom. The amount increases by 1 Bitcoin every day after the initial 24-hour period expires.

Oct. 1. Emsisoft releases a free decryptor for the Purge movie themed Globe ransomware. This infection uses Blowfish block cipher to render victims’ data inaccessible and concatenates the .purge, .globe or .okean-1955@india.com extension to crippled files.

Stay tuned for the Q1 2017 edition of the Ransomware Report.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.


© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.