Q4 2016

RansomwareReport.com provides a quarterly diary of noteworthy ransomware-related events that impacted end users and organizations around the globe.


Crypto ransomware targeting critical infrastructure

davidbalabanbwDavid Balaban

Menlo Park, Calif. – Jan. 14, 2016

Along with commonplace extortion campaigns affecting end users, threat actors pulled off a number of high-profile ransomware attacks during the final quarter of 2016.

In late November, an infection called HDDCryptor compromised the IT network of San Francisco Municipal Transit Agency, paralyzing the company’s critical services for several days. Another attack hit Carleton University in Canada around the same time. Obviously, the crooks are taking their nefarious activities to a whole new level.



Dec. 30. An article posted on the MalwareTech security blog dissects the controversial issue of proof-of-concept ransomware. The researchers emphasize that cybercriminals often leverage open source ransomware code to deploy real-world attacks.

Dec. 28. Security analysts discover a new screen locker that targets LG Smart TVs. This Android ransomware displays a counterfeit FBI themed warning on an infected device’s screen and asks for $500 to unlock it.

Dec. 24. A ransomware strain called DeriaLock emerges on Christmas Eve. Its uniqueness revolves around the fact that the author can unlock all contaminated computers by executing a single command remotely.

Dec. 22. One of the most prolific ransomware samples of 2016 called Cerber gets updated. The new edition no longer obliterates Shadow Copies of its victims’ files and mainly targets Microsoft Office documents.

Dec. 21. The ransom note created by the new Free-Freedom ransomware mentions that its maker is 13 years old. Script kiddies are apparently trying their hand at something more sophisticated than defacing websites and hacking for fun.

Dec. 20. By virtue of the latest update, the RannohDecryptor tool by Kaspersky Lab is now capable of decrypting .cryp1, .crypt and .crypz files locked by the CryptXXX ransom Trojan.

Dec. 19. The Cybereason security firm creates a tool called RansomFree. The solution can detect most of the present-day ransomware strains and prevents them from compromising Windows computers.

Dec. 15. No More Ransom is a project containing a database of known ransomware families and providing free decryption tools. As of December 2016, this initiative engaged 34 new partnering organizations to fight the crypto epidemic.

Dec. 14. The distributors of the Cerber ransomware adopt a new social engineering tactic to deposit their malicious code on computers. Misleading emails disguised as credit card reports entice recipients into opening contagious Microsoft Word files.

Dec. 12. Analysts at Palo Alto Networks scrutinize the activity of the Samas, or SamSa, cybercriminal ring and come up with astonishing conclusions. The group’s estimated earnings amounted to more than $450,000 in 2016 alone.

Dec. 9. Cybercrooks use the CryptoWire proof-of-concept ransomware to devise real-world threats. The spinoffs called Lomix and UltraLocker are based on the open-source code published on GitHub.

Dec. 8. Victims of the new ransomware called Popcorn Time face an awful dilemma: to pay the ransom, or get their decryption key for free by sending the payload to two more people and getting them infected.

Dec. 6. A new GoldenEye ransomware specimen surfaces. Similarly to its prototype called Petya, it corrupts an infected machine’s master boot record and encrypts the master file table to render the system inoperable.

Dec. 5. The Locky ransomware, which gained notoriety for uncrackable crypto and massive distribution campaigns, got updated. Its new version appends the .osiris extension to encrypted files, paying homage to Egyptian mythology.

Dec. 4. A 40-year-old ransomware developer nicknamed Pornopoker is apprehended at the Moscow Domodedovo Airport. He is suspected of creating and spreading the Ransomlock.P screen locker.

Dec. 2. The turkney RaaS (Ransomware as a Service) kit called Alpha Locker is sold on Russian hacking forums for $60. This offending program is written in C# and boasts a lightweight 50 KB downloader.

Dec. 1. Researchers at Avast create four new decryption tools for the Alcatraz Locker, CrySiS, Globe, and NoobCrypt ransomware lineages. Those infected can download and use these apps for free.


Nov. 30. Security experts discover a rogue application called Electrum Coin Adder, which drops a sample of the Jigsaw ransomware along with a stealthy Bitcoin stealer.

Nov. 29. Crypto ransomware compromises email servers and a number of other administrative services at Carleton University in Canada. The attackers demand 39 Bitcoins for data recovery.

Nov. 28. The San Francisco Municipal Transit Agency (SFMTA) gets hit by HDDCryptor, a ransomware strain that overwrites computers’ master boot records. The attack paralyzes SF Muni’s automated faring system for several days. The malefactors demand 100 Bitcoins, or about $73,000.

Nov. 23. Cisco Talos Group spots a new Locky ransomware spam campaign disseminating malicious MHT files. The fake emails pretend to be from the HSBC financial services organization.

Nov. 21. A new .aesir file extension variant of Locky goes live. It spreads via Facebook spam luring users into opening booby-trapped SVG images. The infection chain involves the infamous malware downloader called Nemucod.

Nov. 18. The ID Ransomware service by MalwareHunterTeam can identify 238 ransomware types as of mid-November. It allows victims to upload a random encrypted file or ransom note and determine what ransomware strain they are confronted with.

Nov. 17. New Dharma ransomware appears literally days after the authors of its precursor called CrySiS released Master Decryption Keys for the previous campaign. The new variant appends crippled files with the threat actors’ email address and the .wallet extension.

Nov. 17. Fabian Wosar, a security researcher at Emsisoft, updates his free decryptor for the Globe ransomware. The app can now decode files with the .blt, .raid10 and .zendr4 extensions locked by Globe2.

Nov. 16. The Apocalypse ransomware developer contacts Fabian Wosar of Emsisoft, asking for assistance in fixing a bug in the crypto. The researcher refuses to help.

Nov. 14. The author of the CrySiS ransomware releases all Master Decryption Keys so that victims can restore their data. Experts at Kaspersky Lab use the keys to update their RakhniDecryptor app.

Nov. 9. New Telecrypt ransomware is discovered. It is one of a kind because it uses the Telegram API to communicate with Command and Control servers.

Nov. 8. An offbeat German ransomware surfaces. It pretends to be a PaySafeCard PIN code generator, thus obfuscating the file encryption routine. This sample concatenates the “.cry_” extension to one’s mutilated files.

Nov. 7. A new variant of the Jigsaw ransomware specifically targets French users. It leaves a ransom note in French and uses the .encrypted suffix to label affected files. Fortunately, its crypto is buggy, so researchers found a recovery workaround.

Nov. 4. Researchers at RSA Link publish an in-depth report on the evolution of the Cerber ransomware. In particular, the article provides an insight into Cerber’s Command and Control infrastructure and the new extension assigning principle in versions 4.1.x and later.

Nov. 3. The strain known as zScreenLocker adds some dirty politics to the extortion mix, displaying a desktop background that reads “Ban Islam.” This ransomware is potentially decryptable through brute-forcing of the unlock key.

Nov. 1. The Cerber ransomware starts indicating its version number explicitly in the warning message that replaces a victim’s original desktop background.


Oct. 27. The author of the fs0ciety ransomware sends a message to Emsisoft researcher Fabian Wosar, trying to sell 200 decryption keys for 10 Bitcoins. Mr. Wosar rejects the offer as he has already come up with a way to restore files encrypted by this infection.

Oct. 25. Locky ransomware starts appending the .thor extension to encrypted files. This edition can encrypt data in offline mode without requesting crypto keys from its C2 server.

Oct. 23. A new file-encrypting threat called Angry Duck features an apropos desktop background, uses the .adk file extension and demands an unusually high ransom of 10 Bitcoins.

Oct. 20. The sample dubbed JapanLocker zeroes in on web servers rather than personal data stored on victims’ computers. Coded in PHP, this infection encrypts website content and provides an email address for webmasters to reach the attacker for recovery steps.

Oct. 20. Cisco Talos Group creates MBRFilter, a tool that prevents ransomware from modifying a computer’s master boot record. In particular, this solution detects and blocks such strains as Petya and the GoldenEye ransomware.

Oct. 18. Another unordinary ransomware is discovered. It is camouflaged as a Click Me game, encouraging a victim to chase the button across the screen while the infection is encrypting important files and appending them with the .hacked extension.

Oct. 18. A Polish security researcher @hasherezade releases free decryption tools for several variants of the 7ev3n ransomware.

Oct. 15. Malwarebytes analysts create a tool that decrypts files with the !XPTLOCK5.0 extension scrambled by the newest version of the DMA Locker ransomware.

Oct. 14. The new LockyDump command line tool by Talos Security Intelligence and Research Group facilitates the analysis of different Locky ransomware variants. Its virtualized environment enables researchers to safely extract configuration details and other properties of the infection.

Oct. 14. The Exotic Ransomware distributed by a cybercriminal ring dubbed EvilTwin operates in a bizarre way. It encrypts executables along with regular data objects, which may lead to a system crash.

Oct. 13. Researchers at Doctor Web discover Trojan.Encoder.6491, the first piece of ransomware written in the Go programming language. Fortunately, the experts also create an automatic decoder for this threat.

Oct. 11. The specificity of the new VenisRansomware is that it enables Remote Desktop Host as part of the compromise. This allows the attackers to hack into infected machines remotely.

Oct. 8. Similarly to its prototype called Fantom, the new Comrade Circle ransomware displays a fake Windows update screen during unauthorized data encryption in the background.

Oct. 5. The Hades Locker strain is discovered. It turns out to be a successor of the WildFire Locker ransomware, whose command and control infrastructure was seized by a Dutch law enforcement agency in late August.

Oct. 4. Cerber ransomware version 4 goes live. It appends encrypted files with a victim-specific 4-character extension and leaves the Readme.hta ransom note.

Oct. 2. Written in Python, the latest edition of Fs0ci3ty L0ck3r features an extortion scheme with the incremental ransom. The amount increases by 1 Bitcoin every day after the initial 24-hour period expires.

Oct. 1. Emsisoft releases a free decryptor for the Purge movie themed Globe ransomware. This infection uses Blowfish block cipher to render victims’ data inaccessible and concatenates the .purge, .globe or .okean-1955@india.com extension to crippled files.

Stay tuned for the Q1 2017 edition of the Ransomware Report.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.


© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.