Q3 2017

RansomwareReport.com, sponsored by Terranova WW Corporation, provides a quarterly diary of noteworthy ransomware-related events that impacted end users and organizations around the globe.


FedEx and Merck confronted with NotPetya’s scorched-earth tactic

Ransomware authors code a myriad of new strains

David Balaban

Menlo Park, Calif. – Sep. 29, 2017

Large international companies from healthcare and courier delivery sectors kept dealing with the aftermath of the NotPetya data wiper outbreak camouflaged as a classic extortion wave. WannaCry, another sophisticated blackmail virus, remained a serious concern months after the release, hitting South Korean technology giant LG.

Other notorious ransomware heavyweights Cerber, Locky, CrySiS, CryptoMix, BTCWare and GlobeImposter maintained the status quo in the third quarter of 2017. The operators of these campaigns were busy diversifying their malicious portfolio. Some started embedding extra data theft modules into their perpetrating code. Others were experimenting with on-close Word macros to streamline the infection chain.

Meanwhile, the Hidden Tear proof-of-concept continued to fuel the niche of mainstream ransomware, demonstrating how easily cybercriminals can weaponize something created for benign purposes.





Sep. 28. Malware analysts spot a ransomware builder called LaserLocker. It allows wannabe extortionists to create custom variants of a screen locking Trojan by simply filling out a few fields. The infection can optionally disable Task Manager, System Restore, and the Windows Command Prompt.

Sep. 25. An extravagant strain called nRansom goes beyond all reasonable bounds with its demands. It instructs victims to send at least 20 nude pictures of themselves to its operators. To add insult to injury, it also asks for a video of the user murdering 10 innocent people. The ne’er-do-wells are going nuts, obviously.

Sep. 23. New blackmail malware dubbed RedBoot turns out to be more destructive than it appears. It encrypts a victim’s data, replaces the Master Boot Record with a custom one, and corrupts the partition table while providing no way to undo these critical changes.

Sep. 22. A sample called InfinityLock is discovered that displays an unusual ransom note featuring animated effects. Having completed data encryption, it triggers a bogus Command Prompt window that imitates a hacker typing certain commands in real time.

Sep. 22. The newest variant of the Locky ransomware, which stains encrypted files with the .ykcol extension, is becoming increasingly prevalent. It is being distributed via six large-scale malspam waves. The Ykcol edition demands 0.25 Bitcoin (about $1,000) for data decryption.

Sep. 21. CyberDrill_2, yet another offshoot of the open source Hidden Tear ransomware, starts making the rounds. It displays a WannaCry-style warning window, concatenates the .cyberdrill string to locked files and demands 5 Bitcoin for decryption.

Sep. 20. There is reportedly an ‘ethical’ discussion going on in the Eastern European cybercriminal underground regarding ransomware distribution. Some administrators of Dark Web resources argue that ransomware shouldn’t be practiced because it attracts too much attention and prevents other types of cybercrime from evolving.

Sep. 18. An updated version of Locky is released. It switches to using the .ykcol suffix for hostage files. By the way, that’s ‘locky’ spelled backward. This spinoff drops rescue notes named ykcol.htm and ykcol.bmp.

Sep. 14. The strain called PSCrypt, which gained notoriety for targeting specifically Ukrainian users and organizations, gets a facelift. Its latest build appends the .paxynok extension to encrypted files and displays a ransom note in Russian.

Sep. 13. A file-encrypting Trojan called Paradise definitely doesn’t live up to its name. It uses the asymmetric RSA-1024 cryptosystem to make one’s files inaccessible and appends the .[info@decrypt.ws].paradise extension to them. It is spreading on a RaaS (Ransomware-as-a-Service) basis.

Sep. 12. The developers of GlobeImposter, one of the most prolific ransomware strands at this point, decide to pay homage to the 40th US President. The most recent variant of this infection subjoins the .reaGAN extension to ransomed files and instructs victims to send a message to Ronald_Reagan@derpymail.org for instructions.

Sep. 11. Two new versions of the Jigsaw ransomware go live during one day. Both target Polish users, replace the desktop background with the Grim Reaper themed image, and concatenate the .pablukCRYPT or .pabluk300CrYpT! extension to victims’ files.

Sep. 7. Researchers discover that the binary of a brand new GlobeImposter ransomware sample has a valid signature issued by Comodo RSA Code Signing CA. This specimen appends the .f41o1 extension to files and drops a ransom note named READ_IT.html. Later on the same day, a .4035 extension variant surfaces with the certificate revoked.

Sep. 5. A massive SynAck ransomware campaign takes root. It mostly hits businesses via compromised RDP services. The ransom amounts to $2,100 worth of Bitcoin. Interestingly, the crooks’ Bitcoin wallet holds nearly 100 BTC (about $400,000), so the extortionists must have had some success with their nefarious activity.

Sep. 4. Three cybercriminal crews hijacked 26,000 MongoDB servers in a couple of days. The threat actors spotted online-accessible MongoDB installs with weak or no authentication and replaced their content with a ransom note asking for 0.05-0.5 BTC.

Sep. 1. A new version of the CryptoMix ransomware is discovered. It replaces filenames with 32 random hexadecimal characters, affixes the .arena extension to each one, and drops a recovery how-to document named _HELP_INSTRUCTION.txt.

Sep. 1. Operators of the Locky ransomware campaign add another smart contamination vector to their repertoire. The infection chain still harnesses malicious Word macros but is now triggered when a would-be victim closes a trojanized malspam attachment.


Aug. 31. The architects of the Princess Locker ransomware campaign add another clever distribution vector to their portfolio. They start leveraging the RIG exploit kit to contaminate computers. Therefore, simply visiting a compromised website may be enough to get infected.

Aug. 29. A number of hospitals in Lanarkshire, Scotland, fall prey to a blackmail Trojan called BitPaymer. The perpetrating code infiltrated the institutions’ IT networks via RDP services and crippled their telephone and staff recruiting systems. The crooks demand a whopping ransom of 53 Bitcoin (about $200,000).

Aug. 25. A brand-new Trojan development kit surfaces on the Android ransomware arena. Contrived by a Chinese malware developer, the solution makes it amazingly easy to devise custom builds of the infamous Lockdroid ransomware.

Aug. 24. Security analysts discover a strain called the Defray ransomware. It stands out from the rest because its intended set of victims includes large US and UK companies from technology, manufacturing, healthcare and education segments. Defray’s entry point is spear phishing.

Aug. 21. According to fresh cybersecurity statistics by McAfee, nearly 30% of all ransomware samples spotted in June were spinoffs of Hidden Tear, a notorious proof-of-concept crypto infection originally devised for educational purposes.

Aug. 19. A new specimen from the prolific Dharma/CrySiS ransomware lineage is discovered. It blemishes encrypted files with the .cesar extension and drops a rescue note named Info.hta. Just like its predecessors, the culprit enters computers via hacked remote desktop services.

Aug. 18. LG, a South Korean electronics giant, falls victim to the nasty WannaCry ransomware that took the world by storm in mid-May. The perpetrating program reportedly harnessed unpatched software vulnerabilities to infect self-service kiosks in the company’s customer service centers across South Korea.

Aug. 17. Cybersecurity services provider Check Point shares some interesting findings on the ecosystem of spam-borne malware. According to their latest Global Cyber Attack Trends 2017 report, ransomware accounted for the majority of all infections distributed via malicious spam in the second quarter of 2017.

Aug. 16. A new edition of the infamous Locky ransomware is released. It concatenates the .lukitus extension to victims’ files and drops ransom walkthroughs named lukitus.htm and lukitus.bmp. There is currently no way to decrypt data locked by this variant other than paying the ransom.

Aug. 16. Researchers spot a revolutionary ransomware strain called SyncCrypt. It slips under the radar of antivirus tools due to an intricate infection routine leveraging WSF spam attachments that download booby-trapped image files. Because security suites tend to treat images as benign objects, SyncCrypt passes undetected.

Aug. 15. Online extortionists turn another PoC ransomware project into a real-world menace. This time it’s an ‘educational’ infection targeting PHP web servers. It was contrived and outsourced by an Indonesian programmer in 2016. Cybercrooks have since used the code to create custom strains, including JapanLocker and, more recently, the EV ransomware zeroing in on WordPress sites.

Aug. 11. A 51-year-old man is arrested in Ukraine for infecting a number of local firms with the destructive Petya.A ransomware. The investigation revealed that these were pseudo attacks aimed at tax evasion via staged loss of the companies’ accounting data.

Aug. 11. The Gryphon ransomware, a BTCWare family spinoff, starts sailing its own boat as a standalone lineage. The latest variants drop a ransom note named HELP.txt and speckle encrypted files with the .gryphon or .crypton extension preceded by the attacker’s contact email address.

Aug. 7. GlobeImposter 2.0 is shaping up to be the most frequently updated ransomware strand across the board. It spawns seven new offshoots during one week. These variants append the following extensions to hostage files: .492, .725, .726, .astra, .coded, .crypt, and .sea.

Aug. 4. Cerber, a true heavyweight in the ransomware arena, undergoes an update. In addition to uncrackable data encryption, the new iteration features spyware hallmarks. It steals information from Bitcoin wallet applications if they are spotted on an infected host.

Aug. 2. Security experts discover a new sample called the Crystal ransomware. It goes equipped with a virus promotion module that surreptitiously downloads other malware. To top it off, the strain includes a flooder component leveraged for DDoS attacks.

Aug. 1. Merck, a large US pharmaceutical company, continues to incur tangible remediation costs after falling victim to the NotPetya ransomware in late June. The pharma giant is still having issues with sales, manufacturing and research operations disrupted by the incursion.


Jul. 27. According to Google’s analysts, 95% of all ransomware payouts made since 2014 were cashed out via a Bitcoin trading service called BTC-e. Based on this evidence, Greek police apprehend 38-year-old Russian national Alexander Vinnik, the owner of said cryptocurrency trading platform.

Jul. 26. A crew of Italian researchers presents a ‘self-healing, ransomware-aware filesystem’ add-on called ShieldFS, which may become a breakthrough in combatting blackmail viruses. It accurately detects and halts ransomware activity and boasts the ability to revert malicious data encryption.

Jul. 24. A free decryption tool is released for the original variant of MFT-encrypting Petya ransomware and related crypto infections called Goldeneye and Mischa. However, the decryptor doesn’t apply to the recent Petya.A Trojan, which appears to have been created independently from its prototype.

Jul. 22. Several new spinoffs of the GlobeImposter ransomware go live during a single day, which is unprecedented productivity for the extortion ecosystem. These derivatives label ransomed data with the .crypt, .gotham, and .mole extension tokens and leave a decryption how-to tutorial named how_to_back_files.html.

Jul. 21. A brand-new sample called BitShifter turns out to be more harmful than commonplace ransomware. It includes a reconnaissance component that zeroes in on cryptocurrency wallet information. The culprit uses the WebSocket protocol to send the stolen data to its operators.

Jul. 18. FedEx, an international courier services company, struggles to recover from the NotPetya ransomware onslaught that affected its worldwide operations in June. The infection reportedly took root from the Ukrainian TNT Express division. The financial impact is likely to be material.

Jul. 17. Reyptson, a new crypto infection targeting Spanish-speaking users, steals its victims’ Thunderbird account information, including login credentials and contacts list. When done, it triggers a self-spreading routine by sending emails with trojanized attachments to the plagued user’s contacts.

Jul. 15. Michael Gillespie, the author of the ID Ransomware service, devises a free decryption tool for the Striked ransomware. The supported infection leaves a rescue note named README_DECRYPT.html and concatenates the attacker’s email address along with a unique victim ID to every encrypted file.

Jul. 12. Antimalware vendor Emsisoft releases an automatic decryptor for all known editions of the blackmail Trojan dubbed NemucodAES. For the record, this specimen employs a combo of RSA and AES-128 ciphers to lock down victims’ files, leaves original filenames unaltered and drops a ransom manual named Decrypt.hta.

Jul. 11. Australian law enforcement agencies apprehend a 75-year-old man as part of an investigation of a large-scale online extortion campaign. The arrestee reportedly created a few rogue tech support companies that accepted and laundered ransomware payments.

Jul. 10. Two apps available on Google Play, ‘Booster & Cleaner Pro’ and ‘Wallpapers Blur HD’, are found to promote Android ransomware called LeakerLocker. When installed, the pest steals a victim’s images, text messages and browser history and demands $50 for not sending the private information to all their contacts.

Jul. 6. A person who goes under the online alias ‘Janus’ and claims to be the creator of the original Petya ransomware dumps the master decryption key for this Trojan and the affiliated infections known as Mischa and Goldeneye. Researchers confirm that the key is valid.

Jul. 5. Two individuals are arrested by Chinese police on suspicion of distributing Android ransomware called SLocker. The ne’er-do-wells disguised the malicious app as a King of Glory game plugin. The offending program imitates the GUI of WannaCry, a sophisticated ransomware targeting Windows.

Jul. 4. Ukrainian police seize servers belonging to M.E.Doc, a local vendor of accounting software that was used to deploy the NotPetya campaign. The perpetrating program reportedly arrived at numerous computers as part of a trojanized software update rolled out by the company.

Jul. 3. Security Report 2016/17 published by German IT-security institute AV-TEST categorizes ransomware as a ‘marginal phenomenon’. As per their findings, ransomware accounted for a negligible 0.94% of all cyber-attacks recorded in 2016.

Jul. 1. ESET exposes connections between the recent NotPetya campaign, XData ransomware onslaughts from late May, and incursions targeting Ukrainian power grid back in 2015. The common denominator is that all of these attacks were attributed to a cybercriminal crew dubbed Telebots, or BlackEnergy.
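The Q3 entries above name a large number of file extension tokens (.ykcol, .lukitus, .arena, .cesar, .reaGAN and so on) and ransom note file names (ykcol.htm, READ_IT.html, _HELP_INSTRUCTION.txt, Info.hta and others). The following script is an added example, not part of the report or of any vendor tool it mentions: it turns those indicators into a small triage scanner that walks a file listing and flags directories that look like they were hit, attributing them to the family the diary associates with each token. The file listing is constructed for the example; a generic note name such as HELP.txt on its own is deliberately not enough to raise a verdict, since it needs at least one renamed file beside it.

```python
import ntpath
from collections import Counter

# Extension tokens listed in the Q3 2017 diary, mapped to the family the diary
# attributes them to. Keys are lower-case; matching is on the file name's tail.
EXTENSION_FAMILIES = {
    ".ykcol": "Locky (Ykcol)",
    ".lukitus": "Locky (Lukitus)",
    ".cyberdrill": "CyberDrill_2 (Hidden Tear)",
    ".paxynok": "PSCrypt",
    ".[info@decrypt.ws].paradise": "Paradise",
    ".reagan": "GlobeImposter",
    ".f41o1": "GlobeImposter",
    ".4035": "GlobeImposter",
    ".gotham": "GlobeImposter",
    ".mole": "GlobeImposter",
    ".arena": "CryptoMix",
    ".cesar": "Dharma/CrySiS",
    ".gryphon": "Gryphon (BTCWare)",
    ".crypton": "Gryphon (BTCWare)",
    ".pablukcrypt": "Jigsaw",
    ".pabluk300crypt!": "Jigsaw",
}

# Ransom note file names from the same entries (lower-case for comparison).
RANSOM_NOTES = {
    "ykcol.htm": "Locky (Ykcol)",
    "ykcol.bmp": "Locky (Ykcol)",
    "lukitus.htm": "Locky (Lukitus)",
    "lukitus.bmp": "Locky (Lukitus)",
    "read_it.html": "GlobeImposter",
    "how_to_back_files.html": "GlobeImposter",
    "_help_instruction.txt": "CryptoMix",
    "info.hta": "Dharma/CrySiS",
    "help.txt": "Gryphon (BTCWare)",
    "readme_decrypt.html": "Striked",
    "decrypt.hta": "NemucodAES",
}

# Longest tokens first so ".[info@decrypt.ws].paradise" wins over shorter suffixes.
_TOKENS_BY_LENGTH = sorted(EXTENSION_FAMILIES, key=len, reverse=True)


def classify_name(name):
    """Return ("note", family) or ("encrypted", family) for one file name, else None."""
    low = name.lower()
    if low in RANSOM_NOTES:
        return ("note", RANSOM_NOTES[low])
    for token in _TOKENS_BY_LENGTH:
        if low.endswith(token):
            return ("encrypted", EXTENSION_FAMILIES[token])
    return None


def scan_listing(paths, min_encrypted=3):
    """Group hits per directory and return only directories that look compromised.

    A directory is reported when it holds at least `min_encrypted` renamed files,
    or a ransom note together with at least one renamed file. A lone note name
    (HELP.txt is a common legitimate name) is never enough on its own.
    """
    per_dir = {}
    for path in paths:
        directory, name = ntpath.split(path)  # handles both back- and forward slashes
        entry = per_dir.setdefault(directory, {"encrypted": 0, "notes": [], "families": Counter()})
        hit = classify_name(name)
        if hit is None:
            continue
        kind, family = hit
        entry["families"][family] += 1
        if kind == "note":
            entry["notes"].append(name)
        else:
            entry["encrypted"] += 1

    verdicts = {}
    for directory, entry in per_dir.items():
        corroborated = entry["notes"] and entry["encrypted"] >= 1
        if entry["encrypted"] >= min_encrypted or corroborated:
            verdicts[directory] = {
                "family": entry["families"].most_common(1)[0][0],
                "encrypted": entry["encrypted"],
                "notes": entry["notes"],
            }
    return verdicts


# Constructed sample listing (not real incident data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.ykcol",
    r"C:\Users\alice\Documents\notes.docx.ykcol",
    r"C:\Users\alice\Documents\ykcol.htm",
    r"C:\Users\alice\Documents\ykcol.bmp",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Shares\finance\0f1e2d3c4b5a69788796a5b4c3d2e1f0.arena",
    r"C:\Shares\finance\_HELP_INSTRUCTION.txt",
    r"C:\Shares\finance\quarterly.pdf",
    r"C:\Users\bob\Desktop\HELP.txt",  # lone generic note name: no verdict
]

if __name__ == "__main__":
    for directory, verdict in scan_listing(SAMPLE_LISTING).items():
        print(directory, "->", verdict)
```

Feeding it a real listing (for example the output of a recursive directory walk or a file-server audit export) gives a first cut of which shares were touched and by what, which is useful for scoping an incident before any decryptor is chosen.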

Stay tuned for the Q4 2017 edition of the Ransomware Report.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.


Q2 2017



Leaked NSA exploits play into threat actors’ hands

Ransomware plague continues to wreak havoc on organizations globally.

David Balaban

Menlo Park, Calif. – Jun. 30, 2017

The devastating WannaCry ransomware outbreak in May shaped up to be the game-changing event of the quarter. The Shadow Brokers hacker group dumped a slew of software exploits that the NSA had been stockpiling, and online extortionists weaponized these exploits for ransomware deployment. The worst part of this cybercrime frenzy is that WannaCry can infect a computer without engaging the user in the attack chain – the bad code silently slithers its way inside via security loopholes in the operating system’s architecture.

All in all, the ransomware plague kept wreaking havoc. The nasty Petya ransomware rose from the ashes after a year of standstill, locking down computer networks of large organizations in Europe. A South Korean company agreed to pay an unthinkable one-million-dollar ransom to crooks behind the Erebus strain. The felons are waging a cyberwar – sometimes politically flavored – against users, businesses and governments, so it’s about time to fight back adequately.



Jun. 28. Researchers discover that the updated Petya ransomware doesn’t run if it fails to execute a file named perfc.dat from the system folder. Therefore, all it takes to make a computer immune to the compromise is to create a new read-only file named perfc.dat inside the C:\Windows directory.
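The vaccine described in this entry, as an added example that is not part of the report and not a tool from the researchers it cites: a Python script that creates the read-only perfc.dat, is safe to run repeatedly, reports what it actually did on the host, and verifies the result by checking the file's permission bits rather than trusting that the call succeeded. The target directory is a parameter so the logic can be rehearsed in a temporary folder; the C:\Windows location comes from the entry above. Like any host-level vaccine, it only defeats this one check and does not stop an attacker who already holds administrator rights on the machine.

```python
import os
import stat
import tempfile

VACCINE_NAME = "perfc.dat"  # file name the report says the updated Petya looks for


def is_vaccinated(system_dir):
    """True when perfc.dat exists and has no owner write bit.

    On Windows, os.chmod(path, stat.S_IREAD) sets the read-only attribute and
    st_mode reflects it, so the same check works on both platforms.
    """
    path = os.path.join(system_dir, VACCINE_NAME)
    if not os.path.isfile(path):
        return False
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def vaccinate(system_dir):
    """Create an empty, read-only perfc.dat in system_dir.

    Returns "created", "already-hardened" or "made-read-only" so a deployment
    script can log what changed on each host.
    """
    path = os.path.join(system_dir, VACCINE_NAME)
    if not os.path.exists(path):
        with open(path, "wb"):
            pass  # the file only needs to exist; contents are irrelevant
        os.chmod(path, stat.S_IREAD)
        return "created"
    if is_vaccinated(system_dir):
        return "already-hardened"
    # The file is present but writable: clear the write bit so it cannot be replaced casually.
    os.chmod(path, stat.S_IREAD)
    return "made-read-only"


def demo():
    """Rehearse the vaccine in a temporary directory standing in for C:\\Windows."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {"before": is_vaccinated(tmp)}
        results["first_run"] = vaccinate(tmp)
        results["second_run"] = vaccinate(tmp)
        results["after"] = is_vaccinated(tmp)
        # Restore the write bit so the temporary directory can be removed on Windows as well.
        os.chmod(os.path.join(tmp, VACCINE_NAME), stat.S_IREAD | stat.S_IWRITE)
    return results


if __name__ == "__main__":
    if os.name == "nt":
        # Real target from the report; run from an elevated prompt.
        print(vaccinate(os.environ.get("SystemRoot", r"C:\Windows")))
    else:
        print(demo())
```

The return values are the useful part for fleet deployment: a management script can push this to every workstation and collect "created" versus "already-hardened" per host to confirm coverage instead of assuming it.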

Jun. 27. The notorious Petya ransomware makes a reappearance. Its modified variant primarily infects numerous organizations in Ukraine, including critical infrastructure entities, then spreads to other European countries. Analysts blame this wave on state-sponsored hackers from Russia. One of the reported entry points is a trojanized update rolled out for accounting software called M.E.Doc.

Jun. 23. According to the latest Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the overwhelming majority of ransomware victims choose not to report their incidents to law enforcement.

Jun. 22. A new incarnation of the prolific Locky ransomware gains momentum on the cybercrime landscape. While the architects of this campaign still rely on the Necurs botnet-borne spam for distribution, the attack surface is now restricted to machines running Windows XP and Vista.

Jun. 22. The ubiquitous WannaCry ransom Trojan contaminates 55 red light and speeding cameras in the state of Victoria, Australia. Local authorities are thus forced to suspend about 8,000 traffic violation tickets issued during the road safety systems’ outage.

Jun. 21. The WannaCry plague disrupts the operations of a Honda car plant in Sayama, Japan. Obviously, the vehicle manufacturer’s efforts to protect its IT networks from this strain after the original outbreak in May didn’t turn out to be effective enough.

Jun. 20. Nayana, a South Korean web hosting provider, opts for the biggest ransomware payout to date. The size of the ransom is a whopping $1 million. This is the aftermath of a defiant attack by the Erebus ransomware that hit the company’s 153 Linux servers, which in turn affected more than 3,000 hosted websites.

Jun. 19. The SamSam ransomware, also referred to as Samas, returns after a hiatus of several months. The three new editions of this perpetrating program use the following extensions to blemish hostage files: .breeding123, .mention9823, and .suppose666.


Jun. 15. University College London (UCL) falls victim to an unidentified ransomware sample. The infection reportedly came in via a phishing email and crippled the student management system and shared drives.

Jun. 14. Security vendor Avast devises a mechanism to decrypt the EncrypTile ransomware for free. This sample allows victims to select their preferred language on the ransom note. It has been in the wild since October 2016.

Jun. 14. Malware analysts at Kaspersky Lab defeat the crypto of the Jaff ransomware, which is believed to be a successor of Locky. The company’s RakhniDecryptor tool now supports Jaff variants that append the .jaff, .sVn or .wlu extension to encrypted files.

Jun. 13. The above-mentioned Nayana web hosting company based in South Korea suffers the consequences of a massive ransomware attack. The strain called Erebus encrypted data stored on the provider’s Linux web servers, which caused tremendous collateral damage for numerous customer websites.

Jun. 10. French law enforcement agencies seize a number of Tor relays as part of an investigation into the WannaCry ransomware campaign. These are Tor entry guard nodes allegedly used by the ransomware distributors to contact their C2 server.

Jun. 9. Security researchers spot the first known Ransomware-as-a-Service hub on the dark web that hosts viable ransomware targeting macOS. This offbeat RaaS called MacRansom allows wannabe criminals to purchase a custom build of the infection.

Jun. 8. Analysts at McAfee unveil some interesting details of the WannaCry ransomware. According to their findings, the offending code might have been originally tailored for non-extortion purposes.

Jun. 5. Michael Gillespie, a well-known researcher who created the ID Ransomware service, releases an updated edition of his Jigsaw Decrypter. Thanks to new enhancements, the free tool is now capable of restoring files with the .lost, .ram and .tax extensions locked by the Jigsaw strain.

Jun. 2. Security experts discover about 4,500 vulnerable Hadoop servers worldwide that have no authentication and contain over 5,000 terabytes of information. These are disconcerting statistics, given the massive wave of ransomware attacks fired at Hadoop servers in January 2017.


May 30. An individual affiliated with the XData ransomware dumps Master Decryption Keys for the infection on Bleeping Computer forums. Based on this data, Kaspersky and a few more vendors quickly release free decryptors.

May 29. The No More Ransom project team joins efforts with CERT Polska and Avast to create effective decryption tools for the AES-NI, BTCWare and Mole ransom Trojans.

May 25. Interesting new facts are revealed regarding the WannaCry ransomware attribution. Having scrutinized its ransom notes from a linguistic perspective, researchers came to a conclusion that it was most likely developed by Chinese-speaking criminals who are also quite fluent in English.

May 23. Jaff ransomware, a probable offshoot of the Locky family, gets a new file extension token. Its latest variant concatenates the .WLU suffix to encrypted files. As before, the payload arrives via PDF email attachments with embedded booby-trapped Word documents asking victims to enable macros.

May 19. Crypto ransomware called XData starts making victims in Ukraine at an astonishing rate. The geographic localization of these attacks suggests that they might be part of Russia’s warfare against the neighboring country.

May 16. The author of the BTCWare file-encrypting malady releases the Master Decryption Key for the strain. This data allows IT analysts to devise tools that decrypt ransomed files without any payment.


May 16. Adylkuzz, a Monero cryptocurrency miner, appears to have utilized the notorious NSA exploits (EternalBlue and DoublePulsar) weeks before the WannaCry ransomware started making the rounds. Interestingly, Adylkuzz closes down SMB ports that the ransom Trojan uses to propagate, thus making infected machines bulletproof against WannaCry.

May 15. Cybercrooks in charge of the Philadelphia ransomware campaign start employing the RIG exploit kit in their multi-layered distribution mechanism. The exploit kit first drops a malware downloader component called Pony, which in its turn deposits the crypto infection onto PCs.

May 14. Brad Smith, Microsoft’s president and chief legal officer, publishes an article providing some food for thought on the WannaCry epidemic. One of the takeaways is that the NSA should do a much better job safeguarding the exploits it discovers.

May 13. A security enthusiast from the UK accidentally stops WannaCry distribution for a while by registering what’s called the “kill switch” domain. It turns out that the ransomware completes its attack chain only if this domain is unregistered.

May 12. WannaCry, or Wana Decrypt0r 2.0, begins its large-scale extortion campaign. It quickly becomes the world’s top ransomware threat due to a sophisticated attack vector involving NSA exploits dubbed EternalBlue and DoublePulsar. Effectively, the malicious code enters computers via open SMB ports, so users get hit without clicking anything.

May 11. The new Jaff ransomware is spotted in the wild. Its makers appear to have borrowed some features from Locky, which could be an indicator that the two are from the same family. In particular, Jaff uses the same Tor payment page and spreads with the Necurs botnet.

May 8. A law firm based in Rhode Island demands insurance compensation over a ransomware attack. The firm had purportedly paid a ransom of $25,000 to restore their proprietary records and lost about $700,000 in billings because of the compromise.

May 5. New Jigsaw ransomware edition that appends the .fun string to locked files doesn’t follow the classic spam or exploit kit based infection scenario. Its payload is camouflaged as a credit card generator called CCgen2017.

May 3. The Cerber ransomware reaches version 6 and now goes equipped with top-notch AV evasion capabilities. It also accommodates anti-VM features that prevent researchers from reverse-engineering the code.

May 1. Emsisoft CTO Fabian Wosar creates a free decryption tool for the CryptON ransomware variant called Cry123, which contaminates computers by compromising remote desktop services.


Apr. 30. New CryptoMix offspring uses the .wallet extension to speckle hostage files. This indicator of compromise tangles ransomware identification because some other strains, including Dharma and CrySiS, append data entries with the exact same string. The crooks should expand their vocabulary, obviously.

Apr. 29. Malware researchers discover the Mini ransomware. It’s not a commonplace sample because its code is based on Hidden Tear, a benign proof-of-concept ransom Trojan originally pursuing educational purposes.

Apr. 27. The Cerber ransomware starts spreading via the “Blank Slate” spam campaign, which disseminates a contagious email attachment in RTF format. When opened, this document harnesses the CVE-2017-0199 vulnerability to execute a malicious Visual Basic script behind the user’s back.

Apr. 25. Mole ransomware, a new sample from the CryptoMix lineage, propagates via an intricate scheme that engages a phony Word online site hosting a ZIP archive with malicious JavaScript file inside. This payload delivery mechanism also promotes click-fraud malware called Kovter and Miuref.

Apr. 23. Ransomware victims can use additional new features of the ID Ransomware portal. Different strains are now identifiable by Bitcoin address, email or Tor URL provided in the ransom note.

Apr. 21. Having vanished from the ransomware radar in late 2016, the Locky ransomware resumes its extortion activity. Its Osiris variant is deposited on computers via botnet-backed spam. Bogus Word receipts embedded in these emails contain malicious VBA macros.

Apr. 20. Proliferation of a new sample called AES-NI relies on NSA hacking tools leaked by black hat hackers in mid-April. In particular, this strain takes advantage of security loopholes in server message block (SMB) protocol.

Apr. 18. Security analysts discover a Russian Ransomware-as-a-Service (RaaS) platform sustaining the distribution of the Karmen ransomware. This infection is based on Hidden Tear, the ill-famed academic ransomware by a Turkish coder named Utku Sen.


Apr. 14. According to Cybercrime tactics and techniques Q1 2017 report by Malwarebytes, the Cerber ransomware is the world’s most widespread file-encrypting threat. Its market share reached 86.98% in March.

Apr. 13. While some threat actors set up RaaS portals to push their despicable business forward on an affiliate basis, the authors of the Cradle ransomware went a different route. They elected to put up their source code, server scripts and payment console for sale. The price for this kit called CradleCore is negotiable, starting at 0.35 BTC.

Apr. 12. A strain called Mole appears. Its makers utilize an offbeat propagation mechanism, where would-be victims are duped into visiting a fake Microsoft Word Online page. This page hosts the bad payload camouflaged as a must-download plugin.

Apr. 10. Emsisoft updates their decryptor for the Cry9 ransomware to ensure smoother performance and broader coverage of the infection’s variants. The sample in question is a CryptON strain spinoff that infiltrates computers via hacked remote desktop services.

Apr. 7. The Matrix ransomware gets a substantial propagation boost. Its worldwide circulation engages several top-notch components, including the so-called EITest scripts running on compromised websites, as well as the RIG exploit kit that drops the payload proper.

Apr. 6. A Korean programmer nicknamed Tvple Eraser creates a crypto virus called Rensenware. To decrypt their data, victims have to score 200 million in a computer game called TH12 ~ Undefined Fantastic Object. According to the ne’er-do-well’s tweets, his motivation was to have fun.

Apr. 6. An Austrian law enforcement agency apprehends a 19-year-old individual on suspicion of infecting a local company’s computer network with the Philadelphia ransomware. The teenager reportedly demanded $400 worth of Bitcoin for decryption, but the infected Linz-based firm refused to pay up.

Apr. 4. Bitdefender releases a tool that cracks the Bart ransomware for free. This strain features offline encryption mode, appends files with the .perl, .bart or .bart.zip extension, and displays a Locky-style ransom screen.

Apr. 1. Taking the floor at the Black Hat Asia 2017 conference, researchers from the security firm Cylance present proof-of-concept UEFI ransomware. This academic infection compromises Gigabyte BRIX small computer kits by leveraging weaknesses in their firmware.

Stay tuned for the Q3 2017 edition of the Ransomware Report.



Q1 2017

RansomwareReport.com provides a quarterly diary of noteworthy ransomware-related events that impacted end users and organizations around the globe.


Ransomware epidemic grows, new online extortion trends taking root

Crypto infections rampant on open source DB servers and Android devices, Spora and Locky continue propagating.

David Balaban

Menlo Park, Calif. – Apr. 6, 2017

The increasingly competitive ransomware ecosystem keeps spawning novel attack vectors. A series of large-scale extortion campaigns targeted thousands of MongoDB, CouchDB, Hadoop and MySQL servers in the first quarter of 2017. Some crooks have come to emphasize customer support, as is the case with the new Spora ransomware. Android crypto infections are starting to employ dropper techniques that used to be confined to Windows.

To top it all off, police departments, county governments, libraries, schools, hotels and CCTV systems are still as susceptible to ransomware attacks as before. What does the future hold? Hopefully a breakthrough in combating this ubiquitous epidemic.



Mar. 31. A strain dubbed the Sanctions ransomware surfaces, and it’s ironic to the bone. It got its name from the image in the Restore_All_Data.html decryption how-to, in which a hungry Russian bear squeezes a person in its paw who says “Beware my sanctions!”

Mar. 29. Malwarebytes provides an in-depth analysis of the Sage ransomware and explains what makes it one of the top crypto threats these days. In particular, this perpetrating program encrypts data in offline mode and flawlessly uses a combination of elliptic curve cryptography (ECC) and the ChaCha20 algorithm.

Mar. 28. An Android ransomware sample is discovered that flies under the radar of mobile security programs. Its payload is camouflaged as a popular Russian social networking app called OK. The infection demands 500 rubles, which is worth about $9, for unlocking a device.

Mar. 27. Security patches included in the iOS 10.3 release address a notorious ransomware issue, where cybercrooks were able to lock the Safari browser on Apple’s mobile devices and request a ransom payable in iTunes gift cards.

Mar. 23. MalwareHunterTeam, a research group specializing in ransomware identification and analysis, provides disconcerting statistics on the reported Spora ransomware incidents. The infection encrypted 48,466,020 files belonging to 646 victims.

Mar. 22. A new variant of the prolific Jigsaw ransomware goes bundled with a cracked edition of a remote access tool (RAT) called Imminent Monitor. Interestingly, this strain provides data decryption steps right in the extension appended to scrambled files.

Mar. 22. Emsisoft CTO Fabian Wosar updates his previously released free decryptor for the Globe3 ransomware. The tool now supports the latest version of this file-encrypting Trojan.

Mar. 22. Researchers at the ERPScan business application security provider discover a vulnerability in SAP enterprise software that may allow threat actors to send and execute ransomware payloads on SAP Windows clients.

Mar. 20. Locky ransomware, one of the most prevalent crypto infections of 2016, appears to be gradually vanishing from the cybercrime arena. Analysts found ties between this extortion campaign and the Necurs botnet, which no longer spews Locky spam.

Mar. 16. CryptON, or Nemesis, ransomware is no longer a problem as the Emsisoft team devises a free decryption tool for this sample. The solution can handle all variants of this perpetrating program, including the latest one.

Mar. 16. The new Star Trek-themed Kirk ransomware is definitely not a run-of-the-mill strain. This Python-based infection accepts the Monero cryptocurrency rather than the widespread Bitcoin and uses a decryption service called Spock.

Mar. 14. An offbeat incarnation of the notorious Petya ransomware called PetrWrap is spotted in the wild. This one is leveraged in targeted attacks against organizations. Like its prototype, PetrWrap encrypts the MFT (Master File Table) of NTFS partitions on infected machines.

Mar. 11. Fabian Wosar, a renowned researcher mentioned above, demonstrates the process of analyzing and cracking the new Damage ransomware in a live video session.

Mar. 10. Two multinational technology companies discover that 38 Android smartphones used by their employees were shipped with pre-installed Slocker ransomware and Loki adware. Security analysts blame it on parties involved in the supply chain.

Mar. 9. A fresh version of the Cerber ransomware keeps original filenames intact instead of replacing them with 10 random hexadecimal characters as it used to do. It still appends files with a four-character extension that matches the computer’s MachineGuid value.

Mar. 8. Cisco’s Talos Intelligence Group dissects the new Crypt0L0cker, or TorrentLocker, a campaign that broke out after a year-long pause. The article covers new features of the ransomware and reveals that the epidemic is mostly isolated to Europe.

Mar. 6. The computer infrastructure of the Pennsylvania Senate Democratic Caucus gets hit by an unidentified ransomware strain. The infection rendered the target’s entire IT network inoperable.

Mar. 2. Kaspersky Lab updates its RakhniDecryptor solution so that it can restore data ciphered by the Dharma ransomware. This win became possible after someone released the master decryption keys for this sample on the Bleeping Computer security forums.


Feb. 23. The latest version of the Android.Lockdroid.E ransomware stands out from the crowd because it has added a speech recognition feature to the extortion cycle. It instructs victims to speak their unlock code obtained after paying the ransom.

Feb. 22. A new ransom Trojan called MacOS Patcher infects Mac machines under the guise of cracking tools for popular software suites, including Adobe Premiere Pro CC 2017 and Office 2016. The crypto is buggy, so it may be impossible to restore files even if the ransom is paid.

Feb. 22. Cybercrooks start distributing Trump Locker, a ransomware strain functionally similar to the existing VenusLocker sample. This provocative infection fully encodes widespread types of files and applies partial encryption for less popular ones.

Feb. 21. Avast devises a free decryption tool that reinstates data scrambled by an edition of the CryptoMix ransomware that operates in offline, or autopilot, mode.

Feb. 20. A research team at Emsisoft updates its decryptor for the MRCR, or Merry X-Mas, ransomware. The utility is now capable of restoring files with the .merry extension locked by the newest variant of the plague.

Feb. 16. Fabian Wosar of Emsisoft, online extortionists’ worst enemy, sets up a streaming video session in which he reverse-engineers the new Hermes ransomware and finds vulnerabilities in its crypto implementation.

Feb. 15. In a defiant move, the developers of Cerber ransomware release a variant that does not encode files related to antivirus suites. This way, the threat actors may be demonstrating that the present-day security solutions aren’t much of a hindrance to this nefarious business.

Feb. 14. According to Kaspersky Lab, about 75% of ransomware samples propagating in 2016 were attributable to the activity of Russian-speaking threat actors.

Feb. 14. Three researchers from the Georgia Institute of Technology take the floor at RSA Conference in San Francisco to present their proof-of-concept ransomware that targets industrial control systems (ICS).

Feb. 9. A new crypto threat called the Serpent ransomware is discovered. It hails from the same family as the notorious WildFire Locker and Hades Locker samples. Serpent spreads via spam and zeroes in on Danish-speaking users.

Feb. 8. The ID Ransomware online portal by MalwareHunterTeam reaches an important milestone. It is now capable of identifying 300 different ransomware lineages by ransom notes or sample encrypted files.

Feb. 6. The Android.Lockdroid.E ransomware, which targets Android devices, gets more sophisticated. It starts leveraging a dropper technique to determine whether a gadget is rooted or not and then proceeds with the infection chain based on the response.

Feb. 3. A British man and a Swedish woman, both 50 years old, get arrested in London for infecting the closed-circuit television system of Washington, D.C. with ransomware. The cyber-attack, which affected 70% of storage devices on the CCTV network, reportedly took place a week before Donald Trump’s inauguration.

Feb. 2. Avast complements its list of free decryptors with three more tools. The new ones can unencrypt data scrambled by the Jigsaw, Hidden Tear, and Stampado ransomware.


Jan. 31. An aggressive ransomware infection poisons computer systems of the government of Licking County, Ohio. As collateral damage, local 911 emergency services stopped functioning as well.

Jan. 31. An intricate campaign involving fake Google Chrome font update popups distributes the Spora ransomware. The contamination chain is triggered behind the scenes as soon as an unsuspecting user opts for the bogus font update for the browser.

Jan. 29. Four-star Austrian hotel Romantic Seehotel Jaegerwirt falls victim to ransomware. The perpetrating code affects the hotel’s cash desk, reservation, and electronic key lock systems.

Jan. 26. The Osiris variant of Locky ransomware contaminates the IT infrastructure of Cockrell Hill police in Texas. The infection cripples a vast amount of evidence, including all Microsoft Office documents, photos, surveillance and body camera videos.

Jan. 24. Predictably enough, the high-profile Spora ransomware expands its reach. Having originally propagated in former Soviet countries only, it starts infecting users worldwide.

Jan. 23. Security analysts state that the new Sage 2.0 ransomware is shaping up to be a major player in the online extortion ecosystem. It is being distributed by the same cybercrime ring as the one behind Locky, Cerber and Spora strains.

Jan. 20. Ransomware infects 16 branches of the Saint Louis Public Library, holding valuable data on more than 700 machines hostage. The crooks demand a ransom of $35,000 for recovery.

Jan. 19. Researchers discover a new Ransomware as a Service portal supporting the Satan ransomware campaign. The service enables interested parties to build their custom edition of the Trojan. The architects of this RaaS get a 30% cut from all ransoms paid by victims.

Jan. 18. A group of cybercrooks targets unsecured CouchDB and Hadoop servers around the world. The attackers hijack such databases, erase their content and instruct victims to submit 0.2 Bitcoin to restore the data.

Jan. 15. Michael Gillespie, the author of ID Ransomware service, releases a tool called CryptoSearch. It scans a computer for files encrypted by ransomware and allows the victim to back them up to a specified location. This should streamline the data recovery process if an ad hoc decryptor appears in the future.
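As an added example that is not code from this report, from CryptoSearch or from the ID Ransomware service, the Python below combines what the Feb. 8 and Jan. 15 entries describe: it maps appended extensions to suspected ransomware families and stages copies of matching files for a decryptor that may appear later. The extension table contains only extensions named in this report, and the function names (identify, stage_encrypted_files, demo) and the sample file names are constructed for the example.

```python
"""Extension-based ransomware triage (added example, not CryptoSearch or ID Ransomware)."""
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Extension -> family table built only from extensions named in this report.
# An appended extension is a hint, not proof: real identification services also
# match ransom notes and file headers, and some strains reuse generic suffixes.
EXTENSION_FAMILIES = {
    ".osiris": "Locky", ".thor": "Locky", ".aesir": "Locky",
    ".wallet": "Dharma",
    ".merry": "Merry X-Mas (MRCR)",
    ".oops": "Marlboro",
    ".decrypt2017": "Globe3", ".hnumkhotep": "Globe3",
    ".blt": "Globe2", ".raid10": "Globe2", ".zendr4": "Globe2",
    ".purge": "Globe", ".globe": "Globe", ".okean-1955@india.com": "Globe",
    ".cryp1": "CryptXXX", ".crypt": "CryptXXX", ".crypz": "CryptXXX",
    ".adk": "Angry Duck",
    ".perl": "Bart", ".bart": "Bart", ".bart.zip": "Bart",
}


def identify(path) -> Optional[str]:
    """Return the suspected family for a file name, or None if unknown.
    Two-part extensions (.bart.zip) are tried before the last suffix alone."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    for n in (2, 1):
        if len(suffixes) >= n:
            ext = "".join(suffixes[-n:])
            if ext in EXTENSION_FAMILIES:
                return EXTENSION_FAMILIES[ext]
    return None


def stage_encrypted_files(root: Path, dest: Path) -> Counter:
    """Walk `root`, copy every recognised file into `dest` (mirroring the relative
    path) and return a per-family count. Originals are left untouched; copy2 keeps
    timestamps, which matter for the incident timeline."""
    try:
        dest.resolve().relative_to(root.resolve())
    except ValueError:
        pass  # dest is outside root, as required
    else:
        raise ValueError("staging directory must be outside the scanned tree")
    tally: Counter = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        family = identify(path)
        if family is None:
            continue
        target = dest / path.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        tally[family] += 1
    return tally


def demo() -> dict:
    """Build a constructed sample tree (dummy contents) and run the triage over it."""
    constructed = [
        "docs/budget.xlsx.osiris",                            # Locky, Osiris variant
        "docs/notes.txt.thor",                                # Locky, Thor variant
        "photos/trip.jpg.id-0001.[mail@example.com].wallet",  # Dharma naming pattern
        "reports/q4.pdf.bart.zip",                            # Bart, two-part extension
        "reports/clean.pdf",                                  # untouched file, must be skipped
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "victim", Path(tmp) / "staging"
        for rel in constructed:
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample content")
        tally = stage_encrypted_files(root, dest)
        staged = sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())
    return {"families": dict(tally), "staged": staged}


if __name__ == "__main__":
    print(demo())
```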

Jan. 12. Emsisoft tailors a free decryption tool for the new Marlboro ransomware, which appends the .oops extension to locked files. Interestingly, it took the company’s research team less than one day to defeat the crypto and release the fix.

Jan. 10. Ransomware called Spora is spotted in the wild. This sample is out of the ordinary because it operates in an offline mode, implements the crypto part immaculately and boasts a professionally crafted payment service.

Jan. 10. Los Angeles Valley College suffers the consequences of a newsmaking ransomware attack that made its email servers and student data inaccessible. The LA college district ends up paying a hefty ransom of $28,000.

Jan. 7. Ransomware deployers zero in on UK educational institutions, cold-calling school staff and duping them into opening malicious ZIP files attached to rogue emails.

Jan. 4. A strain called the Merry X-Mas ransomware makes an appearance. The developers of this Christmas-themed infection identify themselves as ComodoSecurity. The pest is equipped with a data-stealing module powered by the DiamondFox malware.

Jan. 4. Emsisoft cooks up another decryptor. The free tool can restore data encoded by Globe ransomware version 3, which blemishes files with the .decrypt2017 or .hnumkhotep extensions.

Jan. 3. Extortionists hit poorly protected MongoDB databases, export their content and replace it with an instruction to pay 0.2 Bitcoin to get the stolen data back. The number of compromised servers reaches 28,000 in a few days.

Jan. 1. Senate Bill 1137 takes effect in California. It identifies ransomware distribution as a standalone felony rather than a type of hacking or money laundering. This initiative should considerably facilitate the prosecution workflow.

Stay tuned for the Q2 2017 edition of the Ransomware Report.



Q4 2016



Crypto ransomware targeting critical infrastructure

David Balaban

Menlo Park, Calif. – Jan. 14, 2016

Along with commonplace extortion campaigns affecting end users, threat actors pulled off a number of high-profile ransomware attacks during the final quarter of 2016.

In late November, an infection called HDDCryptor compromised the IT network of San Francisco Municipal Transit Agency, paralyzing the company’s critical services for several days. Another attack hit Carleton University in Canada around the same time. Obviously, the crooks are taking their nefarious activities to a whole new level.



Dec. 30. An article posted on the MalwareTech security blog dissects the controversial issue of proof-of-concept ransomware. The researchers emphasize that cybercriminals often leverage open source ransomware code to deploy real-world attacks.

Dec. 28. Security analysts discover a new screen locker that targets LG Smart TVs. This Android ransomware displays a counterfeit FBI-themed warning on an infected device’s screen and asks for $500 to unlock it.

Dec. 24. A ransomware strain called DeriaLock emerges on Christmas Eve. Its uniqueness revolves around the fact that the author can unlock all contaminated computers by executing a single command remotely.

Dec. 22. One of the most prolific ransomware samples of 2016 called Cerber gets updated. The new edition no longer obliterates Shadow Copies of its victims’ files and mainly targets Microsoft Office documents.

Dec. 21. The ransom note created by the new Free-Freedom ransomware mentions that its maker is 13 years old. Script kiddies are apparently trying their hand at something more sophisticated than defacing websites and hacking for fun.

Dec. 20. By virtue of the latest update, the RannohDecryptor tool by Kaspersky Lab is now capable of decrypting .cryp1, .crypt and .crypz files locked by the CryptXXX ransom Trojan.

Dec. 19. The Cybereason security firm creates a tool called RansomFree. The solution can detect most of the present-day ransomware strains and prevents them from compromising Windows computers.

Dec. 15. No More Ransom is a project containing a database of known ransomware families and providing free decryption tools. As of December 2016, this initiative engaged 34 new partnering organizations to fight the crypto epidemic.

Dec. 14. The distributors of the Cerber ransomware adopt a new social engineering tactic to deposit their malicious code on computers. Misleading emails disguised as credit card reports entice recipients into opening contagious Microsoft Word files.

Dec. 12. Analysts at Palo Alto Networks scrutinize the activity of the Samas, or SamSa, cybercriminal ring and come up with astonishing conclusions. The group’s estimated earnings amounted to more than $450,000 in 2016 alone.

Dec. 9. Cybercrooks use the CryptoWire proof-of-concept ransomware to devise real-world threats. The spinoffs called Lomix and UltraLocker are based on the open-source code published on GitHub.

Dec. 8. Victims of the new ransomware called Popcorn Time face an awful dilemma: to pay the ransom, or get their decryption key for free by sending the payload to two more people and getting them infected.

Dec. 6. A new GoldenEye ransomware specimen surfaces. Similarly to its prototype called Petya, it corrupts an infected machine’s master boot record and encrypts the master file table to render the system inoperable.

Dec. 5. The Locky ransomware, which gained notoriety for uncrackable crypto and massive distribution campaigns, gets updated. Its new version appends the .osiris extension to encrypted files, paying homage to Egyptian mythology.

Dec. 4. A 40-year-old ransomware developer nicknamed Pornopoker is apprehended at the Moscow Domodedovo Airport. He is suspected of creating and spreading the Ransomlock.P screen locker.

Dec. 2. The turnkey RaaS (Ransomware as a Service) kit called Alpha Locker is sold on Russian hacking forums for $60. This offending program is written in C# and boasts a lightweight 50 KB downloader.

Dec. 1. Researchers at Avast create four new decryption tools for the Alcatraz Locker, CrySiS, Globe, and NoobCrypt ransomware lineages. Those infected can download and use these apps for free.


Nov. 30. Security experts discover a rogue application called Electrum Coin Adder, which drops a sample of the Jigsaw ransomware along with a stealthy Bitcoin stealer.

Nov. 29. Crypto ransomware compromises email servers and a number of other administrative services at Carleton University in Canada. The attackers demand 39 Bitcoins for data recovery.

Nov. 28. The San Francisco Municipal Transit Agency (SFMTA) gets hit by HDDCryptor, a ransomware strain that overwrites computers’ master boot records. The attack paralyzes SF Muni’s automated fare system for several days. The malefactors demand 100 Bitcoins, or about $73,000.

Nov. 23. Cisco Talos Group spots a new Locky ransomware spam campaign disseminating malicious MHT files. The fake emails pretend to be from the HSBC financial services organization.

Nov. 21. A new .aesir file extension variant of Locky goes live. It spreads via Facebook spam luring users into opening booby-trapped SVG images. The infection chain involves the infamous malware downloader called Nemucod.

Nov. 18. The ID Ransomware service by MalwareHunterTeam can identify 238 ransomware types as of mid-November. It allows victims to upload a random encrypted file or ransom note and determine what ransomware strain they are confronted with.

Nov. 17. New Dharma ransomware appears literally days after the authors of its precursor called CrySiS released Master Decryption Keys for the previous campaign. The new variant appends crippled files with the threat actors’ email address and the .wallet extension.

Nov. 17. Fabian Wosar, a security researcher at Emsisoft, updates his free decryptor for the Globe ransomware. The app can now decode files with the .blt, .raid10 and .zendr4 extensions locked by Globe2.

Nov. 16. The Apocalypse ransomware developer contacts Fabian Wosar of Emsisoft, asking for assistance in fixing a bug in the crypto. The researcher refuses to help.

Nov. 14. The author of the CrySiS ransomware releases all Master Decryption Keys so that victims can restore their data. Experts at Kaspersky Lab use the keys to update their RakhniDecryptor app.

Nov. 9. New Telecrypt ransomware is discovered. It is one of a kind because it uses the Telegram API to communicate with Command and Control servers.

Nov. 8. An offbeat German ransomware surfaces. It pretends to be a PaySafeCard PIN code generator, thus obfuscating the file encryption routine. This sample concatenates the “.cry_” extension to one’s mutilated files.

Nov. 7. A new variant of the Jigsaw ransomware specifically targets French users. It leaves a ransom note in French and uses the .encrypted suffix to label affected files. Fortunately, its crypto is buggy, so researchers found a recovery workaround.

Nov. 4. Researchers at RSA Link publish an in-depth report on the evolution of the Cerber ransomware. In particular, the article provides an insight into Cerber’s Command and Control infrastructure and the new extension assigning principle in versions 4.1.x and later.

Nov. 3. The strain known as zScreenLocker adds some dirty politics to the extortion mix, displaying a desktop background that reads “Ban Islam.” This ransomware is potentially decryptable through brute-forcing of the unlock key.

Nov. 1. The Cerber ransomware starts indicating its version number explicitly in the warning message that replaces a victim’s original desktop background.


Oct. 27. The author of the fs0ciety ransomware sends a message to Emsisoft researcher Fabian Wosar, trying to sell 200 decryption keys for 10 Bitcoins. Mr. Wosar rejects the offer as he has already come up with a way to restore files encrypted by this infection.

Oct. 25. Locky ransomware starts appending the .thor extension to encrypted files. This edition can encrypt data in offline mode without requesting crypto keys from its C2 server.

Oct. 23. A new file-encrypting threat called Angry Duck features an apropos desktop background, uses the .adk file extension and demands an unusually high ransom of 10 Bitcoins.

Oct. 20. The sample dubbed JapanLocker zeroes in on web servers rather than personal data stored on victims’ computers. Coded in PHP, this infection encrypts website content and provides an email address for webmasters to reach the attacker for recovery steps.

Oct. 20. Cisco Talos Group creates MBRFilter, a tool that prevents ransomware from modifying a computer’s master boot record. In particular, this solution detects and blocks such strains as Petya and the GoldenEye ransomware.

Oct. 18. Another out-of-the-ordinary ransomware strain is discovered. It is camouflaged as a Click Me game, encouraging the victim to chase the button across the screen while the infection is encrypting important files and appending them with the .hacked extension.

Oct. 18. Polish security researcher @hasherezade releases free decryption tools for several variants of the 7ev3n ransomware.

Oct. 15. Malwarebytes analysts create a tool that decrypts files with the !XPTLOCK5.0 extension scrambled by the newest version of the DMA Locker ransomware.

Oct. 14. The new LockyDump command line tool by Talos Security Intelligence and Research Group facilitates the analysis of different Locky ransomware variants. Its virtualized environment enables researchers to safely extract configuration details and other properties of the infection.

Oct. 14. The Exotic Ransomware distributed by a cybercriminal ring dubbed EvilTwin operates in a bizarre way. It encrypts executables along with regular data objects, which may lead to a system crash.

Oct. 13. Researchers at Doctor Web discover Trojan.Encoder.6491, the first piece of ransomware written in the Go programming language. Fortunately, the experts also create an automatic decoder for this threat.

Oct. 11. The distinguishing trait of the new VenisRansomware is that it enables the Remote Desktop Host as part of the compromise. This allows the attackers to access infected machines remotely.

Oct. 8. Like its prototype called Fantom, the new Comrade Circle ransomware displays a fake Windows update screen while encrypting data in the background.

Oct. 5. The Hades Locker strain is discovered. It turns out to be a successor of the WildFire Locker ransomware, whose command and control infrastructure was seized by a Dutch law enforcement agency in late August.

Oct. 4. Cerber ransomware version 4 goes live. It appends encrypted files with a victim-specific 4-character extension and leaves the Readme.hta ransom note.

Oct. 2. Written in Python, the latest edition of Fs0ci3ty L0ck3r features an incremental ransom scheme. The amount increases by 1 Bitcoin every day after the initial 24-hour period expires.

Oct. 1. Emsisoft releases a free decryptor for the Purge movie-themed Globe ransomware. This infection uses the Blowfish block cipher to render victims’ data inaccessible and concatenates the .purge, .globe or .okean-1955@india.com extension to crippled files.

Stay tuned for the Q1 2017 edition of the Ransomware Report.



© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.