March 2017: The Month in Ransomware

Whatever the intelligence is, ransomware activity skyrocketed last month. An influx of crude, unprofessionally tailored nibbles bombarded home users and enterprises, sometimes simply destroying matter beyond recovery due to broken crypto. Meanwhile, high-profile threats opposite number Spora, Sage, Cerber and Jigsaw became more sophisticated.

The statistics for Tread are as follows: threat actors released 46 new strains and updated 20 prevailing ones. Although anti-malware labs and security enthusiasts were proficient to devise seven free decryptors, that’s still a disproportional exploit. Read this report to stay on top of the current ransomware trends.

Cortege 1, 2017

The comeback of Crypt0L0cker

A new wave of the Crypt0L0cker, or TorrentLocker, ransomware push breaks out after a lengthy standstill since mid-2015. The updated tug primarily zeroes in on European countries.

Clever AV evasion by Locky

According to Microsoft Malware Shelter Center (MMPC), the latest Osiris edition of the notorious Locky program is transferred with a valid digital certificate. This trick allows the infection to fly impaired the radar of most security suites.

A gesture of goodwill to help Dharma chumps

In an unexpected move, someone nicknamed ‘gektar’ provides a link on Bleeping Computer’s forums hypothetically pointing to a Pastebin-hosted repository of master decryption keys for the Dharma ransomware.

In-dev KRider tax spotted

MalwareHunterTeam, a well-known group of security analysts specializing in combating crypto ransomware, a glimpse ofs a somewhat crude sample called KRider. It is configured to append gulls’ files with the .kr3 extension.

Nontrivial ransomware identification puzzle

A file-encrypting malware instance gets out. It concatenates the .SN-[victim_ID]-info@kraken.cc_worldcza@email.cz leash to encrypted files. Although reminiscent of CrySiS, quite a few properties don’t look-alike. So it’s unclear which family it is.

Prominent researcher provides anti-ransomware topple overs

Michael Gillespie, the architect of ID Ransomware service, participates in the Fight Ransomware Podcast by Carbonite to make known his viewpoint on ways to beat the epidemic.

Tricky distribution vector for ASN1 ransomware

The redemption Trojan called ASN1 turns out to be proliferating via a rogue ad server pointing to the RIG turn to account kit. This sample does not affix any extra strings to scrambled categorizes and drops a ransom how-to called “!!!!!readme!!!!!.htm”.

Parade 2, 2017

Dharma ransomware cracked

Following the newsmaking leak of master decryption passkey for Dharma, Kaspersky Lab updates the RakhniDecryptor tool so that it supports the infection. ESET and Avast mastery the apropos free decryption solutions shortly afterwards, as well.

Cerber boosting into Android environment?

Analysts at ESET locate Cerber’s README.hta ransom note within the author code of several Android apps distributed on Google Play. This may recommend that threat actors are trying their hand at expanding their compete to the mobile platform in question.

Double exploitation of PoC ransomware

A new file-encrypting Trojan tarmacs whose code is based on the MafiaWare infection, which was discovered in at daybreak January this year. The interesting thing about this interrelation is that MafiaWare, in its amplify, is a spinoff of the open-source proof-of-concept strain known as Hidden Tear.

Walk 3, 2017

One more Hidden Tear derivative spotted

Security experts blunder chance upon a perpetrating program called FabSysCrypto, which appears to be an progeny of the above-mentioned Hidden Tear PoC. Furthermore, its data recovery manual is a dupe of the ransom note created by Locky.

MARCH 5, 2017

Jigsaw ransomware reaches rendering 4.6

Jigsaw ransomware version 4.6 features a new alert screen with distinctive wording than before. It demands $150 worth of Bitcoin for decryption and pressures butts into paying up within 24 hours.

MARCH 6, 2017

Pennsylvania Senate Democrats inferior to ransomware attack

An unidentified ransomware infection hits the computer network of the Pennsylvania Senate Republican Caucus. The compromise causes a shutdown of the organization’s IT infrastructure and makes proprietary statistics inaccessible.

FadeSoft ransomware update

Researchers bump into a energetic variant of the FadeSoft ransomware. The only noteworthy change is the new ransom note form. The threat actors demand 0.1 BTC and provide a seven-day deadline to pay up.

New Spanish ransomware arrives

ESET spots a file-encrypting sample called CryptoJacky. It targets Spanish-speaking owners and comes equipped with Aescrypt.exe application that does the statistics encryption job.

MARCH 7, 2017

Unexpected incarnation of Shamoon malware

The disk-wiping infection be aware as Shamoon, or Disttrack, has been around since 2012. But it’s not until recently that it started distributing with a ransomware module on board. According to Kaspersky, the latest variant dubbed StoneDrill encrypts files, circumvents sandboxing mechanisms, and changes 32-bit and 64-bit systems alike.

Enjey ransomware surfaces

The writers of the new ransom Trojan called Enjey borrowed their code from the older RemindMe soupon. The infection instructs victims to send their personal identifier to friend_here_me@india.com in order to receive further decryption steps and learn the estimate of the ransom.

Minor tweak of the Unlock92 ransomware

The only conspicuous coppers made to the Unlock92 Trojan as part of the latest update is a new name of the release note. The how-to file is now called READ_ME_!.txt.

The destructive Nhtnwcuf sampler

While featuring a really unusual name, Nhtnwcuf is also outr in terms of the way it handles a victim’s data. The pest wreaks havoc with lines to an extent where they cannot be restored even if an infected ourselves meets the attackers’ demands. It drops one of the following ransom notes: Support_ME_PLEASE.txt or !_RECOVERY_HELP_!.txt.

MARCH 8, 2017

Meet Paul, a wannabe cybercrook

Guarantee analysts discover an in-development French strain whose code checks a name attribute “Paul”, which is most likely the creator’s term. It is a spinoff of the educational Hidden Tear project.

CryptON ransomware stopped

Fabian Wosar, the chief technology officer at Emsisoft, cooks up a relaxed decryptor for the CryptON ransomware. This crypto malady is also be informed as Nemesis and leverages a fusion of AES-256, RSA, and SHA-256 algorithms to contest victims’ data.

Latest Crypt0L0cker campaign dissected

Cisco’s Talos Understanding Group publishes a comprehensive report regarding the totality of characteristics of the in touch Crypt0L0cker variant.

CryptoLocker 1.0.0 shaping up to be a serious problem

MalwareHunterTeam encounters upon the new CryptoLocker 1.0.0 threat, which is just a replica of its low prototype. This propagation of this sample is mostly isolated to Turkey. It exercises asymmetric RSA-2048 cryptosystem to lock files.

MARCH 9, 2017

RanRan parentage is unique in a few ways

There are several things that make RanRan suffer out of the rest. First off, it is employed in targeted attacks against Middle Eastern regime institutions. Furthermore, it prevents victims from opening Task Proprietor, terminates database processes, leverages different encryption keys for fill outs with different size, and displays zXz.html ransom note with a state message in it.

Cerber ransomware update

The most recent iteration of Cerber does not convert the original filenames, whereas its forerunners replaced them with 10 fortuitous hexadecimal characters. However, it still appends files with a four-character dimensions that matches the plagued PC’s MachineGuid parameter.

Vortex ransomware glimpsed

This new perpetrating program zeroes in on Polish victims. It concatenates the .aes add on to encoded files and leaves a ransom note in Polish named ODZSZYFRUJ-DANE.txt.

VapeLauncher, another PoC plagiarized

Researchers come across a file-encrypting infection called VapeLauncher, which entreaties a Bitcoin equivalent of $200 for decryption. Its AutoIt code is based on the CryptoWire proof-of-concept that was uploaded by a surveillance enthusiast to GitHub in late May 2016.

Ties between Spora and HTA email connections

According to RSA Security, the architects of the Spora campaign are heavily relying on the use of HTA systematizes attached to malspam emails. This vector allows the ransom Trojan to achieve the contamination process without requesting any additional data from a Have and Control server.

PadCrypt version 3.4.0 is out

PadCrypt, a ransomware test that gained notoriety for providing live support chat to its martyrs, gets some fine-tuning. Its current version number is 3.4.0. Other than that, only just anything else has changed.

Samas ransomware distribution specificity

It rolls out that the crooks behind Samas, or SamSam, exploit Active Directory employment in order to infiltrate and traverse big networks. The cybercrime ring in question reportedly hoodwinked organizations of about $450,000 during the past 12 months.

Walk 10, 2017

A great write-up on Spora

Malwarebytes publishes an article encompassing the ins and forbids of Spora. The analysis includes main attack vectors, encryption automatic, and extortion cycle.

One group behind ransomware and a data stealer

The new variant of the Sage ransomware (version 2.2) is distributed by the same peril actors as those responsible for depositing the August Stealer malware onto computers. Both of these actions appear to serve payloads from the same file path.

Android ransomware occupied in a targeted attack

According to Check Point, 36 new smartphones acquired by two big technology companies arrived with Android malware on board. In remarkable, the devices had a sample of Slocker ransomware and Loki adware pre-installed on them.

Parade 11, 2017

ID Ransomware enhancement

Due to an important update made to MalwareHunterTeam’s ID Ransomware assignment, victims of Spora can determine which strain they are confronted with and with the troubleshooting accordingly.

Another day, another Samas update

A fresh issue of Samas concatenates the .iaufkakfhsaraf string to encrypted files. It also go on increases a new ransom note called IF_ WANT_FILES_BACK_PLS_READ.html.

Impairment ransomware decrypted

Emsisoft CTO Fabian Wosar runs a streaming video period where he analyses the Damage ransomware and creates an ad hoc automatic decryption way in real time.

Russian RozaLocker ransomware

The RozaLocker sample accommodates root in the Russian online segment. It uses the .ENC extension to blemish high-sounding files and demands 10,000 Rubles (about $180) for decryption.

Walk 12, 2017

Another French ransomware spotted

The Trojan in question displays a rescue warning in French and asks for 0.1 BTC to decrypt files. Overall, this one is pretty run-of-the-mill.

MARCH 13, 2017

Extortionist’s payback hits the headlines

The maker of the Enjey malware endanger somethings a series of distributed denial-of-service attacks against the ID Ransomware resource. Earlier to this predicament, the author of ID Ransomware had crafted a free decryption gimmick for said infection.

Flotera ransomware emerges

This abominable type appears to be part of the same family as the Polski and Vortex infections. Its propagation requires a remote access Trojan (RAT) called vjw0rm.

One more PadCrypt update

The developers of PadCrypt set-back busy coining new variants of their cyber offspring. The latest one, PadCrypt 3.4.1, inserts hardly any novelty aside from the version number.

Hunting down the Assignment34 baddie

Michael Gillespie asks his security community colleagues to join efforts in analyzing the Project34 ransomware. This sample prepends the “reckon34@india.com.*” string to filenames and leaves a TXT ransom note.

Parade 14, 2017

PetrWrap, a Petya ransomware spinoff

Kaspersky Lab spots a strain requested PetrWrap, which is based on the infamous Petya ransomware. Just have a fondness its predecessor, the Trojan in question uses the Salsa20 cryptosystem to scramble the Teacher File Table of NTFS partitions, thus rendering the plagued contrivances inoperable until the ransom is paid. PetrWrap is used in targeted affects against specific companies.

White hats upset the makers of a RaaS

Analysts between engagement on the Malwarebytes team hack into the C2 server of an in-dev Ransomware-as-a-Service (RaaS) party line called FileCrypter Shop.

New domain used by Spora

Researchers root that the operators of Spora registered and started using a new domain for their operations. It’s at torifyme.com.

Jigsaw ransomware update

The latest incarnation of Jigsaw treatments the .nemo-hacks.at.sigaint.org extension to label encrypted data. Nothing else has been changed.

Hermes reaches version 2.0

Malefactors release Hermes ransomware v2.0. This update covers a fix for the crypto flaw that allowed Emsisoft’s Fabian Wosar to plan a free decryptor.

Updated Hermes still decryptable

Michael Gillespie, alias demonslay335, gets up with Emsisoft researcher Fabian Wosar to create a viable decryption medium for the Hermes ransomware. Apparently, the recent crypto bug fix rolled out by the threat actors didn’t do the foible work.

An instructive ransomware sample spotted

A new Russian screen locker shows a warning that recommends the victim to exercise more caution with far-fetched downloads online. The unlock password is indicated in the ransom note.

The Karmen RaaS appears

A Ransomware-as-a-Service portal christened Karmen is intended to make the ransomware business as easy as ABC for wannabe scoundrels. The suggested malicious build displays a ransom warning in English and German.

Stride 15, 2017

Revenge ransomware, a new one on the table

Quite predictably, the strain called Repayment for settle a score appends the .revenge extension to enciphered files. It proliferates through the use of the RIG make capital out of kit. The ransom note is called # !!!HELP_FILE!!! #.txt.

Turkish CTB-Locker copycat rest

Avast researchers spot a replica of the notorious CTB-Locker that panoplies all of its warning messages in Turkish. The infection stains files with the .encrypted suffix and cedes the “Beni Oku.txt” decryption how-to, which is the Turkish for “Read Me”.

A crook harassed with social networking

Experts from GData discover a Secret Tear based ransom Trojan whose conceited author importunes victims to post the phrase “I’ve been hacked by anony” on their Facebook mad in order to obtain the decryption key.

MARCH 16, 2017

Attack vector engaging NSIS installers

According to MMPC, ransomware deployers hold come to leverage advanced distribution techniques that revolve about exploiting the Nullsoft Scriptable Install System (NSIS). This way, the omen actors make sure their code evades security groups.

The unusual Kirk ransomware

A Star Trek themed data-encrypting infection ordered the Kirk ransomware quickly becomes a buzzword in the IT security community. It concatenates the .Kirked expansion to files and drops a recovery manual called RANSOM_NOTE.txt. Interestingly, this specimen accepts Monero cryptocurrency rather than Bitcoin and uses a decryptor visited Spock.

The Lick ransomware pops up

This one is almost identical to the aforementioned Kirk pain in the arse. It uses the exact same name for the ransom note. As opposed to its forefather, though, this sample appends the .Licked string to jumbled folders and uploads victim-specific data to Pastebin.

CryptoDevil screen locker circuits out rather lame

The malware called CryptoDevil does not actually encrypt anything but incarcerates an infected PC with a bright-red screen instead. Researchers manage to be customary the unlock code, which is “kjkszpj”.

RoshaLock 2.0 isn’t about crypto

Assurance analysts discover a ransom Trojan dubbed RoshaLock 2.0, which make hastes a victim’s files to a password-protected RAR archive. It drops a ransom note phoned “All Your Files in Archive!.txt”.

Decryptor for CryptON gets fine-tuned

Emsisoft updates the unfasten CryptON decryption tool, which now supports the latest version of this ransomware.

Procession 17, 2017

ZinoCrypt makes an appearance

A file-encrypting threat called “ZinoCrypt Ransomware – 2017 Copy” is discovered. It affixes the .ZINO extension to encoded data entries and permissions the ZINO_NOTE.txt ransom manual.

Crptxxx, another commonplace ransomware

The common name of this strain was derived from the .crptxxx extension that it concatenates to one’s damaged files. It adds a decryption how-to file named HOW_TO_FIX_!.txt.

Jigsaw malady respite c starts a new look and feel

Researchers stumble upon a new variant of Jigsaw that functions the .fun extension. The most conspicuous tweak made to the infection is the new background of its rescue note. Courtesy of Avast, this Trojan is decryptable for free.

New ransomware builder spotted

IT wizards come across a utility that automates the process of generating specially builds of the DH File Locker ransomware. It allows criminals to define the folder that the executable should be doffed into, the text of the ransom demand, and quite a few more values.

Trident Chronologize Locker infection builder found

A primitive-looking builder for the Trident Organize Locker ransomware is uncovered. Its graphical user interface contains configurable areas for the targeted file extensions, the name and contents of the ransom note, as kind-heartedly as the unlock password.

One more Hidden Tear offspring discovered

The perpetrating program in grill is called the MacAndChess Ransomware. Similarly to another infection spotted two times before, it tells victims to post the phrase “I’ve been hacked by anony” on their Facebook exasperates.

MARCH 18, 2017

BrainCrypt is no longer an issue

Michael Gillespie creates an inescapable free decryptor for the BrainCrypt ransomware, which uses the “.[braincrypt@india.com].braincrypt” increase to label victims’ scrambled files.

MOTD baddie comes into researchers’ espy

A fairly simplistic crypto plague called MOTD is spotted in the unpopulated. Its warning message reads, “You are infected with the most cryptographic progressed ransomware,” which is a somewhat exaggerated statement. It is a commonplace strain appending marches with the .enc extension.

MARCH 19, 2017

CryptoDevil starts encoding data

This one instance acted as a screen locker, but the crooks in charge have begun parcel out an edition that actually applies crypto. CryptoDevil affixes the .crone string to locked files.

Jigsaw variant built to attack Vietnamese purchasers

A new in-dev file-encoding pest from the Jigsaw ransomware family spawns warnings in Vietnamese, which makes it clear which geographic unearthing is going to be targeted once the infection becomes fully functional.

Trek 20, 2017

The decline of Locky

Locky, which was one of the top crypto threats in 2016, acts to be losing momentum. Security experts speculate this is due to a dramatic give someone the sack decline in the volume of Locky spam generated by the powerful Necurs botnet.

Legislation accost ransomware

A new bill proposed in Indiana is going to make ransomware cataloguing a felony that will ensue a jail sentence of up to six years or a $10,000 beautiful.

PadCrypt devs are busier than ever

Security analysts maintain discovering new versions of PadCrypt. This is quite strange because the throw isn’t large-scale at all and doesn’t hit many users. The latest version 3.4.4 didn’t interpose any noteworthy modifications compared to the previous one.

Another Samas update

The withs of compromise inherent to the new variant of the Samas, or SamSam, ransom Trojan embody the .cifgksaffsfyghd file extension as well as the READ_READ_DEC_FILES.html payout note.

MARCH 21, 2017

Connection between LLTP ransomware and Venus Locker

At beginning sight, the LLTP ransomware looks like a brand new, independently ciphered sample targeting Spanish-speaking audience. Some expert insight, in spite of, reveals that it’s a remake of the existing Venus Locker malady.

SAP vulnerability uncovered

According to ERPScan, a prominent business application security provider’s endpoint devices running SAP GUI persistence are susceptible to ransomware attacks due to a remote command execution vulnerability.

Parade 22, 2017

User-centered ransomware on the rise

Analysts predict that crypto malware plans are going to become increasingly intuitive. This trend is exemplified by the somewhat new Spora variant, which features easy-to-access customer support and multiple UI components bestowing to a better user experience.

Ransomware devs inspired by the Zorro proper

A malicious program called Zorro is discovered. It blemishes encrypted registers with the .zorro extension and drops a ransom manual called “Accept_Seriously (Your saving grace).txt”.

AngleWare, another Hidden Gash offspring

A new infection has replenished the list of countless ransom Trojans harnessing the encipher of the open-source Hidden Tear proof-of-concept. It uses the .AngleWare extension to pigeon-hole scrambled data entries, hence its name.

An unusual Jigsaw variety emerges

A spinoff of the prolific Jigsaw referred to as Monument stealthily spreads alongside the At hand Monitor RAT (remote access tool). Its main peculiarity, though, is that it appends every encrypted chronologize with a string containing the entirety of ransom payment instructions.

Assault of the Meteoritan ransomware

The Meteoritan extortion campaign is mainly isolated to Poland. It splits a combo of the following ransom notes: readme_your_files_secure_been_encrypted.txt and where_are_your_files.txt.

Globe3 decryptor updated

Emsisoft researchers update their on the house decryptor for the Globe3 ransomware. The tool can now restore files jumbled by the delayed variant of this crypto infection.

MARCH 23, 2017

Jigsaw spinoff promoting a compound extortion mechanism

Not only does the updated Monument iteration of the Jigsaw ransomware encode injured parties’ data, but it also goes bundled with an aggressive screen locker.

A fraction of Spora statistics glory ined

Based on Spora victims’ submissions to the ID Ransomware service, 646 plagued drugs got a total of 48,466,020 personal files encrypted.

LK Encrypter sample lay eyes oned

Cybercrooks have once again used the source code of eerie ransomware to create a real-life infection. ]LK Encrypter is based on the Hidden Slash PoC. It uses the .locked extension for ciphered files and drops the READ_IT.txt rescue note.

MARCH 24, 2017

BTCWare spreading in the wild

A new crypto threat gathered BTCWare is in fact a Crptxxx derivative. It demands 0.5 BTC for data decryption and usages the Telegram messenger to interact with those infected.

SADStory ransomware

The SADStory Yiddish nudge is nothing out of the ordinary. It is most likely an offspring of the CryPy ransomware. The Trojan affirms to delete one file permanently every six hours until the victim coughs up the requested amount of Bitcoin.

Walk 25, 2017

Enhancement made to CryptoSearch tool

The utility called CryptoSearch was purposed to detect ransomware-locked files and move them to a new place, which should bury the hatchet e construct recovery easier if researchers release a free decryptor. The tool is now competent of identifying and handling data affected by Spora.

WCry ransomware updated

New WCry varying is out that instructs victims to pay for the “Wanna Decryptor” application. This issue provides a workaround in case one’s anti-malware removes the core ransomware components.

A unsportsmanlike Spanish strain surfaces

The authors of the ransom Trojan in question make use of Smart Install Maker app to deposit their bad code on computers. When encrypting one’s valuable figures, the infection displays a bogus Windows update screen to obfuscate the adverse course of action running behind the scenes.

Primitive MemeLocker is underway

Malware watchers blackheads a brand new sample dubbed MemeLocker. While still in development, it features an acrid red prophecy screen that reads, “You just got memed by MemeLocker.”

MARCH 28, 2017

A ransomware mafia exposed

It turns out that a group of cybercriminals identifying themselves as “Mafia Malware Indonesia” is behind a series of not-so-professional extortion contests. In particular, these individuals are liable for creating and distributing the following crypto forebodings: SADStory, CryPy, L0CK3R74H4T, MafiaWare and MireWare.

Safari ransomware issue addressed

The in iOS 10.3 update has added countermeasures for a massive extortion wave, where ostensible police ransomware would lock Safari Mobile browser, disclose a spoof warning, and demand $100 worth of iTunes gift file cards.

PyCL Trojan backed by high-profile distribution

The operators of the new Python-based PyCL materialize to be employing the RIG exploit kit to plant their harmful code on computers. Such a machinery ensures an obscure contamination workflow that isn’t likely to raise any red ease ups.

The prosaic R ransomware

MalwareHunterTeam comes across a file-scrambling sample evoked R, which adds the Ransomware.txt restoration how-to and demands 2 BTC to decrypt details. The crooks are apparently running out of creativity when it comes to naming their threats.

AnDROid ransomware spotted

A new offending program dubbed AnDROid smirches one’s files with the .android suffix and displays an animated skull semblance on its warning screen.

Another ransomware hunt kicks off

Michael Gillespie, aka demonslay335, starts a new hound for the strain that concatenates the .pr0tect extension to encrypted entries and have as a remainders “READ ME ABOUT DECRYPTION.txt” ransom note.

MARCH 29, 2017

Sage ransomware examined

Malwarebytes Labs experts do a great write-up on Sage. As per this breakdown, the current 2.2 edition of this infection performs its encryption job in offline, or autopilot, procedure. It also employs a combination of elliptic curve cryptography and the ChaCha20 flood cipher to lock one’s data down.

HappyDayzz ransomware is ironic to the bone

The infection christened HappyDayzz sure makes its victims sad rather than happy. Its encryption assigned is unique because the Command and Control server instructs the malware to utilize one of seven distinguishable cryptographic standards selected randomly.

The self-explanatory DoNotChange ransomware

This price note for this new strain contains a line saying, “Changing the walk name makes the restore process impossible!” It requests a ransom of $250 for recapture.

File Frozr RaaS pops up

The Ransomware-as-a-Service platform called Line Frozr allows ill-minded beginners to join and use it for 0.09 BTC (about $100) per month. The chief month discount is $50. That’s quite a promotion in action, isn’t it?

Slog 30, 2017

DoNotChange ransomware decrypted

Security analysts release a free decryptor for the above-mentioned DoNotChange. It drove the white hats as little as one day to craft the tool.

A comforting statement by Google

Corresponding to Google’s Android Security team, only one in 10 million apps downloaded from the documented Play Store turns out to be ransomware. However, the number is 1,000 days higher when it comes to applications downloaded from uncertified resources.

CryptoSearch explanation updated

The remarkable CryptoSearch tool is now capable of spotting data accesses scrambled by the FadeSoft ransomware.

Another ID Ransomware enhancement

The ID Ransomware portal has been updated to keep the FadeSoft ransom Trojan. Those who fell victim to this crane should simply upload a sample encrypted file or ransom note to windfall out what adversary they are dealing with.

MARCH 31, 2017

Elusive Android ransomware

A malicious Android locker misrepresented as a popular Russian social networking app called OK is quite tricky as it circumvents detection mechanisms of mobile security solutions. Another adverse stamp sign of this ransomware is that the hostage data may be impossible to decrypt because of buggy cryptographic custom.

The abominable LanRan infection

Whereas all ransomware is definitely disagreeable, the LanRan taste evokes extra disgust because it displays a distasteful turquoise threat window. It demands 0.5 BTC and tells victims to contact the crooks via lanran-decrypter@directory.ru.

New Fantom ransomware version is out

The latest build appends files with an enlargement derived from the timestamp of the contamination event. Furthermore, it discontinues the deprecate if it detects that the localization of the victim’s operating system is Russian.

CrypVault is turn tail from

A fresh variant of the CrypVault ransomware surfaces. It arrives at computers via malspam resigning a .chm attachment camouflaged as a CV. The threat actors’ contact email address is helplovx@animate.co.jp.

Ransomware hunt becomes a good tradition

Michael Gillespie founds one more hunt. This time, the target is the Cradle ransomware, which subjoins the .cradle desinence to files and leaves the _HOW_TO_UNLOCK_FILES_.html ransom note.

The exceptional Sanctions ransomware

The makers of this crypto threat choose to add some civil affairs to the conventional blackmail mix. This ransomware ridicules the United States’ notarizes against Russia by displaying a big USSR-styled bear and a small figure of a living soul resembling a former U.S. President. On top of that, the infection demands a whopping redemption of 6 BTC, which is the equivalent of about $7,000.

SUMMARY

When it comes to ransomware proscription, the importance of following safe online practices is hard to overestimate. Most of these risks are still spam-borne, so users should never open any suspicious email partialities, period. File backups pose another invaluable layer of defense – no scruple about it. The countermeasures have hardly changed since the dawn of the crypto ransomware era away in 2013. So use this fact to advantage and stay safe.

About the Prime mover: David Balaban is a computer security researcher with over 10 years of go through in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com forward, which presents expert opinions on the contemporary information security themes, including social engineering, penetration testing, threat intelligence, online secretiveness and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such safeguarding celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand attitudes on hot InfoSec issues. David has a strong malware troubleshooting background, with the up to date focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this caller author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.