December 2016: The Month in Ransomware

Online extortionists closed 2016 with a spike in ransomware activity. The statistics for December were alarming: 32 new samples emerged and 33 existing strains got updated. The fact that security researchers released nine decryption tools is quite promising, but it is still a weak countervailing factor. The report below explores the ins and outs of the crypto threat landscape for December 2016.DECEMBER 1, 2016New Matrix ransomware leverages GnuPG cryptosystemResearchers spotted a ransom Trojan called Matrix in the wild. It uses the open source GnuPG cryptosystem to deny access to one’s personal data. The sample leaves a ransom note named matrix-readme.rtf and instructs victims to contact the threat actors at [email protected] or [email protected]Decryption breakthrough by AvastSecurity analysts at Avast developed free decryption tools for the following ransomware families: CrySiS, Globe, Alcatraz Locker, and NoobCrypt. Those who fell victim to one of these strains can download the appropriate decryptor on a dedicated web page.DECEMBER 2, 2016Alpha Locker ransomware for saleWannabe online extortionists can unleash their evil potential by purchasing a build of the Alpha Locker ransomware on darknet forums. This perpetrating program is written in C#. The payload is only 50 KB in size. The turnkey infection kit costs $65.Ransomware author sends a secret message to a researcherThe creator of NMoreira ransom Trojan, also referred to as XPan, used an interesting tactic to leave a message for Emsisoft’s Fabian Wosar, a prominent security analyst who has cracked dozens of crypto threats. An individual calling himself NMoreira Core Dev embedded some text in the code of his latest extortion product. Here’s an interesting phrase from the message, “Hope you can break this, too.” Mr. Wosar commented on the occurrence this way, “At least they are polite idiots this time. Still idiots, though.”New Phoenix ransomware on the tableWhile still in development, Phoenix crypto-malware has the potential to become a major security concern. It concatenates the .R.i.P extension to encrypted files and drops a decryption manual called Important!.txt.DECEMBER 3, 2016PadCrypt updateA fresh edition of PadCrypt surfaced. Other than the new 3.1.2 version name, this build features hardly any noteworthy tweaks.DECEMBER 4, 2016Russian ransomware maker apprehendedA 40-year-old cyber crook who goes by the handle Pornopoker got arrested by the Russian police at an airport near Moscow. The authorities charged this individual with developing and distributing an aggressive screen locker called Ransomlock.P, which impersonated law enforcement agencies of different countries to defraud victims out of money.Emsisoft creates another free decryptorFabian Wosar, the above-mentioned researcher at Emsisoft, released an application that dencrypts files locked by the latest variant of Nemucod.Apocalypse ransomware updateA new version of the Apocalypse ransom Trojan went live. It scrambles file names according to the following pattern: [original_filename].ID-*[random_8_chars + country_code][[email protected]].[random_7_chars].New variant of the Globe ransomwareThis one appends one’s encrypted files with the .lovewindows extension and tells victims to reach the attacker at [email protected]DECEMBER 5, 2016Botnet-backed distribution of the Shade ransomwareThe notorious botnet known as Kelihos was found to sustain the proliferation of Shade, or Troldesh, ransomware. The newest build of this offending program adds the .no_more_ransom extension to locked files.Screen locker with crypto featuresResearchers spotted a new screen locker that’s supposed to implement a data encryption routine. However, the early edition of this complex infection didn’t function correctly, with no actual crypto activity observed. A victim’s files get the .encrypted string appended to them. The ransom amounts to 0.3 Bitcoin.Locky ransomware tweakAnother iteration of the infamous Locky ransomware is out. It features an Egyptian mythology theme, concatenating the .osiris extension to scrambled files. The ransom notes are named OSIRIS-[4_hexadecimal_chars].htm.DECEMBER 6, 2016The GoldenEye ransomware surfacesThis sample appears to be a successor of Petya, which was in active rotation as of late spring 2016. Just like its prototype, GoldenEye replaces a computer’s master boot record (MBR) with a rogue one and encrypts the master file table (MFT), thus preventing the victim from accessing the system altogether. As opposed to Petya, though, this strain encodes one’s important files before denying access to the OS.DECEMBER 8, 2016Cybercriminals come up with a cynical extortion schemeThe authors of a strain dubbed Popcorn Time urge their victims choose the lesser of two evils, so to speak. Those who are infected can get their files back by coughing up one Bitcoin, or they can get their decryption key for free. The latter route, though, presupposes that the user send a custom ransomware downloader to two more people and get them infected.Another Jigsaw ransomware variant goes liveThe updated threat displays a warning screen with the word HACKED in the center. It instructs victims to submit 0.25 Bitcoin within 24 hours. Otherwise, the ransom goes up to 0.35 Bitcoin. Fortunately, this one is decryptable for free, courtesy of Michael Gillespie (@demonslay335).SamSam ransomware emergesThis crypto infection strain encrypts files with the .VforVendetta extension and drops a ransom note named 000-PLEASE-READ-WE-HELP.html.One more spinoff of educational ransomwareSecurity analysts discovered a new ransomware strain based off of the controversial educational project called EDA2/Hidden Tear. While using the open source code as the core, the sample in question has significant code tweaks under the hood. Cyber crooks can buy the readily available infection on darknet sites.DECEMBER 9, 2016The CryptoWire POC abusedThreat actors took advantage of the new open-source CryptoWire ransomware to build real-world infections called Lomix and UltraLocker. The code of the proof-of-concept project under consideration was available on GitHub, so online crooks didn’t fail to abuse it and launch their own extortion campaigns.UltraLocker distribution tactic revealedThe above-mentioned UltraLocker spinoff of the educational CryptoWire ransomware was found to spread via a spam wave involving booby-trapped .doc files.Cyber SpLiTTer Vbs ransomware 2.0This breed of file-encrypting malware is based on Hidden Tear, a proof of concept project by Turkish security enthusiast Utku Sen. The updated infection asks for 0.5 Bitcoin for data decryption. If a victim doesn’t pay up within a 76-hour deadline, the ransomware claims to delete all files beyond recovery.The Locked-In ransomware is underwayThe new strain in question uses the AES-256 symmetric cryptographic standard to lock one’s files. It leaves a ransom note named RESTORE_CORRUPTED_FILES.html. The deadline for decryption key buyout is 15 days.DECEMBER 10, 2016The ‘cartoonish’ CHIP ransomwareA fresh edition of the CHIP ransomware appends files with the .DALE extension and drops DALE_FILES.txt ransom notes. The updated list of email addresses to reach the attackers is as follows: [email protected], [email protected], [email protected], and [email protected]Deadly_60 screen locker in rotationAlthough the sample called Deadly_60 only locks one’s screen and doesn’t encrypt any personal data, it is quite a drag due to an obnoxious animation displayed in the background.PadCrypt 3.1.5 goes liveJust like the previous edition of PadCrypt, this one doesn’t feature any conspicuous changes except for the 3.1.5 version indication.M4N1F3STO screen lockerThe new low-impact infection locks the screen rather than perform file encryption. It demands 0.3 Bitcoin to recover from the attack. Fortunately, researchers were able to figure out the unlock code.DECEMBER 12, 2016Samas cybercrime ring’s earnings leakedHaving analyzed the operations of the group behind the Samas ransomware, researchers at Palo Alto Networks calculated the syndicate’s revenue. The extortionists made more than $450,000 in 2016. The attacks mostly zero in on large organizations.PayDay ransomware spottedA new breed dubbed PayDay targets Windows computers with Portuguese language pack installed. It appends the .sexy extension to files and drops !!!!! ATENÇÃO!!!!!.html ransom notes. It is another Hidden Tear variant.You Have Been Hacked!!! ransomwareThe warning message displayed by this sample reads, “You Have Been Hacked!!!” It concatenates the .Locked extension to crippled files and also tries to steal victims’ login credentials for various online accounts. The size of the ransom is 0.25 Bitcoin.Kraken ransomwareVictims’ files are suffixed with the .kraken string, and file names get base64-encoded. The ransom notes are called _HELP_YOUR_FILES.html.DECEMBER 13, 2016Another screen locker releasedThe offending program generates a scary lock screen saying, “Your Windows Has Been Banned.” The ban is claimed to have occurred due to terms of use violations. Luckily, security researchers discovered that the unlock code is ‘nvidiagpuareshit.’CryptoMix ransomware updateThe new edition of CryptoMix uses a long, complex extension to label all files that underwent encryption. Its format is as follows: .email[[email protected]]id[unique_victim_ID].lesli. The ransom notes are called INSTRUCTION RESTORE FILE.txt.Locked-In ransomware crackedMichael Gillespie (@demonslay335) creates a free decryptor for the Locked-In strain. The ransomware uses the .novalid file extension.DECEMBER 14, 2016New spam wave propping Cerber distributionThe operators of Cerber ransomware launched a new social engineering campaign. It revolves around rogue credit card reports sent over email. The misleading messages state that the recipients will be billed a certain amount of money and recommend them to open the attached Microsoft Word document to cancel the transaction. Once the file is loaded, macro scripts will complete the contamination part.Xorist ransomware tweakThe latest edition of the Xorist ransom Trojan adds the .antihacker2017 extension to locked files and instructs victims to contact the attacker at [email protected] Fortunately, Emsisoft’s Decrypter for Xorist can restore these files for free.New Globe ransomware version is outThe most recent edition concatenates the [email protected] extension to encrypted data objects. The ransom amounts to 1.5 Bitcoin.Screen locker called CIA Special Agent 767This one is a M4N1F3STO ransomware spinoff that features a different lock screen design. It originally demanded $100 worth of Bitcoin, but the price increased to $250 in five days.FenixLocker updateThe new ransom notes are called “Help to decrypt.txt.” Victims are told to shoot an email to [email protected] for recovery steps.Koolova ransomware being developedSecurity analysts were able to get a copy of an in-development ransomware dubbed Koolova. The warning message is written in Italian. The infection provides a 48-hour deadline for payment. Otherwise, the ransom will increase.DECEMBER 15, 2016Achievements of the No More Ransom ProjectThe No More Ransom Project is a unique initiative that aggregates data on numerous ransomware families, facilitates analysis thereof, and provides victims with free decryption tools. As of mid-December, the project had brought on 34 new partners to combat the ransomware plague.Distribution specificity of the BandarChor ransomwareThis strain was found to propagate via contagious ads displayed on adult online resources and an e-commerce websites selling drones.Meet Chris, another wannabe cybercriminalResearchers got ahold of the code for an in-dev ransomware based on Hidden Tear. The lines of code contain the name “Chris” here and there, so that’s probably a new threat actor trying his hand at online extortion.Cryptorium, a new ransomware on the looseThe sample under scrutiny is somewhat buggy as it simply renames its victims’ files rather than encrypt them. Cryptorium appends the .ENC extension to all affected data entries.DECEMBER 16, 2016A Globe ransomware lookalike surfacesThis unnamed specimen is a replica of the Globe ransomware. It concatenates the .crypt extension to every scrambled file and drops the HOW_OPEN_FILES.hta ransom note. Victims are told to reach out to the extortionists at [email protected] for instructions.Changes made to the Cerber ransomware campaignThe operators of Cerber modified the set of IPs that are used for statistical purposes. The new ranges are as follows:,, and Globe variant goes liveThe only significant change in the updated build of Globe is the file extension format. Data items are now appended with the [email protected] suffix.DECEMBER 18, 2016New Dharma spinoff appearsA fresh version of Dharma tells infected users to send an email to [email protected] for detailed data recovery steps.CryptoBlock is on its wayResearchers discovered an in-dev strain called CryptoBlock. It utilizes an asymmetric RSA-2048 cryptographic algorithm and demands 0.3 Bitcoin for decryption.DECEMBER 19, 2016Evolution of Android banking malwareIt turns out that some of the present-day Android banking Trojans accommodate device-locking features. Some samples may even encode users’ data.RansomFree, a new solution preventing ransomwareDeveloped by the Cybereason security firm, the app called RansomFree thwarts ransomware attacks on different versions of Windows.Apocalypse updateA new iteration of Apocalypse drops a TXT ransom note and instructs users to shoot an email to [email protected] for payment directions.M4N1F3STO pest adds crypto to its arsenalThe “Jhon Woddy” version of the M4N1F3STO screen locker now comes equipped with a file encryption module, so it’s now double trouble. This sample masks its data encoding process with a fake Windows Update message within an old school application interface.MNS CryptoLocker surfacesThis new strain uses RESTORE_YOUR_FILES.txt ransom notes and tells infected users to reach the crooks at [email protected]DECEMBER 20, 2016Kaspersky’s tool handles CryptXXX
Kaspersky Lab updated their RannohDecryptor solution, which can now restore data locked by CryptXXX. In particular, the tool decrypts files with the .cryp1, .crypt and .crypz extensions.New Samas version spottedAlso known as SamSam, this ransomware now subjoins .theworldisyours to enciphered files. The decryption manual is named CHECK-IT-HELP-FILES.html.The Go language getting popular with cyber crooksResearchers discovered a new ransomware specimen written in the Go programming language. It adds the .braincrypt extension to mutilated files and leaves a ransom note called “!!! HOW TO DECRYPT FILES !!!.txt”. The contact email address is [email protected]Indonesian users targeted by EnkripsiPC ransomwareEnkripsiPC, also referred to as IDRANSOMv3, derives the decryption key from the name of the infected computer. The circulation of this sample is localized to Indonesia. Michael Gillespie, a well-known security researcher, found a way to decrypt the files.DECEMBER 21, 2016The new Manifestus ransomwareThis sample appears to be a variant of the M4N1F3STO pest, which locks the screen and encodes data. The parasite demands 0.2 Bitcoin for decryption.ProposalCrypt, a new sample at largeThis infection concatenates the .crypted extension to skewed files. The size of the ransom is 1 Bitcoin.Padlock screen locker isn’t that dangerousThe Padlock malware displays a lock screen saying, “Your files have been deleted and your PC has been locked.” This is a bluff, though – it doesn’t actually erase anything. The unlock code is ajVr/GRJz0R.Free-Freedom ransomwareThe warning window displayed by this sample says it was coded by a 13-year-old boy. Fortunately, Free-Freedom doesn’t do any crypto for real – it wreaks havoc with file permissions instead. Analysts were able to determine that the unlock code is ‘adam,’ which is probably the kid’s name.DECEMBER 22, 2016Cerber ransomware adopts a new tacticAs opposed to all the earlier variants, the latest edition of Cerber no longer deletes Shadow Copies of files. Furthermore, it skips quite a few directories that used to be targeted. The threat actors also chose to capitalize on locking Microsoft Office documents in the first place.Winnix Cryptor details revealedThis strain appends files with the .wnx extension and creates YOUR FILES ARE ENCRYPTED!.txt ransom note. The attackers were found to access servers remotely and execute a batch file inside the targeted environment. The ransomware leverages GPG (GNU Privacy Guard) cryptosystem to encode data.Cerber starts using new IP rangesIn order to get around blacklisting when obtaining accurate UDP statistics, Cerber now switches to using the following IP ranges:,, and abominable Guster ransomwareThe new Guster sample affixes the .locked extension to scrambled data entries and generates a very obnoxious warning screen featuring animation effects and audio.Free-Freedom ransomware tweakUnlike the original variant of the Free-Freedom infection, the newest one has been renamed “Roga.” It uses the .madebyadam file extension. As per the analysis of this sample, the decryption password is ‘adamdude9’.DECEMBER 23, 2016Koolova ransomware gets instructiveThere is an interesting way for users infected with the fresh version of the Koolova ransomware to get their personal files back. The program decrypts data for free on condition that the victim reads a few articles on methods to avoid ransomware.A CryptoLocker copycat discoveredThe perpetrating program in question is camouflaged as CryptoLocker but actually doesn’t have much in common with its infamous prototype. The impostor uses the .cryptolocker extension to stain encoded files.Cerber devs looking forward to ChristmasAccording to MalwareHunterTeam, some of the new domains used by the operators of the Cerber ransomware have the word “Christmas” in their URLs.The enduring VenusLocker ransomwareAlthough the cyber parasite called VenusLocker seemed to have gone extinct for good, it reemerged in a new campaign. This ransomware asks for one Bitcoin and sets a 72-hour deadline for paying up.Details of the Alphabet ransomwareThe in-dev malady called Alphabet is supposed to combine screen-locking mechanisms and data encryption – at least, that’s what its warning screen says. However, the current version doesn’t encode files and provides the unlock code.DECEMBER 24, 2016GlobeImposter decryptedGlobeImposter is a replica of the Globe ransomware, borrowing its prototype’s ransom notes, the extension being appended to files, as well as the general look and feel. It uses the .crypt string to label encrypted data entries and leaves a ransom note named HOW_OPEN_FILES.hta. Fortunately, Emsisoft’s Fabian Wosar was able to create a free decryptor for GlobeImposter.DeriaLock ransomware hitting the headlinesThe uniqueness of the new DeriaLock ransom Trojan is that its author can unlock all infected computers in a few keystrokes. That’s what the analysis of its code reveals. Having locked a victim’s screen, the program demands $30. Those infected are supposed to contact a specified Skype account for payment details.Another Cerber updateCerber ransomware makers released a new edition featuring an updated range of IP addresses for UDP statistics. Another change is that the ransom notes are now called _[random]_README.hta and _[random]_README.jpg.DECEMBER 25, 2016BadEncript authors should work on their spellingThe new sample called BadEncript concatenates the .bript extension to one’s locked files and drops the More.html ransom manual on the desktop. The quality of the ransomware name spelling, however, leaves a lot to be desired.New extension used by the Jigsaw infectionJigsaw ransomware operators updated their  tool on Christmas day. The new iteration appends the .hush extension to encrypted objects while keeping the original file names intact.Latest NMoreira variant defeatedCourtesy of Fabian Wosar, Windows users hit by the .maktub file extension version of NMoreira (XPan or XRatTeam) can get their files back for free. The tool called Emsisoft Decrypter for NMoreira can decrypt most file types scrambled by this offending program. Be advised the recovery process can be time-consuming, though.DECEMBER 27, 2016The comeback of ODCODC ransomwareResearchers spotted a fresh sample of the ODCODC ransom Trojan that creates HOW_TO_RESTORE_FILES.txt help file and scrambles file names according to the following pattern: C-email-[attacker’s_email_address]-[original_filename].odcodc.DECEMBER 28, 2016Ransomware on Smart TVsAn Android screen locker was discovered that targets LG Smart TVs. The infection displays a fake FBI warning and demands $500 for unlocking the compromised device.New sample appending files with an email addressAnother crypto ransomware surfaced that concatenates the [email protected] string to one’s locked files and leaves “!!!.txt” ransom note.DECEMBER 29, 2016KillDisk virus starts exhibiting ransomware behaviorThe new version of the malicious software called KillDisk has got extortion properties under the hood. Rather than simply erase its victims’ files, now it encrypts them and asks for a whopping ransom of 222 Bitcoin.Ransomware disguised as popular security suitesSecurity analysts stumbled upon an instance of the GoldenEye disk-encrypting ransomware whose payload is camouflaged as ESET antivirus installer. Another sample called Stampado was found to arrive at PCs as a rogue AVG product.Dharma ransomware opts for using HTA ransom manualAs part of the recent update, Dharma ransomware authors have adopted a new victim interaction principle where the ransom note is in HTA format. It is now called Info.hta.DECEMBER 30, 2016Samas ransomware tweakThe latest edition of the Samas, or SamSam, ransomware uses the .whereisyourfiles extension and WHERE-YOUR-FILES.html ransom note.The open source ransomware issue dissectedAn article published on MalwareTech explains on the ins and outs of proof-of-concept ransomware projects, emphasizing that they are more beneficial to cyber criminals than researchers.SUMMARYThe main takeaway remains the same: users and organizations are much better off having a plan B in ransomware attack scenarios than dealing with the aftermath of such compromises. The countermeasures should revolve around safe online practices and reliable data backups. Hopefully, 2017 is going to become a game changer in favor of the security industry when it comes to defeating ransomware. 

david balaban

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Leave a Reply