Specific Ransomware Families and Types

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only. Here are some alternative resources that have been of value, but I’m not monitoring them at this point.

Bleeping Computer has been particularly sound on ransomware. Mainstream anti-malware companies – too many to list – often maintain databases of malware and malware families that include information on ransomware, which still seems to be a major concern, judging from the way the now-suspended ransomware page on this site is still attracting visitors. No More Ransomware partners with many companies as well as organizations such as Europol, and offers links to decryption tools.

David Harley, 15th April 2020

I’m afraid this was never intended to be a complete list of ransomware families: I just couldn’t give it that much time. Which is why there’s often no commentary from me, just one or more links to information to be found elsewhere. Where possible, though, I did attempt to give at least one link to as many families as I could.

[Edited in view of the number of people who are still checking this page, even though I haven’t maintained it in about 18 months. (May 1st 2020)

[May 12th 2018]

This page now includes information on wipers, which often resemble or masquerade as ransomware but are essentially just destructive. Here’s a useful article from Kaspersky Threat Post: Secrets of the Wiper: Inside the World’s Most Destructive Malware.

“Shamoon, Black Energy, Destover, ExPetr/Not Petya and Olympic Destroyer: All of these wiper malwares, and others like them, have a singular purpose of destroying systems and/or data, usually causing great financial and reputational damage to victim companies.”

[May 12th 2016] Ransomware is not a static landscape. One of the reasons I have tried not to oversell the Specific Ransomware Families and Types page is that I can’t guarantee that it’s up to date at all times, even on the limited range of ransomware it covers. In the same way, the information in the Google spreadsheet here may also become outdated, but it does seem to have a number of potential contributors to help maintain it. On the other hand, that might actually mean that it remains partial because it favours the resources with which the contributors are associated, and while I’ve seen it suggested that it covers all ransomware, that’s just wishful thinking.Nonetheless, it could certainly be useful as a starting point when looking for information, but I’d suggest that you don’t assume that it is authoritative.

Some specific families and types are now being linked from sub-pages rather than summarized directly on this page. This is an ongoing process, intended for ease of maintenance.

[If you want to know more about specific ransomware, BleepingComputer is worth trying, as well as other resources such as anti-malware vendor encyclopaedias.]

Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14% – noting that:

2,896 modifications were made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
The ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
Mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

Specific ransomware families and types

‘Educational’ Ransomware

*Included in list of ransomware for which decrypters are available according to ZDnet (not checked, but the sources are reasonably reputable).

777*
7ev3n
Al-Namrood*
Alma
Alpha
AlphaLocker
AndroidLocker/Dogspectus
Android/Lockerpin
Android/Lockdroid.E
Android.Lockscreen
Angler Exploit Kit
AnonPop
Apocalypse*
ApocalypseVM*
Arena – see Dharma/Crysis
Autolocky*
Badblock*
Bad Rabbit – see Petya
Barack Obama Blackmail Virus
Bart*
Bitcrypter/Bitcryptor*
BitLocker
BitPaymer
Black Energy (wiper)
Black Ruby
Blank Slate Campaign
Bluff – fake ransomware attacks
Browlock
BTCWare
Cerber/CRBR (version 1*)
Charger
Chimera*
CoinVault*
Coverton
CRBR – see Cerber
Crowti
CrypBoss*
CryptoBlock
CryptoDefense*
CryptInfinite*
CrypMIC
Crypt38
Crypt888 (see also Mircop)
CryptFile2
Cryptobit
CryptoHitman
CryptoHost (a.k.a. Manamecrypt)
Cryptojoker
Cryptolocker
CryptoMix
CryptoRoger
CryptoWall
CryptXXX
CryptXXX v.1 & 2*
CryptXXX v1, 2, 3, 4, 5*
CryPy
Crysis
CTB-Locker
Cyber.Police
DDoS Extortion and Ransomware a.k.a. Ransom DDoS (RDoS) and DDoS-for-Bitcoin
Death Threat Ransom email
Defray
Delilah
DeriaLock
Destover (wiper)
DetoxCrypto
Deuscrypt/desuCrypt
The Devil (see MBR-ONI – apparently Oni can mean The Devil in Japanese)
Dharma – also, see Crysis
Diablo6 – see Locky
DiskWriter (UselessDisk)
DMA Locker*
DoubleLocker
Doxing as a Service
Doxware
Dridex-related
DXXD
ElGato
ElasticSearch
Empty
Encryptor RAAS
Enigma
Enrume
Erebus
EV (see also WordPress)
Everbe
Evil Santa Ded
ExPetr (wiper) – see Petya
Extortion (generic extortion, not necessarily malware/ransomware)
Fabiansomware*
FairWare
FakeCry [See also WannaCry and Petya]
Faketoken
Fantom
FBI virus
FenixLocker*
FireCrypt
Flocker
Flotera
FLUX: see Ransomware as a Service
FriedEx: see BitPaymer
Frozrlock
Gamma: see Crysis
GandCrab
GhostCtrl (see also OmniRAT)
Gibon
Globe*
GlobeImposter
Goldeneye [see also Petya]
GOLDLOWELL – see SamSam
Goliath
Gomasom*
Hades Locker
Harasom*
HDD Cryptor
Hitler
HolyCrypt
HOSTMAN: see Ransomware as a Service
HPE
HydraCrypt*
Jaff
JapanLocker
JBoss Backdoors
Jigsaw*/CryptoHit
Karmen
Kelihos
KeRanger
KeyBTC*
KillDisk
KimcilWare
Kirk
Koolova
Kovter
Kraken
LeakerLocker
LeChiffre
Lechiffree*
Legion
Lime
Lockdroid
Locker
Locky
LogicLocker
Lokibot
Lukitus (Locky variant)
MacRansom (& MacSpy)
Magic
Magniber
Maktub
Mamba (See HDD Cryptor)
Manamecrypt (a.k.a. CryptoHost)
Marlboro
MarsJoke*
Matrix
MBR-ONI
Mircop*
Mischa
MongoDB hacking
Mysterybot
Nanolocker
Necurs
Nemucod*
njRAT
NOOB
‘Notification’ ransomware
NotPetya (wiper) – see Petya
nRansomware
Nuclear – see BTCWare
Odin
Olympic Destroyer (wiper)
OmniRAT (see also GhostCtril)
ONI (see MBR-ONI)
Operation Global III*
Ordinypt
OSX.FileCoder.E {see Patcher}
OSX.Filezip {see Patcher}
PadCrypt
Patcher
PClock*
PetrWrap (see Petya)
Petya* (and also NotPetya/ExPetr/PetyaWrap etc.)
Philadelphia* [See also Ransomware As A Service]
PHP Ransomware
Polsk – see Flotera
Polyglot – see MarsJoke*
Pompous
Popcorn Time
PornDroid
PoshCoder
PowerWare*
Power Worm
Princess Locker
PUBG
PWSSynch-B
qkG
Quant
RAA
Rakhni & similar*
Rannoh*
RanRan
Ranscam
RansSIRIA
Ransoc
Ransom32
Ransomlock.AT
Ransomware Affiliate Network: see Ransomware as a Service
Ransomware as a Service
Ransomware via RDP
RansomWarrior
Rapid
RDoS – see DDoS
Redboot
RensenWare
Reveton
Reyptson
Rokku
Ryuk
Sage
Samas
SamSam
Sarento
Satan: see also Ransomware as a Service
Satana
Scarab/Scarabey
Serpent
7ev3n
Sextortion
Shade
Shade v1 & 2*
Shamoon (wiper)
Shark
shc – see JapanLocker
Shinigami Locker
ShiOne
Shujin
ShurL0ckr
Simplocker
Slocker
SNSLocker*
Sorebrect
Spora
Spider
Stampado*
Surprise
Svpeng
SynAck
SyncCrypt
SZFlocker
TeamXRat
Tech Support Scams and Ransomware
Teerac
Telecrypt
TeslaCrypt
TeslaCrypt v1, 2, 3, 4*
Tescrypt
Thanatos
Tordow (Android.spy.Tordow)
Towelroot
Troldesh
TrueCrypter
Tyrant
UmbreCrypt*
UselessDisk – see DiskWriter
Vandev*
VinCE [See Tech Support Scams and Ransomware]
Virlock
Viro
Vortex – see Flotera
WannaCryptor (WannaCry, WannaCrypt, wCrypt etc.)
WannaLocker
Wildfire*
Wipers
WordPress (see also EV)
XData
XIAOBA
Xorist*
Xpan
XZZX – see Cryptomix
Ykcol/.YKCOL – see Locky
Zcryptor
Zepto
ZAYKA

‘Educational’ Ransomware

[20th June 2016] David Bisson for Graham Cluley’s blog: Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list – Nothing is nice about this EDA2-based variant.

An article by David Bisson – Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project -looks at the complicated relationship between unequivocal ransomware (Magic, Ransom_Cryptear.B) and open-source ‘educational’ malware (Hidden Tear, EDA2). Not to mention the unfortunate affair of the free-hosting service that suspended the author’s account and deleted the data, so that even the criminal is unable to decrypt affected files now.

A later article by David Bisson describes Ransomware Propagation Tied to TeamViewer Account (UPDATED) for Tripwire. Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems and the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at Teamviewer, is quoted as saying:

…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

More hopefully, Lawrence Abrams describes for Bleeping Computer a not-all-that-common happy ending (at least for the moment): Pompous Ransomware Dev Gets Defeated by Backdoor.

The story concerns a scammer who borrowed the open-source EDA2 ransomware on which to base his ransomware, took advantage of the opportunity to lecture his victims while assuming bragging rights to which he was not entitled, since a backdoor in EDA2 allowed recovery of the decryption keys. Unfortunately, some of his victims have already paid the ransom for their particular decryption keys.

Cylance indicates that AlphaLocker (see below) is based on EDA2.

Alma

Lawrence Abrams for Bleeping Computer: New Alma Locker Ransomware being distributed via the RIG Exploit Kit

Analysis by PhishLabs: Alma Ransomware: Analysis of a New Ransomware Threat (and a decrypter!)

Al-Namrood

Al-Namrood Ransomware (.access_denied) Support & Help Topic

Alpha

David Bisson for Graham Cluley’s blog: How to recover from an Alpha ransomware attackDo your files have the .ENCRYPT extension? You may have been hit by the Alpha ransomware.

Lawrence Abrams for Bleeping Computer: Decrypted: Alpha Ransomware accepts iTunes Gift Cards as Payment

A free decryptor is available.

Catalin Cimpanu for Softpedia: Decrypter for Alpha Ransomware Lets Victims Recover Files for Free

AlphaLocker

Analysis by Cylance of ransomware of which a unique copy plus administrative panel is sold (very cheaply) to each customer, who then manages the rest of the attack himself. (HT to Artem Baranov for flagging the article.)

Commentary by Kaspersky: Criminals Peddling Affordable AlphaLocker Ransomware

Android.Locker/Dogspectus

Android/Lockerpin

Aggressive Android ransomware spreading in the USA

Android.Lockdroid.E

Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining access rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.

Commentary by Pierluigi Paganini here.

Commentary by The Register here: Two-thirds of Android users vulnerable to web history sniff ransomware – Crooks want you to pay up on pain of severe embarrassment – and more

Android.Lockscreen

September 29th 2016

Older versions of screenlockers often labelled Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

SYMANTEC’S ARTICLE: ANDROID.LOCKSCREEN RANSOMWARE NOW USING PSEUDORANDOM NUMBERS – THE LATEST ANDROID.LOCKSCREEN VARIANTS ARE USING NEW TECHNIQUES TO IMPROVE THEIR CHANCES OF OBTAINING RANSOM MONEY.

COMMENTARY BY DAVID BISSON FOR TRIPWIRE.

Angler Exploit Kit

[23rd June 2016]

Joseph C. Chen for TrendLabs: After Angler: Shift in Exploit Kit Landscape and New Crytpo-Ransomware Activity. Interesting figures on a number of exploit kits.

[20th June 2016]: Is Angler EK Sleeping with the Fishes? Neutrino exploit kit now distributing most CryptXXX

Neat summary by Paul Ducklin for Sophos: Angler exploit kit rings in 2016 with CryptoWall ransomware. Also noted in the Cryptowall section below.

Angler takes a lead role in an article by Graham Cluley for Tripwire: Crypto-ransomware Spreads via Poisoned Ads on Major Websites

ArsTechnica report

Malwarebytes report

[19th April 2016] Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222.

AnonPop

[August 1st 2016]

Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living, Explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms.” Citing the Talos blog here.

ApocalypseVM

Decryptor made available by Emsisoft: Emsisoft Decrypter for ApocalypseVM. VMProtect was used in the vain hope of preventing security researchers from reverse-engineering this variant. For some reason, this story came back to life six months after the Bleeping Computer Story, in January 2017.

Two decrypters from AVG for different versions.

Arena

[1st September 2017]

Bleeping Computer reports a CryptoMix version that also uses the ‘Arena’ file suffix: New Arena CryptoMix Ransomware Variant Released. Lawrence Abrams says:

The easiest way to tell the difference between the CryptoMix and Crysis variants, is that the CryptoMix variant will turn the filenames into a hexadecimal strings…

[25th August 2017]

Apparently related to Dharma/Crysis. ESET calls it Filecoder.Crysis. No reliable decryption and recovery at present. Minimal analysis here.

AutoLocky

[16th April 2016] Emsisoft gives a brief description of ransomware written in AutoIt that imitates Locky, but not very well, apparently. At any rate, Emsisoft also offers a decrypter.

Emsisoft Decrypter for AutoLocky

More description and commentary from David Bisson for Graham Cluley’s blog: Decryption tool released for Locky ransomware impersonator – AutoLocky ransomware has a “laughable” flaw

Bleeping Computer: AutoLocky

BadBlock

Laurence Abrams describes this horrible piece of scumware here: the decryptor by Fabian Wosar of Emsisoft can be downloaded from here, but Abrams gives detailed instructions on the process.

Decrypter from AVG

Barack Obama Blackmail Virus

Bleeping Computer: Barack Obama’s Blackmail Virus Ransomware Only Encrypts .EXE Files – “It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid. ”

Bart

The Register: Eat my reports! Bart ransomware slips into PCs via .zip’d JavaScript – ¡Ay caramba!

David Bisson: Bart ransomware takes files hostage by hiding them in password-protected ZIP files – What’s Locky ransomware got to do with it? Lots!

22nd July 2016: Zeljka Zorz reports that Bart ransomware victims get free decryptor. The decryptor is the work of AVG’s Jakub Kroustek and available for download. In order to generate the key the decryptor has to have access to one of the original files as well as its encrypted version.

See also under Jaff.

Droidjack

David Bisson for Graham Cluley’s blog (again): Pokémon Go for Windows? Beware ransomware! Pokémaniacs at risk.

DXXD

David Bisson for Graham Cluley’s blog: Decrypt THIS! Ransomware dev taunts security researchers in support forum – DXXD doesn’t display a ransom note like other ransomware…

ElasticSearch

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

ElGato

Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.

I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato

Empty

[29th August 2017]

The Merkle: CryptoMix Ransomware Developers Struggle to Keep Their Creation Relevant

[25th August 2017]

Bleeping Computer: New EMPTY CryptoMix Ransomware Variant Released

Encryptor RAAS

TrendLabs: The Rise and Fall of Encryptor RaaS

Enigma

Information from Bleeping Computer on Enigma (the ransomware, not the WW2 machine): The Enigma Ransomware targets Russian Speaking Users. While it appears to try to delete Shadow Volume Copies, it seems it doesn’t always succeed: if this is the case for you, this may help.

Enrume

Microsoft: Enrume

Erebus

Graham Cluley for ESET: Web-hosting firm agrees to pay over $1 million to ransomware extortionists [20-6-2017]

Erebus Ransomware Bypasses UAC for Privilege Elevation

EV (WordPress)

[18th August 2017]

Ransomware targeting WordPress sites

WordFence, which offers a security plugin for WordPress sites, reports on Ransomware Targeting WordPress – An Emerging Threat, claiming to have ‘captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.’

I hope the company won’t mind my quoting this important paragraph:

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

Commentary by HelpNet Security here: EV ransomware is targeting WordPress sites

Everbe

Pierluigi Paganini – Experts released a free decryptor for Everbe Ransomware

Evil Santa Ded Crypto

David Bisson for Graham Cluley’s blog: Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list – Nothing is nice about this EDA2-based variant.

Extortion (not necessarily directly malware/ransomware)

13th October 2018

David Bisson for Tripwire: New Sextortionist Scam Uses Email Spoofing Attack to Trick Users – “As reported by Bleeping Computer, an attack email belonging to this ploy attempts to lure in a user with the subject line “[email address] + 48 hours to pay,” where [email address] is their actual email address.”

In the Bleeping Computer article, Lawrence Abrams says: “In the past, the sextortion emails would just include a target’s password that the attackers found from a data breach dump in order to scare the victim into thinking that the threats were real. Now the scammers are also pretending to have access to the target’s email account by spoofing the sender of the scam email to be the same email as the victim.”

Originally published on Chainmailcheck, but reproduced here with some additional commentary.

Here’s an interesting article by Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

[Commentary from Sophos here.]

Additional commentary from me for an internal ESET article:

In a related *thread on Reddit, one comment indicated that there have also been attempts to log on to accounts associated with the same user using the leaked password, which I’d say amounts to a good reason for:

(a) Not using the same password across multiple accounts in general (though some people use a ‘throwaway’ password on ‘throwaway’ accounts where a later breach wouldn’t actually matter).

(b) Checking other accounts where you might have duplicated a password. It’s perfectly possible in such a case that the password is no longer current on the email account where the extortion mail was received, but not on other accounts, perhaps used less often.

One slightly disturbing feature of that Reddit thread is that it was sparked by an extortionate email to an admin account where the password given by the scammer was still current. Fortunately, the company concerned seems to have taken appropriate actions on seeing the email, but it’s a salutary reminder that administrators are not always any better at routine security measures than the rest of us.

*Hat tip to Aryeh Goretsky for bringing it to my attention.

Also: Bruce P. Burrell for ESET: I saw what you did…or did I?
“It might seem legit but there are several reasons why you should not always hit the panic button when someone claims to have your email password”

ArsTechnica: All of Mugshots.com’s alleged co-owners arrested on extortion charges

Graham Cluley: Sex extortion emails now quoting part of their victim’s phone number Why only part of the number? Graham puts forward a couple of ideas that have been suggested.
Along the same lines, Lawrence Abrams reports for Bleeping Computer: New Hacked Phone + Partial Number Extortion Emails Making a Lot of Money
Didier Stevens for the Internet Storm Center: New Extortion Tricks: Now Including Your (Partial) Phone Number!

Brian Krebs: Who’s Behind the Screencam Extortion Scam? (26th August 2018) Not that he really knows, but interesting theorizing/research.

[18th August 2018]

John Leyden for The Register: Sextortion scum armed with leaked credentials are persistent pests – “If you’re going to batter 8,497 folk with over 60,000 threats, odds are someone will crack”

FairWare

Reported on Bleeping Computer here.

Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible

FakeCry

The Register: Cha-ching! NotPetya hackers cash out – but victims won’t ever see that data again – Plus, bonus ransomware strain found in bottom of source code. [John Leyden reported that ‘A new analysis by Kaspersky Lab reports that:

NotPetya was not the only ransomware pushed through the trojanised M.E.Doc update. Unpacking the source code reveals that the project’s name was “WannaCry” and that it pretends to be “made in China”. These factors have prompted Kaspersky Lab researchers to dub the malware “FakeCry”.’

Faketoken

Romain Unuchek for SecureList: The banker that encrypted files

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. In Lucian’s article he links to a September article by Anton Kivva on Tordow (see below), not to the one he quotes by Romain Unuchek (as above) on Trojan-Banker.AndroidOS.Faketoken. I’ve messaged him, so that may have changed by the time you read this. [Or not…]

Commentary by Richard Chirgwin for the Register: Bad news, fandroids: Mobile banking malware now encrypts files – First Faketoken stole credentials, now it holds data to ransom

Fantom

Kaspersky: Fantom ransomware poses as Windows Update

The FBI Virus

A misnomer. It isn’t a single threat, it isn’t a virus, and while it does attempt to pass itself off as an action taken on behalf of a law enforcement agency imposing a fine on the victim for viewing pornography or using pirated software, the FBI is by no means the only agency whose name is taken in vain. It’s seen across a variety of systems, and historically has often relied on tricking the user into thinking the system is locked rather than seriously disrupting or blocking the use of the system, so that recovery can sometimes be effected by quite simple means like the steps described here. However, the social engineering component (fake ‘policeware’) of the attack is increasingly seen used in quite different threats that are less easily dealt with, such as Lockerpin. See also Flocker.

FireCrypt

Analysis by MalwareHunter and Bleeping Computer: FireCrypt Ransomware Comes With a DDoS Component. There are similarities with the Deadly for a Good Purpose ransomware.

Flocker

Flotera

Catalin Cimpanu for Bleeping Computer: Author of Polski, Vortex, and Flotera Ransomware Families Arrested in Poland. “Authorities were able to recover data from the suspect’s laptop and remote servers, including encryption keys. Polish police are now encouraging victims of the Polski, Vortex, and Flotera ransomware families to file official complaints with local authorities so they can receive a decryption key for their files.”

FriedEX – see BitPaymer

Frozrlock

[13th May 2017]

David Bisson for Graham Cluley’s blog: A ‘great security tool’ that encrypts files? Think again! It’s ransomware – A license for FrozrLock isn’t all that expensive, either…

Fusob

Tom Spring for Kaspersky: SVPENG BEHIND A SPIKE IN MOBILE RANSOMWARE. In Ransomware in 2016-2017 “In its analysis, Kaspersky Lab singled out two malware families, Svpeng and Fusob, as dominating the mobile ransomware space.”

GandCrab

[Added 17th November 2018]

The Register: Nice work if you can get it: GandCrab ransomware nets millions even though it has been broken – “”Considering the lowest ransom note is $600 and almost half of infected victims give in to ransomware, the developers might have made at least $300m in the past couple of months alone,” says BitDefender’s Liviu Arsene.”

[Added 25th October 2018]

ESET releases new decryptor for Syrian victims of GandCrab ransomware – https://www.welivesecurity.com/2018/10/25/eset-releases-new-decryptor-syrian-victims-gandcrab-ransomware/

[Added 19th October 2018]

Bleeping Computer: GandCrab Devs Release Decryption Keys for Syrian Victims – “After seeing this tweet, the GandCrab developers posted on a forum that they have released the keys for all Syrian victims. They also stated that it was a mistake that Syria was not added to the original list of countries that GandCrab would not encrypt, but did not say if they would be added going forward.”

[Added 28th September 2018]

Zeljka Zorz for Help Net: Phorpiex bots target remote access servers to deliver ransomware – “Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers, SecurityScorecard researchers are warning.”

[Added 22nd August 2018]

Trend Micro: .EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users Apparently the otherwise obscure .EGG file compression format is widely used in South Korea.

Commentary by Graham Cluley: Rotten EGGs spread ransomware in South Korea – “RANSOMWARE CHANGES FILE EXTENSION TO .KRAB.”

Commentary by David Bisson for Tripwire: Spam Campaign Targeting South Korean Users With GandCrab v4.3 Ransomware

[Added 22nd July 2018]

Catalin Cimpanu for Bleeping Computer: Vaccine Available for GandCrab Ransomware v4.1.2 Cimpanu reckons that “The GandCrab ransomware has slowly become the most widespread ransomware strain in use today.” At the moment Ahnlab’s vaccine app only works with version 4.1.2 of GandCrab, but Cimpanu suggests that it might be backported. The app can be downloaded from here or here.

[Added 11th July 2018]

John Leyden for The Register: Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

[Added 1st March 2018]

BitDefender: GandCrab Ransomware decryption tool

[Added 28th February 2018]

John Leyden for The Register: Got that itchy GandCrab feeling? Ransomware decryptor offers relief – Claw back your stuff without paying asshat for pricey cracker

GhostCtrl

Catalin Cimpanu: GhostCtrl Is an Android RAT That Also Doubles as Ransomware

… can lock mobile device by resetting their PIN and display a ransom note to infected victims.

These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections…

…according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT … that can target four major operating systems: Android, Linux, macOS, and Windows.

Trend Micro report cited by Cimpanu.

Gibon

[6th November 2017]

Bleeping Computer: GIBON Ransomware Being Sold on Underground Criminal Forums; and earlier (and including link to decrypter) GIBON Ransomware Being Distributued [sic] by Malspam

Pierluigi Paganini: The GIBON Ransomware appears in the threat landscape

Globe

Lawrence Abrams for Bleeping Computer: The Globe Ransomware wants to Purge your Files

GlobeImposter

Bleeping Computer discussion: GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext – !back_files!.html )

Goldeneye [see also Petya]

[July 7 2017]

Malwarebytes: The key to old Petya versions has been published by the malware author. Won’t help people/organizations affected by NotPetya/EternalPetya or whatever your name of choice is, but may be good news for victims of Petya/Goldeneye if they’ve retained disk images.

Earlier…

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software.

Paul Ducklin for Sophos: Goldeneye ransomware: the resumé that scrambles your computer twice

Malwarebytes: Goldeneye Ransomware – the Petya/Mischa combo rebranded

Added 5th January 2016:

Meanwhile, the Petya-derived GoldenEye has been targeting German-speaking HR departments as a way into the lucrative corporate ransomware market. According to Checkpoint:

The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros unbeknown to the receiver.

Not a novel approach, but it’s worked well for other types of malware (including Cerber), and I see no reason why it shouldn’t be effective this time, even though (as David Bisson points out):

While those in HR should expect to receive emails from all kinds of people, they shouldn’t give anyone who sends a Microsoft Office document with macros enabled the time of day. In fact, organizations should make sure that every computer in every department disables Office macros by default.

Goliath

May 19th, 2016.

Lawrence Abrams for Bleeping Computer: Goliath Ransomware for sale on Dark Web – Linked to Jigsaw?
David Bisson for Graham Cluley’s blog: Ransomware for sale on nonsensical dark web malware site”Everyone knows Locky! Time has come, new ransomare is arrived. Goliath is sell here”.

Hades Locker

Proofpoint: Hades Locker Ransomware Mimics Locky

HDD Cryptor

Kaspersky: The return of Mamba ransomware

Trend Micro Analysis: BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs

Brian Krebs: San Francisco Rail System Hacker Hacked

Ars Technica: Ransomware locks up San Francisco public transportation ticket machines – Some systems now restored; attacker demanded $73,000.

Hitler

For once, an article about Hitler that doesn’t invoke Godwin’s law…

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

HolyCrypt

Lawrence Abrams for Bleeping Computer: New Python ransomware called HolyCrypt Discovered. The sample analysed by AVG’s Jakub Kroustek ‘appears to be a development version used by the malware developer to test the ransomware.’

HPE

Bleeping Computer: Ransomware Hits HPE iLO Remote Management Interfaces “Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. ”

Jaff

Some sources link the WannaCryptor outbreak with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSIsoft. Commentary by The Register.

Apparently Kaspersky’s RakhniDecryptor tool v.1.21.2.1 now decrypts Jaff-encrypted files.

JapanLocker

For Fortinet, Artem Semenchenko and Joie Salvio examine the resemblances between ‘JapanLocker’ and the surprisingly similar open-source ransomware ‘shc’.

“JapanLocker”: An Excavation to its Indonesian Roots

JBoss Backdoors [18th April 2016]

Alexander Chiu for Talos looks hard at the JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chui observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

Jigsaw/CryptoHitMan

Karmen

[18th April 2017]

Ransomware-as-a-Service derived from Hidden Tear, sold by DevBitox on the dark web.

Analysis by Recorded Future: Karmen Ransomware Variant Introduced by Russian Hacker

Recorded Future on Hidden Tear

Commentary by John Leyden for The Register: Profit with just one infection! Crook sells ransomware for – Nifty dashboard shows the bitcoin rolling in

Kelihos

KeRanger

[15th February 2017] Sophos: RSA 2017: Deconstructing macOS ransomware

[14th April 2016] F-Secure’s Mikko Hypponen believes that Keranger’s is a forerunner of ransomware targeting not only local files but backups stored on network-attached and in-the-Cloud devices. In-the-cloud? Techrepublic states:

However, analysis of KeRanger also revealed work-in-progress code intended to also scramble files backed-up to attached storage via OS X’s Time Machine service.

Palo Alto reported on March 6th that New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer: they believe this to be ‘the first fully functional ransomware seen on the OS X platform.’ At any rate, it looks like a capable piece of malware. According to fortune.com, Palo Alto plans ‘to release a blog advising Mac users on ways to check to see if they were infected with the virus and steps they can take to protect against it harming their data’. [Updated 7th March 2016: additional commentary by Graham Cluley for Intego – Mac Users Hit by Rare Ransomware Attack, Spread via Transmission BitTorrent App – and Darren Pauli for The Register – First working Apple Mac ransomware infects Transmission BitTorrent app downloads: If you downloaded 2.90, you’ve got a few hours to get rid of it.] Bleeping Computer: KeRanger. Analysis by ESET: New Mac ransomware appears: KeRanger, spread via Transmission app

(Yes, this is duplicated in the OS X section above, for the moment: also commented on in some Mac Virus articles.)

Help Net Security has published some comments it has received from the industry on KeRanger: specifically from Aviv Raff of Seculert, Van Abernethy of NSFOCUS IB, and David Kennerley of Webroot. Mostly the sort of advice you’d expect to get from people in the security industry. Reactions to the KeRanger ransomware for Macs

According to a blog article from Bitdefender, KeRanger ‘looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016.’ Commentary from John Leyden for The Register: First Mac OS X ransomware actually a rewrite of Linux file scrambler – Gatekeeper nutmegged using dodgy cert.

KillDisk

[3rd April 2018] Peter Kálnai and Anton Cherepanov for ESET: Lazarus KillDisks Central American casino – “The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets.”

CyberX reports that KillDisk, already associated with cybersabotage, is now also being used as a basis for ransomware, demanding a hefty 222 bitcoin in ransom.

NEW KILLDISK MALWARE BRINGS RANSOMWARE INTO INDUSTRIAL DOMAIN

Commentary by Catalin Cimpanu for Bleeping Computer: KillDisk Disk-Wiping Malware Adds Ransomware Component.

Commentary by David Bisson for Tripwire: KillDisk Wiper Malware Evolves into Ransomware.

Added 5th January 2017:

For ESET, Robert Lipovsky and Peter Kálnai have more information on KillDisk’s recent foray into ransomware: KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt.

They summarize:

The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations. Considering the high ransom of around USD 250,000 – resulting in a low probability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient way of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.

Analyses by McAfee [added 14th February 2017]: Analyzing KillDisk Ransomware, Part 1: Whitelisting; Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

KimcilWare

Bleeping Computer: KimcilWare

Kirk

Lawrence Abrams for Bleeping Computer: Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor!

David Bisson for Graham Cluley’s blog: Kirk ransomware sports Star Trek-themed decryptor and little-known crypto-currency – “It’s ransomware, Jim, but not as we know it!”

Koolova

Perhaps the oddest thing to pop up recently is the Koolova ransomware (which refers to itself as Nice Jigsaw): it encrypts files and threatens to delete them, but supplies a decryption key once the victim has read two articles: Google’s Stay safe while browsing and Bleeping Computer’s Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

Lawrence Abrams: Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware. Commentary by Graham Cluley for Tripwire: Ransomware Offers Free Decryption if you Learn About Cybersecurity.

I have to agree with Abrams that there’s something creepy (to say the least) about this. But not only because it cites one of his own articles. Even though the ‘ransom’ isn’t monetary, there are less offensive ways in which someone could make that ‘educational’ point without compromising someone else’s data and without the barely-concealed gloating because of the power they have over the victim but choose not to exercise. And I find it hard to believe that the people behind this are always going to be so ‘nice’. Are they priming the pump for a different kind of attack?

Kovter

Jai Vijayan for Dark Reading: New Kovter Trojan Variant Spreading Via Targeted Email Campaign – The authors of a malware sample that has been around for more than two years have yet another trick for distributing it.

[Older content]

Fake IRS refund carries Kovter ransomware downloader

To be precise, the ZIP file distributed by the spam campaign activates Powershell to download a Kovter payload delivering ransomware. The secondary payload is CoreBOT, a highly adaptive form of modular malware.

According to Heimdal’s Andrea Zaharia, the spam message looks something like this:

From: [spoofed / fake return address]

Subject Line: Payment for tax refund # 00 [6 random numbers]

Attached:
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js

Heimdal analysis: Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign

Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware

Check Point [19th April 2016]: KOVTER RANSOMWARE – THE EVOLUTION: From Police Scareware to Click Frauds and then to Ransomware

An article by Reaqta explores the relationship between Kovter and Nemucod: Nemucod meets 7-Zip to launch ransomware attacks

Kraken

David Bisson for Tripwire: Kraken Ransomware Now Being Distributed by Fallout Exploit Kit

LeakerLocker

[1st August 2017]

Trend Micro: LeakerLocker Mobile Ransomware Threatens to Expose User Information

[13th July 2017]

David Bisson for Graham Cluley’s blog: LeakerLocker ransomware threatens to dox Android users as extortion – Digital threat spotted in two apps on Google’s Play Store.

LeChiffre

Malwarebytes: LeChiffre

Legion

Decrypter from AVG

Lime

Zscaler: njRAT pushes Lime ransomware and Bitcoin wallet stealer

Lockdroid

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone. [23rd February 2017]

Locker

An internal discussion regarding the closing down of TeslaCrypt reminded me that it’s not the first time that ransomware has been closed down with some measure of apology and remediation. On the 30th May 2016, a post appeared on Pastebin announcing that:

I am the author of the Locker ransomware and I’m very sorry about that has happened. It was never my intention to release this.

I uploaded the database to mega.co.nz containing “bitcoin address, public key, private key” as CSV. This is a dump of the complete database and most of the keys weren’t even used…

The poster went on to give a variety of information about the malware.

Locky (see also Jaff)

Lukitus

[September 1st 2017]

Zeljka Zorz for HelpNet: Locky ransomware returns with new tricks up its sleeve

[August 30th 2017]

Malware Breakdown: “IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

LogicLocker

14th February 2017:

An ICS attack – or rather a PoC simulation – from Georgia Institute of Technology, making a big splash at RSA.

David Bisson for Tripwire: New Proof-of-Concept Ransomware Can Target PLCs at Industrial Sites
Original Georgia Institute of Technology paper: Out of Control: Ransomware for Industrial Control Systems. “In this work, we develop the first known version of ransomware that targets programmable logic controllers, discuss the economic implications of such an attack, and lay out a generic framework for ICS ransomware to aid in future study and defenses. “
Eduard Kovacs for SecurityWeek: Simulation Shows Threat of Ransomware Attacks on ICS
Nextgov article on the demonstration at RSA 2017: WATER TREATMENT PLANT HACK KICKS OFF RSA CONFERENCE. I can’t help thinking this is more about tying a spectacular demonstration of an (admittedly worrying) possible ICS attack to the scare story du jour, rather than an inevitable next step in ransomware and extortion. But I can’t say it isn’t going to happen. Especially now the possibility has been aired so publicly.

LokiBot

David Bisson for Tripwire: LokiBot Banking Malware Triggers Ransomware if User Tries to Remove It

MacRansom (& MacSpy)

MacSpy isn’t ransomware, but seems to have been developed by the same author, and both are offered as as-a-service malware.

Zeljka Zorz for HelpNet Security: Two Mac malware-as-a-Service offerings uncovered. According to HelpNet ‘Patric Wardle’s RansomWhere? tool can also stop MacRansomware from doing any damage.’

Rommel Joven and Wayne Chin Yick Low, for Fortinet: MacRansom: Offered as Ransomware as a Service

Sophos: More evidence Mac ransomware exists

Fortinet notes that “Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file…”

AlienVault: MacSpy: OS X RAT as a Service

Magic

Bleeping Computer: Magic

Magniber

Malwarebytes: Magniber ransomware: exclusively for South Koreans

Magnitude Exploit Kit

[3rd August 2017]

Jérôme Segura for Malwarebytes: Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain. Magnitude ‘is mainly used to deliver the Cerber ransomware to specific countries in Asia.’ Interesting techniques.

Maktub

[14th April 2016] Paul Ducklin, for Sophos: The ransomware attack that knows where you live

[24th March, 2016] Hasherazade for Malwarebytes: Maktub Locker – Beautiful And Dangerous

[23rd March 2016] Lawrence Abrams for Bleeping Computer: The Art of the Maktub Locker Ransomware

Mamba

See HDD Cryptor

Manamecrypt (a.k.a. Cryptohost)

Marlboro

Catalin Cimpanu for Bleeping Computer: Marlboro Ransomware Defeated in One Day

Emsisoft’s decryptor. However, due to the bugginess of the malware, Fabian Wosinar, who created the decryptor, notes that:

“…the malware will truncate up to the last 7 bytes from files it encrypts,” the researcher said. “It is, unfortunately, impossible for the decrypter to reconstruct these bytes.”

MarsJoke

Proofpoint: MarsJoke Ransomware Mimics CTB-Locker

Kaspersky: MARSJOKE RANSOMWARE TARGETS .EDU, .GOV AGENCIES

Kaspersky: RESEARCHERS BREAK MARSJOKE RANSOMWARE ENCRYPTION

Commentary by SC Magazine: Multilingual ransomware Polyglot talks good game, but can’t match CTB-Locker

Matrix

Pierluigi Pagannini: Matrix Ransomware being distributed through malvertising. Based on inf o from Malwarebytes:

“Security expert Jérôme Segura from Malwarebytes has spotted that Matrix Ransomware has risen again, it is now being distributed through malvertising.”

I feel very old: I can remember a time when Matrix (or MTX) referred to very different malware…

MBR-ONI

John Leyden for The Register: Bootkit ransomware baddy hops down BadRabbit hole in Japan – Spirited away…

‘MBR-ONI, a new bootkit ransomware, relies on modified version of a legitimate open-source disk encryption utility called DiskCryptor for its encryption routines – the same tool abused by the Bad Rabbit ransomware last week….Cybereason reckons the malware strains are being used as destructive wipers meant to cover up evidence of targeted attacks against Japanese companies.’

Pierluigi Paganini: MBR-ONI ransomware involved in targeted attacks against Japanese organizations

Infosecurity Magazine: The Devil Targets Japan with Bad Rabbit-like Wiper-Ransomware

Mircop

TrendLabs: MIRCOP Crypto-Ransomware Channels Guy Fawkes, Claims To Be The Victim Instead. Some victim… demanding a ransom of 48.48 bitcoins.

Decrypter from AVG

Mischa

[24th October 2016]

MBRfiler is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

Summary by David Bisson, for FightRansomware.com.
Report of testing the utility against Satana, Petya, and Petya/Mischa by Lawrence Abrams for Bleeping Computer

[May 14th 2016] Lawrence Abrams for Bleeping Computer: Petya is back and with a friend named Mischa Ransomware. If a new installer for Petya is unable to gain the admin privileges it needs to modify the Master Boot Record (MBR), it now installs the more conventional Mischa ransomware instead. See also MISCHA RANSOMWARE Support and Help Topic – YOUR_FILES_ARE_ENCRYPTED.HTML & TXT.

July 31st 2016

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

MongoDB

Following reports of tens of thousands of MongoDB database installations attacked with ransomware, the maker published advice on how to avoid unsafe defaults. Thomas Claburn for The Register (11th January 2017):

How to secure MongoDB – because it isn’t by default and thousands of DBs are being hacked – Stop right now and make sure you’ve configured it correctly

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

Mysterybot

Bleeping Computer: New MysteryBot Android Malware Packs a Banking Trojan, Keylogger, and Ransomware

NanoLocker

Bleeping Computer: NanoLocker

Necurs

The AVIEN Portal

Portal project for AVIEN, formerly the Anti-Virus Information Exchange Network

Specific Ransomware Families and Types

Share this: