The Week in Ransomware – September 8th 2017 – Locky and Small Releases

We have good news for once, which is a really slow week when it comes to ransomware. While we still had our share of smaller ransomware variants being release, overall there was not a lot of activity. The biggest activity is the continued by Locky distributors to become more widespread through the use of a variety of SPAM campaigns.

Contributors and those who provided new ransomware information and stories this week include: @FourOctets, @jorntvdw, @DanielGallagher, @demonslay335, @campuscodi, @BleepinComputer, @LawrenceAbrams, @Seifreed, @malwareforme, @fwosar, @hexwaxwing, @PolarToffee, @struppigel, @malwrhunterteam, @Plazmaz, and @0xDUDE .

September 4th 2017

Massive Wave of MongoDB Ransom Attacks Makes 26,000 New Victims

Dylan Katz and Victor Gevers discovered a new wave of ransom attacks on MongoDB databases rekindled last week and over the weekend with the emergence of three new groups that hijacked over 26,000 servers, with one group hijacking 22,000.

Nulltica Ransomware Discovered

GData’s Karsten Hahn discovered a new variant of HiddenTear called Nulltica. This ransomware is a bit unique compared to other HiddenTear as it contains code to spread by sending messages to Facebook contacts. This ransomware will append the .locked extension to encrypted files.

Ultimo Ransomware Discovered

Karsten Hahn discovered the Ultimo Ransomware, which is based off of HiddenTear. It also appends the .locked extension to encrypted files.

Variant of the Windows Has Been Banned Locker Discovered

MalwareHunterTeam discovered a new variant of the Your Windows Has Been Banned screenlocker.

GlobeImposter uses the Clinton Extension

Michael Gillespie has found submissions to ID-Ransomware that are for a new GlobeImposter variant that appends the .clinTON extension and uses an email of

Conficker Ransomware Discovered

Michael Gillespie discovered a new ransomware based off of HiddenTear that calls itself Conficker Ransomware and appends the .Saramat extension to encrypted files. This ransomware has not affiliate with the conficker infection.

September 5th 2017

SynAck Ransomware Sees Huge Spike in Activity

Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to victims who sought assistance in the Bleeping Computer ransomware support forums and from submissions to the ID-Ransomware service.

TeamWinLockerWindows Screenlocker.

Karsten Hahn discovered a new screenlocker called TeamWinLockerWindows, which is quite the mouthful. Modifies the HOSTS file and displays fake kernel exception messages.

September 6th 2017

Turkish ApolloLocker Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called ApolloLocker that contains a Turkish ransom note and also acts as a information stealer. This ransomware appends the .locked extension to encrypted files and drops ransom notes named DOSYALARI-KURTAR [num].txt and DOSYALARI-KURTAR [num].url.

Hacked Ransomware Discovered

Lawrence Abrams discovered a new ransomware called Hacked. This ransomware appends the .hacked extension and includes ransom notes in Italian, Turkish, Spanish, and English.

In-Dev FRansomware Discovered

Lawrence Abrams discovered a new in-development ransomware called FRansomware. It currently does not encrypt and only shows the ransom screen.

DilmaLocker Ransomware Discovered

A new ransomware was discovered by Emsisoft security researcher xXToffeeXx that is named after the former President of Brazil. This ransomware is called DilmaLocker and appends the .__dilmaV1 extension to encrypted files and drops a ransom note named RECUPERE_SEUS_ARQUIVOS.html.

September 7th 2017

Signed Version of GlobeImposter Discovered

MalwareHunterTeam discovered a signed variant of GlobeImposter that appends the .f41o1 extension and drops a ransom note named READ_IT.html.

Amnesia Variant Pretends to be WannaCry

MalwareHunterTeam noticed an increase in submissions to ID-Ransomware from an Amnesia variant that is pretending to be WannaCry. This variant appends the .wncry extension to encrypted files.

New GlobeImposter Quickly Released with Cert Revoked

MalwareHunterTeam noticed that a few hours after the previous GlobeImposter, a new variant was released with the cert revoked and appending a new extension,  .4035, to encrypted files.

September 8th 2017

In-Dev ArmaLocky Discovered

Karsten Hahn discovered a new in-dev ransomware that impersonates Locky and appends the .armadilo1 extension to encrypted files.

New Samas Variant Appends .disposed2017

Michael Gillespie found a new SamSam/Samas Ransomware variant that appends the .disposed2017 extension to encrypted files.

That’s it for this week! Hope everyone has a nice weekend!