Remove PClock Cryptolocker Ransomware and Decrypt Encrypted Files

This is a comprehensive report on ransomware-related events covering the timeframe of January 2017 through June 2018. The incidents are broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead of having to collect data from multiple different sources. SAMAS RANSOMWARE UPDATED The extension being appended is .

NEW SAMPLE CALLED FIRSTRANSOMWARE The executable is firstransomware. RED ALERT RANSOMWARE SPOTTED A derivative of the open source Hidden Tear Offline ransomware. N-SPLITTER USING RUSSIAN FILE EXTENSION Another Hidden Tear spinoff. NEW EDA2 POC SPINOFF EXPOSED Brand-new sample based on EDA2 proof of concept ransomware. Extension and the name are a match. 2 BTC to return hostage databases.


ROBOT SERIES THEMED INFECTIONS ON THE RISE A group of crooks calling themselves FSociety have been busy coining multiple screen lockers and crypto ransomware samples. MERRY X-MAS RANSOMWARE DISCOVERED Uses the .RARE1 file extension and creates YOUR_FILES_ARE_DEAD. TIES BETWEEN PSEUDO-DARKLEECH AND RANSOMWARE The pseudo-Darkleech cybercrime network was found to be responsible for multiple ransomware campaigns in 2016. GLOBE V3 DECRYPTED Emsisoft’s Fabian Wosar cracks Globe ransomware version 3, which uses the . FIRECRYPT THREAT EQUIPPED WITH DDOS FEATURE Appends the . Also crams up the HDD with junk files.


NEW LEGISLATION ON RANSOMWARE TAKES EFFECT A law passed in California defines ransomware distribution as a standalone felony rather than part of money laundering schemes. KILLDISK RANSOMWARE ENHANCED Now attacks Linux machines along with ones running Windows. Separate files for encryptor, live chat and TOR. SKYNAME RANSOMWARE IS UNDERWAY In-development Hidden Tear POC spinoff.

NEW VIRUS PUSHING RANSOMWARE INTRICATELY Researchers discovered malicious code adding multiple desktop shortcuts that, once clicked, execute ransomware. YET ANOTHER HIDDEN TEAR DERIVATIVE SPOTTED Concatenates the . Goes equipped with a remote shell. THE ENLIGHTENING OCELOT RANSOMWARE The sample called Ocelot Locker is instructive because it doesn’t do crypto and instead demonstrates how bad a real attack can be. MONGODB APOCALYPSE STATS REVEALED The number of online-accessible MongoDB databases hit by the MongoDB Apocalypse ransomware reaches a whopping 10,000. UK SCHOOL STAFF SOCIAL-ENGINEERED Malefactors pretending to be government officials cold-call schools in the United Kingdom, duping staff into installing ransomware.

VBRANSOM 7 RANSOMWARE DISCOVERED Written in Visual Basic .NET, this strain uses the . It’s in-dev and doesn’t do actual crypto at this point. MONGODB APOCALYPSE CAMPAIGN GETS WORSE Since the Kraken cybercrime ring stepped in, the number of ransomed MongoDB databases has risen to 28,000. RANSOMEER STRAIN IS UNDERWAY A new Ransomeer sample is being developed. 3169 BTC and provide a 48-hour payment deadline.

SPORA RANSOMWARE DISCOVERED The new Spora ransomware can operate offline, features unbreakable encryption and a professionally tailored payment service. MERRY X-MAS STRAIN DECRYPTED Emsisoft releases a decryptor for the Merry X-Mas ransomware, which appends . NEW MARLBORO RANSOMWARE SURFACES Arrives with spam, concatenates the . MARLBORO RANSOMWARE DEFEATED Having looked into the code of the Marlboro ransomware, Emsisoft’s Fabian Wosar creates a decrypt tool in less than a day.


Fails to encode data due to a flaw in its crypto implementation. SAMSAM RANSOMWARE UPDATE Appends the . CERBER RANSOMWARE TWEAK TAKES EFFECT A new edition of Cerber leaves ransom notes called _HELP_HELP_HELP_. CERBER AND SPORA SHARE DISTRIBUTION INFRASTRUCTURE Threat actors in charge of the Spora ransomware campaign were found to use the same proliferation sites as Cerber. CANCER SERVICES ORGANIZATION HIT BY RANSOMWARE A cancer services agency in Indiana, U.S. CRIMINALS CAPITALIZE ON DATABASE VULNERABILITIES Unidentified cybercrime rings hijack Hadoop and CouchDB databases, erasing data or demanding ransoms for recovery. SPORA TURNS OUT TO HAVE WORM-LIKE PROPERTIES The sophisticated Spora ransomware leverages an infection vector relying on .LNK files, so it may act as a shortcut worm. MERRY X-MAS RANSOMWARE DECRYPTOR UPDATE Emsisoft’s Fabian Wosar adjusts his decryptor for the Merry X-Mas ransomware, which can now decode . LOCKY ENFEEBLED WHILE NECURS BOTNET IS OFFLINE Analysts see a drastic decrease in spam spreading the Locky ransomware during a temporary inactivity of the Necurs botnet. NEW SAMPLE TARGETING BRAZILIAN USERS Uses the .


CERBER’S RANSOM NOTES CHANGED AGAIN As part of another tweak, Cerber ransomware has started to drop _HOW_TO_DECRYPT__. NEW ANDROID TROJAN HITTING RUSSIAN USERS The Russian language Android ransomware locks a device’s screen and instructs the user to hand over their credit card details. SATAN RANSOMWARE AS A SERVICE GOES LIVE The RaaS allows crooks to build their custom version of Satan, which uses . NEW TURKISH RANSOM TROJAN BEING CREATED The in-dev ransomware is supposed to target Turkish victims and append encrypted files with the .

CRYPTOSHADOW STRAIN IS UNDERWAY Based on the Hidden Tear POC. GLOBEIMPOSTER DECRYPTOR UPDATED Emsisoft updates the decryptor to support the variant that uses . DNRANSOMWARE ISN’T THAT BAD A new strain called DNRansomware uses the . RANSOMWARE TWEAK Uses the same source code as DNRansomware.

0 STRAIN IS UNDERWAY Created by the same crooks as those behind Cerber, Locky and Spora. NEW SAMAS RANSOMWARE VERSION RELEASED Appends the . JIGSAW RANSOMWARE UPDATED Concatenates the . Expert-made free decryptor already supports this variant.

NEW CRYPTOMIX VARIANT SPOTTED Uses the . SPORA RANSOMWARE DISTRIBUTION EXPANDS While the Spora ransomware originally proliferated in Eastern Europe only, it starts targeting victims around the globe. RUSSIANROULETTE RANSOMWARE SURFACES A spinoff of the Philadelphia strain. VXLOCK RANSOMWARE LINEAGE APPEARS The name of this new crypto ransomware family stems from the .Lock extension being appended to scrambled files. NEW POTATO RANSOMWARE RELEASED Concatenates the . ONE MORE POLICE DEPARTMENT HIT BY RANSOMWARE The Cockrell Hill Police Department in Texas admits to having been attacked by ransomware.


SPECIFICITY OF THE CRYPTCONSOLE RANSOMWARE Scrambles filenames rather than encrypt files proper. THE COMEBACK OF VIRLOCKER Impersonates law enforcement agencies while blocking computers. Researchers discovered that the unlock code is 64 zeros. UPSWING OF MERRY X-MAS RANSOMWARE CAMPAIGN Analysts note that the propagation of MRCR, aka Merry X-Mas, ransomware is starting to skyrocket. MERRY X-MAS RANSOMWARE DECRYPTOR UPDATED Emsisoft’s decryptor for MRCR now supports the latest variant, which leaves MERRY_I_LOVE_YOU_BRUCE. ANOTHER UPDATE OF THE JIGSAW RANSOMWARE New variant concatenates the .

RANSOMPLUS, NEW SAMPLE ON THE TABLE Adds the . XCRYPT RANSOMWARE SPOTTED This new strain creates a ransom note called Xhelp. Victims are told to use ICQ to reach the criminals. EMSISOFT SITE DDOSED OVER RANSOMWARE Emsisoft’s official website suffers a DDoS attack after the vendor updates their free decryptor for the Merry X-Mas ransomware. 0 RANSOMWARE DETAILS UNCOVERED The Swiss Government CERT publishes a comprehensive report on the Sage 2.0 ransomware dissecting its main characteristics. NEW RANSOMWARE CALLED ZYKA Zyka ransomware appends the .

NEW INFECTION VECTOR OF THE SPORA PEST Researchers discovered a Spora ransomware distribution campaign involving bogus Chrome Font Pack update. JIGSAW RANSOMWARE UPDATED AGAIN The only noteworthy change is the . CHANGES MADE TO EVIL-JS RANSOMWARE The latest version of Evil-JS appends the . ANOTHER DECRYPTION BREAKTHROUGH Avast analysts release automatic free decrypt tools for Hidden Tear, Jigsaw and Stampado ransomware families. RANSOMWARE ATTACKS ONE MORE ORGANIZATION A number of IT systems of Ohio’s Licking County government services get affected by unidentified ransomware.

TWO RANSOMWARE DISTRIBUTORS APPREHENDED London police arrest a man and a woman who infected Washington’s closed-circuit television network with ransomware in mid-January. RANION RAAS DISCOVERED Security researchers stumble upon a new low-cost Ransomware-as-a-Service platform called Ranion. YOURRANSOM VIRUS IS QUITE INSTRUCTIVE Appends files with . The size of the ransom is 0. SPORA STRAIN FEATURES RESPONSIVE TECH SUPPORT As bizarre as it sounds, operators behind the Spora ransomware deliver quality customer care as they respond to victims’ queries. ANDROID RANSOMWARE GETS SMARTER The Android.E virus was found to use a dropper that scrutinizes an infected device before deploying the right payload.

UNIQUENESS OF THE EREBUS RANSOMWARE New sample. Circumvents UAC prompt while getting admin privileges. No particular changes have been made to its code. AW3S0M3SC0T7 RANSOMWARE SPOTTED IN THE WILD Researchers discover Aw3s0m3Sc0t7 ransom Trojan created by someone named Scott. NEW SAMPLE TARGETING HIGHLY SENSITIVE FILES ONLY Unnamed strain is discovered that pilfers . ANOTHER PORTUGUESE RANSOM TROJAN SPOTTED Uses the . SERPENT RANSOMWARE CAMPAIGN IS UNDERWAY Presumably a Hades Locker spinoff.

DYNA-CRYPT IS MORE THAN JUST RANSOMWARE The new DynA-Crypt infection encodes victims’ data and steals various personally identifiable information. DIGISOM, ONE MORE HIDDEN TEAR DERIVATIVE Based on open-source Hidden Tear. FADESOFT PEST PAYS HOMAGE TO A MOVIE Ransom warning contains a logo of Umbrella Corporation from Resident Evil series. SERBRANSOM 2017, A NEW ONE ON THE TABLE Concatenates the .


WCRY SPECIMEN IS RUN-OF-THE-MILL Appends the . NEW RANSOMWARE THAT ARCHIVES FILES A strain is spotted that moves a victim’s files to a password-protected RAR archive and requests 0.35 BTC for the unlock password. 2016 were created by Russian-speaking crooks.

CERBER SKIPS AV-RELATED FILES When scouring infected computers for data, a new variant of the Cerber ransomware ignores files associated with security suites. Tor address of the decryption service. RESEARCHER DEMONSTRATES RANSOMWARE REVERSING Fabian Wosar of Emsisoft sets up a streaming session where he reverses new Hermes ransomware and finds its weaknesses. KASISKI RANSOM TROJAN APPEARS IN THE WILD This new Spanish sample uses the prefix to label encrypted files and leaves INSTRUCCIONES.

XYZWARE, NEW BADDIE ON CYBERCRIME STAGE The new XYZWare is a Hidden Tear POC derivative most likely hailing from Indonesia. MRCR RANSOMWARE DECRYPTOR UPDATED Emsisoft’s Fabian Wosar updates his decryptor for the Merry X-Mas ransomware so that it can handle new versions of the plague. ANDROID RANSOMWARE TRENDS DISSECTED ESET publishes a whitepaper on how Android ransomware has mutated and grown in volume since 2014. SAGE RANSOMWARE UPDATED TO VERSION 2.2 Aside from the new version name, Sage 2. HELP_SOS ransom notes on the desktop and inside folders.

NEW VARIANT OF THE SAMAS RANSOM TROJAN Concatenates the . CRYPTOMIX VARIANT DECRYPTED BY AVAST Avast, in cooperation with CERT. NEW SAMPLE CODED IN PYTHON Avast researchers spot a new Python-based strain that appends the . PATCHER RANSOMWARE TARGETING MAC OS X Payloads are disguised as patchers for various Mac OS apps. Files cannot be decrypted for free. THE UNUSUAL UNLOCK26 RANSOMWARE Provides no contact details.

Before submitting the ransom to unlock files, a victim is instructed to solve a math problem. ANDROID RANSOMWARE THAT CAN LISTEN New Lockdroid ransomware spinoff unlocks a device after the victim pronounces the unlock code obtained after payment. PICKLES RANSOMWARE EMERGES Written in Python. GO-BASED VANGUARD RANSOMWARE New Vanguard ransomware is written in Google’s Go programming language.