Ransomware Attacks in February, 2017

Thankfully, February 2017 is going slowly for ransomware attacks: there are relatively few reports of new malware threats compared with the previous months and with 2016. The major ransomware news of the month was a proof-of-concept ransomware targeting ICS/SCADA systems. Another data-encrypting malware to appear was the Hermes ransomware, whose analysis Fabian Wosar live-streamed.

11th Feb, 2017

A security researcher from MalwareHunter discovered that many malware strains, including SerbRansom, were developed by ultranationalist developers from Serbia and Russia.

Another malware researcher, Michael Gillespie, discovered that many of the new ransomware samples lock the victim's files by placing them in password-protected RAR archives. They use WinRAR to put the targeted files into a password-protected RAR file and demand a ransom of 0.35 bitcoin in exchange for the password.

13th Feb, 2017

More news came from Michael Gillespie when he discovered a new sample of the Samas/SamSam ransomware. This version appends the .encryptedyourfiles extension to the locked files, and its ransom note is stored in a web page named 001-READ-FOR-DECRYPT-FILES.html.

Karsten Hahn discovered an updated version of the CyberSplitter ransomware that shows a ransom message purporting to come from the FBO and states that the "Computer Has Been Locked".

14th Feb, 2017

Shocking news came regarding the source of ransomware attacks. According to Kaspersky Lab, most of the ransomware families discovered in 2016, around 62 in number, were in some way associated with Russian-speaking criminals, and about 47 of them are directly associated with the Russian-speaking area.

Karsten Hahn detected two new versions of the CyberSplitter ransomware, while a new variant of the JobCrypter ransomware was discovered by MalwareHunterTeam.

15th Feb, 2017

Trend Micro has discovered a new variant of the Cerber ransomware that avoids encrypting files belonging to security programs, so security applications such as anti-malware and firewalls keep working even after the system has been locked by Cerber.

Michael Gillespie found that the N1N1N1 ransomware now uses 333333333333 as the file marker in encrypted files.

16th Feb, 2017

Michael Gillespie discovered that PrincessLocker is using a new ransom note named @_USE_To_FIX_JJnY.txt, while Marcelo Rivero from Malwarebytes discovered a new ransomware named Kasiski, which uses a ransom note file named INSTRUCCIONES.txt.
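The entries above give several host-based indicators a defender can sweep for: the .encryptedyourfiles extension and 001-READ-FOR-DECRYPT-FILES.html note (Samas/SamSam), the 333333333333 file marker (N1N1N1), the @_USE_To_FIX_JJnY.txt note (PrincessLocker), the INSTRUCCIONES.txt note (Kasiski) and the RAR archives used by the WinRAR-based lockers. The following script is an added example, not code from the original post or from any of the researchers named, that walks a directory tree and reports files matching those indicators. It assumes nothing about where in a file the N1N1N1 marker sits (the post does not say), so it searches the first and last 64 KiB of each file; the demo tree it scans is constructed here for illustration, as are the file names inside it.

```python
"""Sweep a directory tree for the ransomware indicators listed in the
February 2017 entries (added example; not the original post's code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Indicators quoted from the post; family attributions follow the text.
RANSOM_NOTE_NAMES = {
    "001-READ-FOR-DECRYPT-FILES.html": "Samas/SamSam",
    "@_USE_To_FIX_JJnY.txt": "PrincessLocker",
    "INSTRUCCIONES.txt": "Kasiski",
}
ENCRYPTED_EXTENSIONS = {".encryptedyourfiles": "Samas/SamSam"}
CONTENT_MARKERS = {b"333333333333": "N1N1N1"}
# RAR v4/v5 magic bytes: a weak indicator on its own, reported only so
# that archives turning up where they should not can be reviewed.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Assumption: the post does not state the marker's offset, so the scan
# samples the head and tail of each file rather than reading it whole.
HEAD_TAIL_BYTES = 64 * 1024


def check_file(path: Path) -> list[tuple[str, str]]:
    """Return (family, reason) pairs for every indicator the file matches."""
    hits: list[tuple[str, str]] = []
    name = path.name
    if name in RANSOM_NOTE_NAMES:
        hits.append((RANSOM_NOTE_NAMES[name], f"ransom note name {name}"))
    for ext, family in ENCRYPTED_EXTENSIONS.items():
        if name.lower().endswith(ext):
            hits.append((family, f"encrypted-file extension {ext}"))
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            head = fh.read(HEAD_TAIL_BYTES)
            tail = b""
            if size > HEAD_TAIL_BYTES:
                # Read the remainder, capped to the last HEAD_TAIL_BYTES.
                fh.seek(max(size - HEAD_TAIL_BYTES, HEAD_TAIL_BYTES))
                tail = fh.read()
    except OSError:
        return hits  # unreadable file: keep any name-based hits
    for marker, family in CONTENT_MARKERS.items():
        if marker in head or marker in tail:
            hits.append((family, f"file marker {marker.decode()}"))
    if any(head.startswith(magic) for magic in RAR_MAGICS):
        hits.append(("unknown (RAR archive)", "RAR signature; review if unexpected"))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Map each flagged file (path relative to root, '/'-separated) to its hits."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            hits = check_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_demo_tree(root: str) -> None:
    """Write a constructed sample tree: four flagged files and one clean one."""
    base = Path(root)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "photos").mkdir(parents=True, exist_ok=True)
    (base / "clean").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.docx.encryptedyourfiles").write_bytes(b"\x00" * 256)
    (base / "docs" / "001-READ-FOR-DECRYPT-FILES.html").write_text("<html>note</html>")
    # Constructed N1N1N1-style sample: opaque bytes followed by the marker.
    (base / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8" + b"\x11" * 100 + b"333333333333")
    (base / "INSTRUCCIONES.txt").write_text("nota de rescate (constructed)")
    (base / "clean" / "notes.txt").write_text("nothing to see here")


if __name__ == "__main__":
    demo_root = tempfile.mkdtemp(prefix="ioc-demo-")
    build_demo_tree(demo_root)
    for rel_path, hits in sorted(scan_tree(demo_root).items()):
        for family, reason in hits:
            print(f"{rel_path}: {family} ({reason})")
```

Name-based matches are cheap and exact; the content scan is the costly part, so in a real sweep you would restrict it to user data directories and file types the family is known to touch. Keep in mind that a ransom note name is only evidence of the note being dropped, not of which files were encrypted, so pair any hit with the extension or marker check before drawing conclusions.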