The Week in Ransomware – November 4th 2016 – Cerber, PayDOS, Alcatraz Locker, and More!

  • November 4, 2016
  • 05:48 PM

Wow... lots of annoying little ransomware variants, many of which will probably never make it far into distribution. The biggest news is the release of new Cerber versions that now helpfully tell us the version number in the ransom note. Also, for those older computer users, we have some ransomware created using batch files.

Contributors and those who provided new ransomware info this week include: @JakubKroustek, @struppigel, @malwrhunterteam, @hasherezade, @fwosar, @demonslay335, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @BleepinComputer, @nyxbone, @w1mp1k1ng. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.

October 29th 2016

New EDA2 Ransomware variant called MasterBuster Discovered

GData malware analyst Karsten Hahn has discovered a new ransomware based on the EDA2 ransomware project. This ransomware will create a ransom note called CreatesReadThisFileImportant.txt.

New Ransomware 2.0 Screenlocker Discovered

Karsten Hahn discovered a screenlocker called Ransomware 2.0 that does not encrypt files, but just acts as a nuisance.

October 29th 2016

New Ransomware that uses a file marker of !Locked#2.0

Michael Gillespie discovered a new ransomware that adds a file marker of !Locked#2.0 to encrypted files. Malwarebytes security researcher hasherezade has created an experimental decryptor for this variant here.

October 30th 2016

New Ransomware called Alcatraz Locker was discovered.

A new ransomware called Alcatraz Locker was discovered by xXToffeeXx that adds the .Alcatraz extension to encrypted files and creates the ransomed.html ransom note on the desktop.

November 1st 2016

Cerber Ransomware 4.10 now shows the Version Number in Ransom Notes

Cerber Ransomware 4.1.0, and soon thereafter 4.1.1, was released and now displays its version number in the ransom note used as the Windows desktop background. In the past, the only way to determine the version of the installed Cerber variant was to examine the extension appended to encrypted files. Now this information is readily available in the ransom note, as seen below.

November 3rd 2016

Smash! Ransomware is Cute rather than Dangerous

A new malware program was discovered by MalwareHunterTeam that calls itself Smash! Ransomware and uses a cute image of the Super Mushroom from Super Mario Bros holding a knife. Though it calls itself a ransomware and threatens to delete your files after a timer runs down, in reality this malware is more like a screenlocker and does not delete anything from the computer. Furthermore, many of the functions are not coded yet, so this is either a poorly created program or a development version.

New Encrypting Ransomware/ScreenLocker Hybrid called DummyLocker

A new ransomware called DummyLocker was discovered by Karsten Hahn that acts as a screenlocker and ransomware hybrid. When it encrypts your files, it will append the .dCrypt extension to encrypted files.

New Anti-Islam Ransomware called zScreenLocker Discovered

A new ransomware was discovered by Karsten Hahn that not only encrypts your files but also spreads hatred. This ransomware is called zScreenLocker and displays a Ban Islam flag.

New ransomware called encryptJJS was Discovered

A new ransomware called encryptoJJS was discovered by Jakub Kroustek that encrypts your data and appends the .enc extension to encrypted files. This ransomware has been confirmed as decryptable and if any victims show up a decryptor will be made.

November 4th 2016

Ransomware goes Retro with PayDOS and Serpent written as Batch Files

When it comes to ransomware, we are seeing the oddest variants being released. This batch file ransomware, discovered by Avast malware analyst Jakub Kroustek, is no exception: it runs within the Windows command prompt.

New In-Development Gremit Ransomware

Karsten Hahn has been on a warpath lately with another discovery of a new ransomware. This time it is called the Gremit Ransomware and only encrypts files located in our buddy Tim’s C:\Users\Tim\Desktop\encrypt\ folder. When it encrypts files it will add the .rnsmwr extension to the file name.

The Evolution of Cerber… v4.1.x

RSA published an article on their analysis of Cerber 4.1.x and some interesting correlations between its distribution and other campaigns.
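Several of this week's families are identifiable from simple filesystem artifacts: the ransom note names (CreatesReadThisFileImportant.txt, ransomed.html), the appended extensions (.Alcatraz, .dCrypt, .enc, .rnsmwr) and the !Locked#2.0 file marker. The script below is an added example, not code from this post or from any of the researchers credited above: it walks a directory, tallies hits against those indicators, and reports which families are present so a responder knows which decryptor to reach for. The digest does not say where in a file the !Locked#2.0 marker sits, so the marker check scans the first and last 4 KiB of each file; that window, the family labels and the sample directory it builds for a dry run are all assumptions.

```python
"""Triage helper: match filesystem artifacts against indicators from this digest."""
import os
import tempfile
from collections import Counter

# Extensions and note filenames are as stated in the digest; the family
# labels on the right are how this helper reports them.
EXTENSION_INDICATORS = {
    ".Alcatraz": "Alcatraz Locker",
    ".dCrypt": "DummyLocker",
    ".enc": "encryptoJJS",   # generic extension; treat a lone hit as weak evidence
    ".rnsmwr": "Gremit",
}
NOTE_INDICATORS = {
    "CreatesReadThisFileImportant.txt": "MasterBuster (EDA2)",
    "ransomed.html": "Alcatraz Locker",
}
# The digest calls !Locked#2.0 a "file marker" without saying where it is
# written, so (assumption) we look for it near either end of the file.
FILE_MARKERS = {b"!Locked#2.0": "!Locked#2.0 variant"}


def has_file_marker(path, window=4096):
    """Return the family name if a known marker appears in the head or tail."""
    with open(path, "rb") as fh:
        head = fh.read(window)
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - window))
        tail = fh.read(window)
    for marker, family in FILE_MARKERS.items():
        if marker in head or marker in tail:
            return family
    return None


def triage(root):
    """Walk `root` and count indicator hits per family; returns {family: count}."""
    hits = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in NOTE_INDICATORS:
                hits[NOTE_INDICATORS[name]] += 1
                continue
            ext = os.path.splitext(name)[1]
            # Extensions are matched case-sensitively, as written in the digest.
            if ext in EXTENSION_INDICATORS:
                hits[EXTENSION_INDICATORS[ext]] += 1
                continue
            family = has_file_marker(path)
            if family:
                hits[family] += 1
    return dict(hits)


def build_sample_tree():
    """Constructed sample directory (not real malware output) for a dry run."""
    root = tempfile.mkdtemp(prefix="triage_sample_")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(desktop)
    files = {
        os.path.join(desktop, "ransomed.html"): b"<html>constructed note</html>",
        os.path.join(desktop, "budget.xlsx.Alcatraz"): b"\x00" * 64,
        os.path.join(desktop, "photo.jpg.Alcatraz"): b"\x00" * 64,
        os.path.join(root, "report.docx"): b"!Locked#2.0" + b"\x00" * 128,
        os.path.join(root, "notes.txt.rnsmwr"): b"\x00" * 16,
        os.path.join(root, "clean.txt"): b"nothing to see",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for family, count in sorted(triage(sample).items()):
        print(f"{family}: {count} artifact(s)")
```

Run it against a mounted image or a copy of a victim's profile rather than the live system, and treat a single .enc hit as a prompt to look for a ransom note before concluding anything, since that extension is used by plenty of benign software.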

Source: The Week in Ransomware – November 4th 2016 – Cerber, PayDOS, Alcatraz Locker, and More!