Ransomware activity stayed at a fairly high level until mid-December but slowed down toward the end of the month, perhaps because threat actors went on a holiday spree of their own.

Some of the newsmaking events include the onset of the first-ever blackmail virus targeting network-attached storage devices; the breach of a California voter database; and the arrests of CTB-Locker and Cerber distributors in Romania.

Here is what December 2017 looked like statistically: 27 new ransomware samples were discovered, 26 existing ones got a makeover, and one free decryptor was released by researchers.

DECEMBER 1, 2017

CryptoMix ransomware slightly modified

The latest edition of the CryptoMix strain switches to the .TEST extension for encrypted files and uses an updated list of contact email addresses. The name of the ransom note has not changed; it is still _HELP_INSTRUCTION.txt.

The ‘low-cost’ Halloware infection

Security analysts discover a new ransomware sample called Halloware being marketed on dark web forums. It stands out from the rest because of the low price its developer asks for the kit: only $40.

BTCWare undergoes a tweak

The BTCWare family of crypto parasites spawns a new variant. It affixes the .[attacker email]-id-id.shadow extension to hostage files. As before, the perpetrating program is distributed via compromised remote desktop services.

Globe2 ransomware updated

The ransomware lineage codenamed Globe2 expands with a fresh version that scrambles filenames and blemishes them with the .abc extension. Fortunately, Emsisoft’s free decryption tool for Globe2 supports this variant.

False alarm on the Clico Cryptor specimen

This one behaves like garden-variety ransomware, but its real purpose is trickier than it appears. Clico Cryptor turns out to have been made by Polish researchers to test antivirus and sandbox products for detection efficiency.

Magniber ransomware keeps mutating

Magniber, the inheritor of the Cerber ransom Trojan spreading via the