Saturday, July 9, 2016

Ransomware

Jul 2016
  • 2016-07-08 -- Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains. The campaign, called Realstatistics, has tainted thousands of sites built on both Joomla! and WordPress content management systems. In a post to the company’s blog on Wednesday, Sucuri CTO and founder Daniel Cid claimed the campaign was redirecting visitors first to the Neutrino Exploit Kit. If the kit was able to successfully exploit either a Flash or PDF reader vulnerability, it left them saddled with the ransomware du jour, CryptXXX.
  • 2016-07-07 -- For the second time since June 1, the handlers of CryptXXX ransomware have changed their ransom note and Tor payment site. More importantly for administrators and those developing detection signatures, this update no longer changes the file extensions of encrypted files. The new payment instructions, for example, point to a new .onion website on the Tor network, and the payment site is called Microsoft Decryptor. The previous update, on June 1, pointed to a site called Ultra Decryptor.
  • 2016-07-07 -- New CryptXXX changes name to Microsoft Decryptor. Now an encrypted file will retain the same filename that it had before it was encrypted.
  • 2016-07-07 -- New Locky variant – Zepto Ransomware Appears On The Scene.
  • 2016-07-07 -- Satana, a new ransomware family that emerged in the past week, has copied some of its functionality from Petya and Mischa, two connected crypto-lockers observed over the past several months.
  • 2016-07-12 -- Nukeware: New malware deletes files and zaps system settings
  • 2016-07-12 -- Researchers create effective anti-ransomware solution
