July 2016 Ransomware Roundup: New Strains And New Nasty Features

The ransomware market is rapidly maturing: we are starting to see upgraded strains and rebranded versions sold cheaply on the Dark Web. And mainstream media have finally glommed on after years of being oblivious, trumpeting that the FBI recently projected that losses caused by ransomware infections could reach a billion dollars in 2016 alone. Here is your July Ransomware Roundup.

Satana ransomware code

New Hybrid MBR Ransomware Strain

To start off, there is a new ransomware strain from hell called "Satana" (the reference is clear, just take the last "a" off), which is a blend between classic file-encryption malware and the Petya / Misha strain that locks the Master Boot Record (MBR). This looks like a Petya copycat. For each encrypted file, Satana prepends the attackers' email address to the filename, like this: "email@domain.com_filename.extension".

Satana then encrypts the MBR and replaces it with its own. The first time a user reboots their workstation, Satana's MBR boot code loads and the only thing the machine shows is Satana's ransom note. Here is how the note looks as a text file:

Satana Ransomware

Security researcher Hasherezade posted the initial discovery at Malwarebytes, and stated it might be possible to recover the original MBR. That does not mean you can decrypt the files, though. Recovering MBR records via Windows' cumbersome command-line interface is not for the faint of heart. Paying the ransom is a crapshoot, "because you do not know if the C&C server went offline when encryption happened," she writes. According to Hasherezade, the code looks like a work in progress, as its developers are still working on it. Stay tuned, this puppy might cause some damage.

New Zepto Is A Kleptomaniac Locky Spinoff

The new Zepto strain is a monster. It is spewing out spam messages at an alarming rate, and looks very much like Locky, which in itself is a bad sign because it could be the very same cyber mafia, and these guys are very sophisticated.

Locky is a dangerous, as-yet-unbroken ransomware strain that helped the authors of the Nuclear exploit kit score US$12 million in revenue from 1.8 million attacks cast over one month. Monthly income for the developers sits around US$100,000. Here is a short video of an anti-ransomware product blocking Zepto: https://youtu.be/ZycM5ULBK4M

Cisco's Talos researchers are particularly concerned that Zepto will move into exploit kits and that attackers will move on from spam to other distribution methods, such as malvertising, according to ThreatPost.

4x Growth In Android Ransomware Attacks

New numbers published by Kaspersky show that the number of ransomware attacks on its Android users from April 2015 to March 2016 quadrupled compared to the same period 12 months prior. The Fusob family of ransomware was responsible for over half of all reported attacks. (Tripwire)

EduCrypt Ransomware Teaches Users A Much Needed Lesson?

EduCrypt is based on the Hidden Tear ransomware strain. EduCrypt encrypts only a small subset of files and folders, and it does not communicate with a Command & Control server. EduCrypt is basically harmless and intends to teach users a lesson, but it is "shock therapy" and costs IT people a lot of time to clean up.

EduCrypt uses an extension list; files are encrypted with a static password of HDJ7D-HF54D-8DN7D, and the encrypted files get the .isis file extension. Once the encryption process ends, a note called README.txt is created on the desktop, and the note also comes with a link to the decryptor.

An infection with EduCrypt is still a major hassle, and you could see it as a shot across the bow: make sure you have all security layers in place so this does not happen with the real thing.

Upgraded Strains


You, yes, YOU could be an infection vector, making your customers a ransomware victim.

In late July, thousands of legitimate WordPress business sites were hijacked by a botnet named SoakSoak to deliver ransomware to anyone who visited them. If you are running WordPress as your website or blog platform, you really want to upgrade to the very latest version and minimize your plugins to make the attack surface as small as possible. The hijacked websites redirected visitors to a compromised site, where the payload was the very latest CryptXXX, one of the more infamous ransomware strains.

Another CryptXXX variant changes its name to Microsoft Decryptor and no longer appends an extension to encrypted files, meaning an encrypted file keeps the same filename as it had before the infection.


The leading cybermafias are furiously innovating to stay ahead of the copycats. Cerber has updated its code numerous times, for instance adding DDoS capability and the use of double-zipped Windows Script Files (WSFs) to evade detection. July saw the release of Cerber's latest variant, which put Office 365 users in homes and in businesses in the crosshairs. The attack vector? Phishing with Office documents laced with macros: once your user opens the attachment, Cerber encrypts 442 file types using combined AES-256 and RSA encryption. This new strain was also pushed by the Rig and Magnitude exploit kits, both of which are using 0-day vulnerabilities.
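As an added example (not code from this post, from Cerber's authors, or from any vendor mentioned here), below is a small Python attachment inspector for the two delivery tricks just described: macro-laced Office documents and script files hidden inside nested zip archives. The extension lists, the nesting limit and the sample attachments are this example's own choices and are constructed in code; the "documents" are bare stand-ins, not real malware.

```python
import io
import zipfile

# Extensions tied to the delivery tricks described in the post. The lists and
# the limits are this example's own choices, not vendor signatures.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
MAX_DEPTH = 3                   # how many zip-inside-zip levels we will open
MAX_MEMBER_BYTES = 50_000_000   # refuse to inflate anything larger (zip-bomb guard)


def _suffix(name):
    """Lower-cased extension of a file or member name, including the dot."""
    name = name.lower().rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_attachment(filename, data, depth=0, path=None):
    """Return a list of (reason, path) findings for one attachment.

    `path` is the chain of container names leading to the flagged member, so a
    double-zipped WSF is reported as ['invoice.zip', 'invoice.zip', 'invoice.wsf'].
    """
    path = (path or []) + [filename]
    findings = []
    ext = _suffix(filename)

    if ext in SCRIPT_EXTENSIONS:
        findings.append(("script file", path))
    if ext in MACRO_EXTENSIONS:
        findings.append(("macro-enabled Office extension", path))

    # OOXML documents (.docx/.xlsx/...) and plain .zip attachments are both zip
    # containers, so one code path covers "VBA inside a document" and
    # "script inside a nested archive".
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(("archive nested too deeply", path))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = info.filename
                if member.lower().endswith("vbaproject.bin"):
                    # The VBA project part is present whatever extension the
                    # sender gave the file, so this also catches renamed .docm.
                    findings.append(("embedded VBA project", path + [member]))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(("oversized archive member", path + [member]))
                    continue
                findings.extend(
                    inspect_attachment(member, zf.read(member), depth + 1, path))
    return findings


def is_suspicious(filename, data):
    return bool(inspect_attachment(filename, data))


# --- constructed sample attachments (stand-ins, not real malware) -------------
def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_double_zipped_wsf():
    inner = _zip_bytes({"invoice.wsf": b"<job></job>"})
    return _zip_bytes({"invoice.zip": inner})


def sample_document(with_vba):
    parts = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    if with_vba:
        parts["word/vbaProject.bin"] = b"\x00" * 16
    return _zip_bytes(parts)


if __name__ == "__main__":
    for name, blob in [("invoice.zip", sample_double_zipped_wsf()),
                       ("quote.docx", sample_document(True)),
                       ("quote.docx", sample_document(False))]:
        print(name, inspect_attachment(name, blob))
```

The point of looking for the vbaProject.bin part rather than trusting the extension is that a mail gateway which only blocks .docm by name is bypassed by renaming; the point of recursing into archives is that the first zip layer is exactly what a "double-zipped" attachment is designed to hide behind.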


After 4 months of not seeing a new version of the PadCrypt Ransomware, I discovered a new sample today. This ransomware will encrypt your files and add the .padcrypt extension to them. (Hat Tip to Larry Abrams at BleepingComputer.)

Two Ransomware Strains Are Copycats of Earlier Families


In mid-July a new ransomware type surfaced that has some similarities to CryptoLocker and Jigsaw in terms of functionality. Stampado (detected by Trend Micro as RANSOM_STAMPADO.A) was heavily advertised in the cybercrime underground at 39 bucks, a fraction of the price of malware typically sold in the Ransomware-as-a-Service market, with training videos that show how it works. Stampado encrypts files using AES and deletes chunks of the hostaged files each time a period lapses without the ransom being paid. Stampado gives a 96-hour deadline before all files get deleted.


The moment CrypMIC was found, malware researchers saw immediately that it was a copycat of CryptXXX, trying to rake in bitcoin with a copied entry point, ransom note, and even payment user interface. One twist is that CrypMIC does not append any extension to the files it has encrypted, which makes it hard to spot which files have been affected.
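When a strain like the Microsoft Decryptor variant of CryptXXX or CrypMIC leaves filenames untouched, the name tells you nothing, so a defender has to look at the bytes. As an added example (not code from the post or from any researcher it cites), here is a Python classifier that flags a file when its leading bytes no longer match the magic bytes its extension implies, or when its content has the near-8-bits-per-byte entropy of ciphertext. The magic table, the threshold and the sample files are this example's own constructions.

```python
import math
import random
from collections import Counter

# Leading bytes ("magic") for a handful of common types. Constructed for this
# example; a real deployment would use a fuller table (libmagic, for instance).
MAGIC = {
    ".pdf":  (b"%PDF",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".zip":  (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),   # OOXML documents are zip containers
    ".xlsx": (b"PK\x03\x04",),
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
# Formats that are compressed already are high-entropy by nature, so entropy
# alone would flag every photo and archive; for those only the magic check counts.
ALREADY_COMPRESSED = {".zip", ".docx", ".xlsx", ".jpg", ".png", ".gif"}


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _extension(filename):
    lowered = filename.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def classify(filename, data):
    """Return (suspicious, reasons) for one file's name and content bytes."""
    reasons = []
    ext = _extension(filename)
    expected = MAGIC.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        reasons.append("magic bytes do not match extension")
    if ext not in ALREADY_COMPRESSED and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high entropy")
    return bool(reasons), reasons


def scan(files):
    """files: iterable of (name, bytes). Returns the names that were flagged."""
    return [name for name, data in files if classify(name, data)[0]]


# --- constructed samples -------------------------------------------------------
def sample_pdf():
    # Plausible-looking PDF text: correct magic, low entropy.
    return b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 40


def sample_ciphertext():
    # Deterministic pseudo-random bytes as a stand-in for AES output.
    rng = random.Random(20160701)
    return bytes(rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in [("report.pdf", sample_pdf()), ("report.pdf", sample_ciphertext()),
                       ("notes.txt", sample_ciphertext()), ("sheet.xlsx", sample_ciphertext())]:
        print(name, classify(name, blob))
```

Run over a file share this is a coarse but useful triage: a wave of office documents and PDFs that suddenly fail their magic check, all with the same modification time, is the footprint of an extension-less encryptor. The entropy test catches the plain-text and source files the magic table does not know about, and the caveat on compressed formats is what keeps the false-positive rate tolerable.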

New Blood: Brand New Strains

CryptoFinancial was discovered by Malwarebytes security researcher S!Ri. This malware pretends to be a ransomware program that encrypts your files, but instead deletes your files and provides no way of recovering them.

A new ransomware called Bitstak was discovered by MalwareHunterTeam. This ransomware has very interesting, if not laughable, programming that allowed Michael Gillespie to create a decryptor for it.

PizzaCrypts was discovered by security researcher Brad Duncan. This ransomware is currently spreading via the Neutrino Exploit Kit, and when it encrypts your files it appends the .id-[victim_id]-maestro@pizzacrypts.info extension to their filenames.

cuteRansomware uses Google Docs and other cloud apps to transmit encryption keys and gather user information, to evade detection.

Alfa ransomware looks like a descendant of Cerber: the malware scans the infected system's local drives and encrypts over 142 file types, appending a ".bin" extension to each locked file.
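Several strains in this roundup leave a signature in the filename: Satana prepends the attackers' email address, EduCrypt appends .isis, PadCrypt appends .padcrypt, PizzaCrypts appends .id-[victim_id]-maestro@pizzacrypts.info, and Alfa appends .bin. As an added example (not code from the post or from any of the researchers it cites), here is a Python filename scanner built on those naming artifacts. The regular expressions are this example's own, and the sample paths, email address and victim id are constructed. It also generalizes the Alfa case: ".bin" is far too common to match on alone, so it is only reported when many files in one directory suddenly share it, which is how a mass rename by any appending encryptor looks from the filesystem.

```python
import posixpath
import re
from collections import Counter

# Naming artifacts of strains described in this post. The regexes are this
# example's own; e-mail addresses and victim IDs in the samples are constructed.
STRONG_INDICATORS = [
    ("PizzaCrypts", re.compile(r"\.id-[^.]+-maestro@pizzacrypts\.info$", re.I)),
    ("EduCrypt",    re.compile(r"\.isis$", re.I)),
    ("PadCrypt",    re.compile(r"\.padcrypt$", re.I)),
    # Satana: attacker e-mail prepended as "email@domain.com_filename.extension"
    ("Satana",      re.compile(r"^[^@\s]+@[^@_]+_.+\..+$")),
]
# Alfa appends ".bin", which plenty of legitimate files already carry, so it is
# only reported when a burst of files in one directory share it.
WEAK_SUFFIXES = {".bin"}
BURST_THRESHOLD = 20


def _suffix(name):
    lowered = name.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def match_strong(name):
    """Family name for the first strong indicator the filename matches, else None."""
    for family, rx in STRONG_INDICATORS:
        if rx.search(name):
            return family
    return None


def scan_paths(paths, burst_threshold=BURST_THRESHOLD):
    """paths: iterable of POSIX-style file paths (as os.walk would yield them).

    Returns (hits, bursts): hits is a list of (path, family) for strong
    indicators; bursts is a list of (directory, suffix, count) for directories
    where at least burst_threshold files share a weak suffix.
    """
    hits = []
    weak = Counter()
    for p in paths:
        directory, name = posixpath.split(p)
        family = match_strong(name)
        if family:
            hits.append((p, family))
            continue
        s = _suffix(name)
        if s in WEAK_SUFFIXES:
            weak[(directory, s)] += 1
    bursts = [(d, s, n) for (d, s), n in weak.items() if n >= burst_threshold]
    return hits, bursts


# --- constructed sample listing -------------------------------------------------
def sample_paths():
    docs = "/home/user/Documents"
    paths = [f"{docs}/report{i}.docx.bin" for i in range(25)]     # Alfa-style burst
    paths += [
        f"{docs}/someone@example.com_budget.xlsx",                   # Satana-style prefix
        "/home/user/Pictures/holiday.jpg.isis",                      # EduCrypt
        "/home/user/Desktop/invoice.pdf.padcrypt",                   # PadCrypt
        "/home/user/Desktop/thesis.docx.id-ABC123-maestro@pizzacrypts.info",
        "/opt/firmware/update.bin",                                  # lone .bin, benign
        "/home/user/notes.txt",
    ]
    return paths


if __name__ == "__main__":
    hits, bursts = scan_paths(sample_paths())
    for path, family in hits:
        print(f"{family:12} {path}")
    for directory, suffix, count in bursts:
        print(f"burst of {count} '{suffix}' files in {directory}")
```

In practice you would feed scan_paths the output of os.walk over a file server, or run it from a scheduled job so that a burst shows up while the encryptor is still working through the share rather than after the ransom note appears.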

CTB Faker copies CTB Locker. This variant is spread via bogus profiles on adult sites that trick users with the promise of access to a password-protected striptease video. The poisoned link then leads to the download of the ransomware, hosted on JottaCloud.

Ranscam was also discovered in July; it threatens to delete files unless a 0.2 bitcoin ransom is paid. The tricky part, though, is that the files are deleted even if the ransom has been paid, probably due to buggy code, so wait for the next version to fix that.

Find out which of your users' email addresses are exposed before the bad guys do.

The Email Exposure Check is a one-time free service. We will email you back a report containing the list of exposed addresses and where we found them within 2 business days, or sooner. This shows you your phishing attack surface, which the bad guys will use to try to social engineer your users into opening an attachment infected with ransomware.
