{
	"id": "ca16027d-b312-4933-a3f7-14ada65733ef",
	"created_at": "2026-04-06T00:15:56.401024Z",
	"updated_at": "2026-04-10T03:23:51.959683Z",
	"deleted_at": null,
	"sha1_hash": "55d3a2fb09297f93403c7307cec3415e490e9bf7",
	"title": "Ransomware Recap: January 14 - 29, 2017",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2202289,
	"plain_text": "Ransomware Recap: January 14 - 29, 2017\r\nArchived: 2026-04-05 13:32:17 UTC\r\nNetflix, with its vast and fast-growing consumer base of over 93 million subscribers in 190 countries, is no stranger to being a target of cybercriminal activity, with online criminals finding various ways to leverage the streaming service's immense popularity. In the past, we have seen how malefactors used creative methods for stealing credentials that can later be sold in underground markets, exploited vulnerabilities, and created and distributed malware that enables the theft of user information for profit. Recently, we observed the service being used as a lure, with the promise of a \"free Netflix account\" as a hook for distributing ransomware.\r\n[Related: Netflix users are becoming favored hacking targets]\r\nIn the last week of January, a new ransomware leveraging the popularity of the video-distribution network was uncovered by researchers, highlighting the perils of content piracy. Based on a sample we analyzed, this particular method lures its would-be victim with \"free Netflix access\" via a supposed login generator for Windows/PC users that, in turn, leads to the download of a new strain of ransomware (detected by Trend Micro as RANSOM_NETIX.A).\r\nFigure 1: Fake Netflix login generator\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017\r\nPage 1 of 9\r\nFigure 2: Prompt window of login information from a supposed genuine Netflix account\r\nTypically found on suspicious sites offering cracked applications and unauthorized access to premium membership accounts, this ransomware variant takes the form of an executable named Netflix Login Generator v1.1.exe that drops a copy of itself upon execution. The bogus login generator, once clicked by the victim, prompts another window that displays login information belonging to a genuine Netflix account paired with a fake password. This is done to distract the victim from the ransomware routines running stealthily in the background.\r\nFigure 3: Ransom note displayed as wallpaper\r\nFigure 4: Ransom note containing payment instructions\r\nUsing AES-256 encryption, this variant is capable of encrypting 39 file types, appending the .se extension once done. The ransomware then demands a payment of 0.18 bitcoins, or an amount equivalent to over US$100. Interestingly, the malware will not carry out its routine if the victim's system isn't running Windows 7 or Windows 10.\r\nDespite the number of social engineering tactics being used to distribute ransomware, these non-technical methods are still proving to be very effective. According to recent reports, a police department in Cockrell Hill, Texas, admitted to being hit by a ransomware infection that cost the department eight years’ worth of evidence—an incident that highlighted the importance of implementing a sound backup strategy.\r\nIn an initial press release issued by Chief of Police Stephen Barlag, it was noted that the ransomware infiltrated the department’s systems early in December of 2016. Following instructions from the FBI Cybercrimes unit, servers were wiped clean “to ensure that all affected files were deleted”. This led to the loss of bodycam, in-car, and department surveillance videos, and some archived photos dating back to 2009.\r\nA more detailed press release dated January 25, 2017 stated that the ransomware in question was named “Osiris”, originating from a spam email message that spoofed a legitimate department-issued email address. Security experts believe that the infection was carried out by a ransomware variant with the same name, but the police department could have been hit by a version of Locky (detected by Trend Micro as RANSOM_LOCKY.EXE)—one that appended filenames with an .osiris extension. This version emerged shortly after another version of Locky (one that used a .aesir extension) was released, continuing a line of variants that have used extension names alluding to mythological characters, including Odin and Thor.\r\nAccording to the statement, the ransomware demanded a ransom that amounted to almost $4,000 in bitcoin. In addition to the affected in-house videos and photos, all Microsoft Office suite documents from Word and Excel were affected. While no evidence points to whether any of the affected files were extracted and taken out of the database, the files have all been corrupted and lost. However, the department noted that files stored in DVD and CD format are still accessible.\r\nDays prior to the inauguration of President-elect Donald Trump, another police department got hit by ransomware. According to reports, the attack paralyzed 70% of the storage devices that record data for the D.C. police surveillance cameras. Between January 12 and January 15, 123 of 187 network video recorders were affected, forcing city technicians to wipe the IT systems clean and reboot the devices across the city. Network video recorders are connected to as many as four cameras at each site.\r\nWashington D.C. Chief Technology Officer Archana Vemulapalli said that no ransom was paid. Going into the details of the infection, Vemulapalli noted that the attack impacted only the installed police cameras set up to monitor public areas and did not reach or spread into the D.C. computer networks. Secret Service official Brian Ebert then shared that public safety wasn't compromised.\r\nNot long after this incident, in Europe, a ransomware infection forced officials of the four-star Austrian hotel Romantik Seehotel Jaegerwirt to pay the demanded ransom of €1,500 (or US$1,605) in bitcoins. This is the second time the 111-year-old luxury hotel has been hit by a cyber-attack, and it differs from previous attacks that focused on extracting payment card details. This time, extortionists prevented hotel admins from programming and issuing room keycards to incoming guests, and left those who left their rooms unable to re-enter. Managing director Christoph Brandstaetter admitted to caving in to the extortion demand, and shared that plans to revert to old-fashioned door locks are set to be implemented. Ultimately, the incident serves as a warning to the hotel industry about the importance of security.\r\nHere are other notable ransomware sightings over the past two weeks:\r\nVirLock\r\nWhen it was first reported, VirLock (detected by Trend Micro as PE_VIRLOCK) was a unique ransomware variant that was not only capable of locking the computer screen but also of infecting files. It targets specific file types to encrypt and infect, including executable, common document, archive, audio/video, image, and certificate files. It then stealthily adds an .RSRC section to the infected file; this section holds the resources used by an executable that are not considered part of its code, such as icons, images, menus, and strings. This is done to preserve the resources of the host file, which tricks unsuspecting users into executing the infected files.\r\nFigure 5: Sample ransom note reported in 2015\r\nBefore January drew to a close, the variant made a comeback (with samples detected by Trend Micro as PE_VIRLOCK.K and PE_VIRLOCK.K-O), with operations and routines similar to when it was first discovered and reported. This variant encrypts a victim’s files and repackages them into an executable file. Because Windows installations do not normally display file extensions, and part of VirLock’s routine is to keep the source file’s icons, an unsuspecting user could execute the infected files and, worse, unknowingly distribute them to other users. Interestingly, it was reported that entering a 64-zeroes code in the “Transfer ID” section of the ransomware tricks the malware into believing that the ransom—amounting to $250 in bitcoins—has been paid.\r\nCharger Android Ransomware\r\nGoogle’s Play Store recently removed a malicious app that reportedly carried a new ransomware variant called Charger (detected by Trend Micro as AndroidOS_ChgLocker.A). According to reports, EnergyRescue, an app disguised as a battery-saving application, gained access to and stole a victim’s SMS messages and contact list before locking the user’s device. A ransom note then appeared, threatening to publish the collected data online if the ransom is not paid—a routine characteristic of “doxware”, as stated below:\r\nYou need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.\r\nSome of the threats were deemed empty, as there is no evidence that the malware can exfiltrate information.\r\nSecurity researchers who looked into Charger note that it possesses sophisticated characteristics that make it different from other Android ransomware variants—particularly the techniques it uses to mask its malicious behavior to bypass detection.\r\nHavoc\r\nHavoc (detected by Trend Micro as RANSOM_HAVOC.A) is a newly-discovered variant that appends the .HavocCrypt extension name to affected files. This variant performs routines typical of a ransomware type that uses symmetric and asymmetric cryptography to encrypt its targeted files.\r\nFigure 6: Havoc ransom note\r\nA ransom of $150 in bitcoins comes with a 48-hour deadline. Failure to pay would result in the permanent deletion of the decryption key held by the online criminals. Apart from a countdown timer, the ransom note also indicates that any attempt to close or shut down the ransomware application will also lead to the deletion of the decryption key.\r\nVxLock\r\nAlso discovered in the last two weeks is a new ransomware (detected by Trend Micro as RANSOM_VXLOCK.A) named after the extension name it adds to the files it encrypts. With attributes common to ransomware variants seen in the past, this variant targets files and appends the extension name .vxlock to each encrypted file, renaming a locked Word document with the file name file.doc into file.doc.vxlock.\r\nWhile researchers observe that this variant is set to undergo further development, it is notable that at this stage, VxLock already has anti-VM, anti-debug and anti-sandbox features.\r\nFigure 7: VxLock anti-AV checking\r\nCrypto1CoinBlocker\r\nThis particular variant (detected by Trend Micro as RANSOM_XORIST) surfaced as an updated version of an earlier released ransomware, Xorist. Using RSA-2048 cryptography, it targets the affected system’s files and appends a random alphanumeric string, serving as the victim’s dedicated Bitcoin wallet address, to the file name of each encrypted file. Following encryption, it displays a fake error message, a pop-up window, and a text file placed on the desktop, all signaling compromised data.\r\nFigure 8: Fake error message\r\nFigure 9: Ransom note replacing the system's wallpaper\r\nThe fake message, which appears after the files have been locked, tells the victim to pay a hefty sum of 5 bitcoins, or an amount reaching almost US$5,000. Clicking “OK” on the message prompts the desktop to display a new wallpaper that, interestingly, asks for a smaller ransom of 1 bitcoin—almost $1,000—to be settled within a given time frame.\r\nA multi-layered approach is key to defending all possible gateways from malware. IT administrators in organizations should empower the workforce with the necessary education to keep employees well informed of attack tactics. At the same time, a solid backup strategy for important files significantly mitigates the damage brought by a ransomware infection.\r\nRansomware solutions:\r\nTrend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting infected by ransomware:\r\nEnterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.\r\nFor small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.\r\nFor home users, Trend Micro Security 10 products provide strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.\r\nUsers can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, as well as the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017"
	],
	"report_names": [
		"ransomware-recap-january-14-29-2017"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55d3a2fb09297f93403c7307cec3415e490e9bf7.pdf",
		"text": "https://archive.orkl.eu/55d3a2fb09297f93403c7307cec3415e490e9bf7.txt",
		"img": "https://archive.orkl.eu/55d3a2fb09297f93403c7307cec3415e490e9bf7.jpg"
	}
}