{ "id": "10aede2e-9967-421f-b7bf-3937fbba4a8d", "created_at": "2026-04-06T00:19:07.76878Z", "updated_at": "2026-04-10T03:37:08.843068Z", "deleted_at": null, "sha1_hash": "8c7f7b45c6864223635a7159f7f6b3df74222da3", "title": "Ransomware Recap: Dec. 19 - Dec. 31, 2016", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 901998, "plain_text": "Ransomware Recap: Dec. 19 - Dec. 31, 2016\r\nArchived: 2026-04-05 17:02:23 UTC\r\nChristmas brought an unwanted surprise to one family in\r\n2016. On December 25, software engineer Darren Cauthon tweeted an imageopen on a new tab showing his\r\nfamily's LG smart TV had been infected with ransomwareopen on a new tab. The smart TV was disabled, and\r\ndisplayed a ransom note mimicking a notification from the FBI demanding a payment of US$500. It’s worth\r\nnoting that the LG TV was an older model running Google TV, a platform that was abandoned in 2014.\r\nCauthon asked LG to help him restore the TV to its factory settings. At first the company told him to bring it to a\r\nsupport center but eventually relented and gave him instructions for a factory reset. The Christmas story had an\r\neventual happy ending—the factory reset worked and Cauthon posted a videoopen on a new tab of the process to\r\nhelp other smart TV owners who might encounter the same problem.\r\nIn this particular case, the ransomware that infected the smart TV was identified as the Android mobile\r\nransomware FLocker. First discovered in May 2015, the notorious mobile ransomware has since been rewritten\r\nthousands of times to evade detection. The Cauthon incident follows the pattern of recent variants of FLocker\r\n(detected as ANDROIDOS_FLOCKER.Aopen on a new tab): the ransomware impersonates law enforcement\r\nagencies, accuses the victim of crimes they didn’t commit and then demands a ransom. In June of 2016, Trend\r\nMicro already recognized that it was capable of infecting smart TVsopen on a new tab. We also noted that it is not\r\nthe first ransomware to target TVs; and with the proliferation of smart devices across the world, it won’t be the\r\nlast. Users should take steps to secure their smart devices and be wary about the apps they download and install.\r\nHere are some other notable ransomware stories from the last two weeks of December:\r\nKillDisk\r\nKillDiskopen on a new tab is a malware well-known for being used in cyber-espionage and sabotage operations\r\nthat hit several companiesopen on a new tab in the utilities sector. The most well-known case was when it was\r\nused in the BlackEnergyopen on a new tab attacks that victimized Ukrainian energy companiesopen on a new tab\r\nin late December 2015.\r\nIn mid-December of 2016, KillDisk was reportedly deployed in an operation hitting Ukrainian banksopen on a\r\nnew tab. According to reportsopen on a new tab, after the TeleBot backdoor Trojan was installed, KillDisk\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 1 of 7\n\ndeleted, replaced, or rewrote crucial files to render computers unbootable and cover up illicit operations. The\r\nmalware is believed to be developed by the TeleBots group, which created the TeleBot backdoor Trojan.\r\nNow, KillDisk (detected as RANSOM_KILLDISK.A) has been updated with a ransomware feature that encrypts\r\ntargeted files and appends them with string \"do not touch crypted file.\" After encryption, it locks out the user and\r\ndisplays a simple ransom note. Other reportsopen on a new tab show that the KillDisk ransomware component\r\nasks for a huge ransom: 222 Bitcoin, which amounts to about US$210,000.\r\nFigure 1.KillDisk sample encrypted file\r\nFigure 2. KillDisk ransom note\r\nWe have identified that KillDisk fulfills a certain purpose for cybercriminals, the ‘clean up’ after a Trojan\r\ninstallation to hide traces of the infection. This new ransomware update adds another layer to that—if the victim is\r\npreoccupied by the ransomware, he or she might not look for another type of malware infection.\r\nKoovla\r\nKoovla (detected as RANSOM_EDA2RUNSOME.B) is a new and unusual ransomware variant. It calls itself a\r\nJigsawopen on a new tab “twin”, but doesn’t follow the behavior of the older ransomware. After it encrypting\r\ntargeted files, Koovla offers a free decryption key if the victim reads two security articles, one about safe\r\nbrowsingopen on a new tab and the other about the Jigsaw ransomwareopen on a new tab. The motive behind this\r\ntactic is unclear, but if the aim of the ransomware operators is to raise awareness then they follow the footsteps of\r\nother “educational” families such as EduCryptopen on a new tab and Shinolockeropen on a new tab.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 2 of 7\n\nIn their ransom note, the ransomware operators say that if the victim is too “lazy” to read the articles, their files\r\nwill be deleted. It doesn’t seem ready for distribution though, as the sample obtained will actually terminate if the\r\nbutton of its message window is clicked.\r\nThe complete text of the ransom note reads:\r\n\"Hello, I'm nice Jigsaw or more commonly known as Jigsaws twin.\r\nUnfortunately all of your personal files (pictures, documents, etc...) have beenencrypted by me, an evil computer\r\nvirus know as 'Ransomeware'.\r\nNow now, not to worry I'm going to let you restore them but only if you agree to stop downloading\\unsafe\r\napplications off the internet.\r\nIf you continue to do so may end up with a virus way worse than me! You might even end up meetingmy infamous\r\nbrother Jigsaw :(\r\nWhile you're at it, you can also read the small article below by Google's security team on how to stay safe online.\r\nOh yeah I almost forgot! In order for me to decrypt your files you must read the two articles below, once you have\r\nclick the \\\"Get My Decryption Key\\\" button.\r\nThen enter in your decryption key and click the \\\"Decrypt My Files\\\" button. Eventually all of your files will be\r\ndecrypted :)\r\nIf the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two\r\narticles.”\r\nAdam Locker\r\nAdam Locker (detected as RANSOM_ADAMLOCK.A) encrypts targeted files on a victim’s system but offers\r\nthem a free decryption key which can be accessed through Adf.lyopen on a new tab, a URL shortening and\r\nadvertising service. Victims just need to click on the \"Open\" button on the ransom note and they are led to\r\nadf[.]ly/1h2U8c. The shortened link redirects them to http://adamlocker[.]000webhostapp[.]com/key.html, a page\r\nthat shows the decryption key.\r\nThis ransomware veers away from traditional extortion techniques: instead of demanding ransom from victims\r\ndirectly, it uses them to earn money through Adf.ly’s payment scheme. The company promises that people can\r\n“earn money just by posting links”. Adf.ly typically shows ads before leading users to their intended link, and the\r\nlink posters get paid for driving traffic to the ads.\r\nThe company compensates each poster every time their link is clicked —the more views, the more money earned.\r\nThe ransomware operators are simply driving up their page views and making money by abusing this legitimate\r\nservice.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 3 of 7\n\nFigure 3.The\r\nAdamLocker ransom note\r\nFigure 4.Adam Locker’s decryption screen\r\nDeriaLock\r\nAnother ransomware family that was spotted during the Christmas holidays was DeriaLock. First seen on\r\nChristmas Eve and updated only a few days after, this particular family asks victims to contact a Skype account\r\nfor the ransom payment.\r\nThe first variant (detected as RANSOM_DERIALOCK.A) was only a screenlocker. The second variant (detected\r\nas RANSOM_DERIALOCK.B) was updated with an encryption routine and appends .deria to the names of files\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 4 of 7\n\nthat it encrypts. \r\nEven after the update, victims are still asked to contact a Skype account for payment purposes. The amount\r\ndemanded is actually US $10 less than the first variant. The updated version also has a progress bar showing the\r\ntime allotted for paying the ransom: 1 day. If payment is not made by that time, it claims that it will delete all\r\nprivate files.\r\nFigure 5. DeriaLock’s first variant was a simple screenlocker\r\nFigure 6. DeriaLock is updated with an encryption routine and new visuals\r\nHidden Tear variantsTwo new Hidden Tear-based variants were spotted in late December 2016. The first is\r\nKoKoKrypt (detected as RANSOM_HIDDENTEARKOKO.A), which is a very straightforward ransomware. It\r\nencrypts files and adds the extension .kokolocker. Victims are served a ransom note demanding .1 Bitcoin, or\r\nUS$90. \r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 5 of 7\n\nThe second is the Guster ransomware (detected as RANSOM_HIDDENTEARGUSTER.A). It uses the extension\r\n.locked. This particular ransomware has an animated screenlocker with a voice-over and a 48:00:00 countdown.\r\nThe ransom is set at .4 Bitcoin, or roughly $365. \r\nThe continuing emergence of Hidden Tear variants shows just how dangerous open source ransomwareopen on a\r\nnew tab is. Opportunistic malware developers will abuse any available resource.\r\nFigure 7.The ransom\r\nnote for Guster\r\nRansomware solutions:\r\nTrend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize\r\nthe risk of getting infected by ransomware:\r\nEnterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by\r\nthese threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector open\r\non a new taband InterScan™ Web Security open on a new tabprevents ransomware from ever reaching end users.\r\nAt the endpoint level, Trend Micro Smart Protection Suitesopen on a new tab deliver several capabilities like\r\nhigh-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that\r\nminimizes the impact of this threat. Trend Micro Deep Discovery Inspector open on a new tabdetects and blocks\r\nransomware on networks, while Trend Micro Deep Security™ open on a new tabstops ransomware from reaching\r\nenterprise servers–whether physical, virtual or in the cloud.\r\nFor small businesses, Trend Micro Worry-Free Services Advanced open on a new taboffers cloud-based email\r\ngateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as\r\nbehavior monitoring and real-time web reputation in order detect and block ransomware.\r\nFor home users, Trend Micro Security 10 open on a new tabprovides strong protection against ransomware by\r\nblocking malicious websites, emails, and files associated with this threat.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 6 of 7\n\nUsers can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Toolopen\r\non a new tab, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Toolopen on a new tab, which can decrypt certain variants of crypto-ransomware\r\nwithout paying the ransom or the use of the decryption key.\r\nHIDE\r\nLike it? Add this infographic to your site:\r\n1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your\r\npage (Ctrl+V).\r\nImage will appear the same size as you see above.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016" ], "report_names": [ "ransomware-recap-dec-19-dec-31-2016" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "39842197-944a-49fd-9bec-eafa1807e0ea", "created_at": "2022-10-25T16:07:24.310589Z", "updated_at": "2026-04-10T02:00:04.931264Z", "deleted_at": null, "main_name": "TeleBots", "aliases": [], "source_name": "ETDA:TeleBots", "tools": [ "BadRabbit", "Black Energy", "BlackEnergy", "CredRaptor", "Diskcoder.C", "EternalPetya", "ExPetr", "Exaramel", "FakeTC", "Felixroot", "GreyEnergy", "GreyEnergy mini", "KillDisk", "LOLBAS", "LOLBins", "Living off the Land", "NonPetya", "NotPetya", "Nyetya", "Petna", "Petrwrap", "Pnyetya", "TeleBot", "TeleDoor", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "nPetya" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434747, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8c7f7b45c6864223635a7159f7f6b3df74222da3.pdf", "text": "https://archive.orkl.eu/8c7f7b45c6864223635a7159f7f6b3df74222da3.txt", "img": "https://archive.orkl.eu/8c7f7b45c6864223635a7159f7f6b3df74222da3.jpg" } }