Introduction Sage is a new ransomware family, a variant of CryLocker. Currently it’s distributed by the same actors that are usually distributing Cerber, Locky and Spora. In this case malspam is the infection vector. Emails from the campaign contain only malicious zip file without any text. Inside zip attachment …

Introduction Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. This incarnation of Nymaim was interesting for us because it gained banking capabilities and became a serious threat …

Introduction Initially Evil was brought to our attention by an incident reported on 2017-01-08. By that time the Internet was completely silent on that threat and we had nothing to analyze. We found first working sample day later, on 2017-01-09. In this article we will shortly summarize our analysis and …

Campaign CryptoMix is another ransomware family that is trying to earn money by encrypting victims files and coercing them into paying the ransom. Until recently it was more known as CryptFile2, but for reasons unknown to us it was rebranded and now it’s called CryptoMix. It was observed in …