
OphionLocker. New ransomware on the scene

published on 2014-12-09 19:46:00 UTC by Trojan7Malware

This malware was discovered by a honeypot triggered during a malvertising campaign. The campaign used the RIG exploit kit. 

Interesting features of this ransomware:
Uses elliptic curve cryptography for the encryption of files. (I believe this is the first ransomware to use such methods.)
Spread using an exploit kit; all variants were FUD (fully undetected by AV) at time of discovery.
Price can be changed depending on geo-location, the United States being the most expensive.
No support for Unicode at the moment, although that's likely to change.
Public keys are pre-packed in the malware, and their corresponding private keys are generated server-side and then sent once the ransom is paid.
Payment page is hosted on Tor, making a shutdown incredibly hard.

Extensions encrypted (as they appear in the binary's string table, each entry followed by a null terminator):
"accdb",0,".ai",0,".arw",0,".bay",0,".blend",0,".cdr",0,".cer",0,".cr2",0,".crt",0,".crw",0,".dbf",0,".dcr",0,".der",0,".dng",0,".doc",0,".docm",0,".docx",0,".dwg",0,".dxf",0,".dxg",0,".eps",0,".erf",0,".indd",0,".jpe",0,".jpg",0,".jpeg",0,".kdc",0,".mdb",0,".mdf",0,".mef",0,".mrw",0,".nef",0,".nrw",0,".odb",0,".odm",0,".odp",0,".ods",0,".odt",0,".orf",0,".p12",0,".p7b",0,".p7c",0,".pdd",0,".pdf",0,".pef",0,".pem",0,".pfx",0,".ppt",0,".pptm",0,".pptx",0,".psd",0,".pst",0,".ptx",0,".r3d",0,".raf",0,".raw",0,".rtf",0,".rw2",0,".rwl",0,".srf",0,".srw",0,".wb2",0,".wpd",0,".wps",0,".xlk",0,".xls",0,".xlsb",0,".xlsm",0,".xlsx",0,0

These are the same extensions both CryptoLocker and TorLocker use.

Once the files are encrypted, payment is demanded via text files that fill the desktop with the ransom notice. A 3-day timer begins; when it runs out the ransom fee increases. Bitcoin is once again the currency of choice, and a US victim is charged $300 for the decryption key.

Strangely, the malware generates a HWID (hardware identification) number to ensure only one sample can be generated per PC; these can be blacklisted to prevent encryption if the actors deem it necessary.

Because a public key is already present in the file, encryption can begin without internet connectivity or user interaction. This makes stopping the infection before it is too late significantly harder.


Samples, Hashes and Scans:
Scan: http://nodistribute.com/result/M3sGCPTit4eAK
Hash: e17da8702b71dfb0ee94dbc9e22eed8d
Sample: THIS IS MALWARE http://bit.ly/1yMMRwf THIS IS MALWARE

Original article: http://trojan7malware.blogspot.com/2014/12/ophionlocker-new-ransomware-on-scene.html
Published: 2014-12-09 19:46:00
Received by feed: 2023-03-31 23:02:32
Feed / Source: Trojan7Malware
