This week was mostly small variants being released, but we did have some interesting news. First, a Microsoft engineer is facing federal charges for involvement in the Reveton ransomware; then a decryptor was released for Vortex, the Magnitude exploit kit is now pushing GandCrab, and a ransomware is trying to make money off of Syrian refugees.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @BleepinComputer, @Seifreed, @campuscodi, @fwosar, @malwrhunterteam, @LawrenceAbrams, @struppigel, @jorntvdw, @DanielGallagher, @hexwaxwing, @malwareforme, @PolarToffee, @FourOctets, @BBCNews, @bartblaze, @MarceloRivero, @Damian1338, @JakubKroustek, @jeromesegura, @Malwarebytes, @CERT_Polska, @GrujaRS, @TrendMicro.
A Microsoft network engineer is facing federal charges in Florida for allegedly helping launder money obtained from victims of the Reveton ransomware.
Bart updated his article on Iron Ransomware:
In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.
MalwareHunterTeam discovered a new ransomware called Tron that appends the extension .tron to encrypted files.
Bart blogged about a new ransomware called Spartacus that appends the .[MastersRecovery@protonmail.com].Spartacus extension.
GrujaRS discovered a new variant of the NM4 ransomware that appends the .NMCRYPT! extension to encrypted files.
Marcelo Rivero, who has been tracking GandCrab, found a new variant of the GandCrab ransomware that sends a little alert that states "Hello, Marcelo :)".
The authors of the XiaoBa ransomware have retooled their malware's code into a cryptocurrency miner (coinminer). Unfortunately, despite not encrypting files anymore, the XiaoBa coinminer still destroys users' data thanks to a series of bugs that primarily corrupt a user's executable files.
According to the BBC:
The government and NHS bodies have been criticised by MPs for failing to implement measures to improve cyber-security nearly a year after a major ransomware attack on the service.
In an article on the Malwarebytes blog, Jérôme Segura details how on April 16 they discovered that Magnitude EK, which had previously been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab as well.
Michael Gillespie noted that the GlobeImposter distributors continue to add the "+" symbol to their extensions.
Karsten Hahn found a new Jigsaw Ransomware variant called Apophis.
When ransomware developers achieve huge media buzz like we saw with the PUBG Ransomware, it is not surprising to see other developers creating copycats. This is the case with two new in-development ransomware programs discovered by MalwareHunterTeam for both Minecraft and Counter-Strike: Global Offensive (CS: GO).
Jakub Kroustek discovered a new ransomware called "Meine_ransomware_PGP_DANGEROUS" that may be a Test/PoC written in Python. It appends the .enc extension to encrypted files and drops a note named ENCRYPTION_DETAILS.txt.
Michael Gillespie discovered the Satyr Ransomware, which appends the .Satyr extension to encrypted files.
A new ransomware called RansSIRIA has been discovered by MalwareHunterTeam that encrypts your files and then states it will donate your ransom payments to Syrian refugees. This ransomware is a variant of the WannaPeace ransomware and is targeting Brazilian victims.