This was an interesting week for ransomware with various government servers being infected with VevoLocker, a new ransomware attack against HP iLO remote management interfaces, and the KCW Ransomware targeting web sites in Pakistan.
Otherwise, it was a mix of new variants of existing ransomware infections or new in-dev ransomware that were released.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @demonslay335, @hexwaxwing, @Seifreed, @jorntvdw, @campuscodi, @struppigel, @LawrenceAbrams, @PolarToffee, @malwrhunterteam, @DanielGallagher, @FourOctets, @BleepinComputer, @bartblaze, @M_Shahpasandi, @PEIGuardian, @BBCNews, @MarceloRivero, @nullcookies, @JakubKroustek, and @leotpsc.
Jakub Kroustek discovered the BlackHeart Ransomware. This ransomware appends the .pay2me or .BlackRouter extension to encrypted files and drops a ransom note named ReadME-BLackHeart.txt.
Leo found a new in-development ransomware called Kraken that was using a Discord server and a Discord webhook to act as the C2 server for infected victims.
Bart blogs about how a new variant of the Satan Ransomware added the EternalBlue exploit:
In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.
The Guardian reports that the Prince Edward Island government web site was infected with ransomware. This ransomware is VevoLocker.
The P.E.I. government’s website was held for ransom Monday, but a spokesman for the province says no personal data was breached.
Marcelo Rivero discovered that version 2.1 of the GandCrab ransomware was released. This version injects code into svchost.exe and uses a new proxy domain of ahnlab.com.
MalwareHunterTeam found a new variant of the PUBG Ransomware called "Special 999Hours" / "TALK SHOP Edition". This variant requires you to play 999 hours to decrypt your files.
MalwareHunterTeam found a new Xorist variant that uses the very long and annoying extension of "PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_to_make_the_payment".
Michael Gillespie spotted the Oblivion Ransomware from submissions to ID-Ransomware. This ransomware scrambles the file name and then appends the .OBLIVION extension and drops a note named OBLIVION DECRYPTION INFORMATION.TXT.
According to the BBC, the Ukraine energy ministry was infected with the VevoLocker ransomware:
Hackers have used ransomware to take the website of Ukraine's energy ministry offline and encrypt its files. The website currently contains a message written in English, demanding a ransom of 0.1 bitcoin - worth $927.86 (£664.98) by today's exchange rate.
Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. While it has not been 100% confirmed if the hard drives are actually being encrypted, we do know that multiple victims have been affected by this attack since yesterday.
A new in-development ransomware was discovered by MalwareHunterTeam that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality itself, the executable compiles an embedded encrypted C# program at runtime and launches it directly in memory.
Team Kerala Cyber Warriors, a hacking group based out of India, has begun to install ransomware on web sites based out of Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.
MalwareHunterTeam discovered a new ransomware called RandomLocker that appends the .rand extension to encrypted files. It is possibly being used for manual infections.