This was an interesting week for ransomware, with various government servers being infected with VevoLocker, a new ransomware attack against HPE iLO remote management interfaces, and the KCW Ransomware targeting web sites in Pakistan.

Otherwise, it was a mix of new variants of existing ransomware families and new in-development ransomware that were released.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @demonslay335, @hexwaxwing, @Seifreed, @jorntvdw, @campuscodi, @struppigel, @LawrenceAbrams, @PolarToffee, @malwrhunterteam, @DanielGallagher, @FourOctets, @BleepinComputer, @bartblaze, @M_Shahpasandi, @PEIGuardian, @BBCNews, @MarceloRivero, @nullcookies, @JakubKroustek, and @leotpsc.

April 21st 2018

BlackHeart Ransomware discovered

Jakub Kroustek discovered the BlackHeart Ransomware. This ransomware appends the .pay2me or .BlackRouter extension to encrypted files and drops a ransom note named ReadME-BLackHeart.txt.

April 22nd 2018

Kraken Ransomware uses Discord as a C2

Leo found a new in-development ransomware called Kraken that uses a Discord server and a Discord webhook as the command and control (C2) channel for infected victims.

Satan ransomware adds EternalBlue exploit

Bart blogs about how a new variant of the Satan Ransomware added the EternalBlue exploit:

In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.

April 23rd 2018

P.E.I. government website hit by ransomware attack

The Guardian reports that the Prince Edward Island government web site was infected with ransomware. The ransomware involved is VevoLocker.

The P.E.I. government’s website was held for ransom Monday, but a spokesman for the province says no personal data was breached.

GandCrab v2.1 Released

Marcelo Rivero discovered that version 2.1 of the GandCrab ransomware was released. This version injects its code into svchost.exe and uses a new proxy domain, ahnlab.com.

New PUBG Ransomware "Special 999Hours" / "TALK SHOP Edition"

MalwareHunterTeam found a new variant of the PUBG Ransomware called "Special 999Hours" / "TALK SHOP Edition". This variant requires the victim to play for 999 hours to decrypt their files.

April 24th 2018

Xorist variant with an incredibly annoying extension

MalwareHunterTeam found a new Xorist variant that uses the very long and annoying extension "PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_to_make_the_payment".

Oblivion Ransomware spotted

Michael Gillespie spotted the Oblivion Ransomware from submissions to ID-Ransomware. This ransomware scrambles the file name and then appends the .OBLIVION extension and drops a note named OBLIVION DECRYPTION INFORMATION.TXT.

Ransomware infects Ukraine energy ministry website

According to the BBC, the Ukraine energy ministry was infected with the VevoLocker ransomware:

Hackers have used ransomware to take the website of Ukraine's energy ministry offline and encrypt its files. The website currently contains a message written in English, demanding a ransom of 0.1 bitcoin - worth $927.86 (£664.98) by today's exchange rate.

April 25th 2018

Ransomware Hits HPE iLO Remote Management Interfaces

Attackers are targeting Internet-accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. While it has not been 100% confirmed that the hard drives are actually being encrypted, we do know that multiple victims have been affected by this attack since yesterday.

New .mich LockCrypt variant can be decrypted

Michael Gillespie spotted a new variant of the LockCrypt ransomware and was able to decrypt it. If you are infected with a variant that appends the .mich extension, contact Michael.

April 26th 2018

New C# Ransomware Compiles itself at Runtime

A new in-development ransomware was discovered by MalwareHunterTeam that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality itself, the executable compiles an embedded, encrypted C# program at runtime and launches it directly in memory.

New CryptConsole variant

Michael Gillespie found a new CryptConsole variant that uses the xzet@tutanota.com email and is still decryptable.

April 27th 2018

KCW Ransomware Encrypting Web Sites in Pakistan

Team Kerala Cyber Warriors, a hacking group based in India, has begun installing ransomware on web sites hosted in Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.

RandomLocker discovered

MalwareHunterTeam discovered a new ransomware called RandomLocker that appends the .rand extension to encrypted files. It is possibly being used for manual infections.

That's it for this week! Hope everyone has a nice weekend!
