It was a good week, as there was not a lot of news when it comes to ransomware. Some more in-dev crap and nothing really new this week. The biggest news is that Cerber is now being distributed via malspam that utilizes CVE-2017-0199 in the attached DOC files.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @malwrhunterteam, @demonslay335, @PolarToffee, @DanielGallagher, @campuscodi, @struppigel, @JAMESWT_MHT, @Seifreed, @matthew_d_green, @JakubKroustek, @jiriatvirlab, @malware_traffic, @bartblaze, @PaloAltoNtwks, and @kaspersky.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
BleepingComputer discovered a Brazilian ransomware called JeepersCrypt. This ransomware appends the .jeepers extension to encrypted files. It can be decrypted if anyone becomes infected.
Emsisoft malware analyst xXToffeeXx discovered a sample of the AES-NI ransomware. The ransomware injects into svchost.exe, appends the .aes_ni_0day extension to encrypted files, and drops a ransom note named !!! READ THIS - IMPORTANT !!!.txt.
Security researcher Bart discovered a new CryptoWire variant dubbed Hopeless ransomware, due to the "Sem Solução" ("No Solution") text on the ransomware screen. When encrypting files, the ransomware appends the .encrypted extension. Bart goes on to say that the ransomware can be decrypted simply by using the password 123.
Kaspersky discusses how they are able to decrypt Xpan versions with the .one extension appended to encrypted files.
MalwareHunterTeam discovered a new ransomware called PshCrypt. This ransomware appends the .psh extension to encrypted files. Thankfully, it can be decrypted simply by entering HBGP into the serial code field.
You have to love when ransomware infections are decrypted before they are even released. Bonehead ransomware devs. This is the case with a new in-dev ransomware found by Michael Gillespie that appends the .FailedAccess extension to encrypted files. Currently it only encrypts files located in the C:\Users\houcemjouini\Desktop\projet sans fils\test folder. It can easily be decrypted using Michael's StupidDecryptor.
MalwareHunterTeam discovered a new ransomware that appears to be part of a CTF challenge. If nothing else, it has a nice screenlocker background. The key is generated using the MD5 of the computer's MAC address. It appends .CTF to encrypted files.
On April 11th 2017, we saw a new malicious spam campaign using United States Postal Service (USPS)-themed emails with links that redirected to fake Microsoft Word online sites. These fake Word sites asked victims to install malware disguised as a Microsoft Office plugin.
This campaign introduced a new ransomware called Mole, because the names of any files encrypted by this ransomware end with .MOLE. Mole appears to be part of the CryptoMix family of ransomware, since it shares many characteristics with the Revenge and CryptoShield variants of CryptoMix.
The campaign quickly changed tactics and increased complexity.
MalwareHunterTeam found a sample of NMoreira 4, otherwise known as NM4 Ransomware. This ransomware appends the .NM4 extension to encrypted files and drops a ransom note named Recovers your files.html.
MalwareHunterTeam noticed that Cerber changed its ransom note names to _!!!_README_!!!_%random%_.hta and _!!!_README_!!!_%random%_.txt. The current sample is distributed using CVE-2017-0199 to install Cerber.
MalwareHunterTeam found a sample of a new in-dev ransomware that will be titled International Police Association. This ransomware zips files into password-protected archives and then appends the " .locked" extension. Note that the leading space is intentional. The password to the archives is currently ddd123456.
Brad Duncan wrote an article about how Cerber is now being distributed via malspam that uses CVE-2017-0199.
MalwareHunterTeam found a sample of the Mordor Ransomware. The only interesting thing about it is that it is named Mordor. This is a HiddenTear variant that has been modified to be part of a RaaS. When encrypting a file, it appends the .mordor extension and drops a ransom note named READ_ME.html.