This has been a really busy ransomware week. In addition to lots of crapware released, we also saw an EDA2 branch called Stolich that is only going to lead to more skidware being released. We also saw a new codebase actively being used to pump out small ransomware infections, which, like HiddenTear and EDA2, is just going to become a pain to keep up with.
The big news was the POC for a UEFI Ransomware presented at BlackHat Asia, Matrix Ransomware being distributed by RIG and having worm characteristics, and the joke ransomware called RensenWare that required a victim to get a very high score in a game to get a decryption key.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @emsisoft, @malware_traffic, @cylanceinc, @sans_isc, and @F5Labs.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
At the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte BRIX small computing devices, which allow an attacker to write malicious content to the UEFI firmware.
BleepingComputer discovered the new in-dev GX40 Ransomware, which appears to be a new codebase that is used to push out ransomware infections. It adds the .encrypted extension to encrypted files and uses the payment email firstname.lastname@example.org.
A new variant of the Krider ransomware called AngryKite was discovered by BleepingComputer. AngryKite randomizes filenames and appends the .NumberDot extension to encrypted files. It tells victims to call 855-455-6800 for help. It may be decryptable.
BleepingComputer discovered the new Fluffy-Tar Ransomware. Currently in-dev, but sports a cute mascot, supports French and English, and comes with a TOR site.
BleepingComputer discovered that someone named "Faizal" is playing with HiddenTear. The ransomware appends the .gembok extension to encrypted files.
Bitdefender released a decryptor for the Bart Ransomware. One was already released a while back by Avast.
Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .I'WANT MONEY extension to encrypted files and then says to email email@example.com. Michael's decryptor has been updated to support this variant.
Karsten Hahn discovered a new in-development ransomware written in Python.
Karsten Hahn discovered a new Turkish HiddenTear variant called Dikkat. This ransomware is x64 only.
An Indian developer is playing around with an open source ransomware builder, which in the long run may end up causing serious problems for innocent users. This developer, who goes by the nickname of Empinel and claims to be based in Mumbai, has forked the open source code of the EDA2 project, and with the help of another user, has removed the backdoor hidden in EDA2's original code.
Austrian police arrested a 19-year-old teenager from Linz for infecting the network of a local company with the Philadelphia ransomware. The incident in question took place last year and targeted an unnamed company based in Linz. The attacker locked the company's servers, including its production database. The attacker asked for $400 to unlock the company's systems, but the victim refused and instead recovered its data via older backups.
A new ransomware called RensenWare was discovered today by MalwareHunterTeam that makes a unique ransom demand: score over 0.2 billion in the LUNATIC level of TH12 ~ Undefined Fantastic Object or kiss your files goodbye!
Both F5 Labs and SANS ISC released research detailing how, for about the last month, at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors, DDoS bots, cryptocurrency miners, or ransomware, depending on whether the machine is running Linux or Windows.
After the publication of an article in Security Affairs called "ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems," security researchers used Twitter to bash CRITIFENCE for what they felt were lies about real-world attacks, accusing the company of orchestrating a media stunt and of not releasing any research they could vet.
Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of widespread distribution.
Karsten Hahn discovered a new CyberSplitterVBS variant called Cerberos.