This week has been dominated by GlobeImposter releases that do not seem to stop. We also have a few CryptoMix variants and smaller ransomware variants. Otherwise, no big news released this week, which is always a good thing.

Contributors and those who provided new ransomware information and stories this week include: @FourOctets, @LawrenceAbrams, @PolarToffee, @DanielGallagher, @struppigel, @campuscodi, @demonslay335, @fwosar, @malwrhunterteam, @malwareforme, @jorntvdw, @Seifreed, @BleepinComputer, @leotpsc, @MarceloRivero, @JakubKroustek, @jeromesegura, @SickSkillz1, @Malwarebytes.

August 5th 2017

New Karmen Variant Called 3301 Ransomware

Security researcher MalwareHunterTeam discovered a new variant of the Karmen Ransomware called 3301 Ransomware. This ransomware appends .3301 to the encrypted files.

August 6th 2017

GlobeImposter Variant that Adds the .mtk118 Extension

Avast security researcher Jakub Kroustek discovered a new GlobeImposter variant that appends the .mtk118 extension and creates ransom notes named how_to_back_files.html.

Polski Ransomware Released

Jakub Kroustek discovered a variant of the AESxWin ransomware called Polski Ransomware. It appends the .ZABLOKOWANE extension to encrypted files and drops a ransom note named ### - ODZYSKAJ SWOJE DANE - ###.TXT.

New HiddenTear Variant Called Balbaz Ransomware

BleepingComputer owner, Lawrence Abrams, discovered a new HiddenTear variant called Balbaz Ransomware that appends the .WAmarlocked extension to encrypted files and drops a ransom note named READ_IT.txt.

UEFI Ransomware Released

Security researcher Leo discovered the in-development UEFI Ransomware. It does not currently encrypt files.

August 7th 2017

TPS Ransomware Changes its Name to Why-Cry

The latest version of TPS ransomware now calls itself Why-Cry. You can use the code YANGTGTDKYFWSBDAUWPMFNHBUGPFUCKYOUBITCH to decrypt.


New Ogonia CryptoMix Variant

Malwarebytes security researcher Marcelo Rivero discovered a new variant of the CryptoMix ransomware that appends the .OGONIA extension to encrypted files and drops a ransom note named _HELP_INSTRUCTION.TXT.

CNC CryptoMix Variant Released

MalwareHunterTeam discovered a new CryptoMix variant that appends the .CNC extension and drops a ransom note named _HELP_INSTRUCTION.TXT.

GlobeImposter Variant Targeting Russian Victims

Lawrence Abrams discovered a new GlobeImposter variant targeting Russian victims. This variant uses the emails & and appends the .crypt extension to encrypted files.

Coded GlobeImposter Variant Discovered

Lawrence Abrams discovered a new GlobeImposter variant that uses the emails & and appends the .coded extension to encrypted files.

Astra GlobeImposter Variant Released

SickSkillz discovered another GlobeImposter variant that appends the .astra extension to encrypted files and drops a note called here_your_files!.html.

492 GlobeImposter Variant

Lawrence Abrams discovered a new variant of GlobeImposter that appends the .492 extension to encrypted files and uses the & in the ransom note.

Diamond Computing Encryption Ransomware Discovered

Emsisoft security researcher xXToffeeXx discovered a new ransomware calling itself Diamond Computer Encryption. It appends a random [a-z0-9]{6} extension per file and drops a _READ_IT_FOR_RECOVER_FILES.html ransom note.

August 8th 2017

Lockd Screen Locker

MalwareHunterTeam discovered a screenlocker called LOCKD.

New CryptoWire Variant Calling Itself WanaCry 4

Karsten Hahn discovered a new CryptoWire variant called WanaCry4. Rather than appending a new extension, this variant inserts the string encrypted before the original extension, so Test.jpg becomes Test.encrypted.jpg.

New HELLO Xorist Variant Discovered

Lawrence Abrams discovered a new Xorist Ransomware variant that appends the .HELLO extension to encrypted files and drops a ransom note named HOW TO DECRYPT FILES.txt.

.TXT GlobeImposter Variant Discovered

Palo Alto Unit 42 security researcher Brad Duncan discovered a new GlobeImposter variant that appends the ..TXT extension to encrypted files.

August 9th 2017

FBI Used Booby-Trapped Video to Catch Suspected Sextortionist Hiding Behind Tor

On Monday, US authorities announced the arrest of a suspect who used Tor to disguise his online identity and coerce underage female victims into sending sexually explicit images and videos in a tactic commonly referred to as "sextortion."

New Oxar Variants Discovered

MalwareHunterTeam discovered two new Oxar ransomware variants that append the .PEDO and .ULOZ extensions. According to MalwareHunterTeam, they also upload some system information to an FTP server and have a speak feature.

Cerber ransomware delivered in format of a different order of Magnitude

Malwarebytes security researcher Jérôme Segura discusses how the Magnitude exploit kit is used to distribute Cerber.

August 10th 2017

IsraBye is an Anti-Israel Data Wiper Disguised as Ransomware

An anti-Israel and pro-Palestinian data wiper called IsraBye has been discovered that pretends to be ransomware. Unfortunately, even though the lock screen implies that the files can be recovered, the contents of the files are actually replaced with an anti-Israel message, so there is nothing left to decrypt.

Rumblegoodboy GlobeImposter Discovered

ID-Ransomware's Michael Gillespie discovered a new GlobeImposter variant that adds the odd .rumblegoodboy extension to encrypted files.

New .NET Ransomware Impersonates Globe

MalwareHunterTeam discovered a new .NET ransomware whose ransom note impersonates Globe/GlobeImposter. This ransomware drops a ransom note named HOW_TO_BACK_FILES.html and appends the .[] extension to encrypted files.

New FDP Oxar Variant

MalwareHunterTeam discovered a new Oxar variant that appends the .FDP extension to encrypted files.

August 11th 2017

Ukraine Police Arrest Man for Spreading NotPetya Ransomware in Tax Evasion Scheme

Ukrainian authorities have arrested a 51-year-old man from Nikopol, Dnipropetrovsk region, on accusations of distributing a version of the NotPetya ransomware.

BTCWare Variant Called Gryphon Ransomware Adds .Crypton Extension

A new variant of the Gryphon Ransomware has been discovered by ID-Ransomware's Michael Gillespie that appends the %s.[   ].crypton extension to encrypted files. First discovered at the end of July 2017, Gryphon Ransomware is actually a variant of the BTCWare ransomware.
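As an added illustration, not part of the original article, here is a small triage helper that maps the file-naming patterns described this week to the likely family and ransom-note name, so a responder can get a first guess from a directory listing before uploading samples to ID-Ransomware. The sample filenames are constructed; the email addresses that sit inside some extensions are omitted, and the random six-character extension is only matched when the original extension is still visible (an assumption, since such names also occur legitimately).

```python
import re
from collections import Counter

# Fixed appended extensions from this week's write-ups: ext -> (family, ransom note).
FIXED_EXTENSIONS = {
    ".3301": ("3301 (Karmen)", None),
    ".mtk118": ("GlobeImposter", "how_to_back_files.html"),
    ".ZABLOKOWANE": ("Polski (AESxWin)", "### - ODZYSKAJ SWOJE DANE - ###.TXT"),
    ".WAmarlocked": ("Balbaz (HiddenTear)", "READ_IT.txt"),
    ".OGONIA": ("CryptoMix", "_HELP_INSTRUCTION.TXT"),
    ".CNC": ("CryptoMix", "_HELP_INSTRUCTION.TXT"),
    ".crypt": ("GlobeImposter", None), ".coded": ("GlobeImposter", None),
    ".astra": ("GlobeImposter", "here_your_files!.html"),
    ".492": ("GlobeImposter", None), ".rumblegoodboy": ("GlobeImposter", None),
    ".HELLO": ("Xorist", "HOW TO DECRYPT FILES.txt"),
    ".PEDO": ("Oxar", None), ".ULOZ": ("Oxar", None), ".FDP": ("Oxar", None),
}

# Schemes that are not a plain appended extension.
WANACRY4 = re.compile(r"^.+\.encrypted\.[A-Za-z0-9]+$")       # Test.encrypted.jpg
GRYPHON = re.compile(r"\.crypton$", re.IGNORECASE)              # name.[contact].crypton
RANDOM6 = re.compile(r"^.+\.[A-Za-z0-9]{2,5}\.[a-z0-9]{6}$")  # doc.pdf.k3x9qa (assumption)

def classify(name):
    """Return (family, ransom_note) for one file name, or None if nothing matches."""
    for ext, info in FIXED_EXTENSIONS.items():   # checked first: .mtk118 also fits RANDOM6
        if name.endswith(ext):
            return info
    if WANACRY4.match(name):
        return ("WanaCry4 (CryptoWire)", None)
    if GRYPHON.search(name):
        return ("Gryphon (BTCWare)", None)
    if RANDOM6.match(name):
        return ("Diamond Computer Encryption (possible)", "_READ_IT_FOR_RECOVER_FILES.html")
    return None

def triage(names):
    """Count likely families across a listing; unmatched names are ignored."""
    hits = [classify(n) for n in names]
    return Counter(h[0] for h in hits if h)

# Constructed sample listing, not taken from any real infection.
SAMPLE = ["report.docx.mtk118", "photo.jpg.OGONIA", "Test.encrypted.jpg",
          "budget.xlsx.k3x9qa", "notes.txt", "scan.pdf.[contact].crypton"]

if __name__ == "__main__":
    for family, count in triage(SAMPLE).items():
        print(f"{count:3d}  {family}")
```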

That's it for this week! Hope everyone has a nice weekend!

