This week we saw quite a few campaigns with widespread distribution. These campaigns are being installed either over accessible Remote Desktop Services or through malspam. The biggest news is a variant of the Hermes ransomware called Ryuk that has generated over 600k USD for the developers.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @Seifreed, @malwrhunterteam, @jorntvdw, @struppigel, @fwosar, @demonslay335, @FourOctets, @BleepinComputer, @campuscodi, @LawrenceAbrams, @PolarToffee, @Amigo_A_, @vishuwerehere, @yvesago, @Jan0fficial, and @CheckPointSW.
August 18th 2018
AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Towards the end of July 2018, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.
August 20th 2018
Beware of Spam with Fake Invoices Pushing Hermes 2.1 Ransomware and AZORult
A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened, they install the AZORult information-stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.

New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles
A new variant of the Matrix Ransomware has been discovered that renames encrypted files and then appends the .FOX extension to the file name. Of particular interest, this ransomware could have the most exhaustive process for making sure that each and every file is not open and is available for encrypting. Thankfully, this also makes its encryption process very slow, so it could be easier to detect.

New TorchWood Ransomware Variant
Amigo-A found a new variant of the Russian TorchWood ransomware that uses the .TRCHWD extension for encrypted files and is installed over RDP.

New NinjaLock Ransomware
MalwareHunterTeam found a new ransomware called NinjaLock. Jack shared the image and stated it does not encrypt.

New Creeper Ransomware variant
Amigo-A found a new variant of the Creeper Ransomware that appends the .crypton extension and drops a ransom note named DECRIPT_FILES.txt.

New Jigsaw variant with new background
Michael Gillespie found a new Jigsaw Ransomware variant that uses the .fun extension and a new background image.

New Scarab Ransomware variant
Michael Gillespie found a new Scarab Ransomware variant that utilizes the .CYBERGOD extension and another that uses the .rent extension.
August 21st 2018
Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
A new ransomware strain named Ryuk is making the rounds, and, according to current reports, the group behind it has already made over $640,000 worth of Bitcoin.

New RotorCrypt Ransomware
Michael Gillespie found a new RotorCrypt Ransomware variant that appends the !@#$_(decryp in the EMail)____nautilus369alarm@gmail.com____$#@..AlfaBlock extension to encrypted files.
New Rapid Ransomware v1 Variant
MalwareHunterTeam found a new Rapid v1 Ransomware variant that now uses the .no_more_ransom extension on encrypted files.

New Xorist variant discovered
Michael Gillespie found a new Xorist Ransomware variant that uses the extensions .PrOtOnIs and .PrOtOnIs.VaNdElIs.

New n1n1n1 ransomware variant
Michael Gillespie noticed a new n1n1n1 variant uploaded to ID Ransomware that uses the "jpa." prefix on files and drops a ransom note named why files renamed jpa..txt.
New Why Ransomware discovered
Michael Gillespie noticed a new ransomware variant uploaded to ID Ransomware that uses the .WHY extension and drops a ransom note named !!!WHY_MY_FILES_NOT_OPEN!!!.txt.
August 23rd 2018
New TotalWipeOut ransomware
MalwareHunterTeam found a new ransomware called TotalWipeOut.

New PyLocky variant
MalwareHunterTeam found a new PyLocky variant that appends the .lockedfile extension to encrypted files.

New Oni Ransomware variant
MalwareHunterTeam found a new Oni Ransomware variant that drops ransom notes named RESTORE_ONI_FILES.txt and renames files to the "%original file name (incl. extension) converted to hex%.ONI" format.

New Jigsaw Ransomware variant
Michael Gillespie found a new Polish Jigsaw Ransomware variant that appends the extension .#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#.
Comments
Amigo-A - 1 year ago
Thank you!
In addition to the above-mentioned Scarab-CyberGod variant, scarabs of all suits and colorings emerged from their holes in the past week, according to the colors of the flags where they live or spread.
These are variants of Scarab-Amnesia Ransomware
Scarab-Bin Ransomware
Scarab-Danger Ransomware
Scarab-Omerta Ransomware
Scarab-Scarabey Ransomware
After a little lull in August, it's really a lot. They multiply and no one can (does not want to) stop them.
If someone is interested, then the links can be found through the main article.
https://id-ransomware.blogspot.com/2017/06/scarab-ransomware.html
Added a link to the English translation from Google. It does not translate very well, but you can understand the main text.
Good news: all versions of the Scarab can be deciphered. Yes it is possible!
If someone else, besides the experts at Dr.Web and ESET, takes up this case, then this will stop the procession of this extortion on the planet.