Not a lot out this week other than some new variants of CryptoMix, Crysis, and someone paying homage to security researcher Karsten Hahn. Of particular interest is an Android application that allows anyone to generate a fully-working Android ransomware just by filling in a form and pushing a few buttons.
Contributors and those who provided new ransomware information and stories this week include: @FourOctets, @LawrenceAbrams, @PolarToffee, @malwrhunterteam, @malwareforme, @demonslay335, @campuscodi, @DanielGallagher, @BleepinComputer, @jorntvdw, @Seifreed, @fwosar, @struppigel, @ChristiaanBeek, @issp_info, @MalwareResearch, & @proofpoint.
GData malware researcher Karsten Hahn discovered the Cyron Ransomware. This ransomware appends the .CYRON extension to encrypted files.
Karsten Hahn discovered a new Oxar variant called Kappa. This ransomware appends the .OXR extension to encrypted files.
Karsten Hahn discovered another ransomware called Trojan Dz that is a CyberSplitter variant. This ransomware will append the .Isis extension to encrypted files.
Karsten Hahn discovered another Oxar variant that utilizes animated text and appends the .OXR extension to encrypted files.
Even ransomware devs know that Karsten is a ransomware hunting machine and wanted to say "Hello". MalwareHunterTeam & researcher Elise discovered this program, based off of HiddenTear, that shows his picture. It does not encrypt anything and was probably made by a fan :)
McAfee's Christiaan Beek tweeted that 30% of the ransomware McAfee detected in June was based off of HiddenTear. Hey, it was only "educational".
Karsten Hahn discovered a ransomware written by self-proclaimed script kiddies that should really be considered trollware. It is based off of EDA2 and appends the .xolzsec extension to encrypted files.
MalwareHunterTeam discovered a French HiddenTear variant that has very detailed payment instructions. It appends the .locked extension and drops ransom notes named TUTORIEL.bmp and READ_IT_FOR UNLOCK.txt.
Ukrainian authorities and businesses are on alert after local security firm ISSP reported that another accounting software maker got hacked and its servers were being used to spread malware.
Karsten Hahn discovered a new HiddenTear variant called FlashChestWare that appends the .flat extension to encrypted files. This ransomware is decryptable.
Karsten Hahn discovered another French HiddenTear variant called VideoBelle that appends the .locked extension to encrypted files. This ransomware is decryptable.
Karsten Hahn found the manual encryption tool for the Cryakl Ransomware.
MalwareHunterTeam discovered a new in-development Python ransomware called Cypher. This ransomware appends the .enc extension to encrypted files.
MalwareHunterTeam discovered a new in-development .NET ransomware that downloads and installs TOR. While currently in-development, it will append the .wooly extension to encrypted files.
Yesterday, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .EMPTY extension to encrypted file names. Considering that the previous variant used the ERROR extension and this one uses EMPTY, it is clear that the developers are running out of ideas for extensions.
Symantec Android malware researcher Dinesh Venkatesan discovered that Chinese malware developers have created a specialized Android application that allows anyone to generate a fully-working Android ransomware just by filling in a form and pushing a few buttons.
MalwareHunterTeam found a new in-development ransomware called PA-SIEM. This ransomware appends the .PA-SIEM extension to encrypted files.
Yesterday, ID-Ransomware's Michael Gillespie discovered a new variant of the Crysis/Dharma ransomware that is appending the .arena extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware.
Proofpoint discovered a new ransomware called Defray that is targeting the healthcare, education, manufacturing, and technology verticals.
Proofpoint threat researchers recently analyzed Defray Ransomware, a previously undocumented ransomware strain. So far in August, we have observed only two small and selectively targeted attacks distributing this ransomware. One was primarily aimed at Healthcare and Education verticals; another targeted Manufacturing and Technology verticals. We selected the name “Defray” based on the command and control (C&C) server hostname from the first observed attack.