This week was mostly small variants, but we did have some interesting news. First, we had an in-depth look at the SamSam ransomware by Sophos that details the staggering amount of money its operators are generating. The other interesting story is the developers of the GandCrab ransomware getting revenge on AhnLab for creating a vaccine for their ransomware. In their attempt at revenge, the GandCrab developers included code that could possibly DDoS AhnLab Lite v3.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Seifreed, @jorntvdw, @hexwaxwing, @demonslay335, @fwosar, @BleepinComputer, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @struppigel, @FourOctets, @malwareforme, @campuscodi, @AltShiftPrtScn, @thyrex2002, @Amigo_A_, @Damian1338B, @malware_traffic, @siri_urz, @MarceloRivero, and @SophosLabs.
Michael Gillespie found a new variant of the Animus/Aurora ransomware that appends the .desu extension to encrypted files. It will also rename the original file name to its hex equivalent. It is still decryptable.
Damian1338 noticed that the GandCrab team added more languages to their payment page.
Brad found a new ransomware calling itself Locky. This is not a new variant of the old ransomware of the same name, but an imposter.
The SamSam ransomware has earned its creator(s) more than $5.9 million in ransom payments since late 2015, according to the most comprehensive report ever published on SamSam's activity, containing information since the ransomware's launch in late 2015 and up to attacks that have happened earlier this month.
On Monday, officials from Matanuska-Susitna (Mat-Su), a borough that is part of the Anchorage Metropolitan Statistical Area, said they are still recovering from a ransomware infection that took place last week, on July 24.
MalwareHunterTeam found a new in-development ransomware that is based on Stupid Ransomware. This ransomware contains an image of Liviu Dragnea as its background. The sample does not currently encrypt, but if it did, it would use the .dragnea extension.
S!Ri discovered a new ransomware called Ann that renames files to the "[AskHelp@protonmail.com]..ANN" pattern.
Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .RECOVERYOURFILES extension and drops a ransom note named INSTRUCTIONS_RECOVER_FILES.txt.
Michael Gillespie found a new variant of the Matrix Ransomware uploaded to ID Ransomware that renames files to "[BatHelp@protonmail.com].-.CORE" and drops a ransom note named #CORE_README#.rtf.
Michael Gillespie found a new Scarab Ransomware variant that uses the same email as an Animus attacker. This variant appends the .email@example.com extension to encrypted files.
The author of the GandCrab ransomware is a little bit bitter at South Korean security vendor AhnLab after the security firm released a vaccine for the GandCrab ransomware. Due to this, they decided to include an alleged zero-day for the AhnLab v3 Lite antivirus in their recent builds.
MalwareHunterTeam found a new AutoIt ransomware called wannacryV2 that appends the .wannacryv2 extension to encrypted files and provides a decryptor.