This week was mostly about in-dev ransomware or new variants of older ransomware being released. The biggest news was the File Spider Ransomware campaign that was targeting countries in the Balkans. The other big news, though a ransom and not ransomware, was what appears to be the entire California voters database being leaked on the Internet and now being held for ransom. 

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @DanielGallagher, @BleepinComputer, @malwareforme, @demonslay335, @LawrenceAbrams, @campuscodi, @Seifreed, @PolarToffee, @jorntvdw, @malwrhunterteam, @FourOctets, @fwosar, @hexwaxwing@siri_urz@Malwarebytes, @Amigo_A_, @MayhemDayOne, @B_H101, @neonprimetime, @sdkhere.

December 9th 2017

Napoleon: a new version of Blind ransomware

Malwarebytes discovered a new variant of the Blind Ransomware that utilizes the .napoleon extension for encrypted files.

December 10th 2017

New in-dev ransomware called D4rkL0cker Test

Lawrence Abrams discovered a new in-dev ransomware called D4rkL0cker Test. The ransomware does not currently encrypt.

December 11th 2017

File Spider Ransomware Targeting the Balkans With Malspam

A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia.  These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.

Analysis of File-Spider Ransomware

Reverse engineer SDK provides another analysis of the File Spider ransomware.

New variant of NxRansomware called I'll Make You Cry

Karsten Hahn discovered a new variant of the NxRansomware called I'll Make Your Cry. 

In-dev screenlocker asks for credit cards

Karsten Hahn discovered an in-dev screenlocker that asks for your credit card number. Does not encrypt.

December 13th 2017

WORK Cryptomix Ransomware Variant Released

Lawrence Abrams discovered a new variant of the CryptoMix ransomware that appends the .WORK extension to encrypted files and changes the contact emails used by the ransomware. 

New HC7 Ransomware variant

Michael Gillespie posted about a new variant of the HC7 Ransomware that now utilizes the .DS335 extension for encrypted files.

New Noblis Ransomware variant

Amigo-A discovered a new variant of the Noblis Ransomware that appends the  .noblis extension to encrypted files.

New Blind Variant

Michael Gillespie found a new sample of the Blind Ransomware that appends the .[].skeleton extension and drops a ransom note named How_Decrypt_Files.txt.

TrOwX Ransomware discovered

MalwareHunterTeam discovered a new HiddenTear variant called TrOwX that drops a ransom note named READ_AND_CRY+[passTxt].txt and uses the .locked extension for encrypted files.

December 14th 2017

Hunt initiated for the rsa-ni ransomware

Michael Gillespie discovered a ransom note uploaded to ID Ransomware for a ransomware called rsa-ni.

December 15th 2017

California Voter Database Compromised in MongoDB Incident

The details of over 19 million California voters were left exposed online in an unsecured MongoDB database and were later held for ransom, according to researchers from the Kromtech Security Center.

According to Kromtech:

If there is one thing that the 2016 US election has taught us it is that the entire electoral process needs to be revamped and a more uniform secure process. There have been several high profile leaks of voter data in recent months but in this case the entire voting population of California has had their information taken by cyber criminals. 

The Satan's Doom Ransomware Discovered

Karsten Hahn discovered a new HiddenTear variant called Satan's Doom. Satan's Doom drops a ransom note named READ_IT.txt and appends the .locked extension to encrypted files. Has a hardcoded unlock ID of 63uh2372gASd@316.

Cyclone Ransomware discovered

Karsten Hahn discovered a python based ransomware called Cyclone. This ransomware will append the .Cyclone extension to encrypted files.

Cryptomaniac Ransomware discovered

Karsten Hahn discovered a new in-dev python based ransomware called Cryptomaniac. Cryptomaniac appends the .maniac extension to encrypted files and drops a ransom note named Readme_to_recover_files.txtReadme_to_recover_files.html.

Godra Ransomware Discovered

S!Ri discovered the Godra Ransomware, which appends the .godra extension to encrypted files and drops a ransom note named  KAKO OTKLJUCATI VASE DATOTEKE.txt.

That's it for this week! Hope everyone has a nice weekend!

Related Articles:

The Week in Ransomware - September 21st 2018 - Beer, Airports, & Dharma

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message