This week was mostly about in-dev ransomware or new variants of older ransomware being released. The biggest news was the File Spider Ransomware campaign that was targeting countries in the Balkans. The other big news, though a ransom and not ransomware, was what appears to be the entire California voter database being leaked on the Internet and now being held for ransom.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @DanielGallagher, @BleepinComputer, @malwareforme, @demonslay335, @LawrenceAbrams, @campuscodi, @Seifreed, @PolarToffee, @jorntvdw, @malwrhunterteam, @FourOctets, @fwosar, @hexwaxwing, @siri_urz, @Malwarebytes, @Amigo_A_, @MayhemDayOne, @B_H101, @neonprimetime, @sdkhere.
Malwarebytes discovered a new variant of the Blind Ransomware that utilizes the .napoleon extension for encrypted files.
Lawrence Abrams discovered a new in-dev ransomware called D4rkL0cker Test. The ransomware does not currently encrypt files.
A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contain malicious Word documents that will download and install the File Spider ransomware onto a victim's computer.
Reverse engineer SDK provides another analysis of the File Spider ransomware.
Karsten Hahn discovered a new variant of the NxRansomware called I'll Make Your Cry.
Karsten Hahn discovered an in-dev screenlocker that asks for your credit card number. It does not encrypt files.
Michael Gillespie found a new sample of the Blind Ransomware that appends the .[firstname.lastname@example.org].skeleton extension and drops a ransom note named How_Decrypt_Files.txt.
MalwareHunterTeam discovered a new HiddenTear variant called TrOwX that drops a ransom note named READ_AND_CRY+[passTxt].txt and uses the .locked extension for encrypted files.
Michael Gillespie discovered a ransom note uploaded to ID Ransomware for a ransomware called rsa-ni.
The details of over 19 million California voters were left exposed online in an unsecured MongoDB database and were later held for ransom, according to researchers from the Kromtech Security Center.
According to Kromtech:
If there is one thing that the 2016 US election has taught us, it is that the entire electoral process needs to be revamped and a more uniform, secure process adopted. There have been several high-profile leaks of voter data in recent months, but in this case the entire voting population of California has had their information taken by cyber criminals.
Karsten Hahn discovered a new HiddenTear variant called Satan's Doom. Satan's Doom drops a ransom note named READ_IT.txt and appends the .locked extension to encrypted files. It has a hardcoded unlock ID of 63uh2372gASd@316.
Karsten Hahn discovered a Python-based ransomware called Cyclone. This ransomware will append the .Cyclone extension to encrypted files.
Karsten Hahn discovered a new in-dev Python-based ransomware called Cryptomaniac. Cryptomaniac appends the .maniac extension to encrypted files and drops ransom notes named Readme_to_recover_files.txt and Readme_to_recover_files.html.
S!Ri discovered the Godra Ransomware, which appends the .godra extension to encrypted files and drops a ransom note named KAKO OTKLJUCATI VASE DATOTEKE.txt.