It has been a busy ransomware week with lots of small and some bigger variants released. This week we had a new CryptoMix, a new BTCWare, and a few new malspam campaigns for GlobeImposter and Sigma. Even better, we had a few new and updated decryptors released so that people can recover their files for free.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @hexwaxwing, @BleepinComputer, @fwosar, @struppigel, @LawrenceAbrams, @DanielGallagher, @demonslay335, @malwareforme, @campuscodi, @FourOctets, @malwrhunterteam, @jorntvdw, @PolarToffee, @emsisoft, @leotpsc, @zscaler, @GrujaRS, @dvk01uk, @Farenain
A new ransomware being dubbed StorageCrypt is targeting WD MyCloud NAS devices, as reported in a topic at BleepingComputer.com. When encrypted, files will have the extension .locked and a ransom note will be dropped named _READ_ME_FOR_DECRYPT.txt.
Michael Gillespie discovered a new Samas/SamSam variant submitted to ID-R that appends the .areyoulovemyrans extension to encrypted files.
Michael Gillespie found another variant of the Magniber Ransomware that appends the .vpgvlkb extension and drops a ransom note named read me for decrypt.txt.
Michael Gillespie initiated a ransomware hunt for a ransomware that appends the .locked extension to encrypted files and drops a ransom note named READ_ME_FOR_ALL_YOUR_FILES.txt.
MalwareHunterTeam discovered a new variant of Crypton that is masquerading as a keygen for EaseUS Data Recovery. This ransomware appends the .encrptd extension to encrypted files. A decryptor for this ransomware was created by Fare9.
Michael Gillespie initiated a ransomware hunt for the MaxiCrypt ransomware. This ransomware appends the extension .[email@example.com].maxicrypt and drops a ransom note named How to restore your data.TXT.
MalwareHunterTeam discovered a new in-development Brazilian ransomware called WannaPeace that replaces the extension with _enc+extension. So test.jpg would be renamed as test_encjpg. Currently only encrypts the c:\testes folder.
GrujaRS discovered a new variant of the Crypt888 Ransomware that uses the email address firstname.lastname@example.org.
Michael Gillespie is looking for a sample of the hc7 Ransomware that may be appending the .GOTYA extension to encrypted files.
Based on data from ID-Ransomware, MalwareHunterTeam has noticed that there is an ongoing ACCDFISA campaign targeting Brazilian victims.
MalwareHunterTeam discovered a new ransomware that had a filename of REAL DANGEROUS RANSOMWARE.exe. Thankfully, it does not encrypt and simply is a basic screenlocker.
Derek of MyOnlineSecurity discovered that Necurs started a malspam campaign that was distributing the GlobeImposter Ransomware.
MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that appends the .TEST extension to encrypted files and changes the contact emails used by the ransomware.
Catalin Cimpanu discovered that a malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.
A new variant of the BTCWare ransomware was discovered by Michael Gillespie that appends the .[email]-id-id.shadow extension to encrypted files. The BTCWare family of ransomware infections targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.
Michael Gillespie discovered a new variant of the Globe 2 ransomware that utilizes the .abc extension for encrypted files. This should not be confused with the TeslaCrypt variant, which is decryptable. The good news is that this variant is decryptable as well with Emsisoft's decryptor.
Zscaler wrote an article about the analysis of two .NET based ransomware strains using open source code repository