Lots of small ransomware infections and screenlockers this week, but no major new families were discovered. Thankfully, security researchers were able to create a number of decryptors and make them available so that victims can recover their files. Of particular note was the San Francisco MTA getting hit hard by the HDDCryptor ransomware, which caused them to provide rail service for free for a day or so.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @demonslay335, @JakubKroustek, @struppigel, @malwrhunterteam, @campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @jiriatvirlab, @Seifreed, @nyxbone, @avast_antivirus, @malwarebread, @TheWack0lian, @hasherezade, @Malwarebytes, and @rommeljoven17.
If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
Security researcher Jiri Kropac discovered a new screenlocker that states that the computer is locked because viruses have been detected. Victims can use the password 01548764GHEZG784 to unlock the screen. A removal guide can be found here: Your computer is locked Screenlocker Removal Guide.
Security researcher Jiri Kropac discovered a new ransomware called Crypter that targets Brazilian victims. This ransomware does not actually encrypt the files, but simply renames them.
I discovered a new screenlocker from the same family as the one discovered by Jiri Kropac called Your Windows Hasbeen Banned. The code to unlock the screen is 123456. A removal guide can be found here: Your Windows Hasbeen Banned Screenlocker Removal Guide.
The Kangaroo ransomware is the latest ransomware from the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda. What makes this version stand out a bit more is the use of a legal notice as a ransom note that is displayed to all victims before they login to their computer. This makes it so a victim has to view the ransom note before they are able to login to Windows.
Malwarebytes and independent security researcher @TheWack0lian have released free decryptors for a new ransomware variant that appeared last week, which mimics a tech support scam and employs the Pastebin API to save decryption keys. Turns out that this ransomware was actually created by
Ransomware known as HDDCryptor (or Mamba) has infected 2,112 computers belonging to the San Francisco Municipal Railway system (nicknamed Muni). The infection took place over the weekend and Muni officials had to allow locals to ride the railway system for free after they couldn't issue tickets.
Security researcher Jiri Kropac discovered a new PowerShell based ransomware.
I discovered a new in-development ransomware based on Hidden-Tear called HTCryptor. This ransomware includes a feature to disable the victim's Windows firewall.
The San Francisco Municipal Transportation Agency (SFMTA, also nicknamed Muni) has published a statement denying rumors that the hacker who infected their systems with ransomware might have stolen data from its servers.
Large ransomware outbreaks seem to be a theme this week with first the San Francisco MTA getting hit by HDDCryptor and now Carleton University in Canada being affected by an unknown ransomware. Starting this morning at 8:51am EST, Carleton's Computing and Communications Services department started tweeting updates about networking and computer issues that were impacting the services at the college.
Avast security researcher Jakub Kroustek discovered a new variant of the Zeta ransomware that now uses the .rmd extension for encrypted files.
Security researcher xXToffeeXx discovered a new version of Torrentlocker/Crypt0l0cker that uses six random lowercase letters as the extension for encrypted files and drops a ransom note named HOW_TO_RESTORE_FILES.txt/html.
Security researcher xXToffeeXx discovered a new version of PrincessLocker that has ransom notes named !_HOW_TO_RESTORE_*id*.txt and a .*id* extension, where *id* is 4-6 characters from a-z (lowercase) and 0-9.
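As an added defensive example (not part of the original roundup, and not any researcher's tool), the following Python script checks a directory listing for the two indicator patterns described in the Torrentlocker/Crypt0l0cker and PrincessLocker items above. The file paths in it are constructed samples, and the threshold of three renamed files is an assumption chosen to avoid flagging a single stray file.

```python
import re
from collections import Counter

# Torrentlocker/Crypt0l0cker (from the report above): extension is exactly
# six lowercase letters; ransom note is HOW_TO_RESTORE_FILES.txt or .html.
TL_EXT = re.compile(r"^[a-z]{6}$")
TL_NOTE = re.compile(r"^HOW_TO_RESTORE_FILES\.(txt|html)$", re.IGNORECASE)

# PrincessLocker (from the report above): note !_HOW_TO_RESTORE_<id>.txt and
# extension .<id>, where <id> is 4-6 characters from a-z and 0-9.
PL_NOTE = re.compile(r"^!_HOW_TO_RESTORE_([a-z0-9]{4,6})\.txt$")

def classify(paths, min_renamed=3):
    """Return {family: evidence} for paths that match a family's note AND
    at least min_renamed files carrying the matching extension."""
    names = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in paths]
    ext_counts = Counter()
    tl_note_seen = False
    pl_ids = set()
    for name in names:
        if TL_NOTE.match(name):
            tl_note_seen = True
        elif (m := PL_NOTE.match(name)):
            pl_ids.add(m.group(1))   # the id in the note names the extension
        elif "." in name:
            ext_counts[name.rsplit(".", 1)[-1]] += 1
    findings = {}
    for pid in pl_ids:
        if ext_counts.get(pid, 0) >= min_renamed:
            findings["PrincessLocker"] = {"id": pid, "files": ext_counts[pid]}
    if tl_note_seen:
        for ext, count in ext_counts.items():
            if TL_EXT.match(ext) and count >= min_renamed:
                findings["Torrentlocker/Crypt0l0cker"] = {"ext": ext, "files": count}
    return findings

# Constructed sample listing (hypothetical paths, not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.kzqmta",
    r"C:\Users\alice\Documents\notes.docx.kzqmta",
    r"C:\Users\alice\Pictures\trip.jpg.kzqmta",
    r"C:\Users\alice\Documents\HOW_TO_RESTORE_FILES.txt",
    r"C:\Users\alice\Documents\HOW_TO_RESTORE_FILES.html",
    r"D:\share\report.pdf.x7kq9",
    r"D:\share\plan.pptx.x7kq9",
    r"D:\share\invoice.pdf.x7kq9",
    r"D:\share\!_HOW_TO_RESTORE_x7kq9.txt",
    r"C:\Users\alice\Desktop\readme.txt",
]

if __name__ == "__main__":
    print(classify(SAMPLE_LISTING))
```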
Rommel Joven discovered a new ransomware called Matrix that utilizes GnuPG to encrypt a victim's data.
Malware Bread discovered a new ransomware called Alpha Locker being sold for $65 on underground criminal and hacking forums.
After Emsisoft security researcher Fabian Wosar created a decryptor for their ransomware, the developer of NMoreira/Xpan sent him a message in a newer variant.
A new Hidden-Tear ransomware is in development called Phoenix Ransomware. It currently only targets the Important folder on the logged-in user's desktop. When it encrypts files it will append the .R.i.P extension and create a ransom note called Important!.txt.