This week was mostly about small ransomware variants being released, but we did have some big stories. First, we have HC7, which is targeting entire networks through hacked remote desktop services, then we had StorageCrypt being installed on NAS devices using SambaCry, and finally we have the computers of Mecklenburg County, North Carolina, being infected with LockCrypt.
While malspam is still a large component of ransomware, the trend towards targeting entire networks by hacking exposed remote desktop services is definitely on the uptick. Whoever is currently using remote desktop and has it connected directly to the Internet really needs to put it behind a VPN.
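As an added example (not part of the original roundup), the following PowerShell script audits a Windows host for the exposed-RDP posture described above: whether RDP is enabled, whether Network Level Authentication is enforced, and whether the built-in Remote Desktop firewall rules accept connections from any address, with an optional switch to scope those rules to a VPN range. The `$VpnSubnet` value is an assumed placeholder; host firewall scoping complements, rather than replaces, putting RDP behind a VPN at the perimeter.

```powershell
# Added example (not from the original article): audit a Windows host for
# Internet-reachable RDP and optionally restrict it to a VPN subnet.
param(
    [string]$VpnSubnet = "10.8.0.0/24",   # assumed VPN client range (placeholder)
    [switch]$Fix                          # apply changes instead of only reporting
)

$ts  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 0 means connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
Write-Host "RDP enabled:        $rdpEnabled"
if (-not $rdpEnabled) { return }

# 2. Is Network Level Authentication enforced? Without it, unauthenticated
#    clients reach the logon screen before any credential check.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
Write-Host "NLA enforced:       $nla"

# 3. Is the RDP port actually listening?
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Write-Host "Listening on 3389:  $([bool]$listening)"

# 4. Do the inbound Remote Desktop firewall rules accept connections from 'Any'?
$rules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound -Enabled True
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $open   = ($remote -contains "Any")
    $flag   = if ($open) { "  <-- reachable from any address" } else { "" }
    Write-Host ("Rule '{0}' remote scope: {1}{2}" -f $rule.DisplayName, ($remote -join ","), $flag)

    # With -Fix, limit each open rule to the VPN range so RDP is only
    # reachable by VPN clients, the posture the text recommends.
    if ($Fix -and $open) {
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $VpnSubnet
        Write-Host "  -> scoped to $VpnSubnet"
    }
}

# With -Fix, also turn on NLA if it was off (applies to new sessions).
if ($Fix -and -not $nla) {
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
    Write-Host "  -> NLA enabled"
}
```

Run it without `-Fix` from an elevated prompt to get a report only; run with `-Fix` once the VPN range has been confirmed, or active RDP sessions from outside that range will be cut off.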
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @PolarToffee, @FourOctets, @Seifreed, @malwrhunterteam, @struppigel, @fwosar, @demonslay335, @hexwaxwing, @jorntvdw, @DanielGallagher, @campuscodi, @LawrenceAbrams, @BleepinComputer, @siri_urz, @myfox9, @themonsterpus, @0xec_, @JakubKroustek.
Jakub Kroustek found a new Blind ransomware variant that appends the .napoleon extension and drops a ransom note named How_Decrypt_Files.hta.
Karsten Hahn discovered the in-dev Stupid variant called Eternity Ransomware that crashes because of a missing audio file. Appends the .eTeRnItY extension to encrypted files.
Karsten Hahn discovered a new variant of a Vietnamese JCoder ransomware that appends .MTC to encrypted files.
Leo discovered a new in-dev ransomware being dubbed "Payment". It does not encrypt.
Extreme Coders wrote a great writeup on their analysis of the HC6 ransomware.
Lawrence Abrams discovered a jokeware program called Handsomeware pretending to be ransomware. Does not encrypt.
Lawrence Abrams discovered a new HiddenTear variant called Crypt0 Ransomware that appends a random extension for each encrypted file. Does not currently encrypt.
Michael Gillespie noted that the Dharma/Crysis .java variant changed the extension so it uses curly braces instead of brackets.
Michael Gillespie discovered another Magniber variant that uses the .dxjay extension.
Lawrence Abrams discovered a new HiddenTear variant called Shadow Blood Ransomware. It is currently in-dev as it only encrypts %Userprofile%\desktop\test and appends the .TEARS extension to encrypted files. Has an interesting ransom note.
Ryan wrote an interesting article on how victims can try to recover the password for the HC7 ransomware using memory forensics.
Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between 0.4 and 2 bitcoins to get their files back.
According to Fox 9:
A Twin Cities fertility clinic says a ransomware attack may have exposed some patients’ personal and health information.
Michael Gillespie found a new variant of the BTCWare ransomware that uses the .wallet extension for encrypted files. Cannot be decrypted without a memory dump, so do not turn off your computer if you are infected and give us a ring for help.
MalwareHunterTeam discovered a new in-dev ransomware based on CryptoJoker called ExecutionerPlus ransomware. This ransomware is also the first one we have seen using CoinHive in the ransom notes. The ransomware will append the .pluss.executioner & .destroy.executioner extensions.
A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.
This article provides information on the status of the Mecklenburg County computer systems after being hit with the LockCrypt Ransomware.
Karsten Hahn discovered the Merry Christmas Ransomware that is just in time for the holidays!
S!Ri discovered a new Xorist Ransomware variant that appends the .CerBerSysLocked0009881 extension to encrypted files.

December 8th 2017
Lawrence Abrams discovered the Santa Encryptor. Currently in-dev and does not encrypt, but looks like they are trying to implement XOR encryption.