This week was mostly about small ransomware variants being released, but we did have some big stories. First, we have HC7, which is targeting entire networks through hacked remote desktop services, then we had StorageCrypt being installed on NAS devices using SambaCry, and finally we have county computers of Mecklenburg County, North Carolina being infected with LockCrypt.

While malspam is still a large component of ransomware, the trend towards targeting entire networks by hacking exposed remote desktop services is definitely on the uptick. Whoever is currently using remote desktop and has it connected directly to the Internet really needs to put it behind a VPN.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @PolarToffee, @FourOctets, @Seifreed, @malwrhunterteam, @struppigel, @fwosar, @demonslay335, @hexwaxwing, @jorntvdw, @DanielGallagher, @campuscodi, @LawrenceAbrams, @BleepinComputer, @siri_urz, @myfox9, @themonsterpus, @0xec_, @JakubKroustek .

December 2nd 2017

New Napoleon Blind Ransomware variant

Jakub Kroustek found a new Blind ransomware variant that appends the .napoleon extension and drops a ransom note named How_Decrypt_Files.hta.

Eternity Ransomware discovered

Karsten Hahn discovered the in-dev Stupid variant called Eternity Ransomware that crashes because of a missing audio file. Appends the .eTeRnItY extension to encrypted files.

New variant of the JCoder Ransomware discovered

Karsten Hahn discovered a new variant of a Vietnamese JCoder ransomware that appends .MTC to encrypted files.

New Magniber variants discovered

Michael Gillespie noticed other Magniber variants uploaded to ID Ransomware that use the .dwbiwty, .fbuvkngy, and .xhspythxn extensions.

Payment Ransomware discovered

Leo discovered a new in-dev ransomware being dubbed "Payment". It does not encrypt.

RansomMine Ransomware discovered

Karsten Hahn discovered a Korean ransomware called RansomMine. The ransomware will decrypt if it detects Minecraft 1.11.2, and it uses the .RansomMine extension.

December 3rd 2017

Reversing a PyInstaller based ransomware

Extreme Coders wrote a great writeup on their analysis of the HC6 ransomware.

Handsomeware Discovered

Lawrence Abrams discovered a jokeware program called Handsomeware pretending to be ransomware. Does not encrypt.

Crypt0 Ransomware discovered

Lawrence Abrams discovered a new HiddenTear variant called Crypt0 Ransomware that appends a random extension for each encrypted file. Does not currently encrypt.

Slight modification to the Java Crysis/Dharma Ransomware

Michael Gillespie noted that the Dharma/Crysis .java variant changed the extension so it uses curly braces instead of brackets.

Another Magniber variant

Michael Gillespie discovered another Magniber variant that uses the .dxjay extension.

Shadow Blood Ransomware discovered

Lawrence Abrams discovered a new HiddenTear variant called Shadow Blood Ransomware. It is currently in-dev as it only encrypts %Userprofile%\desktop\test and appends the .TEARS extension to encrypted files. Has an interesting ransom note.

December 4th 2017

Decrypting hc7

Ryan wrote an interesting article on how victims can try to recover the password for the HC7 ransomware using memory forensics.

French HiddenTear variant has an interesting wallpaper

MalwareHunterTeam found a new variant of the French .hacking Hidden Tear that now sets an interesting wallpaper.

ID Ransomware can now identify Magniber Submissions

Michael Gillespie added a new signature to ID Ransomware that can detect the Magniber infection.

December 5th 2017

StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back.

Twin Cities fertility clinic hit by ransomware attack

According to Fox 9

A Twin Cities fertility clinic says a ransomware attack may have exposed some patients’ personal and health information. 

New BTCWare uses the Java extension

Michael Gillespie found a new variant of the BTCWare ransomware that uses the .wallet extension for encrypted files. Cannot be decrypted without a memory dump, so do not turn off your computer if you are infected and give us a ring for help.

New ransomware called ExecutionerPlus

MalwareHunterTeam discovered a new in-dev ransomware based on CryptoJoker called ExecutionerPlus ransomware. This ransomware is also the first one we have seen using CoinHive in the ransom notes. The ransomware will append the .pluss.executioner & .destroy.executioner extensions.

December 6th 2017

HC7 GOTYA Ransomware Installed via Remote Desktop Services. Spread with PsExec

A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.
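As an added defender-side illustration (not part of the original article), the following Python script correlates constructed Windows event records that match the HC7 intrusion pattern described above and the exposed-RDP warning in the introduction: a remote-interactive RDP logon (Security event 4624, logon type 10) followed within a short window by a PsExec service install (System event 7045 with the default service name PSEXESVC) on other hosts in the same network. The event IDs, logon type and service name are real Windows values; the host names, IP address and timestamps are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, host, event_id, details)
EVENTS = [
    # RDP logon (logon type 10 = RemoteInteractive) on the first compromised host
    ("2017-12-06 02:14:05", "FILESRV01", 4624,
     {"logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"}),
    # PsExec drops its service on other hosts a few minutes later
    ("2017-12-06 02:20:41", "WS-ACCT07", 7045,
     {"service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"}),
    ("2017-12-06 02:21:02", "WS-ACCT12", 7045,
     {"service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"}),
    # Benign service install that must not be flagged
    ("2017-12-06 09:00:00", "WS-HR03", 7045,
     {"service": "Spooler", "image": r"%SystemRoot%\spoolsv.exe"}),
]

WINDOW = timedelta(minutes=30)  # how long after the RDP logon we look for lateral movement


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def rdp_then_psexec(events, window=WINDOW):
    """Return (rdp_host, src_ip, spread_hosts) for every RDP logon that is
    followed, within `window`, by PsExec service installs on *other* hosts."""
    rdp = [(parse(t), h, d) for t, h, e, d in events
           if e == 4624 and d.get("logon_type") == 10]
    psexec = [(parse(t), h) for t, h, e, d in events
              if e == 7045 and d.get("service", "").upper() == "PSEXESVC"]
    findings = []
    for t0, host, d in rdp:
        spread = sorted({h for t, h in psexec if h != host and t0 <= t <= t0 + window})
        if spread:
            # src_ip is reported so triage can check whether the logon came from outside the organisation
            findings.append((host, d.get("src_ip", "?"), spread))
    return findings


if __name__ == "__main__":
    for host, src, spread in rdp_then_psexec(EVENTS):
        print(f"RDP logon on {host} from {src} followed by PsExec on: {', '.join(spread)}")
```

In production the same logic would be fed from a SIEM or Windows Event Forwarding collector rather than an inline list.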

December 7th 2017

Mecklenburg County, North Carolina computer systems infected with LockCrypt

This article provides information on the status of the Mecklenburg County computer systems after being hit with the LockCrypt Ransomware.

Merry Christmas Ransomware spreads some holiday cheer

Karsten Hahn discovered the Merry Christmas Ransomware that is just in time for the holidays!

New Xorist Ransomware variant

S!Ri discovered a new Xorist Ransomware variant that appends the .CerBerSysLocked0009881 extension to encrypted files.

December 8th 2017

Santa Encryptor Discovered

Lawrence Abrams discovered the Santa Encryptor. Currently in-dev and does not encrypt, but looks like they are trying to implement XOR encryption.

GlobeImposter variant impersonating Crysis

Michael Gillespie found a new GlobeImposter variant that pretends to be Crysis by using the .[].arena extension.

That's it for this week! Hope everyone has a nice weekend!
