The biggest news this week is the UK formally attributing NotPetya to Russian attackers. Also of interest this week is the release of the Saturn Ransomware, which has a more organized feel compared to other ransomware currently being distributed.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwareforme, @campuscodi, @hexwaxwing, @Seifreed, @struppigel, @DanielGallagher, @demonslay335, @malwrhunterteam, @FourOctets, @LawrenceAbrams, @jorntvdw, @fwosar, @BleepinComputer, @dvk01uk, @bartblaze, and @leotpsc.

February 11th 2018

TBlocker Ransomware discovered

Leo discovered the TBlocker Ransomware. This ransomware is decryptable.

February 12th 2018

Rapid Ransomware Being Spread Using Fake IRS Malspam

A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mix-up of countries, with the IRS being a U.S. entity, the sender being a UK email address, and the spam attachment being in German.

Defender Ransomware discovered

Bart discovered the Defender Ransomware, which attempts to impersonate Windows Defender. When encrypting a computer, it appends the .defender extension. According to Michael Gillespie, this ransomware does not save the key and thus is not decryptable.

Blank Ransomware discovered

Bart discovered the Blank ransomware, which appends the .blank extension to encrypted files. If you click on "What the hell is my password?!", it will give you the decryption password.

New desuCrypt variant appends Tornado

Michael Gillespie found a new variant of the desuCrypt Ransomware that appends the .Tornado extension to encrypted files and drops a ransom note named key.txt.

Pendor Ransomware decryptor released

Michael Gillespie released a decryptor for the Pendor Ransomware (.pnr extension). This decryptor can be downloaded here.

February 13th 2018

New Korean Jigsaw Ransomware variant

Michael Gillespie found a new Korean Jigsaw Ransomware variant that appends the .locked extension and uses a new background image.

February 14th 2018

UK Formally Accuses Russian Military of NotPetya Ransomware Outbreak

The UK has become the first major Western country to formally accuse the Russian military of orchestrating and launching the NotPetya ransomware outbreak.

February 15th 2018

GlobeImposter being used in targeted attacks

MalwareHunterTeam found a GlobeImposter variant that appears to be used in targeted attacks against entire networks. This variant appends the .suddentax extension to encrypted files.

Umaru Ransomware discovered

MalwareHunterTeam discovered a new Japanese ransomware that is based on the Himouto! Umaru-chan manga. This ransomware appends the .干物妹! extension, but does not drop a ransom note.

February 16th 2018

New Saturn Ransomware Actively Infecting Victims

A new ransomware called Saturn was discovered this week by MalwareHunterTeam. This ransomware will encrypt the files on a computer and then append the .saturn extension to the file's name. The Saturn Ransomware is being actively distributed, but at this time it is unknown what distribution methods are being used.

That's it for this week! Hope everyone has a nice weekend!
