The biggest news this week is the UK formally attributing NotPetya to Russian attackers. Also of interest this week is the release of the Saturn Ransomware, which has a more organized feel than other ransomware currently being distributed.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwareforme, @campuscodi, @hexwaxwing, @Seifreed, @struppigel, @DanielGallagher, @demonslay335, @malwrhunterteam, @FourOctets, @LawrenceAbrams, @jorntvdw, @fwosar, @BleepinComputer, @dvk01uk, @bartblaze, and @leotpsc.
Leo discovered the TBlocker Ransomware. This ransomware is decryptable.
A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mix-up of countries, with the IRS being a U.S. entity, the sender being a UK email address, and the spam attachment being in German.
Bart discovered the Defender Ransomware, which attempts to impersonate Windows Defender. When encrypting a computer, it appends the .defender extension. According to Michael Gillespie, this ransomware does not save the key and thus is not decryptable.
Bart discovered the Blank ransomware, which appends the .blank extension to encrypted files. If you click on "What the hell is my password?!", it will give you the decryption password.
Michael Gillespie found a new variant of the desuCrypt Ransomware that appends the .Tornado extension to encrypted files and drops a ransom note named key.txt.
Michael Gillespie found a new Korean Jigsaw Ransomware variant that appends the .locked extension and uses a new background image.
The UK has become the first major Western country to formally accuse the Russian military of orchestrating and launching the NotPetya ransomware outbreak.
MalwareHunterTeam found a GlobeImposter variant that appears to be used in targeted attacks against entire networks. This variant appends the .suddentax extension to encrypted files.
MalwareHunterTeam discovered a new Japanese ransomware that is based on the Himouto! Umaru-chan manga. This ransomware appends the .干物妹！ extension, but does not drop a ransom note.
MalwareHunterTeam discovered a new ransomware this week called Saturn. This ransomware will encrypt the files on a computer and then append the .saturn extension to the file's name. The Saturn Ransomware is being actively distributed, but at this time it is unknown what distribution methods are being used.