While we are continuing to see less new ransomware developed and more attackers focusing on a few large-impact strains, ransomware is unfortunately not dead. This was particularly apparent this week, with plenty of news to go around.
The biggest news was the high-profile attacks and large ransom payments tied to SamSam. As ransomware shifts away from malspam, it is important to properly secure remote desktop services. An unsecured remote desktop service allows an attacker to gain access not only to that machine, but to the whole network. This just leads to big paydays for the developer.
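As a defender's companion to the remote desktop point above, here is an added PowerShell audit script (not from the original article) that reports whether a Windows host has RDP enabled, whether Network Level Authentication is required, and whether an inbound firewall rule exposes the RDP port to any remote address; the registry paths are the standard Terminal Server keys, and the wording of the findings is my own.

```powershell
# Added example, not from the original article: audit a Windows host's Remote Desktop
# exposure. Run in an elevated PowerShell session on the host being checked.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)
if ($rdpEnabled) { $findings += 'RDP is enabled on this host.' }

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
#    Without NLA, unauthenticated clients reach the logon screen and can brute-force it.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpEnabled -and $nla -ne 1) {
    $findings += 'NLA is NOT required; enable it so credentials are checked before a session is created.'
}

# 3. Which port does the listener use? A non-default port is obfuscation, not a control.
$port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$findings += "RDP listener port: $port"

# 4. Firewall scope: an enabled inbound allow rule for the RDP port whose remote
#    address is 'Any' exposes the service to every network the host can be reached from.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "Firewall rule '$($_.DisplayName)' allows port $port from ANY remote address; restrict it to management subnets or require a VPN."
        }
    }

$findings | ForEach-Object { Write-Output $_ }
```

An empty result for step 4 on a host with RDP enabled usually means the port is blocked at the host firewall; the perimeter firewall still needs to be checked separately.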
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwrhunterteam, @demonslay335, @struppigel, @Seifreed, @BleepinComputer, @fwosar, @hexwaxwing, @FourOctets, @malwareforme, @LawrenceAbrams, @DanielGallagher, @PolarToffee, @campuscodi, @leotpsc, @GrujaRS, @sdkhere, @TrendMicro, @Malwarebytes, @stopka_martin, @ESET.
A new version of the KillDisk disk-wiping malware has hit companies in the financial sector in Latin America, Trend Micro reported yesterday.
An Indiana hospital paid a ransom of $55,000 to get rid of ransomware that had infected its systems and was hindering operations. The infection took root last week, on Thursday, January 11, when attackers breached the network of Hancock Health, a regional hospital in the city of Greenfield, Indiana.
MalwareHunterTeam discovered a new in-dev ransomware called Killbot Virus. At this point it only shows the ransom screen.
Microsoft will add a new feature to OneDrive for Business that will let users create backup points and restore to previous versions of their entire OneDrive account. The new feature is codenamed Files Restore and Microsoft says it will allow users to recover files "from disastrous events such as mass deletes, corruption, and other data loss scenarios."
The SamSam ransomware group seems to have gotten off to a "great" start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm.
Reported attacks include the one against the Hancock Health hospital in Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS (Industrial Control Systems) company in the US, based on intel Bleeping Computer has received.
Michael Gillespie discovered a new Jigsaw Ransomware variant called Mada Ransomware that appends the .LOCKED_BY_pablukl0cker extension to encrypted files. It uses the following desktop background.
Lawrence Abrams discovered a Korean HiddenTear variant called Talk Ransomware. It is currently in-dev as it only targets the desktop. It will append the .암호화됨 extension to encrypted files.
Lawrence Abrams discovered another Korean HiddenTear variant called RansomUserLocker. This is from the same devs as Talk Ransomware and is in-dev as well. This ransomware appends the .RansomUserLocker extension to encrypted files and drops a Read_Me.txt ransom note.
Lawrence Abrams discovered the Ghack ransomware. It is in-dev and broken: it currently throws errors and only shows the screen below.
Lawrence Abrams discovered the in-dev SureRansom Ransomware. It does not currently encrypt.
Lawrence Abrams discovered the in-dev RancidLocker. It currently does not do much of anything and uses the following background.
Leo discovered, with further analysis by GrujaRS, a new ransomware being called Qwerty Ransomware that appends the .qwerty extension to encrypted files. This is a HiddenTear variant, which can be decrypted with HiddenTearDecryptor.
A modified version of the open-source ransomware project called desuCrypt is being used as the base code for a new ransomware family being actively distributed. This family currently has two variants being distributed, with one appending the .insane extension and the other appending .DEUSCRYPT. The good news is that a decryptor has been released for the Insane version and the Deuscrypt variant is currently being analyzed for weaknesses as well.
A new ransomware is being spread called Rapid Ransomware that stays active after initially encrypting a computer and encrypts any new files that are created. While this behavior is not unique to Rapid, it is not one we see often.
GrujaRS discovered a new GlobeImposter 2 variant that appends the .crypted! extension to encrypted files.
A new ransomware called MoneroPay has been discovered that tries to take advantage of the cryptocurrency craze by spreading itself as a wallet for a fake coin called SpriteCoin. While users were installing what they thought was a new cryptocoin, MoneroPay was silently encrypting the files on the computer.
The world's largest container shipping company, A.P. Møller-Maersk, said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017.
A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating that it will tell law enforcement the victim is spreading child porn. This is done by collecting information about the user, including screenshots of their active desktop, in order to catch them in compromising situations.
An end-of-the-year report from US cyber-security firm Malwarebytes reveals that ransomware, adware, and cryptojacking were extremely popular with cyber-criminals in 2017. Data compiled by the company's security products reveals growth in almost all cyber-crime categories, with 2017 being a very successful year across the board for malware authors, phishers, and other cyber-criminal groups.
Michael Gillespie discovered a new RotorCrypt Ransomware variant that uses the very long extension !==SOLUTION OF THE PROBLEMemail@example.com==.Black_OFFserve.
A new ransomware is actively infecting victims called the Velso Ransomware. This ransomware appends the .velso extension to encrypted files and then drops a ransom note that contains an email address that a victim can use to contact the developer.
The authors of the infamous Dridex banking trojan and the Necurs spam botnet appear to have also created the FriedEx (BitPaymer) ransomware, according to an ESET report released earlier today.