While we are continuing to see less ransomware developed and more attackers focusing on a few large-impact strains, ransomware is unfortunately not dead. This was particularly apparent this week with plenty of news to go around.

The biggest news was the high-profile and big ransom payments for SamSam. As ransomware shifts away from malspam, it is important to really secure remote desktop services. Unsecured remote desktop services allow a hacker to gain access to not only the machine, but the whole network. This just leads to big paydays for the developer.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwrhunterteam, @demonslay335, @struppigel, @Seifreed, @BleepinComputer, @fwosar, @hexwaxwing, @FourOctets, @malwareforme, @LawrenceAbrams, @DanielGallagher, @PolarToffee, @campuscodi, @leotpsc, @GrujaRS, @sdkhere, @TrendMicro, @Malwarebytes, @stopka_martin, @ESET.

January 15th 2018

KillDisk Fake Ransomware Hits Financial Firms in Latin America

A new version of the KillDisk disk-wiping malware has hit companies in the financial sector in Latin America, Trend Micro reported yesterday.

January 16th 2018

Hospital Pays $55K Ransomware Demand Despite Having Backups

An Indiana hospital paid a ransom of $55,000 to get rid of ransomware that had infected its systems and was hindering operations last week. The infection took root last week, on Thursday, January 11, when attackers breached the network of Hancock Health, a regional hospital in the city of Greenfield, Indiana.

In-dev Killbot Virus Ransomware discovered

MalwareHunterTeam discovered a new in-dev ransomware called Killbot Virus. It just shows the ransom screen at this point.

R3vo Ransomware discovered

Leo discovered, with further analysis by SDK, a new ransomware called R3vo that appends the .Lime extension to encrypted files.

January 17th 2018

Because Ransomware: OneDrive for Business to Get "Files Restore" Option

Microsoft will add a new feature to OneDrive for Business that will let users create backup points and restore to previous versions of their entire OneDrive account. The new feature is codenamed Files Restore and Microsoft says it will allow users to recover files "from disastrous events such as mass deletes, corruption, and other data loss scenarios."

January 19th 2018

SamSam Ransomware Hits Hospitals, City Councils, ICS Firms

The SamSam ransomware group seems to have gotten to a "great" start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm.

Reported attacks include the one against the Hancock Health Hospital in Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS (Industrial Control Systems) company in the US, based on intel Bleeping Computer has received.

New Mada Ransomware variant discovered

Michael Gillespie discovered a new Jigsaw Ransomware variant called Mada Ransomware that appends the .LOCKED_BY_pablukl0cker extension to encrypted files. It uses the following desktop background.

January 21st 2018

Korean Talk Ransomware discovered

Lawrence Abrams discovered a Korean HiddenTear variant called Talk Ransomware. It is currently in-dev as it only targets the desktop. It will append the .암호화됨 extension to encrypted files.

RansomUserLocker discovered

Lawrence Abrams discovered another Korean HiddenTear variant called RansomUserLocker. This is from the same devs as Talk Ransomware and is in-dev as well. This ransomware appends the .RansomUserLocker extension to encrypted files and drops a Read_Me.txt ransom note.

Ghack Ransomware discovered

Lawrence Abrams discovered the Ghack ransomware. It is in-dev and broken, as it currently throws errors and only shows the below screen.

SureRansom discovered

Lawrence Abrams discovered the in-dev SureRansom Ransomware. It does not currently encrypt.

RancidLocker discovered

Lawrence Abrams discovered the in-dev RancidLocker. It does not currently do much of anything. It uses the following background.

Qwerty Ransomware discovered

Leo discovered, with further analysis by GrujaRS, a new ransomware being called Qwerty Ransomware that appends the .qwerty extension to encrypted files. This is a HiddenTear variant, which can be decrypted with HiddenTearDecryptor.

January 22nd 2018

desuCrypt Ransomware in the Wild with DEUSCRYPT and Decryptable Insane Variants

A modified version of the open-source ransomware project called desuCrypt is being used as the base code for a new ransomware family being actively distributed. This family currently has two variants being distributed, with one appending the .insane extension and the other appending .DEUSCRYPT. The good news is that a decryptor has been released for the Insane version and the Deuscrypt variant is currently being analyzed for weaknesses as well.

January 23rd 2018

Rapid Ransomware Continues Encrypting New Files as they Are Created

A new ransomware called Rapid Ransomware is being spread that stays active after initially encrypting a computer and encrypts any new files that are created. While this behavior is not unique to Rapid, it is not a behavior we see often.

New GlobeImposter 2 variant

GrujaRS discovered a new GlobeImposter 2 variant that appends the .crypted! extension to encrypted files.

January 24th 2018

MoneroPay Ransomware Disguised as Wallet for Fake SpriteCoin CryptoCurrency

A new ransomware called MoneroPay has been discovered that tries to take advantage of the cryptocurrency craze by spreading itself as a wallet for a fake coin called SpriteCoin. While users were installing what they thought was a new cryptocoin, MoneroPay was silently encrypting the files on the computer.

January 25th 2018

Maersk Reinstalled 45,000 PCs and 4,000 Servers to Recover From NotPetya Attack

The world's largest container shipping company —A.P. Møller-Maersk— said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2500 applications over the course of ten days in late June and early July 2017.

BlackMailware Found On Porn Site Threatens to Report Users are Spreading Child Porn

A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.

Malwarebytes: Ransomware Was Bigger Than Ever in 2017

An end-of-the-year report from US cyber-security firm Malwarebytes reveals that ransomware, adware, and cryptojacking were extremely popular with cyber-criminals in 2017. Data compiled by the company's security products reveals growth in almost all cyber-crime categories, with 2017 being a very successful year across the board for malware authors, phishers, and other cyber-criminal groups.

New RotorCrypt Ransomware variant

Michael Gillespie discovered a new RotorCrypt Ransomware variant that uses the really really long extension of !==SOLUTION OF THE PROBLEM==blacknord@tutanota.com==.Black_OFFserve.

January 26th 2018

The Velso Ransomware Being Manually Installed by Attackers

A new ransomware called the Velso Ransomware is actively infecting victims. This ransomware appends the .velso extension to encrypted files and then drops a ransom note that contains an email address that a victim can use to contact the developer.

Dridex Group Created BitPaymer (FriedEx) Ransomware

The authors of the infamous Dridex banking trojan and the Necurs spam botnet appear to have also created the FriedEx (BitPaymer) ransomware, according to an ESET report released earlier today.

That's it for this week! Hope everyone has a nice weekend!
