
This week we saw victims continuing to use the legal system to target ransomware operators' assets and services, as well as a new ransomware being installed through an exploited vulnerability.

The most interesting news is how victims are using the legal system to freeze, or obtain injunctions against, the assets and services used by ransomware operators. This was seen previously in the Southwire lawsuit against Maze, and this week a UK judge froze the bitcoin wallet used to collect a BitPaymer ransom payment.

Also of interest, we saw actors exploiting the Citrix ADC vulnerability to install the Ragnarok Ransomware on compromised networks.

Other than that, we continue to see new variants of existing ransomware such as Dharma, LockBit, and STOP.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @PolarToffee, @DanielGallagher, @demonslay335, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @struppigel, @jorntvdw, @FourOctets, @malwrhunterteam, @Seifreed, @malwareforme, @emsisoft, @campuscodi, @albertzsigovits, @VK_Intel, @Amigo_A_, @KPN, and @rikvduijn.

January 25th 2020

DoppelPaymer finally gets its own extension

MalwareHunterTeam noticed that DoppelPaymer has finally switched to its own extension, .doppled, and now names its ransom notes with a .how2decrypt.txt suffix.

Strawberry Fields Crypto Locker discovered

MalwareHunterTeam discovered a new ransomware called "Strawberry Fields Crypto Locker" that does not actually encrypt files. It appears to be a joke ransomware.

Strawberry fields locker

January 26th 2020

New CryptLive Dharma Ransomware variant

Amigo-A found a new Dharma Ransomware variant that appends the .LIVE extension and drops the ransom notes Info.hta and FILES ENCRYPTED.txt. It appears to call itself CryptLive.

CryptLive Ransomware

January 27th 2020

New 2NEW Dharma Ransomware variant

Michael Gillespie found a new Dharma Ransomware variant that appends the .2NEW extension to encrypted files.

January 28th 2020

Ransomware Bitcoin Wallet Frozen by UK Court to Recover Ransom

A victim's insurance company convinced the UK courts to freeze a bitcoin wallet containing over $800K worth of a ransomware payment.

Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender

A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781.

Maze Ransomware pokes at security researchers

Vitali Kremez has noticed that the Maze Ransomware operators are taunting and having some fun with security researchers.

Maze taunts

Tracking REvil

After the message that GandCrab had quit, a hole was left in the scene. It was time for a new contender. In the last few months REvil/Sodinokibi seems to have filled that gap. There have already been multiple blogs describing the similarities between GandCrab and REvil affiliates. We'll stay clear of the similarities in this blog and focus on the usage statistics of the ransomware family by looking at samples, infection rates and ransom demands.

New CryptoPatronum Ransomware Discovered

Amigo_A found the new CryptoPatronum Ransomware that appends the .cryptopatronum@protonmail.com.enc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.txt.

CryptoPatronum

January 29th 2020

New BTOS STOP Djvu Ransomware

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .btos extension to encrypted files.

New NPSG STOP Djvu Ransomware

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .npsg extension to encrypted files.

January 30th 2020

Ransomware predicted to target U.S. 2020 election – and local governments are not prepared

We now feel it necessary to issue a similar warning in relation to the threat ransomware presents to the 2020 election and again call on governments to act immediately to improve their security.

New LockBit variant

Albert Zsigovits found a new variant of the LockBit ransomware that appends the .lockbit extension.

LockBit

January 31st 2020

New REPP STOP Djvu Ransomware

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .repp extension to encrypted files.

Ransomware hits TV & radio news monitoring service TVEyes

A ransomware infection has brought down TVEyes, a company that manages a popular platform for monitoring TV and radio news broadcasts, broadly used by newsrooms and PR agencies across the globe.

New ALKA STOP Djvu Ransomware

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .alka extension to encrypted files.
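As an added example that is not part of the article, the following Python checker flags files carrying the encrypted-file extensions and ransom note names reported for this week's variants (DoppelPaymer, Dharma, CryptoPatronum, STOP Djvu and LockBit); the sample file listing is constructed for the demonstration.

```python
import os
from collections import defaultdict
# Encrypted-file extensions reported for this week's variants, mapped to family.
RANSOM_EXTENSIONS = {
    ".doppled": "DoppelPaymer",
    ".live": "Dharma",
    ".2new": "Dharma",
    ".cryptopatronum@protonmail.com.enc": "CryptoPatronum",
    ".btos": "STOP Djvu",
    ".npsg": "STOP Djvu",
    ".repp": "STOP Djvu",
    ".alka": "STOP Djvu",
    ".lockbit": "LockBit",
}
# Ransom note names; DoppelPaymer's is <original>.how2decrypt.txt, so all are suffix matches.
RANSOM_NOTES = {
    ".how2decrypt.txt": "DoppelPaymer",
    "info.hta": "Dharma",
    "files encrypted.txt": "Dharma",
    "how to recover encrypted files.txt": "CryptoPatronum",
}

def classify(filename):
    """Return the family a filename points to, or None if nothing matches."""
    name = filename.lower()
    for suffix, family in RANSOM_NOTES.items():
        if name.endswith(suffix):
            return family
    for ext, family in RANSOM_EXTENSIONS.items():
        if name.endswith(ext) and len(name) > len(ext):  # ignore a bare ".live"
            return family
    return None

def scan_paths(paths):
    """Count matches per family over an iterable of file paths (basename only)."""
    hits = defaultdict(int)
    for path in paths:
        family = classify(os.path.basename(path))
        if family:
            hits[family] += 1
    return dict(hits)

# Constructed sample listing for demonstration; not real victim data.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.btos",
    "C:/Share/report.docx.doppled",
    "C:/Share/report.docx.how2decrypt.txt",
    "C:/Share/Info.hta",
    "C:/Share/normal.txt",
]
```

To check a live share, feed `scan_paths` the file paths produced by `os.walk`; a non-empty result is a cue to isolate the host and pull the ransom note for identification.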

That's it for this week! Hope everyone has a nice weekend!
