2017 is here and ransomware continues to pump out at a rapid pace. We have a lot of little variants popping up this week, with a special emphasis on malware devs adopting the FSociety brand name. We also have some new decryptors, a Christmas related ransomware, a great analysis of CryptoMix/CryptFile2, and plenty of small ransomware infections.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @demonslay335, @BleepinComputer, @malwrhunterteam, @struppigel, @campuscodi, @PolarToffee, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @nyxbone, @0xDUDE, @dvk01uk, @jiriatvirlab, @Techhelplistcom, @CERT_Polska_en, @malware_traffic, @PaloAltoNtwks, @JaromirHorejsi, @ESET, and @JakubKroustek.
If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
I discovered a new ransomware called EdgeLocker that appends .edgel extension to encrypted files.
Jiri Kropac discovered that the Globe Ransomware was ported to C/C++. Appends the .locked extension to encrypted files.
A new ransomware was discovered by Avast analyst Jaromir Horejsi that goes by the filename firstransomware.exe. The ransom screen will have a title of Death Bitches. Uses the .locked extension and a ransom note named \Desktop\test\READ_IT.txt.
Avast analyst Jaromir Horejsi discovered the Red Alert ransomware that is based off of Hidden Tear Offline.
I discovered a new EDA2 ransomware variant that appends .L0CKED to encrypted files and drops a ransom note called DecryptFile.txt. It uses a TOR payment site.
I discovered a new in-dev Russian Koolova variant called кибер разветвитель (Cyber Hub). This ransomware adds .кибер разветвитель to encrypted files.
An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a Bitcoin ransom to return the data. These attacks have been happening for more than a week and have hit servers all over the world. The first one to notice the attacks was security researcher Victor Gevers, who, as part of Project 366 with the GDI Foundation, has been busy searching for unprotected MongoDB servers and alerting companies about their status.
In the past few weeks, more or less talented malware authors have resorted to naming their newly launched threats using the "FSociety" brand, made famous by the Mr. Robot TV series.
The Merry X-Mas Ransomware is here and it's not bringing you any presents. First discovered by @dvk01uk with the help of @Techhelplistcom, it is being named the Merry Christmas, or Merry X-Mas, Ransomware due to the title of the infection's ransom note. Encrypted files will have one of the .PEGS1, .MRCR1, or .RARE1 extensions appended to it and the ransom note is named YOUR_FILES_ARE_DEAD.hta.
A cyber-crime infrastructure known in infosec circles as pseudo-Darkleech has been the source of many ransomware infections during the past year, either by malicious spam attachments or via automated attacks carried out via exploit kits. This article discussed various research done by Palo Alto Networks and Brad Duncan of Malware-Traffic-Analysis.net.
Once again, Fabian Wosar of Emsisoft has come to the rescue and released a decrypter for version 3 of the Globe Ransomware. This decryptor will decrypt the Globe Ransomware variants that commonly append the .decrypt2017 and .hnumkhotep extensions to encrypted files. This ransomware will also display a ransom note similar to the one below.
A ransomware family named FireCrypt was discovered by MalwareHunterTeam that will encrypt the user's files, but also attempt to launch a very feeble DDoS attack on a URL hardcoded in its source code. Appends the .firecrypt extension to encrypted files and creates a ransom note named [random_chars]-READ_ME.html.
The Computer Emergency Readiness Team of Poland has published an analysis of the CryptoMix/CryptFile2 ransomware family.
On January 1, 2017, a new law went into effect in California that makes ransomware use a standalone crime. Technically, ransomware usage was an illegal activity before, but all people engaged in such activities were tried under state extortion laws or on computer hacking and money laundering charges.
This new law makes ransomware use a standalone crime, allowing prosecutors to charge suspects much easier, without having to spend time proving the suspect was involved in a money laundering operation.
ESET has discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files.
I discovered a new version of the iLock Ransomware that bundles TOR, Live Chat, & an encryptor as individual files. TOR site is currently down.
MalwareHunterTeam discovered a new in-dev ransomware called SkyName that targets Czech victims. It is based on HiddenTear.
I discovered a new HiddenTear variant called depsex or MafiaWare. It appends .Locked-by-Mafia to encrypted files and drops a ransom note named READ_ME.txt.
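As an added defensive example (this is not code from the original post or from any of the researchers named above), the script below turns the file extensions and ransom-note names listed in this week's roundup into a small triage routine that a responder can run over a file listing from a share or a backup to see which families are present. The indicator-to-family mapping uses only the names given in the post; the sample listing is constructed, and the .locked extension is reported as ambiguous because the post attributes it to both the Globe C/C++ port and the "Death Bitches" sample, so only the ransom note can tell them apart.

```python
import re
from collections import Counter

# Extensions appended to encrypted files, as listed in this roundup (lowercased
# so matching is case-insensitive). Family labels are the ones used above.
EXTENSION_RULES = {
    ".edgel": "EdgeLocker",
    ".l0cked": "EDA2 variant (DecryptFile.txt)",
    ".кибер разветвитель": "Koolova variant (Cyber Hub)",
    ".pegs1": "Merry X-Mas",
    ".mrcr1": "Merry X-Mas",
    ".rare1": "Merry X-Mas",
    ".decrypt2017": "Globe v3",
    ".hnumkhotep": "Globe v3",
    ".firecrypt": "FireCrypt",
    ".locked-by-mafia": "MafiaWare",
}

# .locked is used by more than one family in this roundup, so the extension
# alone cannot name the family; the ransom note has to disambiguate.
AMBIGUOUS_EXTENSIONS = {".locked": "Globe (C/C++ port) or Death Bitches"}

# Ransom-note file names from the roundup. FireCrypt's note is
# [random_chars]-READ_ME.html, so it needs a pattern rather than a literal.
NOTE_RULES = [
    (re.compile(r"^YOUR_FILES_ARE_DEAD\.hta$", re.I), "Merry X-Mas"),
    (re.compile(r"^DecryptFile\.txt$", re.I), "EDA2 variant (DecryptFile.txt)"),
    (re.compile(r"^[A-Za-z0-9]+-READ_ME\.html$", re.I), "FireCrypt"),
    (re.compile(r"^READ_ME\.txt$", re.I), "MafiaWare"),
    (re.compile(r"^READ_IT\.txt$", re.I), "Death Bitches"),
]


def classify_path(path):
    """Return (family, reason) for one file path, or None if nothing matches.

    Ransom notes are checked first because they identify a family precisely;
    extensions are checked longest-first so that .locked-by-mafia is never
    mistaken for the ambiguous .locked.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    for pattern, family in NOTE_RULES:
        if pattern.match(name):
            return family, "ransom note"
    lowered = name.lower()
    for ext, family in sorted(EXTENSION_RULES.items(), key=lambda kv: -len(kv[0])):
        if lowered.endswith(ext):
            return family, "extension " + ext
    for ext, family in AMBIGUOUS_EXTENSIONS.items():
        if lowered.endswith(ext):
            return family, "extension " + ext + " (ambiguous)"
    return None


def triage(paths):
    """Count flagged files per family and remember the first hit for each."""
    hits = Counter()
    first_hit = {}
    for path in paths:
        result = classify_path(path)
        if result is None:
            continue
        family, reason = result
        hits[family] += 1
        first_hit.setdefault(family, (path, reason))
    return hits, first_hit


# Constructed sample listing; the user names and documents are made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.PEGS1",
    r"C:\Users\alice\Documents\YOUR_FILES_ARE_DEAD.hta",
    r"C:\Users\alice\Pictures\holiday.jpg.firecrypt",
    r"C:\Users\alice\Pictures\a9Xq3-READ_ME.html",
    r"C:\Users\bob\Desktop\report.docx.locked",
    r"C:\Users\bob\Desktop\test\READ_IT.txt",
    r"C:\Users\bob\Music\song.mp3.кибер разветвитель",
    r"C:\Users\bob\Music\notes.txt",
]

if __name__ == "__main__":
    counts, examples = triage(SAMPLE_LISTING)
    for family, count in counts.most_common():
        path, reason = examples[family]
        print(f"{family}: {count} file(s); first seen {path} ({reason})")
```

On a real incident the listing would come from a recursive directory walk or a file-server audit log rather than the constructed list, and the ambiguous .locked hits should be resolved by looking for the accompanying ransom note in the same directory before choosing a decryptor.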
That is it for this week! See you next Friday!