This week has mostly been small variants released, with a bunch of new Scarab Ransomware variants. The most interesting ransomware news this week are the CoinVault authors being in a Netherlands court in front of a three-judge panel.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @DanielGallagher, @PolarToffee, @fwosar, @BleepinComputer, @campuscodi, @FourOctets, @LawrenceAbrams, @jorntvdw, @struppigel, @hexwaxwing, @malwareforme, @demonslay335, @Seifreed, @kaspersky, @Amigo_A_, and @r0ny_123.

July 7th 2018

New RaRansomware variant

Michael Gillespie found a new RaRansomware variant that uses the extension .XVNAW.

July 8th 2018

Hacker seeks $400 to unlock hotel’s data held for ransom 

A hotel in India was hit with ransomware that demanded $400 to decrypt the files.

July 9th 2018

New .bin Scarab Ransomware variant

Amigo-A found a new Scarab Ransomware variant that appends the .[mrbin775@gmx.de].bin extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

New Xorist with horrible extension

Amigo-A found a new Xorist sample that appends the .DATA_IS_SAFE_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_LOST_FOREVER_PLEASE_BE_REZONABLE_IS_NOT_A_JOKE_TIME_IS_LIMITED extension.

New RotorCrypt variant

Michael Gillespie found a new RotorCrypt variant that uses the !@$#-unlock-email______zepro190@gmail.com______#$!...ES_HELPs extension for encrypted files.

New zzz12 Ransomware discovered

Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that appends the .zzz12 extension to encrypted files and drops a ransom note named Notice.txt.

Evil Locker Ransomware discovered

Michael Gillespie found a new ransomware called Evil Locker uploaded to ID Ransomware that appends the .[evil@cock.lu].EVIL", note "!_HOW_RECOVERY_FILES_!.txt extension to encrypted files.

FireEye Ransomware discovered

Michael Gillespie discovered a new ransomware named BlackRansomwareFireeye that appends the .jes extension to encrypted files and saved the encrypted file in Base64 format.

July 10th 2018

Cass Regional Medical Center Hit With Unidentified Ransomware

Cass Regional Medical Center, a Missouri health care center, announced on their Facebook page that they have been affected by an undisclosed ransomware. This incident affected their internal communications system and their electronic health record (EHR) system.

New Recovery Scarab Ransomware variant

Amigo-A found a new Scarab ransomware variant that appends the extension .BD.Recovery to encrypted files and drops a ransom note named HOW TO RECOVER FILES.TXT.

Everbe 2.0 Ransomware discovered

Michael Gillespie found a sample of a ransomware called Everbe 2.0 that uses the .[eV3rbe@rape.lol].eV3rbe extension for encrypted files. Cannot be decrypted.

New Rapid Ransomware variant

MalwareHunterTeam found a Rapid Ransomware variant that appends the .RPD extension to encrypted files.

New Polish Jigsaw variant

Michael Gillespie found a new Polish Jigsaw Ransomware variant that appends the .##___POLICJA!!!___TEN_PLIK_ZOSTA extension to encrypted files. Uses the below background.

July 11th 2018

New Bitpaymer variant

MalwareHunterTeam found a new Bitpaymer variant that appends the .LOCK extension and drops a ransom note named HOW_TO_DECRYPT.txt.

New Everbe 2.0 variant

Michael Gillespie found a new variant of the Everbe 2.0 Ransomware that calls itself Hyena Locker. This variant appends the .[hyena@rape.lol].HYENA extension and drops a ransom note named !_HOW_RECOVERY_FILES_!.txt.

July 12th 2018

CoinVault Ransomware Authors Have Their Day in Court in the Netherlands

The authors of the CoinVault ransomware have had their day in court today in the Netherlands, where their case was presented in front of a three-judge panel.

New .lock Scarab Ransomware variant

Amigo-A found a new Scarab Ransomware variant that appends the .[Filesreturn247@gmx.de].lock extension.

New Bitpaymer variant

Rony discovered a new variant of the Bitpaymer variant that drops a ransom note that appears to be named after encrypted files.

XeroWare Ransomware discovered

MalwareHunterTeam discovered a new HiddenTear ransomware variant named XeroWare Ransom 1.2 that appends the .XERO extension to encrypted files.

CryptoLite Ransomware discovered

MalwareHunterTeam found a ransomware named CryptoLite that appends the .encrypted extension to encrypted files.

July 13th 2018

Predator the Cipher Ransomware discovered

Michael Gillespie found a new ransomware uploaded to ID Ransomware called "Predator the Cipher". This ransomware appends the .predator extension to encrypted files and drops a ransom note named README.txt.

New in-dev ransomware pretends to be a Java update

Karsten Hahn found a new in-development ransomware that fakes a Java update message.  This ransomware appends the .locked extension to encrypted files.

That's it for this week! Hope everyone has a nice weekend!

Related Articles:

The Week in Ransomware - June 1st 2018 - From Russia with Love and a Facepalm

CoinVault Ransomware Authors Have Their Day in Court in the Netherlands

The Week in Ransomware - June 22nd 2018 - Scarab Everywhere!

The Week in Ransomware - July 20th 2018 - Developer's Vent, Ransomware Attacks, and More

King Ouroboros Ransomware Dev Vents to Researchers on Twitter