This week has mostly been about small variants being released, GlobeImposters all over the place, and some new CryptoMix variants. Of particular interest is the creation of a self-healing file system called ShieldFS that shows great promise in protecting against ransomware and some research from Google about how most ransomware devs use the BTC-E platform to cash out their bitcoins.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwareforme, @demonslay335, @fwosar, @FourOctets, @PolarToffee, @campuscodi, @LawrenceAbrams, @malwrhunterteam, @struppigel, @BleepinComputer, @DanielGallagher, @JAMESWT_MHT, @Seifreed, @MarceloRivero, @JakubKroustek, @hasherezade, @Malwarebytes, @jiriatvirlab, @GrujaRS, @Google.

July 22nd 2017

New GlobeImposter Variant

ID-Ransomware creator Michael Gillespie discovered a new GlobeImposter that appends the .GOTHAM extension to encrypted files.

Another GlobeImposter Variant

Another GlobeImposter variant was discovered by BleepingComputer's Lawrence Abrams that appends the .crypt extension to encrypted files. This variant drops a ransom note named how_to_back_files.html that utilizes the and emails for payment instructions.

And Another GlobeImposter Variant

Lawrence Abrams discovered another GlobeImposter variant that utilizes the .HAPP extension and uses the & contact emails. The note remains how_to_back_files.html.

New Zilla Ransomware Variant Released

Security researcher MalwareHunterTeam discovered a new Zilla ransomware variant that appends the .Atom extension to encrypted files and drops the ReadMeNow.txt ransom note.

SimpleRansomware Discovered

Lawrence Abrams discovered an in-dev ransomware called SimpleRansomware. This variant uses a Pastebin to determine if a user paid and should be decrypted. It also appears to be trying to make a VB rootkit.

July 23rd 2017

BAM! Ransomware Discovered

Lawrence Abrams discovered the Bam! Ransomware. This ransomware appends .bam! to encrypted files and changes the desktop background to the below ransom note.

JCoder Variant gets on the Petya Train

Michael Gillespie discovered a new JCoder variant that utilizes the .Petya extension for encrypted files.

July 24th 2017

New DCry Ransomware Variant Released

Michael Gillespie discovered a new variant of the DCry Ransomware that uses the extension .qwqd for encrypted files. Victims can use Michael's DCry decrypter to recover their files for free.

Fake Turkish WannaCry Imitation Released

A new Turkish fake WannaCry screenlocker has been released that sends emails to the dev when you click on the buttons. According to Emsisoft security researcher xXToffeeXx, this is just the screen locker portion and "Attacker enters via RDP and uses EncryptedOnClick software to create a password protected ZIP file with extension .EOC, then runs this file."

Bye, bye Petya! Decryptor for old versions released

According to Malwarebytes and security researcher hasherezade:

Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project. You can read the full story here.

New GlobeImposter Variant Discovered

Avast security researcher Jakub Kroustek ​found a new GlobeImposter variant that appends the .707 extension to encrypted files and uses a ransom note named RECOVER-FILES.html.

Another GlobeImposter Variant Discovered

Malwarebytes security researcher Marcelo Rivero discovered another GlobeImposter variant that appends the .{email}.BRT92 extension to encrypted files.

July 25th 2017

VindowsLocker is back

MalwareHunterTeam found a new sample of the joke ransomware called VindowsLocker. It was created by a group that trolls tech support scammers.

RanDsomeWare Gives you a Warning First

Lawrence Abrams discovered a new ransomware called "RanDsomeWare" or RDW that appends the .RDWF extension to encrypted files. This ransomware actually gives a warning before it's executed, so it may be a test/joke ransomware. The unlock code is SUPER_SECRET_KEY.

GlobeImposter Variants Keep Being Released

Lawrence Abrams discovered another GlobeImposter variant. This variant appends the .p1crypt extension to encrypted files. The ransom note is still how_to_back_files.html.

July 26th 2017

Striked Ransomware Decrypter Updated

Michael Gillespie updated his Striked Decrypter to support the latest variant that utilizes the email.

New Variant of the Serpent Ransomware Discovered

Researcher GrujaRS discovered a new variant of the Serpent Ransomware that utilizes the .srpx extension and drops ransom notes named README_TO_RESTORE_FILES_t7Q.html and README_TO_RESTORE_FILES_t7Q.txt.

Polish Ransomware Being Developed

GData security researcher Karsten Hahn discovered an in-development Polish ransomware. It uses 12345 as the encryption key.

ABC Locker Discovered

MalwareHunterTeam discovered and Karsten Hahn analyzed a new variant of CloudSword called ABC Locker.

In-Dev Invincible Ransomware Discovered

Karsten Hahn discovered a new in-dev ransomware called Invincible Ransomware. It does not currently encrypt and is trying to copy the WannaCry template.

July 27th 2017

Spongebob Ransomware Discovered

Karsten Hahn discovered an in-dev ransomware utilizing a Spongebob theme. It does not encrypt.

Zuahahhah Ransomware Discovered

ESET security researcher Jiri Kropac discovered a new Crypt888 variant called Zuahahhah ransomware.

New Version of the LambdaLocker Released

Jakub Kroustek discovered a new version of the LambdaLocker that uses the ransom note UNLOCK_guiDE.tXT and appends the .MyChemicalRomance4EVER extension to encrypted files. It can be decrypted.

95% of All Ransomware Payments Were Cashed out via BTC-e Platform

Research presented yesterday at the Black Hat USA 2017 security conference revealed that Bitcoin trading platform BTC-e is responsible for cashing out 95% of all ransomware payments made since the start of 2014.

ShieldFS Can Stop and Revert the Effects of Ransomware Infections

Italian researchers have developed a Windows drop-in driver and custom filesystem called ShieldFS that is capable of detecting the telltale signs of a ransomware infection, stopping any malicious actions, and even reverting any encrypted files to their previous state.
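The ShieldFS idea in miniature, as an added example that is not ShieldFS's own code: a toy copy-on-write file store that counts writes which are both high-entropy and change a file's extension, refuses further writes once a constructed threshold is crossed, and rolls every touched file back to its snapshot. The thresholds, file names and the .GOTHAM rename scenario are constructed for illustration.

```python
import math
import os
from collections import Counter
from dataclasses import dataclass, field

ENTROPY_THRESHOLD = 7.0  # bits/byte: text sits near 4-5, ciphertext near 8
SUSPICIOUS_WRITES = 3    # constructed trip-point: high-entropy renames before we block
CIPHERTEXT = bytes(range(256))  # constructed stand-in for encrypted output (entropy 8.0)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a non-empty buffer."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class ShieldedFS:
    files: dict = field(default_factory=dict)   # current path -> bytes
    backup: dict = field(default_factory=dict)  # original path -> pre-attack snapshot
    origin: dict = field(default_factory=dict)  # current path -> original path (follows renames)
    suspicious: int = 0
    blocked: bool = False

    def write(self, path: str, data: bytes, rename_to: str = "") -> bool:
        if self.blocked:  # protective mode: every further write is refused
            return False
        target, original = rename_to or path, self.origin.get(path, path)
        self.backup.setdefault(original, self.files[path])  # copy-on-write snapshot on first touch
        renamed = os.path.splitext(target)[1] != os.path.splitext(path)[1]
        self.suspicious += renamed and shannon_entropy(data) >= ENTROPY_THRESHOLD
        if self.suspicious >= SUSPICIOUS_WRITES:
            self.blocked = True  # the write that trips the detector never lands
            return False
        del self.files[path]
        self.files[target] = data
        self.origin[target] = self.origin.pop(path, original)
        return True

    def revert(self) -> int:
        for current in self.origin:  # discard every post-snapshot version, renamed or not
            self.files.pop(current, None)
        self.files.update(self.backup)
        restored = len(self.backup)
        self.backup, self.origin, self.suspicious, self.blocked = {}, {}, 0, False
        return restored

def simulate() -> tuple:
    fs = ShieldedFS(files={f"doc{i}.txt": f"quarterly report {i}".encode() for i in range(5)})
    fs.write("doc0.txt", b"quarterly report 0, revised")  # benign edit: low entropy, same extension
    landed = sum(fs.write(f"doc{i}.txt", CIPHERTEXT, f"doc{i}.txt.GOTHAM") for i in range(5))
    return landed, fs.blocked, fs.revert(), fs
```

Note that the rollback also discards the benign edit made before the attack started; a real implementation has to track writes per process to keep legitimate changes.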

BTC-e Owner Arrested for Laundering Stolen Bitcoin, Ransomware Payments

Greek police arrested a Russian national, Alexander Vinnik, 38, for his role as owner of the BTC-e Bitcoin trading platform. In the US, the Department of Justice (DOJ) formally indicted Vinnik on 21 charges related to money laundering and the operation of an unlicensed money exchange.

July 28th 2017

Two New CryptoMix Variants Released

Karsten Hahn and MalwareHunterTeam discovered two new CryptoMix variants. Both now use _HELP_INSTRUCTION.TXT as the ransom note, and the new encrypted file extensions are .ZERO and .DG.

That's it for this week! Hope everyone has a nice weekend!
