This week we had a new version 4 of the GandCrab ransomware released with a new KRAB extension as well as a new ransomware called Nozelesn that has been heavily distributed. The Nozelesn campaign started out targeting Poland, but since then has hit numerous other countries, including the USA.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwareforme, @FourOctets, @struppigel, @BleepinComputer, @Seifreed, @hexwaxwing, @campuscodi, @LawrenceAbrams, @PolarToffee, @fwosar, @DanielGallagher, @jorntvdw, @malwrhunterteam, @Amigo_A_, @RevToJa, @china591, @Securelist, @MarceloRivero, and @kaspersky.
Amigo-A updated his article with new information on the KingOuroboros Ransomware.
MalwareHunterTeam discovered the Whoopsie Ransomware.
A distribution campaign for a new ransomware called Nozelesn is currently underway and is targeting Poland. This campaign started July 1st; we already have reports from victims in our forums, and numerous cases have been spotted on ID Ransomware.
Karsten Hahn discovered RaRansomware that has a ransom note named RaRansomware - Recovery Instructions.html. Michael found a later sample that appends the extension .KUAJW.
Over the weekend, the GandCrab V4 Ransomware was released with numerous changes. These changes include different encryption algorithms, a new .KRAB extension, a new ransom note name, and a new TOR payment site.
MalwareHunterTeam discovered The Brotherhood Ransomware that appends the .ransomcrypt extension and drops a ransom note named RansomNote.jpg. It is most likely in development, as it has a hardcoded key and only encrypts the Documents folder.
Michael Gillespie found a working sample of the NotAHero/KyMERA Ransomware that adds " locked.zip" to encrypted files. It can still be decrypted.
Michael Gillespie found a new ransomware on ID Ransomware with the extension +email@example.com and a ransom note named INSTRUCTIONX.txt that appears to be targeting Belarus.
Michael Gillespie found another new ransomware uploaded to ID Ransomware that appends the .[firstname.lastname@example.org].meduza extension to encrypted files.
MalwareHunterTeam noticed that the Magniber ransomware is targeting other Asian countries rather than just South Korea.
Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .email@example.com extension.
MalwareHunterTeam found a new ransomware called Shrug ransomware that appends the .SHRUG extension. Kinda funny ransom note.
Kaspersky Lab has discovered a new version of the old Rakhni ransomware still going around, but this new version will scan users' systems and decide between running the ransomware or installing a cryptocurrency miner.
Michael Gillespie may have found a new variant of the Everbe Ransomware that uses the extension .[eV3rbe@rape.lol].eV3rbe.
Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .24H extension to encrypted files and drops a ransom note named ReadME-24H.txt.