This week we had a new version 4 of the GandCrab ransomware released with a new KRAB extension as well as a new ransomware called Nozelesn that has been heavily distributed. The Nozelesn campaign started out targeting Poland, but since then has hit numerous other countries, including the USA.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwareforme, @FourOctets, @struppigel, @BleepinComputer, @Seifreed, @hexwaxwing, @campuscodi, @LawrenceAbrams, @PolarToffee, @fwosar, @DanielGallagher, @jorntvdw, @malwrhunterteam, @Amigo_A_, @RevToJa, @china591, @Securelist, @MarceloRivero, and @kaspersky.

June 30th 2018

KingOuroboros article updated

Amigo-A updated his article with new information on the KingOuroboros Ransomware.

Whoopsie Ransomware discovered

MalwareHunterTeam discovered the Whoopsie Ransomware.

July 2nd 2018

Nozelesn Ransomware Reportedly Using Spam to Target Poland

A distribution campaign targeting Poland is currently underway for a new ransomware called Nozelesn. The campaign started July 1st, and we already have reports from victims in our forums, while numerous cases have been spotted on ID Ransomware.

 

RaRansomware discovered

Karsten Hahn discovered RaRansomware that has a ransom note named RaRansomware - Recovery Instructions.html. Michael found a later sample that appends the extension .KUAJW.

New Red Scarab Ransomware variant

Michael Gillespie noticed a new Scarab Ransomware variant uploaded to ID Ransomware that uses the .red extension and drops a note named HOW TO RECOVER ENCRYPTED FILES.TXT.

Gollum Ransomware discovered

Michael Gillespie noticed a new ransomware called Gollum uploaded to ID Ransomware that uses the ransom note ransom_pay.html.

Boris Ransomware

Michael Gillespie found a new HiddenTear variant that appends the [decode77@sfletter.com].boris string to encrypted files and drops a ransom note named README.txt.

July 3rd 2018

GandCrab V4 Released With the New .KRAB Extension for Encrypted Files

Over the weekend, the GandCrab V4 Ransomware was released with numerous changes. These changes include different encryption algorithms, a new .KRAB extension, a new ransom note name, and a new TOR payment site.

The Brotherhood Ransomware

MalwareHunterTeam discovered The Brotherhood Ransomware, which appends the .ransomcrypt extension and drops a ransom note named RansomNote.jpg. It is most likely in development, as it has a hardcoded key and only encrypts the Documents folder.

Choda Jigsaw Ransomware variant

Michael Gillespie found a new Korean Jigsaw Ransomware variant that appends the .choda extension to encrypted files.

July 4th 2018

Working sample of the NotAHero/KyMERA Ransomware found

Michael Gillespie found a working sample of the NotAHero/KyMERA Ransomware that appends " locked.zip" to encrypted files. It can still be decrypted.

July 5th 2018

New ransomware targeting Belarus

Michael Gillespie found a new ransomware on ID Ransomware with the extension +superuser111@0nl1ne.at and a ransom note named INSTRUCTIONX.txt that appears to be targeting Belarus.

Meduza Ransomware discovered

Michael Gillespie found another new ransomware uploaded to ID Ransomware that appends the .[btc2018@tutanota.de].meduza extension to encrypted files.

Magniber targeting more Asian countries

MalwareHunterTeam noticed that the Magniber ransomware is targeting other Asian countries rather than just South Korea.

New Coder007 Jigsaw Ransomware variant

Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .coder007@protonmail.com extension.

July 6th 2018

Shrug Ransomware discovered

MalwareHunterTeam found a new ransomware called Shrug that appends the .SHRUG extension. Kinda funny ransom note.

Rakhni Ransomware Adds Coinminer Component

Kaspersky Lab has discovered a new version of the old Rakhni ransomware still going around, but this new version will scan users' systems and decide between running the ransomware and installing a cryptocurrency miner.

Possible new variant of Everbe Ransomware

Michael Gillespie may have found a new variant of the Everbe Ransomware that uses the extension .[eV3rbe@rape.lol].eV3rbe.

24H Ransomware found

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .24H extension to encrypted files and drops a ransom note named ReadME-24H.txt.

Updated KingOuroboros Ransomware

Amigo-A found a new variant of the KingOuroboros Ransomware. His article has been updated.

That's it for this week! Hope everyone has a nice weekend!
