For the most part, this week brought mostly in-development ransomware. No really major ransomware variants were released that pose much of a threat. The big news, though, is that Kaspersky was able to figure out how to crack the Jaff Ransomware's encryption and released a free decryptor.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @aeris22, @kaspersky, @PrivacyFanatic, and @avast_antivirus.
Two days after the WannaCry ransomware outbreak wreaked havoc across the world, French police seized a server running two Tor relays belonging to French activist Aeris, who said the server was confiscated in connection with the WannaCry attacks.
BleepingComputer discovered the new svpps.xyz screenlocker. It does not encrypt files, but is still in development.
GData security researcher Karsten Hahn discovered a new HiddenTear variant called Facebook Ransomware. When encrypting files, this ransomware will append the .Facebook extension to encrypted files' names. Last week we had YouTube ransomware, this week Facebook; is next week Instagram?
MalwareHunterTeam discovered a new Dutch ransomware called R4bb0l0ck. This ransomware is based on Hidden Tear, drops a ransom note named LEES_MIJ.txt, and appends the .R4bb0l0ck extension to encrypted files.
BleepingComputer discovered the in-development CA$HOUT Ransomware. Currently just a big mess and doesn't work.
Security researchers have finally got their hands on samples of two new strains of Mac malware that have been offered through Malware-as-a-Service (MaaS) portals on the Dark Web for almost two weeks now.
Both portals were launched on May 25 and were discovered by BleepingComputer security editor Catalin Cimpanu during a routine scan of the Dark Web. The first site is named MacSpy and peddles Mac spyware, while the second is named MacRansom, and is renting ransomware in a classic RaaS scheme.
Michael Gillespie discovered a ransom note uploaded to ID-Ransomware that simply left me disgusted. This ransom note is titled "Save Children" and shows a picture of a starving 2 year old Nigerian orphan who was being given aid by a humanitarian worker. The note then goes on to say that the ransomware victim is now part of the fictitious GPAA, or Global Poverty Aid Agency, which it states is a crowdfunding campaign to raise 1000 bitcoins to save children.
Karsten Hahn found an in-dev ransomware where someone is accepting PaySafeCards as a ransom payment. The ransomware will append the .rnsmwre extension to encrypted files and drop ransom notes named @decrypt_your_files.txt.
Michael Gillespie found a new Stupid variant called WhyCry. It uses the extension .whycry for encrypted files.
Ms. Smith, a privacy and security reporter for NetworkWorld, wrote a story about a Korean web hosting company that was infected by the Erebus Ransomware.
Nayana, a web hosting company in South Korea, suffered a ransomware attack over the weekend which resulted in more than a hundred Linux servers and thousands of websites being infected with Erebus ransomware. The initial ransom amount was astronomically high.
We are happy to report that Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab, has discovered a weakness in the Jaff ransomware and was able to release a decryptor for all variants that have been released to date. For those who were infected with the Jaff Ransomware and had their files encrypted with the .jaff, .wlu, or .sVn extensions, this decryptor can recover your files for free.
Avast Software released a free decryption tool for the EncrypTile Ransomware. This was a new one for me, but glad Avast is on top of it!
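As an added triage example (not code from the original post or from any of the vendors mentioned), the script below walks a directory and counts files matching the extensions and ransom note names reported this week, flagging the Jaff extensions for which a free decryptor now exists. The indicator table and the sample file tree are constructed from the names in this roundup only; it is not an exhaustive feed.

```python
import os
import tempfile

# Indicators taken from this week's roundup (constructed lookup, not exhaustive).
# Extensions are compared case-insensitively; ransom note names are matched exactly.
EXTENSION_FAMILIES = {
    ".facebook": "Facebook (HiddenTear variant)",
    ".r4bb0l0ck": "R4bb0l0ck (Hidden Tear variant)",
    ".rnsmwre": "PaySafeCard in-dev ransomware",
    ".whycry": "WhyCry (Stupid variant)",
    ".jaff": "Jaff",
    ".wlu": "Jaff",
    ".svn": "Jaff",  # the .sVn extension, lowercased for comparison
}
NOTE_FAMILIES = {
    "LEES_MIJ.txt": "R4bb0l0ck (Hidden Tear variant)",
    "@decrypt_your_files.txt": "PaySafeCard in-dev ransomware",
}
FREE_DECRYPTOR = {"Jaff": "Kaspersky (all variants released to date)"}


def triage(root):
    """Walk `root` and tally files whose extension or exact name matches an indicator.
    Returns {family: {"encrypted": n, "notes": m, "decryptor": str or None}}."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            family, kind = EXTENSION_FAMILIES.get(ext), "encrypted"
            if family is None:
                family, kind = NOTE_FAMILIES.get(name), "notes"
            if family is None:
                continue
            entry = hits.setdefault(
                family, {"encrypted": 0, "notes": 0, "decryptor": FREE_DECRYPTOR.get(family)})
            entry[kind] += 1
    return hits


def demo():
    """Constructed sample tree standing in for a victim's share; returns the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.docx.jaff", "photo.jpg.wlu", "notes.txt.sVn", "readme.txt"):
            open(os.path.join(tmp, name), "w").close()
        sub = os.path.join(tmp, "nl")
        os.mkdir(sub)
        for name in ("factuur.pdf.R4bb0l0ck", "LEES_MIJ.txt"):
            open(os.path.join(sub, name), "w").close()
        return triage(tmp)
```

Run `triage` against a share to see which of this week's families left traces and whether a free decryptor is already available before considering any payment.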
University College London (UCL) admitted in a status report published yesterday afternoon that it had succumbed to a ransomware infection that affected computers on its network.
The author of a new ransomware strain named Executioner has bungled the tool's encryption routine, which means security researchers will be able to decrypt victims' files. The good news is that this ransomware is not the subject of a massive distribution campaign, so the number of affected victims is low if any even exist.
Karsten Hahn found a screenlocker called Sandwidch. Yeah Sandwich. To unlock enter 0941-4234-6354-0235 into the first field and 4215-2511-7845-2135 into the second.
BleepingComputer found a screenlocker that pretends to be Cerber. It trashes startup repair, removes Task Manager from the Windows security screen, and replaces the Shell with the locker. It doesn't appear to encrypt files.