Mostly in-development ransomware was released this week, and none of the new variants poses much of a threat. The big news, though, is that Kaspersky was able to figure out how to break the Jaff Ransomware's encryption and release a free decryptor.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @aeris22, @kaspersky, @PrivacyFanatic, and @avast_antivirus.

June 10th 2017

BeethoveN Ransomware Switches to Hardcoded RSA Key

MalwareHunterTeam noted that the BeethoveN Ransomware has switched from using a C2 to now using hardcoded RSA keys and email communication.

June 11th 2017

French Police Seize Two Tor Relays in WannaCry Investigation

Two days after the WannaCry ransomware outbreak wreaked havoc across the world, French police seized a server running two Tor relays belonging to French activist Aeris, who said the server was confiscated in connection with the WannaCry attacks.

Screenlocker Discovered

BleepingComputer discovered a new screenlocker. It does not encrypt files and is still in development.

June 12th 2017

Facebook Ransomware Discovered

GData security researcher Karsten Hahn discovered a new HiddenTear variant called Facebook Ransomware. When encrypting files, this ransomware appends the .Facebook extension to the encrypted files' names. Last week we had Youtube ransomware, this week Facebook; is next week Instagram?

R4bb0l0ck Ransomware Discovered

MalwareHunterTeam discovered a new Dutch ransomware called R4bb0l0ck. This ransomware is based on Hidden Tear, drops a ransom note named LEES_MIJ.txt, and appends the .R4bb0l0ck extension to encrypted files.

Jigsaw Ransomware Variant uses the Ghost Extension

Michael Gillespie found a new Jigsaw Ransomware variant that uses the .Ghost extension. His decryptor has been updated to support this variant.

Virus Ransomware likes My Little Pony

MalwareHunterTeam discovered a new ransomware called Virus Ransomware. It is nothing more than a nuisance and does not encrypt files.

CA$HOUT Ransomware Discovered

BleepingComputer discovered the in-development CA$HOUT Ransomware. Currently just a big mess and doesn't work.

MacRansom and MacSpy Malware-as-a-Service Portals Put Mac Users on Alert

Security researchers have finally got their hands on samples of two new strains of Mac malware that have been offered through Malware-as-a-Service (MaaS) portals on the Dark Web for almost two weeks now.

Both portals were launched on May 25 and were discovered by BleepingComputer security editor Catalin Cimpanu during a routine scan of the Dark Web. The first site is named MacSpy and peddles Mac spyware, while the second is named MacRansom, and is renting ransomware in a classic RaaS scheme.

GPAA Ransomware Shows the Depravity of Some Ransomware Developers

Michael Gillespie discovered a ransom note uploaded to ID-Ransomware that simply left me disgusted. This ransom note is titled "Save Children" and shows a picture of a starving 2-year-old Nigerian orphan being given aid by a humanitarian worker. The note then goes on to say that the ransomware victim is now part of the fictitious GPAA, or Global Poverty Aid Agency, which it describes as a crowdfunding campaign to raise 1000 bitcoins to save children.

June 13th 2017

PaySafeCard Ransomware

Karsten Hahn found an in-dev ransomware where someone is accepting PaySafeCards as a ransom payment. The ransomware will append the .rnsmwre extension to encrypted files and drop ransom notes named @decrypt_your_files.txt

Jaff Ransomware Changes Ransom Note Names

MalwareHunterTeam discovered a new variant of the Jaff Ransomware that uses !!!!!SAVE YOUR FILES!!!!.txt and !!!SAVE YOUR FILES!.bmp for the ransom note names.

WhyCry Ransomware Discovered

Michael Gillespie found a new Stupid variant called WhyCry. It uses the .whycry extension for encrypted files.

South Korean web hosting company infected by Erebus ransomware

A privacy and security reporter for NetworkWorld wrote a story about a Korean web hosting company that was infected by the Erebus Ransomware.

Nayana, a web hosting company in South Korea, suffered a ransomware attack over the weekend which resulted in more than a hundred Linux servers and thousands of websites being infected with Erebus ransomware. The initial ransom amount was astronomically high.

June 14th 2017

Decrypted: Kaspersky Releases Decryptor for the Jaff Ransomware

We are happy to report that Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab, has discovered a weakness in the Jaff ransomware and was able to release a decryptor for all variants released to date. For those who were infected with the Jaff Ransomware and had their files encrypted with the .jaff, .wlu, or .sVn extensions, this decryptor can recover your files for free.

New Variant of the BTCWare MasterLock Version Discovered

MalwareHunterTeam found a new sample of the BTCWare MasterLock version that appends the .[].master extension to encrypted files.

Avast releases free decryption tool for EncrypTile ransomware

Avast Software released a free decryption tool for the EncrypTile Ransomware. This was a new one for me, but glad Avast is on top of it!

Sage Stops Using Version Numbers

MalwareHunterTeam noticed that a new variant of the Sage Ransomware was not using version numbers in the ransom note.

In-Development CryForMe Ransomware

MalwareHunterTeam discovered a new in-development ransomware called CryForMe.

June 15th 2017

UK University Blames Ransomware Infection on Zero-Day Vulnerability

University College London (UCL) admitted in a status report published yesterday afternoon that it had succumbed to a ransomware infection that affected computers on its network.

In-Development CryptoSpider Ransomware Discovered

MalwareHunterTeam found a new in-development ransomware called CryptoSpider. This ransomware appends the .Cspider extension to encrypted files.

WinUpdatesDisabler Ransomware Discovered

MalwareHunterTeam found a new ransomware called WinUpdatesDisabler that appends the .zbt extension to encrypted files.

New Windows Has Been Banned Variant

MalwareHunterTeam has found a new variant of the Windows Has Been Banned screenlocker. Enter 4N2nfY5nn2991 to unlock.

June 16th 2017

Author of Executioner Ransomware Bungles Encryption Routine

The author of a new ransomware strain named Executioner has bungled the tool's encryption routine, which means security researchers will be able to decrypt victims' files. The good news is that this ransomware is not the subject of a massive distribution campaign, so the number of affected victims is low if any even exist.


Sandwich Screenlocker Discovered

Karsten Hahn found a screenlocker called Sandwidch. Yeah Sandwich. To unlock enter 0941-4234-6354-0235 into the first field and 4215-2511-7845-2135 into the second.

Fake Cerber Screenlocker Discovered

BleepingComputer found a screenlocker that pretends to be Cerber. Trashes startup repair, removes Task Manager from Windows security screen, and replaces the Shell with the locker. Doesn't appear to encrypt.
