This was a busy week with lot's of new variants of active ransomware being released. We also have Sigrun offering free decryption to Russian victims and a awesome facepalm waiting for you at the end of the article.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @fwosar, @DanielGallagher, @hexwaxwing, @BleepinComputer, @struppigel, @jorntvdw, @FourOctets, @malwareforme, @campuscodi, @PolarToffee, @malwrhunterteam, @Seifreed, @LawrenceAbrams, @thyrex2002, @GrujaRS, @Amigo_A_, @siri_urz.
GrujaRS discovered a new Dharma Ransomware variant that uses the extension .id-%id%[java2018@tuta io].arrow.
@Amigo_A_ discovered a new Scarab ransomware variant that appends the .osk extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
Alex Svirid found a new version of CryptoConsole2 that uses the email firstname.lastname@example.org and drops a ransom note named HOW DECRIPT FILES.hta.
MalwareHunterTeam found a new Aurora/OneKeyLocker Ransomware variant that uses a C2 server.
MalwareHunterTeam discovered a new variant of the Cryptomix Ransomware that appends the .BACKUP extension to encrypted files, changes the contact email, and slightly changes the ransom note's name.
ID Ransomware detected another Scarab Ransomware variant that uses the extension .REBUS and drops a ransom note named REBUS RECOVERY INFORMATION.TXT.
MalwareHunterTeam found a new ransomware called Pain Locker that drops a ransom note named !=How_recovery_files=!.txt and uses the extension .[email@example.com].pain. It could be a Everbe variant.
MalwareHunterTeam found a new ransomware dubbed LittleFinger that does not append an extension. May still be in development.
ID Ransomware detected another Scarab Ransomware variant that uses the extension .firstname.lastname@example.org and drops a ransom note named HOW TO RECOVER ENCRYPTED FILESemail@example.com.TXT.
S!Ri discovered a new variant of the BitPaymer ransomware.
The author of the Sigrun Ransomware is providing decryption for Russian victims for free, while asking for a ransom payment of $2,500 in Bitcoin or Dash for everyone else. It is not uncommon for Russian ransomware developers to purposely avoid targeting Russian citizens and to outwardly help such victims for free.
For our last entry before the weekend, let's have some fun show a big facepalm in a new ransomware :)
MalwareHunterTeam found a new ransomware called OpsVenezuela that is mostly Hidden Tear with some code from EDA2. The bonus, is how the malware dev assigns the password. Hint: "quotes".