This was a busy week with lots of new variants of active ransomware being released. We also have Sigrun offering free decryption to Russian victims and an awesome facepalm waiting for you at the end of the article.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @fwosar, @DanielGallagher, @hexwaxwing, @BleepinComputer, @struppigel, @jorntvdw, @FourOctets, @malwareforme, @campuscodi, @PolarToffee, @malwrhunterteam, @Seifreed, @LawrenceAbrams, @thyrex2002, @GrujaRS, @Amigo_A_, @siri_urz.

May 26th 2018

New Jigsaw Ransomware variant

Michael Gillespie found a Jigsaw Ransomware variant where someone added a C2 server to it. Normally, Jigsaw runs without needing to talk to another server.

May 27th 2018

New Dharma variant

GrujaRS discovered a new Dharma Ransomware variant that uses the extension .id-%id%[java2018@tuta io].arrow.

New Scarab Ransomware variant

@Amigo_A_ discovered a new Scarab ransomware variant that appends the .osk extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

May 29th 2018

New CryptConsole2 Variant

Alex Svirid found a new version of CryptConsole2 that uses the email zeman@tutanota.de and drops a ransom note named HOW DECRIPT FILES.hta.

Aurora Ransomware now using a C2 Server

MalwareHunterTeam found a new Aurora/OneKeyLocker Ransomware variant that uses a C2 server.

New CryptConsole variant

Michael Gillespie found a new CryptConsole variant that uses the email helps@tutanota.com and is still decryptable.

May 30th 2018

New Backup Cryptomix Ransomware Variant Actively Infecting Users

MalwareHunterTeam discovered a new variant of the Cryptomix Ransomware that appends the .BACKUP extension to encrypted files, changes the contact email, and slightly changes the ransom note's name.

New Scarab Ransomware variant

ID Ransomware detected another Scarab Ransomware variant that uses the extension .REBUS and drops a ransom note named REBUS RECOVERY INFORMATION.TXT.

Insta Ransomware Discovered

Michael Gillespie is looking for a new ransomware that appends the .insta extension and drops a ransom note named filesinfo.txt. A victim has already posted about it on our forums.

Jigsaw Ransomware being used as part of an Ethical Hacking course

Michael Gillespie found a Jigsaw variant being used as part of an Ethical Hacking course.

Pain Locker Ransomware discovered

MalwareHunterTeam found a new ransomware called Pain Locker that drops a ransom note named !=How_recovery_files=!.txt and uses the extension .[pain@cock.lu].pain. It could be an Everbe variant.

New Everbe Ransomware variant

Michael Gillespie found a new variant of the Everbe Ransomware that uses the extension .[embrace@airmail.cc].embrace.

New LittleFinger ransomware

MalwareHunterTeam found a new ransomware dubbed LittleFinger that does not append an extension. It may still be in development.

New Cryptgh0st Ransomware

Michael Gillespie found a new ransomware named cryptgh0st that renames files to .cryptgh0st and drops a ransom note named READ_TO_DECRYPT.html.

May 31st 2018

New LockCrypt 2.0 Ransomware variant

Michael Gillespie found a new LockCrypt 2.0 Ransomware variant that uses the extension id-.BI_ID and drops a ransom note named How To Restore Files.txt.

New Scarab Ransomware variant

ID Ransomware detected another Scarab Ransomware variant that uses the extension .infovip@airmail.cc and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT.

New Stop Ransomware variant

Michael Gillespie found a new Stop Ransomware variant that uses the extension .CONTACTUS and drops a ransom note named !!!!RESTORE_FILES!!!.txt.

New BitPaymer Ransomware variant

S!Ri discovered a new variant of the BitPaymer ransomware.

June 1st 2018

Sigrun Ransomware Author Decrypting Russian Victims for Free

The author of the Sigrun Ransomware is providing decryption for Russian victims for free, while asking for a ransom payment of $2,500 in Bitcoin or Dash for everyone else. It is not uncommon for Russian ransomware developers to purposely avoid targeting Russian citizens and to outwardly help such victims for free.

OpsVenezuela Ransomware Discovered

For our last entry before the weekend, let's have some fun and show a big facepalm in a new ransomware :)

MalwareHunterTeam found a new ransomware called OpsVenezuela that is mostly Hidden Tear with some code from EDA2. The bonus is how the malware dev assigns the password. Hint: "quotes".

That's it for this week! Hope everyone has a nice weekend!
