This has been the week of the Scarab with a continuous stream of Scarab Ransomware variants being released. We also had a few decryptors and some smaller variants, but by far Scarab dominated the ransomware distribution. Thankfully, under certain conditions Scarab can be decrypted by Dr. Web, so be sure to check with them if you become infected.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @BleepinComputer, @PolarToffee, @malwareforme, @malwrhunterteam, @campuscodi, @FourOctets, @struppigel, @Seifreed, @hexwaxwing, @DanielGallagher, @fwosar, @demonslay335, @LawrenceAbrams, @GrujaRS, @Malwarebytes, @arealshadow, @Amigo_A_, @thyrex2002, @FraMauronz, and @leotpsc.

June 16th 2018

Decryptor for the Sepsis Ransomware released

Michael Gillespie and Francesco Muroni released a decryptor for the Sepsis Ransomware that uses the .[email].SEPSIS extension. According to Michael, a padding bug in the ransomware means the last block is corrupt, so up to the last 16 bytes of files cannot be recovered.

New Help50 variant discovered

Alex Svirid found a new variant of the help50 Ransomware that appends the .dat extension and uses the contact email of blackmagic8@yandex.com.

New Scarab Ransomware .good variant

Amigo-A wrote about a new Scarab Ransomware variant that is appending the .good extension to encrypted files. Under certain circumstances, it can be decrypted by Dr. Web.

New in-dev BadMonkey Ransomware

MalwareHunterTeam found an in-development ransomware called BadMonkey.

FileIce wants you to complete surveys

Leo found a new version of an in-development ransomware from 2016 called FileIce that requires users to complete surveys in order to decrypt files. We wrote about it when it was first discovered in our In-Dev Ransomware forces you do to Survey before unlocking Computer article.

June 18th 2018

New Scarab Ransomware Danger variant

Amigo-A wrote about a new Scarab Ransomware variant that is appending the .fastrecovery@xmpp.jp extension to encrypted files. Under certain circumstances, it can be decrypted by Dr. Web.

New Scarab .oneway variant

Michael Gillespie discovered a new variant of the Scarab Ransomware on ID Ransomware that appends the .oneway extension and drops a note named Расшифровать файлы.

June 19th 2018

New Pulpy Ransomware variant

GrujaRS discovered a new variant of the Pulpy Ransomware that appends the .AES extension and has a contact email of ThomasRaymond@protonmail.com.

New CyberSCCP Ransomware

A Shadow found a HiddenTear variant that appends the .CyberSCCP extension and drops a ransom note named READ_IT.txt.

BtcKING Ransomware found

Michael Gillespie found a new ransomware that appends the .BtcKING extension to encrypted files and drops a ransom note named How To Decode Files.txt.

New Scarab .bomber variant

Amigo-A wrote about a new Scarab Ransomware variant that is appending the .bomber extension to encrypted files. This ransomware has a strong campaign underway targeting Russian victims.

JungleSec Ransomware discovered

Michael Gillespie detected a new Linux ransomware called JungleSec that appends the .jungle@anonymousspechcom extension and drops a note named ENCRYPTED.md.

New EverBe Ransomware variant called Volcano

Michael Gillespie found a new variant of the EverBe ransomware called Volcano that appends the .[].volcano extension to encrypted files. Michael has updated his InsaneCryptDecrypter to handle this variant.

Another CyberSCCP variant

A Shadow discovered a new variant of the CyberSCCP ransomware.

June 20th 2018

CryptConsole has been modified, but still contains flaw

Michael Gillespie tweeted that CryptConsole has been modified, but still contains a flaw that could allow decryption. Victims can contact him for help.

New Omerta Ransomware discovered

Michael Gillespie found a new ransomware that uses the .[XAVAX@PM.ME].omerta extension and drops a ransom note named READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT. We are still looking for a sample.

June 21st 2018

New SamSam Variant Requires Special Password Before Infection

New versions of the SamSam ransomware will not execute unless the person running the malware's payload enters a special password via the command-line.

KingOuroboros Ransomware discovered

MalwareHunterTeam found a new ransomware called KingOuroboros that injects .king_ouroboros between the filename and extension, for example, Chrysanthemum.king_ouroboros.jpg.

Another Scarab Ransomware variant appends .recme

Michael Gillespie found another Scarab Ransomware variant uploaded to ID Ransomware that uses the .recme extension and drops a ransom note named HOW_TO_RECOVER_ENCRYPTED_FILES.TXT.

June 22nd 2018

And another Scarab Ransomware variant

Michael Gillespie found a new Scarab variant uploaded to ID Ransomware that uses the extension .dan@cock.email and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES - dan@cock.email.TXT.

Blackmail Campaign Pretending to be WannaCry Is Really Just WannaSpam

A new spam campaign is underway that pretends to be from a group called the "WannaCry-Hack-Team" and states that the infamous WannaCry Ransomware has returned, that the recipient's computer is infected, and that they need to send some bitcoins or their files will be deleted. This is nothing more than WannaSpam: there is nothing wrong with your computer, and the email should simply be tossed into the trash where it belongs.

Ransomware extension that goes on and on

MalwareHunterTeam found a ransomware that utilizes the extension "....FILES_ARE_SAFE_THE_SIGNLE_AND_UNIQ_WAY_TO_RECOVER_YOUR_FILES_IS_TO_BUY_THE_CERBER_DECRYPTOR_PROGRAM_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOUR_OR_ALL_YOUR_FILES_WILL_BE_LOST_FORVER_PLEASE_BE_REZONABLE_AND_MAKE_THE_PAYMENT_URGENTLY". Your guess is as good as mine.

That's it for this week! Hope everyone has a nice weekend!

 
