This has been the week of the Scarab with a continuous stream of Scarab Ransomware variants being released. We also had a few decryptors and some smaller variants, but by far Scarab dominated the ransomware distribution. Thankfully, under certain conditions Scarab can be decrypted by Dr. Web, so be sure to check with them if you become infected.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @BleepinComputer, @PolarToffee, @malwareforme, @malwrhunterteam, @campuscodi, @FourOctets, @struppigel, @Seifreed, @hexwaxwing, @DanielGallagher, @fwosar, @demonslay335, @LawrenceAbrams, @GrujaRS, @Malwarebytes, @arealshadow, @Amigo_A_, @thyrex2002, @FraMauronz, and @leotpsc.
Michael Gillespie and Francesco Muroni released a decryptor for the Sepsis Ransomware that uses the .[email].SEPSIS extension. According to Michael, a padding bug in the ransomware means the last block is corrupt, so up to the last 16 bytes of each file cannot be recovered.
Alex Svirid found a new variant of the help50 Ransomware that appends the .dat extension and uses the contact email of firstname.lastname@example.org.
MalwareHunterTeam found an in-development ransomware called BadMonkey.
Leo found a new version of an in-development ransomware from 2016 called FileIce that requires users to complete surveys in order to decrypt files. We wrote about it when it was first discovered in our In-Dev Ransomware forces you to do Survey before unlocking Computer article.
GrujaRS discovered a new variant of the Pulpy Ransomware that appends the .AES extension and has a contact email of ThomasRaymond@protonmail.com.
Michael Gillespie found a new ransomware that appends the .BtcKING extension to encrypted files and drops a ransom note named How To Decode Files.txt.
Michael Gillespie found a new variant of the EverBe ransomware called Volcano that appends the ..volcano extension to encrypted files. Michael has updated his InsaneCryptDecrypter to handle this variant.
Michael Gillespie tweeted that CryptConsole has been modified, but still contains a flaw that could allow decryption. Victims can contact him for help.
Michael Gillespie found a new ransomware that uses the .[XAVAX@PM.ME].omerta extension and drops a ransom note named READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT. We are still looking for a sample.
New versions of the SamSam ransomware will not execute unless the person running the malware's payload enters a special password on the command line.
MalwareHunterTeam found a new ransomware called KingOuroboros that injects .king_ouroboros between the filename and extension. For example, Chrysanthemum.king_ouroboros.jpg.
Michael Gillespie found another Scarab Ransomware variant uploaded to ID Ransomware that uses the .recme extension and drops a ransom note named HOW_TO_RECOVER_ENCRYPTED_FILES.TXT.
Michael Gillespie found a new Scarab variant uploaded to ID Ransomware that uses the extension .email@example.com and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES - firstname.lastname@example.org.TXT.
A new spam campaign is underway that pretends to be from a group called the "WannaCry-Hack-Team" and states that the infamous WannaCry Ransomware has returned, that the recipient's computer is infected, and that they need to send some bitcoins or their files will be deleted. This is nothing more than WannaSpam: there is nothing wrong with your computer, and the email should simply be tossed into the trash where it belongs.
MalwareHunterTeam found a ransomware that utilizes the extension "....FILES_ARE_SAFE_THE_SIGNLE_AND_UNIQ_WAY_TO_RECOVER_YOUR_FILES_IS_TO_BUY_THE_CERBER_DECRYPTOR_PROGRAM_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOUR_OR_ALL_YOUR_FILES_WILL_BE_LOST_FORVER_PLEASE_BE_REZONABLE_AND_MAKE_THE_PAYMENT_URGENTLY". Your guess is as good as mine.
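As an added example (not code from this article or from any of the researchers it cites), here is a small Python triage helper that matches file names and ransom-note names against the indicators listed in this round-up. It handles the two cases a plain "last extension" check misses: KingOuroboros' marker injected before the original extension, and the double-dot ..volcano suffix. The family labels, the sample listing and the long Cerber look-alike pattern are constructed for illustration.

```python
import ntpath
import re

# Suffix indicators taken from this round-up (family labels are our own shorthand).
SUFFIX_INDICATORS = {
    ".recme": "Scarab",
    ".BtcKING": "BtcKING",
    "..volcano": "EverBe/Volcano",
    ".AES": "Pulpy",
    ".SEPSIS": "Sepsis",
    ".omerta": "Omerta",
}

# Families that do not simply append a suffix: KingOuroboros injects its marker
# between the base name and the real extension, and the Cerber look-alike uses
# a very long "extension" that starts with four dots.
INFIX_PATTERNS = [
    (re.compile(r"\.king_ouroboros\.[^.]+$", re.IGNORECASE), "KingOuroboros"),
    (re.compile(r"\.{4}FILES_ARE_SAFE_.*CERBER_DECRYPTOR"), "Cerber look-alike"),
]

# Ransom-note file names from this round-up, compared case-insensitively.
RANSOM_NOTES = {
    "HOW_TO_RECOVER_ENCRYPTED_FILES.TXT": "Scarab",
    "HOW TO DECODE FILES.TXT": "BtcKING",
    "READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT": "Omerta",
}


def classify_filename(path):
    """Return the suspected family for one encrypted-file name, or None."""
    base = ntpath.basename(path)  # ntpath splits on both '\\' and '/'
    for suffix, family in SUFFIX_INDICATORS.items():
        if base.endswith(suffix):
            return family
    for pattern, family in INFIX_PATTERNS:
        if pattern.search(base):
            return family
    return None


def classify_note(path):
    """Return the family whose ransom note carries this file name, or None."""
    return RANSOM_NOTES.get(ntpath.basename(path).upper())


def triage(paths):
    """Count suspected families over a directory listing: {family: hits}."""
    hits = {}
    for p in paths:
        family = classify_filename(p) or classify_note(p)
        if family:
            hits[family] = hits.get(family, 0) + 1
    return hits


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\Chrysanthemum.king_ouroboros.jpg",
    r"C:\Users\alice\Documents\budget.xlsx.recme",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_ENCRYPTED_FILES.TXT",
    r"C:\Users\alice\Documents\report.docx..volcano",
    r"C:\Users\alice\Music\track.mp3",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```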