What a crazy week. The biggest news is that we had a hosting company who actually paid a 1 million dollar (think Dr. Evil) ransomware payment. We then had the return of Locky, which at one point was the preeminent ransomware being distributed. We will have to wait and see if it can become king of the hill again.
Other than that, it's mostly been small ransomware variants being released that will probably never make it into any real distribution.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @MarceloRivero, @jiriatvirlab, @zackwhittaker, @hackerfantastic, @TalosSecurity, @VK_Intel, @FBI.
MalwareHunterTeam discovered a new variant of the Jigsaw Ransomware that uses the .sux extension for encrypted files.
MalwareHunterTeam discovered a HiddenTear variant called Wana Decrypt0r Trojan-Syria Editi0n. This ransomware is currently in development, but when done is intended to append the .Wana Decrypt0r Trojan-Syria Editi0n extension to encrypted files.
BleepingComputer discovered the in-development WinBamboozle Ransomware. It currently only encrypts the test subfolder and appends a random 5 character extension to encrypted files.
GData security researcher Karsten Hahn discovered a screenlocker called SkullLocker. You can use Alt+F4 to close it. Not very effective.
BleepingComputer discovered a Polish variant of the Dumb Ransomware.
BleepingComputer discovered a new in-development ransomware called DecrptOr 3.2/Decrypto 3.2. It does not encrypt anything yet.
BleepingComputer discovered a new HiddenTear variant called NSMF Ransomware. This ransomware only encrypts the desktop. When encrypting files it appends .nsmf extension and creates a ransom note named readme.txt.
Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customers' servers.
MalwareHunterTeam discovered a new screenlocker that asks a victim to input their credit card.
Malwarebytes security researcher Marcelo Rivero discovered a new variant of the Crypt888 Ransomware that prepends the Lock. string to an encrypted file name and uses a new background.
On Monday, Honda was forced to temporarily shut down its car plant in Sayama, Japan, after some of its computer systems were infected with the infamous WannaCry ransomware, reported Reuters today.
TeslaWare is currently being promoted and sold through black hat/criminal sites for 35 to 70 Euros depending on the customizations the buyer wants in the ransomware. The good news is that this ransomware is decryptable.
Michael Gillespie is looking for a sample of the aZaZeL Ransomware after a ransom note was uploaded to ID Ransomware. This ransomware appends the .Encrypted extension and drops a ransom note named File_Encryption_Notice.txt.
MalwareHunterTeam discovered a new ransomware that appears to be in development or not properly built. It is currently being called onecrypt.
Fifty-five speed and red-light cameras in the Australian state of Victoria were infected with the WannaCry ransomware.
The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking files only on older Windows XP & Vista machines.
MalwareHunterTeam discovered a malware called AlixSpy that tries to steal the Growtopia save.dat, which contains the user's logins. It then displays a lock screen.
Despite being an expanding threat, ransomware infections are rarely reported to law enforcement agencies, according to conclusions from the 2016 Internet Crime Report, released yesterday by the FBI’s Internet Crime Complaint Center (IC3).
ZDNet security editor Zack Whittaker wrote a great article on why you should never call an operating system 100% secure from anything. The article details how Hacker House co-founder Matthew Hickey was able to bypass security in Windows S to get system level access. From there, had he wished, he would potentially have been able to install ransomware on a system that Microsoft has stated is immune to it.
Karsten Hahn discovered a new ransomware that appears to use a modular system, where each process of the ransomware is handled by a different executable. For example, there is one executable that displays the ransom note, another that encrypts, etc. Karsten is still looking for the main dropper or the crypter executable, so if you find it, please let us know.
Looks like Trollware is making a comeback. This is seen with a new screenlocker found by MalwareHunterTeam that locks your screen, but doesn't ask for money. Basically, they are just doing it to be a pain in the ass.
MalwareHunterTeam discovered a new HiddenTear variant called EyLamo. This ransomware will append the .lamo extension to encrypted files and drop a ransom note named READ_IT.txt.
The PC Security Channel's Leo found a ransomware called Kryptonite, which is disguised as a game of Snake. It currently crashes when I launch it. MalwareHunterTeam found a sample earlier this week, but that crashed immediately, so this appears to be in development.