It has been another crazy week when it comes to ransomware due to the NotPetya outbreak. This ransomware/destructive malware played havoc all over the world, but especially in Ukraine, when it was unleashed on Tuesday. Other than that, the rest of the ransomware news was basically small variants being developed or released.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @emsisoft, @MarceloRivero, @LukasStefanko, @radware, @craiu, @0xAmit, @ComaeIo, @kaspersky, @dvk01uk, @PhysicalDrive0, @Zerophage1337, @phage_nz, @VirITeXplorer, and @Malwarebytes.

June 24th 2017

New Jigsaw Ransomware Variant Appending the .Rat Extension

MalwareHunterTeam found a new Jigsaw Ransomware variant that utilizes the .rat extension for encrypted files.

New HiddenTear Variant Alludes to Targeting a Specific Company

MalwareHunterTeam found a new HiddenTear variant whose ransom note appears to target a particular company. A joke, or targeted blackmail? Who knows. This ransomware appends the .locked extension to encrypted files.

Koler Android Ransomware Targets the US with Fake PornHub Apps

During the past week, US users visiting adult-themed sites were targeted by ads for a fake PornHub app that contained a version of the Koler ransomware.

June 26th 2017

New HiddenTear Variant Pretending to be Battlefield

GData security researcher Karsten Hahn first spotted a new HiddenTear variant that pretends to be the Battlefield game. This ransomware appends the .locked extension to encrypted files.

MMM Ransomware Discovered

Karsten Hahn discovered a new ransomware that appends the .MMM extension to encrypted files. This ransomware appends the .0x004867 extension to encrypted files and also creates a .info file for each encrypted file that contains the encryption key. It is currently in development, as it only encrypts the C:\Users\Work\Desktop\Test folder.

New Variant of Samas Discovered

Michael Gillespie found a new variant of the Samas/SamSam ransomware uploaded to ID Ransomware. This one appends the .moments2900 extension to encrypted files.

$1 Million Ransomware Payment Has Spurred New DDoS-for-Bitcoin Attacks

The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies.

June 27th 2017

Karo Ransomware Discovered

MalwareHunterTeam discovered the Karo Ransomware. Karo appends the .ipygh extension to encrypted files and drops a ransom note named ReadMe.html.

ViaCrypt Ransomware Discovered

MalwareHunterTeam discovered the ViaCrypt Ransomware. This ransomware appends the .via extension to encrypted files.

New Shifr RaaS Lets Any Dummy Enter the Ransomware Business

Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button. The entry level for this new ransomware is hilariously low, compared to similar RaaS portals we've seen in the past.

WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

This is the first article to cover the NotPetya ransomware attack, which affected a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransomware uses the contact details of and asks for a payment of $300 in Bitcoin.

Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files

Posteo, the email provider where the NotPetya author was hosting an inbox to handle victims from today's massive ransomware outbreak, has announced that it shut down the crook's email account.

Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software

The NotPetya outbreak allegedly has been caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies.

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers. Using this information, Lawrence Abrams of BleepingComputer put together a batch file and an executable that can be used to vaccinate a computer.

CryptoBubble Ransomware Discovered

Security researchers at TG Soft discovered a new ransomware called CryptoBubble. This ransomware appends the .bubble extension to encrypted files. A decryptor for this ransomware can be downloaded here.

New Variant of the Executioner Ransomware Released

Michael Gillespie discovered a new variant of the Executioner ransomware that appends a random 6-character extension to each encrypted file. This ransomware can be decrypted. Feel free to contact Michael for help.

Schroedinger’s Pet(ya)

Kaspersky Lab wrote an interesting blog post detailing their analysis of the encryption routine of the malware used in the Petya/ExPetr attacks. Based on this analysis, they have determined that the threat actor cannot decrypt victims’ disks, even if a payment was made. It appears this malware campaign was designed as a wiper pretending to be ransomware.

June 28th 2017

Before NotPetya, There Was Another Ransomware That Targeted Ukraine Last Week

Last week, long before the Petya/NotPetya ransomware broke out, there was another ransomware campaign that targeted Ukrainian users with a vengeance. That ransomware's name was PSCrypt, and it is the third ransomware strain that has aggressively targeted Ukrainian users during the past month, after XData and NotPetya.

Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware

The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.

MusicGuy Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called MusicGuy. This ransomware appends the .locked extension to encrypted files.

Random6 Ransomware Sample Discovered

A Random6 sample was discovered by Malwarebytes researcher Marcelo Rivero. This ransomware appends a random 6-character extension to encrypted files and drops a ransom note named RESTORE-.-FILES.txt.

Gank Ransom Discovered

Lawrence Abrams of BleepingComputer discovered the in-development Gank Ransom. This ransomware appends the .gankLocked extension to encrypted files.
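
Most of the entries above identify a family by the extension it appends (Jigsaw's .rat, HiddenTear's .locked, MMM's .0x004867, Samas's .moments2900, Karo's .ipygh, ViaCrypt's .via, CryptoBubble's .bubble, Gank's .gankLocked) or by the note it drops (Karo's ReadMe.html, Random6's RESTORE-.-FILES.txt), and two of them (Executioner and Random6) append a random 6-character extension instead. Below is an added example, written for this roundup and not code from BleepingComputer or any of the researchers it cites, of a triage sweep that applies those indicators to a directory tree. The indicator table contains only what the roundup states; everything else is an assumption made for the example: the heuristic that a random-extension victim file still carries its original document suffix (report.docx.q7x2k9), the document-suffix list, the allow-list of legitimate 6-character suffixes, the per-directory cluster threshold, the constructed sample file names, and the guess that MMM's per-file key sidecar is named "<encrypted file>.info".

```python
"""Triage sweep for the ransomware indicators named in this week's roundup (added example)."""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Extensions the roundup says each family appends to encrypted files (lowercased for matching).
KNOWN_EXTENSIONS = {
    ".rat": "Jigsaw variant", ".locked": "HiddenTear variants / MusicGuy",
    ".mmm": "MMM", ".0x004867": "MMM", ".moments2900": "Samas/SamSam variant",
    ".ipygh": "Karo", ".via": "ViaCrypt", ".bubble": "CryptoBubble", ".ganklocked": "Gank Ransom",
}
# Ransom note file names the roundup gives (lowercased for matching).
RANSOM_NOTES = {"readme.html": "Karo", "restore-.-files.txt": "Random6"}

# Executioner and Random6 append a random 6-character extension. Because the original
# extension is kept, an encrypted file looks like "report.docx.q7x2k9": a common document
# suffix followed by six unknown alphanumerics. Both signals are required to limit noise.
RANDOM6 = re.compile(r"^\.[a-z0-9]{6}$", re.IGNORECASE)
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".zip"}
BENIGN_SIX_CHAR = {".backup", ".config", ".sqlite"}  # assumed allow-list of legitimate 6-char suffixes
MIN_RANDOM_CLUSTER = 3  # assumed: a directory with this many random-extension hits is reported as a cluster
HEURISTIC_FAMILY = "Executioner / Random6 (heuristic)"


@dataclass
class SweepReport:
    by_family: dict = field(default_factory=dict)         # family -> sorted relative paths
    key_sidecars: list = field(default_factory=list)      # encrypted files with an adjacent .info file
    random6_clusters: dict = field(default_factory=dict)  # directory -> number of random-extension hits


def classify(path: Path):
    """Return (signal, family) for one file, or None when no indicator matches."""
    if path.name.lower() in RANSOM_NOTES:
        return "ransom_note", RANSOM_NOTES[path.name.lower()]
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in KNOWN_EXTENSIONS:
        return "known_extension", KNOWN_EXTENSIONS[last]
    if (RANDOM6.match(last) and last not in BENIGN_SIX_CHAR
            and len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS):
        return "random6_appended", HEURISTIC_FAMILY
    return None


def sweep(root: Path) -> SweepReport:
    """Walk root, group every indicator hit by family, and flag key sidecars and clusters."""
    report = SweepReport()
    cluster = Counter()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            hit = classify(p)
            if hit is None:
                continue
            signal, family = hit
            rel = p.relative_to(root).as_posix()
            report.by_family.setdefault(family, []).append(rel)
            if signal == "random6_appended":
                cluster[p.parent.relative_to(root).as_posix()] += 1
            # MMM writes a .info key file per encrypted file; "<encrypted name>.info" is an assumed naming.
            if signal != "ransom_note" and (p.parent / (p.name + ".info")).is_file():
                report.key_sidecars.append(rel)
    for files in report.by_family.values():
        files.sort()
    report.key_sidecars.sort()
    report.random6_clusters = {d: n for d, n in cluster.items() if n >= MIN_RANDOM_CLUSTER}
    return report


# Constructed sample tree: the file names are made up; only the extensions and note names come from the roundup.
SAMPLE_FILES = [
    "docs/report.docx.rat", "docs/budget.xlsx.locked", "docs/ReadMe.html",     # Jigsaw, HiddenTear, Karo note
    "accounting/ledger.xlsx.0x004867", "accounting/ledger.xlsx.0x004867.info",  # MMM file + assumed key sidecar
    "photos/holiday1.jpg.q7x2k9", "photos/holiday2.jpg.m3p8za", "photos/holiday3.jpg.t0c4vn",
    "photos/RESTORE-.-FILES.txt",                                              # Random6 note
    "clean/notes.txt", "clean/app.config", "clean/db.sqlite", "clean/archive.tar.gz",
    "clean/deck.pptx.backup",                                                  # none of these may be flagged
]


def build_sample_tree(root: Path) -> Path:
    """Materialise SAMPLE_FILES under root with placeholder contents."""
    for rel in SAMPLE_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


def demo() -> SweepReport:
    """Build the sample tree in a temporary directory, sweep it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    r = demo()
    print(r.by_family, r.key_sidecars, r.random6_clusters, sep="\n")
```

Running the file prints the hits grouped by family, the one MMM-style file that has a key sidecar beside it, and the "photos" directory as a random-extension cluster, while nothing under "clean/" is flagged (deck.pptx.backup survives only because of the allow-list, which is why the random-extension signal is a triage hint to be confirmed, not a verdict on its own).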

PirateWare Discovered

Lawrence Abrams discovered a new in-development ransomware called PirateWare. It does not encrypt anything.

June 29th 2017

Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware

This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially designated folders. This would protect the contents of protected folders from malware such as ransomware.

Cerber Renames Itself as CRBR ENCRYPTOR to Be a PITA

Security researcher PhysicalDrive0 was the first to spot that Cerber Ransomware rebranded itself as CRBR Encryptor.

Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone

A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PSCrypt, and the infamous NotPetya. This particular ransomware is a .NET WannaCry imitator that may target the M.E.Doc accounting software, or at least hide within its folder.

ABCScreenLocker Discovered

MalwareHunterTeam discovered a new in-development ransomware called ABCScreenLocker. It does little more than display its lock screen.

New Variant of the Nemucod Ransomware Released

Michael Gillespie discovered a new Nemucod ransom note uploaded to ID Ransomware. A sample was then discovered by My Online Security being distributed through spam emails.

June 30th 2017

More Security Firms Confirm NotPetya Shoddy Code Is Making Recovery Impossible

The bandwagon of cyber-security firms claiming that NotPetya was meant for destructive purposes is getting more crowded by the day, with three new additions from Cisco Talos, F-Secure, and Malwarebytes.
