This week we have seen a lot of CryptConsole variants, Magniber activity, and smaller variants released. Ransomware continues to decline as malware developers move toward more profitable miners and information stealing Trojans. Ransomware is not going away, but is instead moving away from mass malspam campaigns to targeted network attacks where a ransom payment may be more likely.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @campuscodi, @malwareforme, @DanielGallagher, @struppigel, @malwrhunterteam, @Seifreed, @FourOctets, @fwosar, @hexwaxwing, @BleepinComputer, @jorntvdw, @PolarToffee, @LawrenceAbrams, @Damian1338B, @GrujaRS, @JakubKroustek , @bartblaze, and @leotpsc.
MalwareHunterTeam discovered a ransomware called CryBrazil that appends the .crybrazil extension to encrypted files. Uses a nicely designed ransom note.
Leo found a new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.
Amigo-A found a new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
MalwareHunterTeam found a new XiaoBa Ransomware variant that uses the .AdolfHitler extension and drops a ransom note named # # DECRYPT MY FILE # #.bmp .
Michael Gillespie spotted another variant of the CryptConsole Ransomware that uses the email@example.com email address. Victims can contact him for decryption.
The Atlanta Police Department has lost years worth of police car dashcam videos following the March ransomware attack that affected most of the city's IT infrastructure.
Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.
The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.
Michael Gillespie spotted a new Aurora variant uploaded to ID Ransomware that uses the
#RECOVERY-PC#.txt ransom note.
Michael Gillespie found a new variant of the CryptConsole ransomware that uses the address firstname.lastname@example.org and is still decryptable.
GrujaRS discovered a new variant of the GlobeImposter Ransomware that uses the extension .emilysupp.
Damian1338 discovered the Princess Ransomware being sold on an underground criminal site.
MalwareHunterTeam discovered a new variant of the PGPSnippet Ransomware that appends the extension .email@example.com to encrypted files. Victims can contact Michael Gillespie for decryption.
Michael Gillespie found a test version of the Spartacus Ransomware that uses the emails firstname.lastname@example.org and email@example.com and appends the .SF extension to encrypted files.
A new variant of the Magniber Ransomware was uploaded to ID Ransomware that uses the .ndpyhss extension for encrypted files.