Another week of mostly small ransomware releases. Ultimately, this is a good thing, as the vast majority of these are never widely distributed. Most notable this week are a macOS RaaS, a new Jaff variant, and a potential new ransomware called Spectre.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @dvk01uk, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @HeimdalSecurity, @McAfee_Labs, @FortiGuardLabs and @msftmmpc.

June 3rd 2017

Ramsey Ransomware Discovered

BleepingComputer discovered a new Jigsaw Ransomware variant called Ramsey Ransomware. Ramsey appends the .ram extension to encrypted files.

June 4th 2017

Executioner Ransomware Discovered

BleepingComputer discovered a new HiddenTear variant called Executioner Ransomware. This ransomware appends a random extension to encrypted files and creates a ransom note named Sifre_Coz_Talimat.html.

Mora Project Ransomware Discovered

BleepingComputer discovered the in-development Mora Project Ransomware. This is a HiddenTear variant and appends .encrypted to encrypted files. It also creates a ransom note named ReadMe_Important.txt.

StrutterGear Jigsaw Variant Discovered

BleepingComputer discovered a new variant of the Jigsaw ransomware called StrutterGear. It is currently in development and only encrypts a few files.

June 5th 2017

Cybercrime Market Shares Infrastructure With Jaff Ransomware Operation

According to Heimdal Security, the people who distribute the Jaff ransomware share server space with a cybercrime marketplace called PaySell.

Jigsaw Variant that uses the .Lost Extension

MalwareHunterTeam discovered a new variant of the Jigsaw ransomware that uses the .lost extension. It masquerades as Flash.

MrLocker Scareware Discovered

MalwareHunterTeam found a new scareware program that states that your files will be deleted if you do not pay the ransom. It does not actually do anything.

Jigsaw Decrypter Updated

Michael Gillespie updated his Jigsaw Decryptor to support the .lost, .ram, and .tax extensions.

TheDarkEncryptor Released

MalwareHunterTeam discovered a Jigsaw-styled ransomware called TheDarkEncryptor. This variant appends the .tdelf extension to encrypted files and displays the desktop background shown below.

Ogre Ransomware Released with Some Nazi Undertones

MalwareHunterTeam discovered the new Ogre Ransomware. This ransomware will append the .ogre extension to encrypted files.

YouTube Screenlocker Discovered

MalwareHunterTeam spotted a new screenlocker pretending to be from YouTube. The passcode to unlock is law725.

$usyLocker Ransomware Discovered

MalwareHunterTeam discovered a new HiddenTear ransomware called $usyLocker. It appends the .WINDOWS extension to encrypted files and drops a ransom note named READ_IT.txt.

June 6th 2017

New BTCWare Variant Uses New Extension

MalwareHunterTeam spotted a new variant of BTCWare that uses the extension [3bitcoins@protonmail.com].blocking for encrypted files.

In-Dev CryMore Ransomware Discovered

MalwareHunterTeam discovered a new in-development ransomware called CryMore. It appends the .encrypt extension to encrypted files and currently only encrypts the C:\Users\TMC\Desktop\testcd folder.

CryptoSearch Updated to Support More Ransomware Variants

Michael Gillespie updated CryptoSearch to version 0.9.7.0 so that it can find files encrypted by Amnesia, Amnesia2, Cry9, Cry128, and Cry36 using their filemarkers.

ID-Ransomware Updated to Latest Variants of the Cry Ransomware

Michael Gillespie, with the help of xXToffeeXx, added filemarker detection for the Cry36 Ransomware to ID-Ransomware.
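The CryptoSearch and ID-Ransomware entries above both rely on two identification methods: matching the extension or ransom-note name a family leaves behind, and matching a filemarker (a fixed byte string the encryptor writes into every file). The following Python scanner is an added example written for this roundup; it is not BleepingComputer's code and not how CryptoSearch or ID-Ransomware are implemented. The extensions and note names are taken from this week's entries; the filemarker bytes are a constructed placeholder, because the real Amnesia/Cry36 markers are not given on this page, and the sample directory it scans is constructed inline.

```python
"""Walk a directory tree and flag files that match ransomware indicators
from this week's roundup: known extensions, ransom-note names, the BTCWare
"[email].blocking" pattern, and a filemarker check at each end of the file.
Added example; not BleepingComputer's code and not the named tools' logic."""
import re
import tempfile
from pathlib import Path

# Extension -> family, taken from this week's entries.
KNOWN_EXTENSIONS = {
    ".ram": "Ramsey (Jigsaw variant)",
    ".lost": "Jigsaw variant",
    ".encrypted": "Mora Project (HiddenTear)",
    ".tdelf": "TheDarkEncryptor",
    ".ogre": "Ogre",
    ".WINDOWS": "$usyLocker (HiddenTear)",
    ".encrypt": "CryMore",
    ".zilla": "Zilla",
    ".BeethoveN": "BeethoveN",
    ".R3K7M9": "Jigsaw variant",
    ".cr020801": "unlckr@protonmail.com ransomware",
    ".payforunlock": "CryptoGod",
    ".sVn": "Jaff",
}

# Ransom-note file name -> family, taken from this week's entries.
RANSOM_NOTES = {
    "Sifre_Coz_Talimat.html": "Executioner",
    "ReadMe_Important.txt": "Mora Project",
    "READ_IT.txt": "$usyLocker",
    "OkuBeni.txt": "Zilla",
}

# BTCWare appends "[contact-email].blocking", so match the shape, not one address.
BTCWARE_RE = re.compile(r"\.\[[^\]\s]+@[^\]\s]+\]\.blocking$")

# Filemarkers: bytes written at the start or end of every encrypted file.
# The real Amnesia/Cry36 markers are not on the page; this value is a
# constructed placeholder used only to show the check itself.
FILEMARKERS = {b"EXAMPLE-MARKER-v1": "HypotheticalFamily (placeholder marker)"}
MARKER_WINDOW = 64  # bytes inspected at each end of a file


def identify(path: Path) -> list[tuple[str, str]]:
    """Return (indicator, family) pairs for one file; empty list if clean."""
    hits = []
    name = path.name
    if name in RANSOM_NOTES:
        hits.append(("ransom note", RANSOM_NOTES[name]))
    if path.suffix in KNOWN_EXTENSIONS:
        hits.append(("extension " + path.suffix, KNOWN_EXTENSIONS[path.suffix]))
    if BTCWARE_RE.search(name):
        hits.append(("extension pattern [email].blocking", "BTCWare"))
    try:
        with path.open("rb") as f:
            head = f.read(MARKER_WINDOW)
            f.seek(0, 2)
            size = f.tell()
            f.seek(max(0, size - MARKER_WINDOW))
            tail = f.read(MARKER_WINDOW)
    except OSError:
        return hits  # unreadable file: report name-based hits only
    for marker, family in FILEMARKERS.items():
        if head.startswith(marker) or tail.endswith(marker):
            hits.append(("filemarker", family))
    return hits


def scan(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Map each flagged file (path relative to root) to its indicator hits."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = identify(p)
            if hits:
                results[p.relative_to(root).as_posix()] = hits
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample files standing in for a hit machine's user profile."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.ram").write_bytes(b"\x00" * 32)
    (root / "docs" / "photo.jpg.[3bitcoins@protonmail.com].blocking").write_bytes(b"\x00" * 32)
    (root / "docs" / "OkuBeni.txt").write_text("ransom note text")
    (root / "docs" / "notes.txt").write_text("clean file")
    (root / "db.sqlite").write_bytes(b"\x00" * 40 + b"EXAMPLE-MARKER-v1")
    (root / "budget.xlsx.sVn").write_bytes(b"\x00" * 32)


def demo() -> dict[str, list[tuple[str, str]]]:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, "->", hits)
```

Matching on the last suffix alone is deliberately narrow: a family that keeps the original extension and only stamps a marker (as the Cry variants do) is caught by the filemarker branch, which is exactly why tools such as CryptoSearch look inside the file rather than trusting the name.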

Zilla Ransomware Discovered

Avast security researcher Jakub Kroustek discovered the Zilla Ransomware. This ransomware appends .zilla to encrypted files and drops a ransom note named OkuBeni.txt.

June 7th 2017

BeethoveN Ransomware Discovered

MalwareHunterTeam discovered a new in-development ransomware called BeethoveN. It appends the .BeethoveN extension to encrypted files.

Another MrLocker ScreenLocker Discovered

GData security researcher Karsten Hahn discovered another MrLocker screenlocker. The unlock code is 6269521.

New Jigsaw Variant

Michael Gillespie spotted a new Jigsaw Ransomware variant with the extension .R3K7M9. His decryptor has been updated to support this variant.

June 8th 2017

No Known Ransomware Works Against Windows 10 S

No currently known ransomware strain can infect Windows 10 S, said Microsoft today with the release of a new report detailing the next-gen ransomware protection features the company introduced with the release of the Windows 10 Creators Update last month.

In-Dev xXLecXx Ransomware Discovered

BleepingComputer discovered the in-development xXLecXx Ransomware/Screenlocker. It does not encrypt files; Alt+F4 closes it.

New Ransomware Discovered that tells you to contact unlckr@protonmail.com

MalwareHunterTeam found a new ransomware that has a ransom note written in Russian. The ransomware places an encrypted your_key.rsa key file on the desktop and then tells you to contact unlckr@protonmail.com for payment instructions. It appends the .cr020801 extension to encrypted files.

CryptoGod Ransomware Discovered

MalwareHunterTeam discovered the CryptoGod ransomware, which is based on MoWare H.F.D. CryptoGod appends the .payforunlock extension to encrypted files.

Is WannaCry Really Ransomware?

McAfee Labs published a good technical deep dive into WannaCry that asks whether it was really designed as ransomware or possibly as something else.

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

June 9th 2017

Spectre Ransomware May Be Coming for you Soon

A new ransomware was discovered today by MalwareHunterTeam called Spectre. This ransomware is currently in testing mode by the developer, but due to the time and effort that has been put into its creation, I would not be surprised to see this go into distribution soon. With this in mind, I decided to play with the sample a bit and create a quick writeup on the Spectre ransomware from my own analysis.

Jaff Ransomware switches to the .sVn Extension

On Wednesday, security researcher Derek Knight discovered a new Jaff campaign spewing out emails that pretend to be emails from local copy machines. These SPAM emails contain attachments that include an executable file, which encrypt a victim's files and append the .sVn extension to encrypted file names.

MacRansom: Offered as Ransomware as a Service

Just recently, we here at FortiGuard Labs discovered a Ransomware-as-a-Service (RaaS) that uses a web portal hosted on the TOR network, which has become a trend nowadays. However, in this case it was rather interesting to see cybercriminals attack an operating system other than Windows. And this could be the first time we see a RaaS that targets Mac OS.