Another week of mostly small ransomware releases. Ultimately, this is a good thing, as the vast majority of these are never released. Most notable are a macOS RaaS, a new Jaff variant, and a potential new ransomware called Spectre.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @dvk01uk, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @HeimdalSecurity, @McAfee_Labs, @FortiGuardLabs, and @msftmmpc.
BleepingComputer discovered a new Jigsaw Ransomware variant called Ramsey Ransomware. Ramsey appends the .ram extension to encrypted files.
BleepingComputer discovered a new HiddenTear variant called Executioner Ransomware. This ransomware appends a random extension to encrypted files and creates a ransom note named Sifre_Coz_Talimat.html.
BleepingComputer discovered the in-development Mora Project Ransomware. This is a HiddenTear variant and appends .encrypted to encrypted files. It also creates a ransom note named ReadMe_Important.txt.
BleepingComputer discovered a new variant of the Jigsaw ransomware called StrutterGear. It is currently in development and only encrypts a few files.
According to Heimdal Security, the people who distribute the Jaff ransomware share server space with a cybercrime marketplace called PaySell.
Avast security researcher Jakub Kroustek discovered the Zilla Ransomware. This ransomware appends .zilla to encrypted files and drops a ransom note named OkuBeni.txt.
MalwareHunterTeam discovered a new in-development ransomware called BeethoveN. It appends the .BeethoveN extension to encrypted files.
GData security researcher Karsten Hahn discovered another MrLocker screenlocker. The unlock code is 6269521.
No currently known ransomware strain can infect Windows 10 S, said Microsoft today with the release of a new report detailing the next-gen ransomware protection features the company introduced with the release of the Windows 10 Creators Update last month.
BleepingComputer discovered the in-dev xXLecXx Ransomware/Screenlocker. Does not encrypt. Alt+F4 to close.
MalwareHunterTeam found a new ransomware that has a ransom note written in Russian. The ransomware places an encrypted your_key.rsa key file on the desktop and then tells you to contact firstname.lastname@example.org for payment instructions. Appends the .cr020801 extension to encrypted files.
MalwareHunterTeam discovered the CryptoGod ransomware, which is based on MoWare H.F.D. CryptoGod appends the .payforunlock extension to encrypted files.
McAfee Labs published a good technical deep dive into WannaCry, examining whether it was really designed as ransomware or possibly for something else.
Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.
A new ransomware was discovered today by MalwareHunterTeam called Spectre. This ransomware is currently in testing mode by the developer, but due to the time and effort that has been put into its creation, I would not be surprised to see this go into distribution soon. With this in mind, I decided to play with the sample a bit and create a quick writeup on the Spectre ransomware from my own analysis.
On Wednesday, security researcher Derek Knight discovered a new Jaff campaign spewing out emails that pretend to come from local copy machines. These SPAM emails contain attachments that include an executable file, which encrypts a victim's files and appends the .sVn extension to encrypted file names.
Just recently, we here at FortiGuard Labs discovered a Ransomware-as-a-service (RaaS) that uses a web portal hosted in a TOR network, which has become a trend nowadays. However, in this case it was rather interesting to see cybercriminals attack an operating system other than Windows. And this could be the first time we have seen a RaaS that targets Mac OS.