This week saw several notable ransomware releases. A new CryptoMix variant called Revenge is being distributed via the RIG exploit kit, someone has modified Petya to produce their own ransomware without writing one from scratch, and a Star Trek themed ransomware called Kirk Ransomware has appeared.
Some good news is that Fabian Wosar of Emsisoft released a decryptor for the Damage Ransomware and an updated decryptor for CryptON.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @malwareforme, @jorntvdw, @FourOctets, DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @hasherezade, @siri_urz, @jiriatvirlab, @Malwarebytes, @Jan0fficial, @kaspersky, @msftmmpc, @BroadAnalysis, and @BleepinComputer.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
Michael Gillespie discovered a Samas/SamSam variant that appends the .iaufkakfhsaraf extension to encrypted files and drops a ransom note named IF_WANT_FILES_BACK_PLS_READ.html.
Jiri Kropac discovered a new Russian ransomware called RozaLocker that requests 10,000 rubles to decrypt the victim's files. RozaLocker appends the .ENC extension to encrypted files.
Malwarebytes researcher S!Ri discovered a new ransomware targeting French victims.
The ID Ransomware service was hit by two DDoS attacks launched by the author of the Enjey ransomware, embittered after ID Ransomware's creator, Michael Gillespie, had found a way to decrypt his ransomware.
Michael Gillespie set off a ransomware hunt for a ransomware called Project34. This ransomware prepends email@example.com to filenames and drops a note called ПАРОЛЬ.txt (Russian for PASSWORD.txt).
Named PetrWrap, this Petya offspring is part of the arsenal of a new threat actor that hacks into corporate networks and then uses the Windows PsExec utility to push PetrWrap to the servers and endpoints it can reach with the credentials it has obtained.
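PsExec-driven deployment like the PetrWrap campaign described above leaves predictable traces on every target: by default PsExec copies PSEXESVC.exe into the ADMIN$ share (the Windows directory), registers a service named PSEXESVC (System event 7045, "A service was installed in the system"), and talks to it over a named pipe called PSEXESVC (Sysmon events 17/18 if Sysmon is deployed). The following is an added detection example, not code from the article or from any vendor; it runs over constructed, flattened event records and flags the three indicators, plus a heuristic for PsExec's -r option, which renames the service and binary but still drops the executable directly under the Windows directory rather than in System32.

```python
import re

# Constructed sample events, flattened the way a SIEM would extract them
# from System / Sysmon event XML. Not real telemetry.
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "host": "SRV-FILE01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "System", "id": 7045, "host": "WS-042",
     "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    # PsExec run with -r: service name and binary renamed, but the binary
    # still lands directly in the Windows directory (hypothetical name).
    {"log": "System", "id": 7045, "host": "SRV-DB02",
     "ServiceName": "mstsvc", "ImagePath": "%SystemRoot%\\mstsvc.exe"},
    {"log": "Sysmon", "id": 17, "host": "SRV-FILE01",
     "PipeName": "\\PSEXESVC", "Image": "C:\\Windows\\PSEXESVC.exe"},
    {"log": "Security", "id": 4624, "host": "WS-042", "LogonType": "2"},
]

# A service binary sitting directly in %SystemRoot% (not a subdirectory)
# is unusual for legitimate software and is exactly where PsExec drops its
# service executable. Heuristic: expect some tuning on real estates.
WINDOWS_ROOT_EXE = re.compile(
    r'^"?(?:%systemroot%|c:\\windows)\\[^\\]+\.exe"?$', re.IGNORECASE)


def classify_event(ev):
    """Return a rule name if the event looks like PsExec activity, else None."""
    if ev.get("log") == "System" and ev.get("id") == 7045:
        name = ev.get("ServiceName", "").lower()
        image = ev.get("ImagePath", "").strip('"')
        if name == "psexesvc" or image.lower().endswith("\\psexesvc.exe"):
            return "psexec_service_install"
        if WINDOWS_ROOT_EXE.match(image):
            return "service_binary_in_windows_root"
    if ev.get("log") == "Sysmon" and ev.get("id") in (17, 18):
        if "psexesvc" in ev.get("PipeName", "").lower():
            return "psexec_named_pipe"
    return None


def flag_psexec(events):
    """Run every event through classify_event and keep the hits."""
    findings = []
    for ev in events:
        rule = classify_event(ev)
        if rule:
            findings.append({"host": ev.get("host"), "event_id": ev.get("id"),
                             "rule": rule})
    return findings


def hosts_with_psexec(findings):
    """Sorted list of hosts that had at least one PsExec indicator; in a
    ransomware incident this is the first cut of the 'touched' host list."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    hits = flag_psexec(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("hosts:", hosts_with_psexec(hits))
```

Administrators use PsExec legitimately, so treat a hit as a pivot point rather than a verdict: correlate the 7045 events by time across hosts (a burst of service installs from one source account within minutes is the lateral-movement signature) and check the Security log on each target for the network logon (4624, logon type 3) that preceded it.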
Malwarebytes disrupted a ransomware author's plans to launch a RaaS portal after they managed to infiltrate the crook's command and control server, hosted on a common shared hosting provider.
Michael Gillespie noted that someone uploaded a file from the Hermes v2 ransomware to ID Ransomware.
Broad Analysis discovered a new CryptoMix, or CryptFile2, variant called Revenge that is being distributed via the RIG exploit kit. This variant appends the .REVENGE extension to encrypted files and drops a ransom note named # !!!HELP_FILE!!! #.txt.
Avast malware researcher Jakub Kroustek discovered a Turkish ransomware that impersonates CTB-Locker. This ransomware appends the .encrypted extension to encrypted files and drops a ransom note named Beni Oku.txt.
Microsoft's Malware Protection Center has recently observed a change in the way malware authors deploy malicious code via NSIS installers. The changes are at the lowest levels of the installers, at how files are arranged and named inside it. These changes are 100% invisible to end users but are enough to break common security threat detection systems.
Jakub Kroustek discovered a new ransomware called Kirk Ransomware. Boldly going where no man has gone before, the Kirk Ransomware brings so much nerdy goodness to the table that it could make anyone in IT interested. We have Star Trek, Low Orbital Ion Cannons, a cryptocurrency payment other than Bitcoin, and a decryptor named Spock! Need I say more?
This ransomware appends the .Kirked extension to encrypted files and drops a note called RANSOM_NOTE.txt.
Jakub Kroustek discovered another variant of the Kirk Ransomware called Lick Ransomware. This variant works pretty much the same way as Kirk, but also uploads a copy of the encrypted key and other information to Pastebin. This ransomware appends the ..Licked extension to encrypted files and drops a note called RANSOM_NOTE.txt.
A very ugly screen locker called "Ramsomware.CryptoDevil" was discovered by MalwareHunterTeam. The unlock code is kjkszpj. The file properties state it was created by someone going by the alias of "mutr0l".
Malwarebytes malware researcher S!Ri found RoshaLocker 2.0, which stores your files in a password protected RAR file and then demands a ransom to get the archive password.
MalwareHunterTeam discovered a new ransomware called ZinoCrypt Ransomware - 2017 Edition. ZinoCrypt drops a ransom note named ZINO_NOTE.TXT and appends the extension .ZINO to encrypted files.
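Most of the entries in this roundup identify a family by two artifacts: the extension appended to encrypted files and the name of the dropped ransom note, which is also how a service like ID Ransomware fingerprints a sample. The following is an added triage example, not code from the article or from ID Ransomware: it walks a directory tree, counts files carrying each family's extension, checks for the matching note, and returns a best guess. The indicator table is built only from the families described above (SamSam variant, RozaLocker, Revenge, the Turkish CTB-Locker impersonator, Kirk, Lick, ZinoCrypt); the sample victim directory it builds is constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from this week's write-ups: (appended extension, ransom
# note file name or None if not reported). Extensions are matched as a
# case-insensitive suffix, so "report.docx.REVENGE" and "..Licked" both work.
FAMILIES = {
    "Samas/SamSam variant": (".iaufkakfhsaraf", "IF_WANT_FILES_BACK_PLS_READ.html"),
    "RozaLocker": (".ENC", None),
    "CryptoMix Revenge": (".REVENGE", "# !!!HELP_FILE!!! #.txt"),
    "CTB-Locker impersonator (Turkish)": (".encrypted", "Beni Oku.txt"),
    "Kirk": (".Kirked", "RANSOM_NOTE.txt"),
    "Lick": ("..Licked", "RANSOM_NOTE.txt"),
    "ZinoCrypt": (".ZINO", "ZINO_NOTE.TXT"),
}


def scan_tree(root):
    """Walk root; return per-family encrypted-file counts and the set of
    ransom-note names (lower-cased) found anywhere in the tree."""
    counts = Counter()
    notes_seen = set()
    for _dirpath, _dirs, files in os.walk(root):
        for fn in files:
            low = fn.lower()
            for family, (ext, note) in FAMILIES.items():
                if note and low == note.lower():
                    notes_seen.add(low)
                if low.endswith(ext.lower()):
                    counts[family] += 1
    return counts, notes_seen


def classify(root):
    """Return (best family or None, evidence per candidate family).
    A family needs at least one encrypted file; a matching note dominates
    the score, which matters when two families share a note name (Kirk and
    Lick both drop RANSOM_NOTE.txt, so the extension decides between them)."""
    counts, notes_seen = scan_tree(root)
    best, best_score, evidence = None, 0, {}
    for family, (_ext, note) in FAMILIES.items():
        n = counts.get(family, 0)
        if n == 0:
            continue
        note_hit = bool(note) and note.lower() in notes_seen
        evidence[family] = {"files": n, "note": note_hit}
        score = n + (1000 if note_hit else 0)
        if score > best_score:
            best, best_score = family, score
    return best, evidence


DEFAULT_SAMPLE = ("report.docx.REVENGE", "budget.xlsx.REVENGE",
                  "photo.jpg.REVENGE", "# !!!HELP_FILE!!! #.txt", "readme.txt")


def build_sample_tree(names=DEFAULT_SAMPLE):
    """Create a constructed victim directory (placeholder content, not real
    encrypted data) and return its path."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in names:
        with open(os.path.join(docs, name), "wb") as f:
            f.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    family, ev = classify(build_sample_tree())
    print("best guess:", family)
    print("evidence:", ev)
```

Extension-only matches deserve less trust than extension-plus-note ones: .ENC and .encrypted are generic enough to collide with other families and even with legitimate tooling, so in practice a single-indicator hit should be confirmed against the note text or the sample itself before a decryptor is chosen.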
Jakub Kroustek discovered a new variant of the Jigsaw ransomware that utilizes a new background.
Jan Poulsen discovered a builder for the DH_File_Locker Ransomware.
Jan Poulsen discovered a builder for the Trident File Locker.
Karsten Hahn discovered a new HiddenTear variant called MacAndChess Ransomware.
Michael Gillespie released a decryptor for the BrainCrypt Ransomware. This decryptor will decrypt files that have the following string appended to them: .[firstname.lastname@example.org].braincrypt. The decryptor can be downloaded here.