Lots and lots of little crappy ransomware released this week with nothing new or innovative. We do have some interesting Spora stats, lots of new Jigsaw variants, a story on the decline of Locky, and of course an updated decryptor by Fabian Wosar, who continues to kick ransomware in the buttocks. Other than that, there was not really anything of significance.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @BleepinComputer, @erpscan, @barklyprotects.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
A BleepingComputer member posted a new topic in the support forums about the new MOTD ransomware. This ransomware will encrypt files and append the .enc extension and drop ransom notes named motd.txt.
Emsisoft security researcher xXToffeeXx discovered a new variant of the in-development CryptoDevil ransomware that has started encrypting files. This variant will encrypt files in subfolders under the folder it runs from. When encrypting a file, it will add the .devil extension to the encrypted file's name.
This article discusses how the number of Locky ransomware infections has been going down over the last 6 months and has reached an all-time low this month in March.
A new Indiana bill plans to make ransomware attacks a crime on its own, punishable with a sentence from one to six years in prison and a maximum fine of up to $10,000. House Bill 1444 was proposed last year by State Rep. Christopher Judy (R-Fort Wayne), passed the Indiana House of Representatives in late February, and will be heard tomorrow in the Senate Corrections and Criminal Law Committee, one of the few final steps before reaching the governor's desk.
A new ransomware called LLTP Ransomware or LLTP Locker, which targets Spanish-speaking victims, was discovered today by MalwareHunterTeam. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.
ERPScan discovered a remote code execution flaw in the SAP Windows client that opens the door for ransomware attacks targeting enterprises that rely on various SAP products to manage and keep track of their business operations. SAP, a German company that makes enterprise software used by over 335,000 customers in 190 countries, patched the issue last week.
Barkly created an article about how Spora Ransomware has one of the most user-friendly payment systems.
BleepingComputer has discovered the Zorry Ransomware that appends the .zorro extension to encrypted files and drops a ransom note named Take_Seriously (Your saving grace).txt.
BleepingComputer discovered a new HiddenTear/MafiaWare variant called AngleWare that appends .AngleWare to encrypted files.
Jakub Kroustek found a modified Jigsaw Ransomware, being dubbed Monument, that adds payment instructions as the extension for encrypted files. MalwareHunterTeam also noted that this ransomware is bundled with the Imminent Monitor RAT.
This extension is .To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours.
And we end with a crappy ransomware discovered by MalwareHunterTeam called SADStory. This ransomware may be a variant of CryPy and uses an email address of firstname.lastname@example.org, which used to be associated with KimcilWare.