This week's article combines the previous week's stories as well. Lots of small in-dev ransomware over the last two weeks, a few RaaS (Ransomware as a Service) implementations were released, and a decryptor for GandCrab was released.
The biggest news was the release of a decryptor for the GandCrab ransomware. This decryptor only works on some versions of the software and the actors behind GandCrab have stated they are already working on a new version with a more secure Command & Control server.
In other news, the Colorado department of transportation was hit by SamSam, which caused them to have to shut down 2,000 computers.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @demonslay335, @BleepinComputer, @FourOctets, @jorntvdw, @struppigel, @campuscodi, @malwareforme, @hexwaxwing, @Seifreed, @fwosar, @DanielGallagher, @nao_sec, @Bitdefender, @malware_traffic, @PaloAltoNtwks, @siri_urz, @bartblaze, @alienvault, @ESET, @WITN, @samvdkris, @CryptoInsane, @GrujaRS, & @r00tbsd.
Karsten Hahn discovered a new in-development ransomware called Relec. Something tells me they meant to spell Relic. Regardless, it does not encrypt.
Karsten Hahn discovered DeadRansomware. A ransomware so boring you simply die. In reality it's a screenlocker with the password "DeadRansomwareDecryptMyFiles".
Karsten Hahn found another in-dev ransomware that appends the .ransomwared extension to encrypted files. It only encrypts the Documents/target.txt file for now.
Karsten Hahn is killing it today with the finding of an in-dev ransomware called WannaCrypt. It has an unlock code of "542UTFQ2NDU2HM9K2YTVGZNZKNVSSE".
The authors of the newly-discovered Saturn ransomware are allowing anyone to become a ransomware distributor for free via a newly launched Ransomware-as-a-Service (RaaS) affiliate program.
A North Carolina county government's computers have been infected by ransomware, slowing business to a crawl.
The number of ransomware infections on Android devices has gone down in 2017, according to an end-of-year report published by ESET last week.
I couldn't resist using that emoji for the discovery of the BananaCrypt Ransomware by MalwareHunterTeam. This ransomware appends the .bananaCrypt extension to encrypted files' names.
MalwareHunterTeam discovered a ransomware targeting Russian victims called Russenger. This ransomware drops a ransom note named Инструкция по дешифровке.txt and uses the .messenger-%random% extension (the random part changes for every file) for encrypted file names.
Today a reader sent me info regarding the LockCrypt Ransomware being actively distributed over hacked remote desktop services. This variant, when installed, will encrypt a victim's files and then append the .1btc extension to encrypted file names.
GrujaRS discovered a new variant of Shifr that appends the .cypher extension to encrypted files and drops a ransom note named How_To_Decrypt_Files.html.
The community leadership award for efforts to decrypt ransomware as a public service was given to Michael Gillespie. This special award, presented on behalf of the Director of the FBI, was formally created in 1990 as a way to honor individuals and organizations for their efforts in combating terrorism, cyber-crime, illegal drugs, gangs, and other crimes leading to violence in America. Michael Gillespie is one of 56 individuals or organizations around the United States who received this award this year.
Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. This includes terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can't run a variety of programs, and then to sweeten the pot, it overwrites the master boot record of the infected computer with a silly boot loader.
The Colorado Department of Transportation (DOT) has shut down over 2,000 computers after some systems got infected with the SamSam ransomware on Wednesday, February 21.
Two days after crooks started advertising the Data Keeper Ransomware-as-a-Service (RaaS) on the Dark Web, ransomware strains generated on this portal have already been spotted in the wild, infecting the computers of real-world users.
Ransomware developers continue to release infections that are clearly not well tested and contain bugs that may make it difficult, if not impossible, for victims to recover their files. Such is the case with the new in-the-wild ransomware called Thanatos that was discovered by security researcher MalwareHunterTeam.
The exploit kit landscape has continued the decline that started in the summer of 2016, and its leading player, the RIG exploit kit, has stopped delivering any ransomware strains in 2018, focusing now on spreading cryptocurrency miners (coinminers) and information-stealing trojans (infostealers).
MalwareHunterTeam found a new variant of the XiaoBa Ransomware that replaces the encrypted file's extension with .Encrypted[BaYuCheng@yeah.net].XiaoBa and drops a ransom note named _XiaoBa_Info_.hta.
Bitdefender has released a free decrypter that helps victims of GandCrab ransomware infections recover files without paying the ransom.
Even though Bitdefender released a GandCrab decryptor today, it is not stopping the GandCrab affiliates from continuing to use new methods to distribute their ransomware. Today malware traffic analyst nao_sec discovered that EITest was being used to distribute the GandCrab ransomware as part of the HoeflerText Font Update scam.
Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .email@example.com extension to encrypted files. Michael's decryptor will decrypt this variant as well.
MalwareHunterTeam discovered a new ransomware that uses GPG to encrypt files and then wipes the originals with SDelete. This is similar to VaultCrypt and KeyBTC. This ransomware appends the ..qwerty extension to encrypted files. It is most likely installed over hacked RDP.
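The items above leave behind two kinds of file-name artifacts a responder can look for on a backup manifest or an offline file listing: the encrypted-file extensions and the ransom-note names. The following Python script is an added example (it is not code from this article or from any of the researchers credited above) that turns those names into a small classifier. Two of the extensions need care: Russenger's .messenger-%random% suffix differs for every file, so it is matched with a regular expression (the example assumes the random part is alphanumeric, which the article does not state), and XiaoBa's .Encrypted[BaYuCheng@yeah.net].XiaoBa contains regex metacharacters that must be escaped. The sample listing at the bottom is constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Encrypted-file extensions named in this week's items. Each value is a regex
# matched against the end of the base name.
EXTENSION_PATTERNS = {
    "ransomwared (in-dev)": re.compile(r"\.ransomwared$"),
    "BananaCrypt": re.compile(r"\.bananaCrypt$"),
    # Assumption: the per-file random part is alphanumeric; the article only
    # says it changes for every file.
    "Russenger": re.compile(r"\.messenger-[A-Za-z0-9]+$"),
    "LockCrypt": re.compile(r"\.1btc$"),
    "Shifr variant": re.compile(r"\.cypher$"),
    # XiaoBa replaces the original extension; the brackets and dots are escaped.
    "XiaoBa": re.compile(r"\.Encrypted\[BaYuCheng@yeah\.net\]\.XiaoBa$"),
    "Jigsaw variant": re.compile(r"\.email@example\.com$"),
    # Note the double dot in this one.
    "GPG ..qwerty": re.compile(r"\.\.qwerty$"),
}

# Ransom-note file names named in this week's items (exact base-name match).
RANSOM_NOTES = {
    "Инструкция по дешифровке.txt": "Russenger",
    "How_To_Decrypt_Files.html": "Shifr variant",
    "_XiaoBa_Info_.hta": "XiaoBa",
}


def base_name(path: str) -> str:
    """Return the last path component, accepting Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify_name(path: str) -> Optional[str]:
    """Return the family a file name points to, or None if nothing matches."""
    name = base_name(path)
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    for family, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def scan_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Group every matching path under its suspected family.

    The input is a plain list of paths (a file-system walk, a backup manifest,
    a SIEM export), so the check can run against an offline copy rather than
    on the infected host itself.
    """
    hits: Dict[str, List[str]] = {}
    for path in paths:
        family = classify_name(path)
        if family is not None:
            hits.setdefault(family, []).append(path)
    return hits


def suspected_families(paths: List[str]) -> List[str]:
    """Sorted list of families with at least one hit in the listing."""
    return sorted(scan_listing(paths))


# Constructed sample listing; these paths and file names are invented.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.1btc",
    r"C:\Users\alice\Documents\Инструкция по дешифровке.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.messenger-a8f3k2",
    r"C:\Users\alice\Pictures\holiday2.jpg.messenger-zz91qq",
    r"C:\Users\bob\Desktop\report.docx.Encrypted[BaYuCheng@yeah.net].XiaoBa",
    r"C:\Users\bob\Desktop\_XiaoBa_Info_.hta",
    r"C:\Users\bob\Desktop\notes.txt..qwerty",
    r"C:\Users\bob\Desktop\readme.txt",
]

if __name__ == "__main__":
    for family, paths in sorted(scan_listing(SAMPLE_LISTING).items()):
        print(f"{family}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Matching on file names alone is a fast triage step, not proof of a particular family: several unrelated strains reuse generic extensions, and the in-dev samples above may change their extension before they are ever distributed. Treat a hit as a reason to pull the ransom note and a sample for identification, and feed the same patterns into whatever file-integrity or EDR tooling already watches user directories.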