This week's article combines the previous week's stories as well.  Lots of small in-dev ransomware over the last two weeks, a few RaaS (Ransomware as a Service) implementations were released, and a decryptor for GandCrab was released.

The biggest news was the release of a decryptor for the GandCrab ransomware. This decryptor only works on some versions of the software and the actors behind GandCrab have stated they are already working on a new version with a more secure Command & Control server.

In other news, the Colorado Department of Transportation was hit by SamSam, which forced them to shut down 2,000 computers.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @demonslay335, @BleepinComputer, @FourOctets, @jorntvdw, @struppigel, @campuscodi, @malwareforme, @hexwaxwing, @Seifreed, @fwosar, @DanielGallagher, @nao_sec, @Bitdefender, @malware_traffic, @PaloAltoNtwks, @siri_urz, @bartblaze, @alienvault, @ESET, @WITN, @samvdkris, @CryptoInsane, @GrujaRS, & @r00tbsd.

February 17th 2018

Relec Ransomware Discovered

Karsten Hahn discovered a new in-development ransomware called Relec. Something tells me they meant to spell Relic. Regardless, it does not encrypt.

DeadRansomware Discovered

Karsten Hahn discovered DeadRansomware. A ransomware so boring you simply die. In reality it's a screenlocker with the password "DeadRansomwareDecryptMyFiles".

Ransomwared Ransomware Discovered

Karsten Hahn found another in-dev ransomware that appends the .ransomwared extension to encrypted files. It only encrypts the Documents/target.txt file for now.

WannaCrypt Ransomware Discovered

Karsten Hahn is killing it today with the finding of an in-dev ransomware called WannaCrypt. Has an unlock code of "542UTFQ2NDU2HM9K2YTVGZNZKNVSSE".

February 18th 2018

New Saturn RaaS Lets Everyone Become a Ransomware Distributor for Free

The authors of the newly-discovered Saturn ransomware are allowing anyone to become a ransomware distributor for free via a newly launched Ransomware-as-a-Service (RaaS) affiliate program.

North Carolina county government computers hit by ransomware

A North Carolina county government's computers have been infected by ransomware, slowing business to a crawl.

February 19th 2018

Android Ransomware Numbers Went Down in 2017

The number of ransomware infections on Android devices has gone down in 2017, according to an end-of-year report published by ESET last week.

BananaCrypt Ransomware Discovered

I couldn't resist using that emoji for the discovery of the BananaCrypt Ransomware by MalwareHunterTeam. This ransomware appends the .bananaCrypt extension to encrypted file names.

The Russian Russenger Ransomware Discovered

MalwareHunterTeam discovered a ransomware targeting Russian victims called Russenger. This ransomware drops a ransom note named Инструкция по дешифровке.txt and uses the .messenger-%random% extension (which changes for every file) for encrypted file names.

February 20th 2018

LockCrypt .1BTC Variant Installed Over Hacked Remote Desktop Services

Today a reader sent me info regarding the LockCrypt Ransomware being actively distributed over hacked remote desktop services. This variant, when installed, will encrypt a victim's files and then append the .1btc extension to encrypted file names.

New Shifr appends Cypher

GrujaRS discovered a new variant of Shifr that appends the .cypher extension to encrypted files and drops a ransom note named How_To_Decrypt_Files.html.

Michael Gillespie Interview – The FBI Awarded Cyber-Superhero

The community leadership award for efforts to decrypt ransomware as a public service was given to Michael Gillespie. This special award, presented on behalf of the Director of the FBI, was formally created in 1990 as a way to honor individuals and organizations for their efforts in combating terrorism, cyber-crime, illegal drugs, gangs, and other crimes leading to violence in America. Michael Gillespie is one of 56 individuals or organizations around the United States who received this award this year.

February 21st 2018

The Annabelle Ransomware Is a Horrific Mess

Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. This includes terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can't run a variety of programs, and then to sweeten the pot, it overwrites the master boot record of the infected computer with a silly boot loader.

February 23rd 2018

SamSam Ransomware Hits Colorado DOT, Agency Shuts Down 2,000 Computers

The Colorado Department of Transportation (DOT) has shut down over 2,000 computers after some systems got infected with the SamSam ransomware on Wednesday, February 21.

Turkish Globe2 Ransomware

Michael Gillespie found a Turkish Globe2 Ransomware that is using the .frmvrlr2017 extension for encrypted files. Can still be decrypted by Emsisoft's decryptor.

Baliluware Ransomware Discovered

Michael Gillespie found a new HiddenTear variant called Baliluware that has the very long extension of YOU-ARE-F*CKED-BY-BALILUWARE-(CODED-BY-HEROPOINT).

February 24th 2018

Data Keeper Ransomware Makes First Victims Two Days After Release on Dark Web RaaS

Two days after crooks started advertising the Data Keeper Ransomware-as-a-Service (RaaS) on the Dark Web, ransomware strains generated on this portal have already been spotted in the wild, infecting the computers of real-world users.

February 26th 2018

Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption

Ransomware developers continue to release infections that are clearly not tested well and contain bugs that may make it difficult, if not impossible, for victims to recover their files. Such is the case with the new in-the-wild ransomware called Thanatos that has been discovered by security researcher MalwareHunterTeam.

The Rig Exploit Kit Has Forsaken Ransomware for Coinminers

The exploit kit landscape has continued its downfall started in the summer of 2016 and its leading player —the RIG exploit kit— has stopped delivering any ransomware strains in 2018, focusing now on spreading cryptocurrency miners (coinminers) and information-stealing trojans (infostealers).

February 27th 2018

New XiaoBa Variant Discovered

MalwareHunterTeam found a new variant of the XiaoBa Ransomware that replaces the encrypted file's extension with .Encrypted[].XiaoBa and drops a ransom note named _XiaoBa_Info_.hta.

February 28th 2018

Free Decrypter Available for GandCrab Ransomware Victims

Bitdefender has released a free decrypter that helps victims of GandCrab ransomware infections recover files without paying the ransom.

EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager

Even though Bitdefender released a GandCrab decryptor today, it is not stopping the GandCrab affiliates from continuing to use new methods to distribute their ransomware. Today malware traffic analysis nao_sec discovered that EITest was being used to distribute the GandCrab ransomware as part of the HoeflerText Font Update scam.

Kwaak HiddenTear Variant

Lawrence Abrams found an in-dev HiddenTear variant called kwaak that appends the .kwaaklocked extension to encrypted files.

March 1st 2018

New Jigsaw Ransomware Variant

Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the to encrypted files. Michael's decryptor will decrypt this variant as well.

CryptConsole Decryptor Updated

Michael Gillespie spotted a criminal's decrypter for the CryptConsole Ransomware using the email Support was added to Michael's decryptor for this variant.

New Dharma Variant Released

Michael Gillespie's ID Ransomware service spotted the .id-.[].arrow extension now being used by Dharma. We still need a sample if anyone gets one.

Qwerty Ransomware uses GnuPG

MalwareHunterTeam discovered a new ransomware that is using GPG to encrypt files and then SDeletes the original. This is similar to VaultCrypt and KeyBTC.  This ransomware appends the ..qwerty extension to encrypted files. Most likely installed over hacked RDP.

PrincessLocker Still Active

Michael Gillespie's ID Ransomware spotted a submission for the PrincessLocker Ransomware using the =_HOW_TO_FIX_RQZLIN.txt ransom note. Surprised this one is still going.

March 2nd 2018

Big uptick in Magniber targeting South Korea

MalwareHunterTeam spotted a huge uptick in Magniber infections targeting South Korea. According to Paul Rascagnères, it could be because yesterday was South Korea's Independence Day.

That's it for this week! Hope everyone has a nice weekend!

