It was mostly small variants released this week. We did have a new Cryptomix variant released, a wiper called UselessDisk disguised as a ransomware, and a strange report that Boeing had been infected with WannaCry. Overall, though, it has been a slow week.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @malwareforme, @jorntvdw, @BleepinComputer, @Seifreed, @hexwaxwing, @PolarToffee, @demonslay335, @fwosar, @LawrenceAbrams, @campuscodi, @FourOctets, @DanielGallagher, @struppigel, @DmitriyMelikov, @seattletimes, @leotpsc, @JakubKroustek, and @bartblaze.
A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered by Dmitry Melikov that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again.
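When triaging a suspected bootlocker like the one above, the first thing a responder wants is a look at the raw first sector: a legitimate MBR carries a small bootstrap routine, a partition table at offset 446 and the 0x55AA signature at offset 510, whereas an overwrite typically replaces the bootstrap code with a ransom message and often wipes the partition table. The script below is an added example, not code from the original article or from the DiskWriter/UselessDisk sample; it parses a 512-byte MBR dump, applies a few heuristics (keyword scan and long printable runs in the bootstrap area, empty or malformed partition table, missing signature) and optionally compares against a known-good copy. The three sample sectors, the keyword list and the 40-byte text-run threshold are constructed assumptions for the demonstration.

```python
"""Triage a 512-byte MBR dump for signs of a bootlocker or wiper overwrite.

Added example: the sample sectors below are constructed, not real malware bytes.
"""
import re
import struct
import sys

MBR_SIZE = 512
BOOTCODE_SIZE = 446            # bootstrap code occupies bytes 0..445
PT_OFFSET = 446                # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 on a bootable MBR

# Heuristic thresholds (assumptions for this example, not derived from a sample).
MAX_LEGIT_TEXT_RUN = 40        # stock MBRs only carry short error strings
RANSOM_WORDS = (b"bitcoin", b"ransom", b"encrypt", b"decrypt", b"unlock", b"payment")


def parse_partition_table(sector):
    """Return the four primary partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * 16
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def longest_printable_run(data):
    """Length of the longest run of printable ASCII bytes in data."""
    return max((len(r) for r in re.findall(rb"[\x20-\x7e]+", data)), default=0)


def analyze_mbr(sector, baseline=None):
    """Return {'suspicious', 'findings', 'partitions'} for one 512-byte sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    findings = []
    bootcode = sector[:BOOTCODE_SIZE]

    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")

    parts = parse_partition_table(sector)
    if all(p["type"] == 0 for p in parts):
        findings.append("partition table is empty")
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid partition status byte")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")

    run = longest_printable_run(bootcode)
    if run > MAX_LEGIT_TEXT_RUN:
        findings.append(f"{run}-byte text run in bootstrap area")
    hits = sorted({w.decode() for w in RANSOM_WORDS if w in bootcode.lower()})
    if hits:
        findings.append("ransom keywords in bootstrap area: " + ", ".join(hits))

    # Strongest check: diff against a known-good MBR saved from a backup or golden image.
    if baseline is not None:
        if bootcode != baseline[:BOOTCODE_SIZE]:
            findings.append("bootstrap code differs from known-good baseline")
        if sector[PT_OFFSET:510] != baseline[PT_OFFSET:510]:
            findings.append("partition table differs from known-good baseline")

    return {"suspicious": bool(findings), "findings": findings, "partitions": parts}


def _build_mbr(bootcode, partitions, signature=BOOT_SIGNATURE):
    """Assemble a sector from parts (helper for the constructed samples only)."""
    pt = b"".join(struct.pack("<B3sB3sII", *p) for p in partitions).ljust(64, b"\x00")
    return bootcode.ljust(BOOTCODE_SIZE, b"\x00") + pt + signature


# Constructed clean MBR: a few opcode bytes, the usual short error strings,
# one active NTFS partition starting at LBA 2048.
CLEAN_MBR = _build_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4"
    b"Invalid partition table\x00Error loading operating system\x00Missing operating system\x00",
    [(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)])

# Constructed bootlocker-style MBR: ransom text where code should be, table wiped,
# signature kept so the BIOS still boots the lock screen.
RANSOM_MBR = _build_mbr(
    b"\xb8\x13\x00\xcd\x10"
    b"YOUR DISK IS LOCKED. All your files are encrypted. Send $300 in bitcoin to unlock your PC.",
    [])

# Constructed wiper-style MBR: everything zeroed, including the signature.
ZEROED_MBR = b"\x00" * MBR_SIZE


if __name__ == "__main__":
    # Usage: dd if=/dev/sda bs=512 count=1 of=mbr.bin; python mbr_triage.py mbr.bin [good.bin]
    sector = open(sys.argv[1], "rb").read(MBR_SIZE)
    base = open(sys.argv[2], "rb").read(MBR_SIZE) if len(sys.argv) > 2 else None
    result = analyze_mbr(sector, base)
    print("SUSPICIOUS" if result["suspicious"] else "looks normal")
    for f in result["findings"]:
        print(" -", f)
```

The heuristics are only a first pass; the baseline comparison is the reliable check, so keep a copy of the first sector of each build in your golden-image inventory and diff against it during incident triage.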
Michael Gillespie spotted new extensions for the Paradise Ransomware being uploaded to ID Ransomware. These new extensions are: "[id-]..ransom" and "[id-]..logger".
Jakub Kroustek discovered a new in development ransomware called EggLocker that appends the .EGG extension to encrypted files.
Michael Gillespie saw a new ransom note uploaded to ID Ransomware for a ransomware called WhiteRose. This ransomware currently uses the ransom note name HOW-TO-RECOVERY-FILES.TXT and renames encrypted files to a name like BT2cJMtNeYlaKJHP_ENCRYPTED_BY.WHITEROSE.
Karsten Hahn discovered the new Sorry Ransomware, which appears to be HiddenTear based. When encrypting files it appends the .sorry extension and drops ransom notes named How Recovery Files.txt and hrf.txt. It lists the contact emails email@example.com and firstname.lastname@example.org.
Karsten Hahn discovered a screenlocker called JFRansomware. This infection does not encrypt your files and simply shows a screenlocker that states "All of your files have been encrypted!". The unlock code is "Saus2018".
Karsten Hahn discovered a malware builder called Haxerboi that also includes a ransomware.
Bart discovered a L0cked variant that is most likely still in development. It uses the .lckd extension and has a contact email of email@example.com.
Bart found a new WannaCry imitator that uses a WhatsApp icon and calls itself Bansomqare Manna. When encrypting files it appends the .bitcoin extension and uses a contact email of MildredRLewis@teleworm.us.
In a baffling turn of events, computers at Boeing have allegedly been infected with the WannaCry Ransomware. According to the Seattle Times, a memo sent out by a Boeing employee states that systems have been affected and that there were concerns the ransomware would "spread to airplane software".
The Boeing Twitter account later stated that this malware disruption was overstated.
Today MalwareHunterTeam discovered a new variant of the Cryptomix Ransomware that appends the .MOLE66 extension to encrypted files, changes the contact email, and slightly changes the ransom note's name. In the past, we used to see new Cryptomix variants a few times a month, but this time it has been almost 2 months since the previous System variant was released.
Leo discovered a new ransomware calling itself RansomwareTest. It is obviously an in-development ransomware and most likely not being distributed. It appends .crypt to encrypted file names and does not currently drop a ransom note.
MalwareHunterTeam discovered a new ransomware called H34rtBl33d. This ransomware has several interesting features, such as attempting to infect files, spreading via P2P using LimeWire, and adding a copy of the ransomware to RAR files.
Looks like Satan Ransomware is still alive. Bart found a sample that is still appending the .satan extension and using the firstname.lastname@example.org contact email.