It was mostly small variants released this week. We did have a new Cryptomix variant released, a wiper called UselessDisk disguised as a ransomware, and a strange report that Boeing had been infected with WannaCry. Overall, though, it has been a slow week.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @malwareforme, @jorntvdw, @BleepinComputer, @Seifreed, @hexwaxwing, @PolarToffee, @demonslay335, @fwosar, @LawrenceAbrams, @campuscodi, @FourOctets, @DanielGallagher, @struppigel, @DmitriyMelikov, @seattletimes, @leotpsc, @JakubKroustek, and @bartblaze.

March 24th 2018

The DiskWriter or UselessDisk BootLocker May Be A Wiper

Dmitry Melikov discovered a new MBR bootlocker called DiskWriter, or UselessDisk, that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again.

New extensions for Paradise Ransomware

Michael Gillespie spotted new extensions for the Paradise Ransomware being uploaded to ID Ransomware. These new extensions are: "[id-].[].ransom" and "[id-].[].logger".

EggLocker Ransomware discovered

Jakub Kroustek discovered a new in-development ransomware called EggLocker that appends the .EGG extension to encrypted files.

March 26th 2018

WhiteRose Ransomware discovered

Michael Gillespie saw a new ransom note uploaded to ID Ransomware for a ransomware called WhiteRose. This ransomware is currently using the ransom note name HOW-TO-RECOVERY-FILES.TXT and renames encrypted files to a name like BT2cJMtNeYlaKJHP_ENCRYPTED_BY.WHITEROSE.

Sorry Ransomware discovered

Karsten Hahn discovered the new Sorry Ransomware, which appears to be HiddenTear based. When encrypting files, it appends the .sorry extension and drops ransom notes named How Recovery Files.txt & hrf.txt. It also has contact emails of

JFRansomware screenlocker discovered

Karsten Hahn discovered a screenlocker called JFRansomware. This infection does not encrypt your files and simply shows a screenlocker that states "All of your files have been encrypted!". The unlock code is "Saus2018".

Haxerboi Ransomware discovered

Karsten Hahn discovered a malware builder called Haxerboi that also includes a ransomware.

March 27th 2018

New L0cked variant

Bart discovered a L0cked variant that is most likely still in development. It will be using the .lckd extension and has a contact email of

Bansomqare Manna Ransomware discovered

Bart found a new WannaCry imitator that uses a WhatsApp icon and calls itself Bansomqare Manna. When encrypting files, it appends the .bitcoin extension and uses a contact email of

March 28th 2018

Boeing Is Dealing With a Suspected WannaCry Ransomware Outbreak

In a baffling turn of events, computers at Boeing have allegedly been infected with the WannaCry Ransomware. According to the Seattle Times, a memo was sent out by a Boeing employee that states that systems have been affected and that there were concerns the ransomware would "spread to airplane software".

The Boeing Twitter account later stated that this malware disruption was overstated.

March 29th 2018

Mole66 Cryptomix Ransomware Variant Released

Today MalwareHunterTeam discovered a new variant of the Cryptomix Ransomware that appends the .MOLE66 extension to encrypted files, changes the contact email, and slightly changes the ransom note's name. In the past, we used to see new Cryptomix variants a few times a month, but this time it has been almost 2 months since the previous System variant was released.

RansomwareTest discovered

Leo discovered a new ransomware calling itself RansomwareTest. It is obviously an in-development ransomware and is most likely not being distributed. It appends .crypt to encrypted file names and does not currently drop a ransom note.

March 30th 2018

H34rtBl33d Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called H34rtBl33d. This ransomware has a bunch of interesting features, such as trying to infect files, spreading via P2P using Limewire, and adding a copy of the ransomware to RAR files.

Satan Ransomware spotted again

It looks like Satan Ransomware is still alive. Bart found a sample that is still appending the .satan extension and using the contact email.

That's it for this week! Hope everyone has a nice weekend!
