A typical week in ransomware, with a lot of small variants released and a resurgence of activity from Crypt0L0cker. The biggest news this week is that someone posted the master decryption keys for the Dharma Ransomware in the BleepingComputer.com forums. These keys were analyzed by various anti-virus vendors and used to create decryptors for the Dharma Ransomware.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @malwrhunterteam, @demonslay335, @PolarToffee, DanielGallagher, @campuscodi, @struppigel, @JAMESWT_MHT, @Seifreed, @matthew_d_green, @JakubKroustek, @jiriatvirlab, @ESET, @avast_antivirus, @Malwarebytes, @ransomware_it, @DynamicAnalysis, @kaspersky, and @msftmmpc.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
After the ransacking of MongoDB, ElasticSearch, Hadoop, CouchDB, and Cassandra servers, attackers are now hijacking hundreds of MySQL databases, deleting their content, and leaving a ransom note behind asking for a 0.2 Bitcoin ($235) payment.
Michael Gillespie found a HiddenTear-based ransomware called BarRax. This ransomware will encrypt files and append the .BarRax extension to them. The bizarre part of this infection is that it also has a support forum. That's a good way to get busted.
A new Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware is behind the Unlock26 ransomware discovered this past week. First spotted two days ago, this ransomware operation is unusual in that it features a very minimal and direct style, with little to no instructions and simply designed ransom notes and ransom payment portal.
I discovered a new in-dev ransomware called Sardoninir that includes 100 different email accounts that are used to send information about the victim to the ransomware developer. It appends the .enc extension to encrypted files.
Johns Hopkins cryptography professor Matthew Green wrote an interesting article about potential future methods of ransomware payment and key delivery. Definitely an interesting read.
ESET malware analyst Jiri Kropac discovered a new Czech-o-Slovak ransomware called FileLocker. When encrypting files it will append the .ENCR extension to the filenames.
Malwarebytes wrote an article on how to decrypt files encrypted by the macOS Findzip ransomware.
The Crypt0L0cker ransomware, otherwise known as Torrentlocker or Teerac, was a common ransomware infection that mostly targeted Australia and European countries in 2014. Towards the middle of 2015, though, this ransomware slowly started dying off to the point that it was hardly distributed anymore.
Fast forward to the beginning of February 2017, where we are now seeing Crypt0L0cker making a strong comeback and targeting European countries once again.
Microsoft MMPC spotted a digitally signed sample of the Locky Ransomware being distributed. This variant continues to append the .OSIRIS extension to encrypted files.
Out of the blue, someone posted in the BleepingComputer.com forums the supposed master decryption keys for the Dharma Ransomware. This post was created at 1:42 PM EST by a member named gektar in the Dharma Ransomware Support Topic and contained a Pastebin link to a C header file that supposedly contains these master decryption keys.
MalwareHunterTeam discovered a new in-development ransomware called KRider. This ransomware appends the .kr3 extension to encrypted files.
Avast researcher Jakub Kroustek shows that it is becoming harder and harder to tell what ransomware family a new variant belongs to. Jakub has discovered a new variant that appends the .SN-%IDfirstname.lastname@example.org_worldcza@email.cz extension to encrypted files. Is this a new Crysis variant? Who knows.
Malware Breakdown discovered that the ASN1 ransomware is being distributed by the RIG exploit kit. This ransomware will create ransom notes named !!!!!readme!!!!!.htm, but no extensions are appended to encrypted files.
Kaspersky has tested the keys that were released for Dharma and has determined that they are indeed legitimate. Using these keys, Kaspersky updated their RakhniDecryptor so that it can decrypt Dharma encrypted files. I tested this and the decryption worked flawlessly. Soon after, ESET and Avast released decryptors for Dharma as well.
ESET discovered that the ransom notes from Cerber ransomware infections have been found inside the source code of two Android applications available on the official Google Play Store.
MalwareHunterTeam found a sample of a new ransomware being developed that is based off the MafiaWare source.
GData security researcher Karsten Hahn discovered a new HiddenTear-based ransomware called FabSysCrypto. This ransomware copies Locky's ransom note.