It has been a pretty slow ransomware week as most of the malware developers have started pushing cryptominers. We did see the continued distribution of the GnuPG based Qwerty Ransomware and a new variant of the GandCrab ransomware that makes it secure again.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @FourOctets, @PolarToffee, @malwrhunterteam, @struppigel, @demonslay335, @hexwaxwing, @Seifreed, @campuscodi, @LawrenceAbrams, @DanielGallagher, @fwosar, @BleepinComputer, @malwareforme, @GrujaRS, @malware_traffic, @NorwichBulletin, and @CyberEdgeGroup.
GrujaRS found a new GlobeImposter variant that utilizes the extension .encrypt and drops a ransom note named instructions.html.
Michael Gillespie found a new Jigsaw Ransomware variant that uses the extension .Bitconnect and new extortion text wanting you to take a photo of yourself to post on Instagram.
Michael Gillespie found a RotorCrypt Ransomware that appends the extension ! ,--, Revert Access ,--, firstname.lastname@example.org ,--,.BlockBax_v3.2.
MalwareHunterTeam discovered that GandCrab version 2 was released, which contains changes that supposedly make it more secure and allow us to differentiate it from the original version. In this article we will provide a quick overview as to what has changed and how you can identify that you are are infected with the GandCrab Ransomware.
Michael Gillespie noted that Cryakl Ransomware has been updated to version 184.108.40.206 based on a ransom note submitted to ID Ransomware.
Michael Gillespie found a new Spanish Jigsaw Ransomware variant that appends the .jes extension and utilizes a Cthulhu background image. Michael's decryptor was updated to handle this variant.
Brad Duncan analyzes a new malspam campaign that is pushing GandCrab and a GlobeImposter that had a redesign.
MalwareHunterTeam discovered a new ransomware called SilentSpring. This ransomware appends the .Sil3nt5pring extension to encrypted files.
Malwarebytes posted a good primer on how to break encryption.
A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand.
A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.
Karsten Hahn discovered the FRS Ransomware that appends the .FRS extension to encrypted files and drops a ransom note named READ_ME_HELP.png and READ_ME_HELP.txt.
The Connecticut State Judicial Branch’s computer system is currently down after a reported ransomware infection Friday morning, the branch said in a press release.
Karsten Hahn discovered a new HiddenTear variant named Ultimo that appends the .locked extension and drops a ransom note named READ_IT.txt.