Ransomware is definitely slowing down with most big attacks being targeted over RDP. With that said, we do see a steady stream of smaller ransomware infections that continue to be created, even if they never have much impact at all.

The biggest news over the past two weeks has been the continued releases of GandCrab and some interesting write-ups about BlackHeart and SynAck.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @FourOctets, @jorntvdw, @malwareforme, @demonslay335, @PolarToffee, @hexwaxwing, @struppigel, @BleepinComputer, @LawrenceAbrams, @campuscodi, @Seifreed, @DanielGallagher, @malwrhunterteam, @FBI, @MarceloRivero, @jeromesegura, @zsawei, @kaspersky, @antonivanovm, @TrendLabs, @SophosLabs, @leotpsc, @bartblaze, and @Amigo_A_.

April 30th 2018

UK Health Agency Switches to Windows 10 Citing WannaCry Ransomware Outbreak

The UK Department of Health and Social Care has announced that it will transition all National Health Service (NHS) computer systems to Windows 10.

Officials cited the operating system's more advanced security features as the primary reason for upgrading current systems, such as the SmartScreen technology included with Microsoft Edge (a Google Safe Browsing-like system) and Windows Defender, Microsoft's sneakily good antivirus product.

Kraken 2.0 Hijacked for Malicious Purposes

According to a message sent to Leo, Kraken 2.0 was not meant for malicious purposes and has been hijacked by someone who has been spreading it.

May 1st

Sophos Whitepaper on BTCWare

Not 100% sure when this was released, but it's a good whitepaper by Sophos on the BTCWare ransomware.

Legitimate Application AnyDesk Bundled with New Ransomware Variant

TrendLabs reports:

We recently discovered a new ransomware (Detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload. This isn’t the first time that a malware abused a similar tool. TeamViewer, a tool with more than 200 million users, was abused by a previous ransomware that used the victim’s connections as a distribution method.

In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.

UselessFiles Ransomware

MalwareHunterTeam discovered the UselessFiles ransomware that appends the .UselessFiles extension to encrypted files.

May 2nd 2018

New XiaoBa Ransomware variant

MalwareHunterTeam found a new XiaoBa ransomware variant that appends the .[BaYuCheng@yeah.net].china extension to encrypted files.

May 4th 2018

GandCrab Version 3 Released With Autorun Feature and Desktop Background

GandCrab version 3 was released earlier this week with a few noticeable changes. The most noticeable change is the addition of a desktop background.

May 5th 2018

New Jigsaw Ransomware variant

Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .hac extension to encrypted files.

Vietnamese ransomware wants you to add credit to a mobile phone

Bart takes a look at BKRansomware, which is a Vietnamese ransomware that wants you to send money to their phone.

New MMM Ransomware variant

Michael Gillespie discovered a new variant of the MMM Ransomware that uses the extension .MMM and a ransom note of GET_YOUR_FILES_BACK.html.

May 6th 2018

New horsia@airmail.cc Scarab Ransomware variant

A user posted a topic in our forums about a new variant of the Scarab Ransomware that appends the .horsia@airmail.cc extension to encrypted files.

May 7th 2018

SynAck Ransomware Uses Process Doppelgänging Technique

A new and improved version of the SynAck ransomware has been spotted online in recent days, and security researchers are reporting that the ransomware now uses the Process Doppelgänging technique.

New Matrix Ransomware variant

MalwareHunterTeam discovered a new Matrix ransomware variant that uses a ransom note of #What_Wrong_With_Files#.rtf. It does not append any extension.

PSCrypt ransomware: back in business

In this article, Bart talks about how the PSCrypt ransomware is back in business.

May 8th 2018

FBI: Number of Ransomware Complaints Went Down in 2017

The number of people who reported ransomware infections to US authorities went down last year, according to a yearly FBI Internet crime report.

May 9th 2018

RansomAES Ransomware discovered

MalwareHunterTeam discovered a new ransomware called RansomAES that appends the .RansomAES extension to encrypted files and a ransom note named READ ME.txt.

May 10th 2018

GandCrab version 3.0.1 Released

Jawe discovered that GandCrab v3.0.1 was released and no longer includes an autorun and wallpaper.

New Matrix Ransomware variant

MalwareHunterTeam discovered a Matrix ransomware variant that performs console logging, adds the extension [RestoreFile@qq.com].MTXLOCK, and drops a ransom note named #Decrypt_files_ReadMe#.rtf.

May 11th 2018

Facebook Ransomware spotted

Leo spotted a tr011 ransomware called Facebook Ransomware that appends the .Facebook extension to encrypted files.

 

That's it for this week! Hope everyone has a nice weekend!
