What a crazy end of the week we had with the WanaCrypt0r RansomApocaGeddonWare! This ransomware took the entire world by storm by using the leaked NSA EternalBlue SMBv1 exploit to install ransomware on many high-profile victims.
While that was definitely the big news of the week, we also saw a bunch of decryptors released, some new smaller variants released, and a new ransomware called Jaff being distributed by Necurs. All-in-all, this has been a pretty crappy week when it comes to ransomware and its victims.
Contributors and those who provided new ransomware information and stories this week include: @MalwareTechBlog, @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @siri_urz, @malware_traffic, @Malwarebytes, @CryptoInsane, @emsisoft, and @wandera.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
Bleeping Computer's security editor Catalin Cimpanu, with the help of David Montenegro and Jakub Kroustek, takes a look at a new Ransomware-as-a-Service that has become available on the Dark Web, named FrozrLock. This new RaaS is available for only $220 and is advertised under the tagline of "great security tool that encrypts most of your files in several minutes."
A BleepingComputer member posted about a Taiwanese forum called eyny that was distributing a ransomware called ThunderCrypt.
ABA Journal had a story on how a company filed a lawsuit against its insurer over coverage for a ransomware attack that locked down the firm’s computer files for three months.
BleepingComputer found a new ransomware called BitKangoroo. In summary, this ransomware will encrypt a victim's files using AES-256 encryption and append the .bitkangoroo extension to encrypted files. It will then display a 60-minute countdown; when the timer reaches zero, the ransomware deletes one encrypted file and resets the timer back to 60 minutes. Most importantly, this ransomware can be decrypted for free using Michael Gillespie's BitKangarooDecrypter.
BleepingComputer discovered a new ransomware that is delivered by a loader that includes the Gruxer screenlocker, a copy of HiddenTear, and an image infector that injects a PNG file into JPG files. Bizarre little program.
A portal hidden on the Dark Web is responsible for the small deluge of recent PadCrypt ransomware versions that have been spotted almost on a monthly basis in the past year.
Today we are going to take a quick look at a new ransomware called RSAUtil that was discovered by Emsisoft malware researcher xXToffeeXx. RSAUtil is distributed by the developer breaking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.
Emsisoft security researcher xXToffeeXx discovered a new variant of Locky that continues the Norse mythology theme for encrypted file extensions. This variant appends the .loptr extension to encrypted files and drops a ransom note named loptr-*4characters*.htm.
Emsisoft's Fabian Wosar released an updated Amnesia decryptor that supports all existing variants of the ransomware.
A new ransomware was found today by MalwareHunterTeam called Jaff Ransomware. In general, there is nothing special about this ransomware other than that it is being heavily distributed and that its authors stole the payment site HTML from Locky. Otherwise, Jaff is your garden-variety ransomware that encrypts files using AES encryption and appends the .jaff extension to encrypted files.
Emsisoft posted a blog about the new Jaff Ransomware.
Jaff is written in C and is packed using a custom malware obfuscator. Obfuscators are tools used by malware authors to hide malware under one or more layers of encryption and compression in order to make analysis more difficult.
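One quick way analysts triage a sample like this before any unpacking is to measure the byte entropy of its sections: code that has been compressed or encrypted looks close to random (entropy near 8 bits per byte), while ordinary compiled code and strings sit well below that. The following is an added example, not code from the original article or from any of the researchers named on this page; the section contents and the 7.0 threshold are constructed for illustration and would need tuning against real samples.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (one repeated byte) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: a section this close to random is probably compressed or encrypted."""
    return shannon_entropy(data) >= threshold

def scan_chunks(data: bytes, chunk: int = 1024, threshold: float = 7.0) -> list:
    """Return (offset, entropy) for every chunk above the threshold, so a
    high-entropy blob embedded in an otherwise normal section still shows up."""
    hits = []
    for off in range(0, len(data), chunk):
        ent = shannon_entropy(data[off:off + chunk])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits

def triage(sections: dict) -> dict:
    """Summarise each named section: entropy, packed verdict, and hot chunks."""
    return {
        name: {
            "entropy": round(shannon_entropy(blob), 2),
            "packed": looks_packed(blob),
            "hot_chunks": scan_chunks(blob),
        }
        for name, blob in sections.items()
    }

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted section (a SHA-256 chain), so the
    example runs offline with no real malware on disk."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed stand-ins for two PE sections: a text-like one and an "encrypted" one.
SAMPLE_SECTIONS = {
    ".text": b"This program cannot be run in DOS mode. " * 128,
    ".packed": pseudo_random_bytes(4096),
}

if __name__ == "__main__":
    for name, info in triage(SAMPLE_SECTIONS).items():
        print(f"{name:8} entropy={info['entropy']:.2f} packed={info['packed']} "
              f"hot_chunks={len(info['hot_chunks'])}")
```

On a real binary the section bytes would come from a PE parser instead of the constructed dictionary; the entropy logic is the same, and it is the reason packed samples like Jaff stand out in an analyst's first pass even before the unpacking work starts.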
The SLocker Android ransomware is back with a new wave of infections, after previously wreaking havoc in the summer of 2016. This recent wave was spotted by security firm Wandera, which reported yesterday on a new round of infections that began targeting users towards the start of the year.
The day started with a new version of an older ransomware that was making a large number of victims in Spain...
... but then turned into the biggest ransomware outbreak the Internet has ever seen, courtesy of NSA exploits leaked by the Shadow Brokers last month. The ransomware's name is Wana Decrypt0r, also known as WannaCry, WanaCrypt0r, WannaCrypt, and WCry. At the time of writing, the victim count had passed 57,000 and was still growing.
What's a massive ransomware outbreak without a technical nose dive? In this article we answer some questions about WanaCrypt0r and explain how it encrypts a computer.
Emsisoft has some good technical reading about WCry and the various key files that it utilizes. A good read for those who want more technical info about this ransomware.
A security researcher who goes online by the nickname of MalwareTech is the hero of the day, albeit an accidental one, after having saved countless computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referenced as WCry, WannaCry, WannaCrypt, and WanaCrypt0r).
Following the massive Wana Decrypt0r ransomware outbreak from yesterday afternoon, Microsoft has released an out-of-band patch for older operating systems to protect them against Wana Decrypt0r's self-spreading mechanism.