While we were all recovering from last week's WannaCry outbreak, ransomware developers continued to push out new ransomware. Due to the wide media attention WannaCry received, many of the ransomware infections being developed this week were knockoffs of WannaCry, most of which were never actually distributed.
We have quite a few big stories this week, including the discovery of another ransomware called Uiwix that is infecting people via the EternalBlue exploit and the release of the Wallet Ransomware master decryption keys. Overall, it's been a busy week for ransomware again.
Contributors and those who provided new ransomware information and stories this week include: @kafeine, @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @siri_urz, @malware_traffic, @Malwarebytes, @emsisoft, @benkow_, @msuiche, @DynamicAnalysis, @gentilkiwi, @MalwareTech, @FraMauronz, and @proofpoint.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
MalwareHunterTeam discovered a new in-development ransomware being written by someone named CarlV. It appends the .tdelf extension to encrypted files but currently only targets the D:\crypting_test folder.
MalwareHunterTeam & Michael Gillespie discovered a new junk ransomware called SecretSystem. This ransomware will append the .slvpawned extension to encrypted files. Michael's StupidDecryptor can decrypt encrypted files for free.
Malware Blocker found a new variant of the Stampado ransomware called Zelta. It appends the .locked extension to encrypted files.
The WannaCry ransomware — also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow.
Microsoft's Chief Legal Officer Brad Smith has penned a blog post today, accusing the NSA of stockpiling exploits, failing to protect its hacking tools, and indirectly causing the WannaCry ransomware outbreak.
BleepingComputer discovered the self-titled "Fake Jigsaw Ransomware". This ransomware adds the .fun extension to encrypted files. You can use the code FAKEJIGSAWRansomware to decrypt.
Michael Gillespie discovered a new variant of GlobeImposter that impersonates the Dharma ransomware by appending the .wallet extension to encrypted files. It also drops a ransom note named how_to_back_files.html.
MalwareMan discovered a new variant of the GruXer ransomware. Still a buggy piece of ****.
With the successful launch of the WannaCry Ransomware last Friday, ransomware developers have been quick to release their own imitations. BleepingComputer has discovered 5 different WannaCry knockoffs in various stages of development. Of particular interest is what appears to be a WannaCry Ransomware generator that allows you to customize the appearance and text of the lock screen.
On Sunday, security researchers Benkow & Matthieu Suiche detected a second WannaCry version that featured a different kill switch domain, which they quickly moved to register and point to MalwareTech's sinkhole in order to prevent further damage.
On Sunday, someone tried to create a version of the WannaCry ransomware that didn't feature the kill switch domain. Fortunately, the ransomware was never released in the wild, as this appeared to be only a test.
Malware Breakdown has discovered that the RIG exploit kit is installing Pony and Philadelphia Ransomware on affected computers.
MalwareHunterTeam discovered a new variant of BTCWare that is appending the .onyon extension to encrypted files and creating ransom notes named !#_DECRYPT_#!.inf. These ransom notes are utilizing the email addresses email@example.com & firstname.lastname@example.org. This variant can be decrypted.
MalwareHunterTeam discovered the May Ransomware. This ransomware appends the .locked extension to encrypted files and creates ransom notes named Restore_your_files.txt. Michael Gillespie found a later version that appends the .maysomware extension.
BleepingComputer discovered a new ransomware that encrypts your files, but does not give an option to pay for decryption and get a key back and eventually deletes your files. They essentially encrypt your files and delete them to be jerks.
Yeah, we do not make up these names. Someone actually decided that they were going to make a ransomware that utilizes the .FartPlz extension for encrypted files. Originally found by a submission to ID-Ransomware, on May 15th a victim also created a topic on BleepingComputer about it, followed by a sample being found by MalwareHunterTeam, which was then analyzed by Fabian Wosar. As you can see, ransomware research is a collaborative effort.
This ransomware is written in Python and after finishing encrypting a victim's files it will display a ransom note named ReadME_Decrypt_Help_.html.
New evidence has revealed that nearly three weeks before the WannaCry ransomware outbreak, at least one cybercrime group was using the same NSA exploits — ETERNALBLUE and DOUBLEPULSAR — to infect computers with malware that mined for the Monero cryptocurrency.
The only reason nobody noticed these attacks is that this particular malware discovered by Kafeine of Proofpoint — named Adylkuzz — did not destroy user data and was programmed to close down SMB ports.
While this action was done to prevent other malware from infecting the same computer and clogging precious mining resources, this had the secondary effect of protecting some previously vulnerable computers from the virulent WannaCry ransomware attacks that took place over the last 4-5 days.
Yes, WannaCry is horrible. It locked people's files and ruined businesses all over the world. With that being said, that doesn't mean people can't have fun with it.
Over the last few days, a new Internet meme has become popular among infosec professionals, and that's the act of photoshopping the WannaCry ransom note on anything that has a screen.
Users that have had their files encrypted via older versions of the BTCWare ransomware can recover their files for free after security researchers created a decrypter for this ransomware family.
This one is interesting, at least. GData malware analyst Karsten Hahn discovered a WannaCry imitator called Wanna Subscribe. Doesn't encrypt, but wants you to subscribe to a YouTube channel. Written in Java.
Emsisoft malware researcher xXToffeeXx discovered a new ransomware called Lockout that appends the .Lockout extension and creates ransom notes named Payment-Instructions.txt. It also adds a legal notice before a user logs into Windows that contains payment information.
The number of security firms claiming they've identified and confirmed Google security researcher Neel Mehta's connections between the WannaCry ransomware and malware used by the Lazarus Group has now gone up to three. This is still not a 100% indication that WannaCry was coded by North Korea, as code reuse is common in malware creation.
Malwarebytes malware researcher S!Ri discovered a new variant of GlobeImposter that appends the .hNcrypt extension. Security researchers Marco Wege and Michael Gillespie found a variant that appends the .nCrypt extension.
It was discovered that malware distributors are utilizing the EternalBlue exploit to infect people with the Uiwix ransomware. Uiwix will encrypt a victim's files, append the ._[10_digit_victim_id].UIWIX extension to encrypted files, and drop a ransom note named _DECODE_FILES.txt.
This morning a newly registered member posted the master decryption keys for the Wallet Ransomware in the BleepingComputer.com forums. These keys were then used by Avast to release a decryptor so people can get their files back for free.
The WanaCry impersonations keep coming. This is the case with a new variant of the Haters ransomware discovered by S!Ri that has modified its screen to look WanaCryish. Idiots also have a PayPal option. Huh?
S!Ri discovered another fake WannaCry. This one is written by another scumbag as it just destroys a victim's data.
Benjamin Delpy released a tool called WanaKiwi that tries to extract the prime numbers used by WannaCry when it generates the encryption key. These prime numbers can then be used to generate the public decryption key for the victim. While there have been reports that this tool works, it does so only under certain limitations. First, the computer cannot have been rebooted, the WannaCry process should not have been terminated, and the memory will hopefully not have been overwritten. If the stars align, then this tool could be of help. Unfortunately, I was not able to get this to work, but as I said, others have been able to. Therefore, if you meet these conditions, you should definitely try the tool.
Reports have surfaced that the WannaCry ransomware has infected actual medical devices, not just computers at medical facilities.
A new ransomware strain named XData has wreaked havoc in Ukraine in the last 24 hours, locking computers for hundreds of users. First to spot this new strain was Malwarebytes security researcher Emphyrio, but it was a security researcher who goes by the name of MalwareHunter that sounded the alarm earlier today.
BleepingComputer discovered a new variant of the garbage Hacked by Yuriz MA screenlocker. Doesn't encrypt. Alt+F4 to close.
BleepingComputer discovered some more garbage WannaCry imitations. They do not encrypt.
BleepingComputer discovered a new ransomware called VisionCrypt 2.0 that changes the extension to _[original_extension].VisionCrypt on encrypted files. For example, test.jpg would be encrypted and renamed test_jpg.VisionCrypt. This ransomware has a contact email of VisionDep@sigaint.org.
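Several of this week's items describe a file-renaming scheme (Uiwix's ._[10_digit_victim_id].UIWIX pattern, VisionCrypt's _[original_extension].VisionCrypt renaming, and the .locked extension shared by Zelta and May), which is exactly what services like ID-Ransomware key on. The following is an added example, not BleepingComputer's or ID-Ransomware's code, of turning the extensions and ransom note names listed above into a small triage check; the file names it is run against are constructed, and the family table covers only this week's items.

```python
from __future__ import annotations
import re

# Extensions named in this week's items -> family; ".locked" is shared by Zelta and May.
SIMPLE_EXTENSIONS: dict[str, tuple[str, ...]] = {
    ".tdelf": ("tdelf (CarlV, in development)",),
    ".slvpawned": ("SecretSystem",),
    ".locked": ("Zelta (Stampado)", "May"),
    ".fun": ("Fake Jigsaw",),
    ".wallet": ("GlobeImposter (Dharma impersonation)",),
    ".onyon": ("BTCWare",),
    ".maysomware": ("May",),
    ".FartPlz": ("FartPlz",),
    ".Lockout": ("Lockout",),
    ".hNcrypt": ("GlobeImposter",),
    ".nCrypt": ("GlobeImposter",),
}
# Ransom note names the items give; a note in the same folder resolves ties.
RANSOM_NOTES: dict[str, str] = {
    "how_to_back_files.html": "GlobeImposter (Dharma impersonation)",
    "!#_DECRYPT_#!.inf": "BTCWare",
    "Restore_your_files.txt": "May",
    "ReadME_Decrypt_Help_.html": "FartPlz",
    "Payment-Instructions.txt": "Lockout",
    "_DECODE_FILES.txt": "Uiwix",
}
# Uiwix: <original>._<10-digit victim id>.UIWIX; VisionCrypt: test.jpg -> test_jpg.VisionCrypt
UIWIX_RE = re.compile(r"^(?P<orig>.+)\._\d{10}\.UIWIX$")
VISIONCRYPT_RE = re.compile(r"^(?P<stem>.+)_(?P<ext>[A-Za-z0-9]+)\.VisionCrypt$")

def identify(filename: str) -> tuple[list[str], str | None]:
    """Return (candidate families, recovered original name) for one file name."""
    if m := UIWIX_RE.match(filename):
        return ["Uiwix"], m.group("orig")
    if m := VISIONCRYPT_RE.match(filename):
        return ["VisionCrypt 2.0"], f"{m.group('stem')}.{m.group('ext')}"
    for ext, families in SIMPLE_EXTENSIONS.items():
        if filename.endswith(ext):
            return list(families), filename[: -len(ext)]
    return [], None  # not a naming scheme covered by this week's items

def triage(listing: list[str]) -> dict[str, list[str]]:
    """Map each encrypted file in a folder listing to its family guesses."""
    notes_seen = {RANSOM_NOTES[f] for f in listing if f in RANSOM_NOTES}
    result: dict[str, list[str]] = {}
    for name in listing:
        families, _ = identify(name)
        if families:  # prefer families confirmed by a ransom note, if any
            result[name] = [f for f in families if f in notes_seen] or families
    return result
```

The recovered original name is only for inventorying what was hit; it says nothing about whether the content can be decrypted, which depends on the family (e.g. BTCWare and Wallet currently can be, Uiwix cannot).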