While we were all recovering from last week's WannaCry outbreak, ransomware developers continued to push out new ransomware. Due to the wide media attention WannaCry received, many of the ransomware infections developed this week were WannaCry knockoffs, most of which were never actually distributed.

We have quite a few big stories this week, including the discovery of another ransomware called Uiwix that is infecting people via the EternalBlue exploit and the release of the Wallet Ransomware master decryption keys. Overall, it's been a busy week for ransomware again.

Contributors and those who provided new ransomware information and stories this week include: @kafeine, @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @siri_urz, @malware_traffic, @Malwarebytes, @emsisoft, @benkow_, @msuiche, @DynamicAnalysis, @gentilkiwi, @MalwareTech, @FraMauronz, and @proofpoint.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

May 13th 2017

Tdelf Ransomware Under Development

MalwareHunterTeam discovered a new in-development ransomware being written by someone named CarlV. It appends the .tdelf extension to encrypted files but currently only targets the D:\crypting_test folder.

SecretSystem Ransomware Discovered

MalwareHunterTeam & Michael Gillespie discovered a new junk ransomware called SecretSystem. This ransomware will append the .slvpawned extension to encrypted files. Michael's StupidDecryptor can decrypt encrypted files for free.

vCrypt Ransomware Rebrands as xCrypt

MalwareHunterTeam found that the vCrypt ransomware has rebranded as the xCrypt ransomware. Probably not worth keeping track of this one.

New Zelta Ransomware Stampado Variant

Malware Blocker found a new variant of the Stampado ransomware called Zelta. It appends the .locked extension to encrypted files.

May 14th 2017

Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes

The WannaCry ransomware — also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow.

Microsoft Exec Blames WannaCry Ransomware on NSA Vulnerability Hoarding Program

Microsoft's Chief Legal Officer Brad Smith has penned a blog post today, accusing the NSA of stockpiling exploits, failing to protect its hacking tools, and indirectly causing the WannaCry ransomware outbreak.

Fake Jigsaw Ransomware Released

BleepingComputer discovered the self-titled "Fake Jigsaw Ransomware". This ransomware adds the .fun extension to encrypted files. You can use the code FAKEJIGSAWRansomware to decrypt.

New Variant of the GlobeImposter Impersonating Dharma

Michael Gillespie discovered a new variant of the GlobeImposter that is impersonating the Dharma ransomware by appending the .wallet extension to encrypted files. It also drops a ransom note named how_to_back_files.html.

New GruXer Variant Discovered

MalwareMan discovered a new variant of the GruXer ransomware. Still a buggy piece of ****.

May 15th 2017

With the Success of WannaCry, Imitations are Quickly In Development

With the successful launch of the WannaCry Ransomware last Friday, ransomware developers have been quick to release their own imitations. BleepingComputer has discovered 5 different WannaCry knockoffs in various stages of development. Of particular interest is what appears to be a WannaCry Ransomware generator that allows you to customize the appearance and text of the lock screen.

WannaCry Ransomware Version With Second Kill Switch Detected and Shut Down

On Sunday, security researchers Benkow & Matthieu Suiche detected a second WannaCry version that featured a different kill switch domain, which they quickly moved to register and point to MalwareTech's sinkhole in order to prevent further damage.

Someone Created a WannaCry Version That Doesn't Use a Kill Switch

On Sunday, someone tried to create a version of the WannaCry ransomware that didn't feature the kill switch domain. Fortunately, the ransomware was never released in the wild, as this appeared to be only a test.

RIG Exploit Kit Drops Pony, Downloads Philadelphia Ransomware

Malware Breakdown has discovered that the RIG exploit kit is installing Pony and Philadelphia Ransomware on affected computers.

New BTCWare Variant called OnyonLock Released

MalwareHunterTeam discovered a new variant of BTCWare that is appending the .onyon extension to encrypted files and creating ransom notes named !#_DECRYPT_#!.inf. These ransom notes are utilizing the email addresses decrypter@onyon.su & tk.btcw@protonmail.ch. This variant can be decrypted.

May Ransomware Discovered

MalwareHunterTeam discovered the May Ransomware. This ransomware appends the .locked extension to encrypted files and creates ransom notes named Restore_your_files.txt. Michael Gillespie found a later version that appends the .maysomware extension.

Kee Ransomware is the Work of a Real Scumbag

BleepingComputer discovered a new ransomware that encrypts your files, gives no option to pay for decryption and get a key back, and eventually deletes your files. The developers essentially encrypt your files and delete them just to be jerks.

FartPlz Ransomware Released

Yeah, we do not make up these names. Someone actually decided that they were going to make a ransomware that utilizes the .FartPlz extension for encrypted files. Originally found via a submission to ID-Ransomware, on May 15th a victim also created a topic on BleepingComputer about it, followed by a sample being found by MalwareHunterTeam, which was then analyzed by Fabian Wosar. As you can see, ransomware research is a collaborative effort.

This ransomware is written in Python and after finishing encrypting a victim's files it will display a ransom note named ReadME_Decrypt_Help_.html.

May 16th 2017

Adylkuzz Cryptocurrency Miner May Have Saved You From the WannaCry Ransomware

New evidence has revealed that nearly three weeks before the WannaCry ransomware outbreak, at least one cybercrime group was using the same NSA exploits — ETERNALBLUE and DOUBLEPULSAR — to infect computers with malware that mined for the Monero cryptocurrency.

The only reason nobody noticed these attacks is that this particular malware discovered by Kafeine of Proofpoint — named Adylkuzz — did not destroy user data and was programmed to close down SMB ports.

While this action was done to prevent other malware from infecting the same computer and clogging precious mining resources, this had the secondary effect of protecting some previously vulnerable computers from the virulent WannaCry ransomware attacks that took place over the last 4-5 days.

People Are Photoshopping WannaCry Ransom Notes on Everything with a Screen

Yes, WannaCry is horrible. It locked people's files and ruined businesses all over the world. With that being said, that doesn't mean people can't have fun with it.

Over the last few days, a new Internet meme has become popular among infosec professionals, and that's the act of photoshopping the WannaCry ransom note on anything that has a screen.

BTCWare Ransomware Master Key Released, Free Decrypter Available

Users that have had their files encrypted via older versions of the BTCWare ransomware can recover their files for free after security researchers created a decrypter for this ransomware family. 

WannaCry Imitations continue with Wanna Subscriber

This one is interesting at least. GData malware analyst Karsten Hahn discovered a WannaCry imitator called Wanna Subscribe. It doesn't encrypt, but wants you to subscribe to a YouTube channel. Written in Java.

New Xorist Version uses the SaMsUnG Extension

Michael Gillespie discovered a new Xorist sample that appends the .SaMsUnG extension to encrypted files.

New Jigsaw Variant that Utilizes the DIE Extension

Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .die extension to encrypted files.

New Lockout Ransomware Discovered

Emsisoft malware researcher xXToffeeXx discovered a new ransomware called Lockout that appends the .Lockout extension and creates ransom notes named Payment-Instructions.txt. It also adds a legal notice before a user logs into Windows that contains payment information.

Spora is still Alive and Kicking

MalwareHunterTeam pointed out that Spora is still alive and kicking with major campaigns still underway.

May 17th 2017

3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware

The number of security firms claiming they've identified and confirmed Google security researcher Neel Mehta's connections between the WannaCry ransomware and malware used by the Lazarus Group has now gone up to three. This is still not a 100% indication that WannaCry was coded by North Korea, as code reuse is common in malware creation.

New GlobeImposter using the hNcrypt and nCrypt Extensions

Malwarebytes malware researcher S!Ri discovered a new variant of the GlobeImposter that appends the .hNcrypt extension. Security researchers Marco Wege and Michael Gillespie found a variant of the same ransomware that appends the .nCrypt extension.

May 18th 2017

Uiwix Ransomware Using EternalBlue SMB Exploit To Infect Victims

It was discovered that malware distributors are utilizing the EternalBlue exploit to infect people with the Uiwix ransomware. Uiwix will encrypt a victim's files, append the ._[10_digit_victim_id].UIWIX extension to encrypted files, and drop a ransom note named _DECODE_FILES.txt.

Wallet Ransomware Master Keys Released on BleepingComputer. Avast Releases Free Decryptor

This morning a newly registered member posted the master decryption keys for the Wallet Ransomware in the BleepingComputer.com forums. These keys were then used by Avast to release a decryptor so people can get their files back for free.

New Variant of the Haters Ransomware Impersonating WanaCry

The WanaCry impersonations keep coming. This is the case with a new variant of the Haters ransomware discovered by S!Ri that has modified its screen to look WanaCryish. The idiots also have a PayPal option. Huh?

WannaCry Ransomware: Interview with Emsisoft’s ransomware experts

Emsisoft CTO Fabian Wosar and ransomware researcher xXToffeeXx discuss WanaCry in an article on Emsisoft's blog.

Another Fake WannaCry Developed

S!Ri discovered another fake WannaCry. This one was written by another scumbag, as it just destroys a victim's data.

WanaKiwi Gives a Slight Chance of Recovery WannaCryptor Keys

Benjamin Delpy released a tool called WanaKiwi that tries to extract the prime numbers used by WannaCry when it generates the encryption key. These prime numbers can then be used to generate the public decryption key for the victim. While there have been reports that this tool works, it does so only under certain limitations. First, the computer cannot have been rebooted, the WannaCry process should not have been terminated, and the memory will hopefully not have been overwritten. If the stars align, then this tool could be of help. Unfortunately, I was not able to get this to work, but as I said, others have been able to. Therefore, if you meet these conditions, you should definitely try the tool.

May 19th 2017

WannaCry Ransomware Infects Actual Medical Devices, Not Just Computers

Reports have surfaced that the WannaCry ransomware has infected actual medical devices, not just computers at medical facilities.

XData Ransomware on a Rampage in Ukraine

A new ransomware strain named XData has wreaked havoc in Ukraine in the last 24 hours, locking computers for hundreds of users. First to spot this new strain was Malwarebytes security researcher Emphyrio, but it was a security researcher that goes by the name of MalwareHunter that sounded the alarm earlier today.

BTCWare Decryptor Updated to Support .Theva and .Onyon Extensions

Michael Gillespie, with help from Francesco Muroni, was able to update the BTCWare Decrypter so that it supports files encrypted with the .[].theva extension and has limited support for the .onyon extension.

Garbage Yuriz Screenlocker Released

BleepingComputer discovered a new variant of the garbage Hacked by Yuriz MA screenlocker. Doesn't encrypt. Alt+F4 to close.

More In-Development Fake WannaCry

BleepingComputer discovered some more garbage WannaCry imitations. They do not encrypt.

New VisionCrypt Ransomware Discovered

BleepingComputer discovered a new ransomware called VisionCrypt 2.0 that changes the extension to _[original_extension].VisionCrypt on encrypted files. For example, test.jpg would be encrypted and renamed test_jpg.VisionCrypt. This ransomware has a contact email of VisionDep@sigaint.org.
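For incident responders triaging a file listing, the two renaming schemes described on this page (Uiwix's ._[10_digit_victim_id].UIWIX suffix and VisionCrypt 2.0's test.jpg to test_jpg.VisionCrypt rewrite) can be parsed back into the original filenames. This is an added example written here, not code from BleepingComputer or from either malware family; the regexes and the sample listing are constructed from the descriptions above, and the assumption that the Uiwix victim id is exactly ten digits comes from the page's placeholder.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the page's descriptions (assumptions: victim id is ten digits;
# VisionCrypt's original extension is alphanumeric, split at the last underscore).
UIWIX_RE = re.compile(r"^(?P<orig>.+)\._(?P<victim_id>\d{10})\.UIWIX$")
VISIONCRYPT_RE = re.compile(r"^(?P<stem>.+)_(?P<ext>[A-Za-z0-9]+)\.VisionCrypt$")


def triage_filename(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (family, recovered_original_name, detail) for a name that matches
    one of the two schemes, or None. Filename matching is a triage heuristic:
    it tells you where to look, not that the host was infected."""
    m = UIWIX_RE.match(name)
    if m:
        # Uiwix keeps the whole original name (extension included) in front of
        # the ._<id>.UIWIX suffix, so the original name is the captured prefix.
        return ("Uiwix", m.group("orig"), "victim_id=" + m.group("victim_id"))
    m = VISIONCRYPT_RE.match(name)
    if m:
        # VisionCrypt 2.0 turns the last "." into "_" and appends .VisionCrypt,
        # so putting the dot back recovers e.g. test.jpg from test_jpg.VisionCrypt.
        return ("VisionCrypt", f"{m.group('stem')}.{m.group('ext')}", "")
    return None


def triage_listing(names: List[str]) -> Dict[str, List[str]]:
    """Group a directory listing by family -> recovered original names.
    Unmatched names go under "unclassified" so nothing is silently dropped."""
    groups: Dict[str, List[str]] = {}
    for name in names:
        hit = triage_filename(name)
        family, recovered = (hit[0], hit[1]) if hit else ("unclassified", name)
        groups.setdefault(family, []).append(recovered)
    return groups


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    "budget.xlsx._1234567890.UIWIX",
    "_DECODE_FILES.txt",
    "test_jpg.VisionCrypt",
    "q3_report_docx.VisionCrypt",
    "notes.txt",
]

if __name__ == "__main__":
    for family, originals in triage_listing(SAMPLE_LISTING).items():
        print(family, originals)
```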
