Another busy week in ransomware with kidz continuing to create WannaCry knockoffs and HiddenTear variants. While most of the ransomware we have seen this week will never be distributed, we did see a new variant of the Jaff ransomware that shows they are putting more time and effort into how their ransomware looks. Jaff is definitely a ransomware we need to keep an eye on.
This has also been a good week for the good guys as the author of AES-NI has decided to stop his project and release the master decryption keys. We have also seen updated decryptors for BTCWare, the "Stupid Ransomware" family, and an Avast decryptor that utilizes the released AES-NI keys.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @emsisoft, @siri_urz, @malware_traffic, @Malwarebytes, @MarceloRivero, @LadislavZezula, @MichalCebak, @drProct0r, and @avast_antivirus.
If you are interested in ransomware or infosec, I suggest you follow them on Twitter.
BleepingComputer discovered a WannaCry imitator that goes by the name of Wana Decrypt0r 3.0. It does not currently encrypt anything.
BleepingComputer found another WannaCry imitation that uses the original name of Wana Decrypt0r 2.0. It does not encrypt.
BleepingComputer discovered a new in-dev ransomware called Decryption Assistant. It appends the .pwned extension to encrypted files. It only encrypts the c:\chicken folder. Wimp.
BleepingComputer found an in-dev ransomware called the D2+D Ransomware. This does not encrypt and the unlock password is 215249148.
BleepingComputer found a new in-dev screenlocker called Unidentified. The unlock password is aSFDDJGFffhsfcksggFffuygRFFJFffyhFFRYHCDTFJGFjg4257427544.
Michael Gillespie updated his decryptor so that if it cannot find the key for the .onyon variant it can still try and decrypt files under a certain size.
On Friday, North Korea denied allegations that it was somehow responsible for the WannaCry ransomware outbreak that affected over 240,000 computers in nearly 200 countries across the globe. Speaking at a press conference, Kim In Ryong, North Korea's deputy ambassador to the United Nations, called the allegations ridiculous and unfounded.
Michael Gillespie initiated a ransomware hunt for a ransomware that adds (Encrypted_By_VMola.com) to a filename and drops a ransom note named Ransom.rtf.
A new variant of the Jaff ransomware was discovered by security researchers Brad Duncan & Marcelo Rivero that includes an updated design for the ransom note and the new WLU extension for encrypted files. Like the first variant of Jaff, this new version continues to be distributed through MALSPAM campaigns that utilize malicious documents and macros to download and install the ransomware.
GData researcher Karsten Hahn discovered a new in-dev ransomware called CVLocker. This ransomware does not currently encrypt.
BleepingComputer found a new screenlocker called Widia. It is written in Romanian and states "De la Sorin pt voi", which translates to "From Sorin to you". Just Alt+F4 it.
Someone named AlecK is designing the Memeware Screenlocker. The unlock code is 290134884.
Karsten Hahn discovered a screenlocker called Elmer's Glue Locker. Yeah, we do not make up these names. Just boot to safe mode with networking and remove.
Karsten Hahn discovered a HiddenTear variant called Deos. Like most HiddenTear crap, it's broken.
Karsten Hahn discovered a .NET version of CryptoWall that appends the .wtdi extension to encrypted files. This ransomware can be decrypted.
As everyone expected, scammers are attempting to cash in on the mass hysteria currently surrounding the WannaCry ransomware outbreak, a mass infection that took place over the weekend of May 12 to 14 and whose effects we still feel today.
Karsten Hahn discovered another HiddenTear variant called MoWare. MoWare will append the .H_F_D_locked extension to encrypted files.
MalwareHunterTeam found a sample of an AutoIt scareware called Adonis Ransomware. When analyzed by security researcher Jack, it was discovered that it does not encrypt files, but it does drop ransom notes named EN.html and DE.html.
These ransomware names are getting ridiculous. BleepingComputer discovered a new in-dev ransomware that encrypts files, but does not append a new extension. It sets the background to a picture of Thor.
BleepingComputer discovered a fake ransomware that creates a batch file that formats the hard drives in a computer.
BleepingComputer discovered the 4rw5w Ransomware, which really wants to imitate WannaCry. This ransomware contains a kill switch, similar file names for storing data and keys, and appends the .4rwcry4w extension to encrypted files.
The author of the AES-NI Ransomware has told BleepingComputer that he has decided to stop his "project" and release the master decryption keys for his ransomware. As promised, he has already released the keys for one variant and another master decryption key for the offline variant. He has told BleepingComputer that more decryption keys will be coming soon.
According to a linguistic analysis of the WannaCry ransom notes by Jon Condra and John Costello, two Flashpoint researchers, the ransomware appears to be the work of a Chinese-speaking author. After analyzing each of WannaCry's localized ransom notes, available in 28 different languages, the two feel pretty confident the ransom note was written by persons fluent in Chinese, but also in English.
MalwareHunterTeam discovered a different variant of the above ransomware, but it's now called CrystalCrypt. This variant appends the .blocked extension to encrypted files.
xXToffeeXx discovered that someone is using DMA Locker 3, asking for 1 BTC, and then instructing victims to email firstname.lastname@example.org for payment instructions. Uses the !Encrypt! filemarker in encrypted files.
MalwareHunterTeam discovered a new ransomware that appends the .WINDIE extension to encrypted files. Can be decrypted by Michael's StupidDecryptor.
BleepingComputer found a new in-development HiddenTear variant called Crying Ransomware or Cry Ransomware. This ransomware will encrypt files and append the .crying extension to encrypted files. It also drops a ransom note called READ_IT.txt that tells you to keep running the program until you see the form. Note to Dev: Remove Application.Exit().
ESET researcher Michal Cebak discovered an in-development screenlocker called Roblocker X that states it encrypts Roblox files. At this point it doesn't do anything but show the lock screen, which has a passcode of PooPoo. This screenlocker does not display the lock screen shown below if a cmd prompt is open.
R0bert R0senb0rg found a new variant of the GlobeImposter Ransomware that appends the .write_us_on_email extension to encrypted files.
That's it for this week. Hope everyone has a nice weekend!