Wow! What a brutal week. This week we have 36 ransomware stories, with 10 of them being on May 1st alone. Most of the new ransomware releases continue to be real crap, but together they add up to a wave of garbage that can do some serious harm. We also saw previously small distributions gearing up with larger MALSPAM campaigns, such as GlobeImposter.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @struppigel, @demonslay335, @DanielGallagher, @malwrhunterteam, @fwosar, @malwareforme, @jorntvdw, @FourOctets, @BleepinComputer, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @malware_traffic, @FraMauronz, @JaromirHorejsi, @emsisoft, @sec_panda, @drProct0r, @TrendMicro, @McAfee, and @RecordedFuture.
If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.
BleepingComputer discovered a new in-development HiddenTear called Mini Ransomware. This ransomware appends the .maya extension to encrypted files and drops a ransom note named READ ME.txt.
Emsisoft malware researcher xXToffeeXx discovered a new ransomware called RSAUtil ransomware. The ransomware appends the .firstname.lastname@example.org.ID83994902 extension to encrypted files and creates a ransom note named How_return_files.txt. It uses the payment email addresses email@example.com and firstname.lastname@example.org.
BleepingComputer found a new in-development ransomware targeting Brazilian victims called DeadSec-Crypto v2.1 Ransomware. It currently does not do much other than display a form and delete some test files.
R0bert R0senb0rg discovered a new CryptoMix, or CryptFile2, variant that is now using the .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET extension for encrypted files. This is very annoying, as it makes it more difficult for victims to identify what ransomware they are infected with when they perform web searches: the .WALLET extension has already been used by Dharma/Crysis and Sanctions, and now CryptoMix uses it too. The current payment email addresses are email@example.com, firstname.lastname@example.org, and email@example.com.
xXToffeeXx discovered a ransomware called Extractor that appends the .xxx extension to encrypted files and creates a ransom note named ReadMe_XXX.txt. It uses the payment email firstname.lastname@example.org.
MalwareHunterTeam spotted a dev named Hayzam Sherif working on a Ruby ransomware. The ransomware will append the .ruby extension to encrypted files and create a ransom note on the desktop called rubyLeza.html.
Avast malware researcher Jakub Kroustek found a sample of Troldesh that uses the .crypted000007 extension for encrypted files.
Malware researcher SecPanda discovered a new ransomware called Maykolin. This ransomware will append the .[email@example.com] extension to encrypted files and drop a ransom note named README.firstname.lastname@example.org. It uses the payment email email@example.com.
xXToffeeXx discovered a new ransomware that appends the .amnesia extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT. It uses the payment email firstname.lastname@example.org.
Jakub Kroustek discovered a sample of the new FileFrozr RaaS that uses the Windows Cipher.exe tool to wipe free space in order to make it harder to recover deleted files with undelete tools. It drops a ransom note named READ_ME.txt.
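Abuse of the built-in cipher.exe free-space wipe (the /w: switch, which overwrites deallocated space on a volume) is easy to spot in process-creation telemetry, because legitimate use of that switch is rare on workstations. The following is an added example, not code from BleepingComputer or from any of the researchers credited above: a small detection that scans constructed process-creation log lines for cipher.exe wipe invocations and raises the severity when the wipe was spawned from an Office parent, which is the pattern you would expect from a malspam-delivered infection. The pipe-separated log format and the sample lines are my own assumptions for the demonstration.

```python
"""Flag cipher.exe free-space wiping in process-creation logs.

Added example (not the page's or any vendor's code). Assumes each log line is
'timestamp|user|parent_image|command_line'; the sample lines are constructed.
"""
import re

# Match "cipher.exe /w:<dir>" (and "cipher /W:...", full paths, quoted images).
# The leading group stops names like "decipher.exe" from matching.
WIPE_RE = re.compile(r'(?:^|[\\/\s"])cipher(?:\.exe)?"?\s+.*?/w:', re.IGNORECASE)

# Office parents: a wipe launched from these is far more suspicious than one
# launched by an administrator from a shell or a backup job.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry (timestamp|user|parent_image|command_line).
SAMPLE_LOG = """\
2017-05-01T10:02:11|CORP\\alice|explorer.exe|"C:\\Windows\\System32\\notepad.exe" notes.txt
2017-05-01T10:05:47|CORP\\alice|WINWORD.EXE|cmd.exe /c cipher.exe /w:C:\\
2017-05-01T10:05:48|CORP\\alice|cmd.exe|cipher.exe /w:C:\\
2017-05-01T11:14:02|CORP\\bob|explorer.exe|"C:\\Windows\\System32\\cipher.exe" /e /s:D:\\Finance
2017-05-01T12:40:19|CORP\\svc_backup|backup.exe|cipher /W:D:\\
"""


def parse_line(line):
    """Split one pipe-separated log line into a dict of its four fields."""
    ts, user, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "user": user, "parent": parent, "cmdline": cmdline}


def is_free_space_wipe(cmdline):
    """True if the command line invokes cipher.exe with the /w: wipe switch."""
    return WIPE_RE.search(cmdline) is not None


def find_wipe_events(log_text):
    """Return every wipe invocation found in log_text, with a severity label."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if is_free_space_wipe(ev["cmdline"]):
            office_parent = ev["parent"].lower() in OFFICE_PARENTS
            ev["severity"] = "high" if office_parent else "medium"
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_wipe_events(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["severity"]:6} {hit["user"]} '
              f'parent={hit["parent"]} cmd={hit["cmdline"]}')
```

Note that the cipher.exe /e line (EFS encryption of a folder) is deliberately not flagged; only the /w: wipe is. In a real deployment the parent-process heuristic would be extended with the user context and whether the machine is a server, since a scheduled wipe from a backup account on a file server is plausible, while the same command from a Word process on a workstation is not.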
A member of the BleepingComputer forums posted about what appears to be another variant of the Amnesia ransomware discovered earlier this week. This one scrambles an encrypted file's name and then appends the .CRYPTBOSS extension.
MalwareHunterTeam discovered a new variant of GlobeImposter that uses the extension .keepcalm.
MalwareHunterTeam discovered the vCrypt ransomware that is targeting Russian victims. The ransomware appends the .vCrypt1 extension to encrypted files and drops a ransom note named КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt.
xXToffeeXx discovered the Italian PEC 2017 ransomware. PEC 2017 appends the .pec extension to encrypted files and creates a ransom note named AIUTO_COME_DECIFRARE_FILE.html.
Malwarebytes malware researcher Marcelo Rivero discovered the Haters Ransomware. This ransomware will append the .haters extension to encrypted files. You can use StupidDecryptor to decrypt files affected by this ransomware.
Avast malware analyst JaromirHorejsi discovered a new ransomware that appends the .xncrypt extension to encrypted files. You can unlock the screenlocker and decrypt the files by entering 20faf12b60854f462c8725b18614deac. You can also use StupidDecryptor to decrypt files affected by this ransomware.
G Data malware researcher Karsten Hahn discovered that someone is developing malware that incorporates both spyware and ransomware into it.
Researchers at Trend Micro and McAfee have spotted version 6 of the Cerber ransomware, and this new edition continues to add new features, heightening the overall complexity this ransomware family has been showing.
Karsten Hahn discovered a new BTCWare variant that utilizes the .cryptowin extension.
Karsten Hahn discovered a new in-dev screenlocker. The unlock code is KUrdS12@!#.
MalwareHunterTeam discovered a new ShellShock variant called X0LZS3C. This variant appends the .x0lzs3c extension to encrypted files.
BleepingComputer discovered a new ransomware called Clouded Ransomware. This ransomware appends the .cloud extension to encrypted files.
Palo Alto Networks researcher Brad Duncan discovered a MALSPAM campaign that is pushing the GlobeImposter ransomware. The distributed variant appends the .crypt extension to encrypted files and drops a ransom note called How_to_back_files.html.
BleepingComputer discovered a new ransomware called Rans0mLocked. This ransomware appends the .owned extension to encrypted files. It communicates with its Command & Control server through a downloaded TOR client.
According to threat intelligence firm Recorded Future, a new Ransomware-as-a-Service (RaaS) portal is being advertised on an underground hacking forum primarily used by Russian-speaking criminals.
MalwareHunterTeam found a new variant of Jigsaw masquerading as a credit card generator. It appends the .fun extension and uses the following background.
A new ransomware was discovered by Karsten Hahn called NewHT. Could NewHT mean New HiddenTear? We will have to see. Regardless, the ransomware appends the .htrs extension to encrypted files and drops a ransom note named readme.txt. It has some rudimentary virtual machine detection.
Karsten Hahn discovered a new variant of the ZipLocker ransomware. This ransomware will zip up the targeted files into a password-protected zip file that is named [original_file_name]+ locked.zip. It will also drop a ransom note named UnlockMe.txt. The current password for the zip file is Destroy.