Mostly small silly variants released this week, but we did have a few interesting stories. The bigger stories include a new variant from Crysis released,  a wiper disguised as a ransomware targeting companies in Germany, and hackers using RDP to install LockCrypt on business computers.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @struppigel, @fwosar, @hexwaxwing, @jorntvdw, @FourOctets, @PolarToffee, @malwrhunterteam, @demonslay335, @Seifreed, @campuscodi, @malwareforme, @LawrenceAbrams, Leo, Jakub Kroustek, @GDataSoftwareAG@alienvault, and @GrujaRS.

November 4th 2017

Curumim Ransomware Discovered

Karsten Hahn discovered a new Portuguese HiddenTear variant called Curumim that appends the .curumim extension to encrypted files.

New variant of the XiaoBa Ransomware Discovered

Karsten Hahn discovered a new variant of the XiaoBa ransomware that demands $37.696 in BTC and locks the screen.

Zika Ransomware Discovered

Karsten Hahn discovered a new HiddenTear variant called Zika Ransomware that is in Spanish and adds the .teamo extension to encrypted files.

Waffle Ransomware discovered

A ransomware called Waffle Ransomware has been discovered by Leo that appends the .waffle extension. 

November 6th 2017

GIBON Ransomware Being Sold on Underground Criminal Forums

Last week we posted an analysis of the GIBON Rasnsomware that was discovered being spread via malspam campaigns. Today, an anonymous source told BleepingComputer that this ransomware has been marketed on underground criminal forums since as early as May 2017.

November 7th 2017

Sigma Ransomware Discovered

Michael Gillespie discovered a new ransomware called Sigma Ransomware that was uploaded to his ID-Ransomware site. CyberSecurity later found a sample to this variant, from which the below image was generated.

November 8th 2017

Christmas Ransomware knows when your naughty

MalwareHunterTeam discovered a new ransomware being named Christmas Ransomware. This ransomware is current in-development and does not encrypt.

City of Spring Hill computer system hit by ransomware

Looks like the city of Spring Hill, Tennessee's computers were hit by a ransomware attack last week. No indication as to what ransomware they were infected by.

Officials in Spring Hill say the city was hit by a cyberattack last Friday.

City spokesman Jamie Page said an employee clicked on a ransomware email. The city’s computer servers were then taken over and encrypted.

Jhash Ransomware Discovered

MalwareHunterTeam discovered a new Spanish HiddenTear variant called Jhash. This ransomware appends the .locky extension to encrypted files.

November 9th 2017

Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany

A new ransomware strain called Ordinypt is currently active in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data.

November 10th 2017

LockCrypt Ransomware Crew Started via Satan RaaS, Now Deploying Their Own Strain

Since June this year, a group of cyber-criminals has been breaking into unsecured enterprise servers via RDP brute-force attacks and manually installing a new type of ransomware called LockCrypt.

New Cobra Crysis Ransomware Variant Released

A new variant of the Crysis ransomware has been discovered that appends the cobra extension to encrypted files. While this ransomware cannot be decrypted for free, this article will take a look at the infection and provide possible methods to try to restore files.

LOL Ransomware pretends to be a keygen

MalwareHunterTeam found a working sample of a ransomware that pretends to be a keygen and appends the .lol extension to encrypted files. This ransomware appears to be a sample of the one discovered by Jack earlier this week.

That's it for this week! Hope everyone has a nice weekend!


Related Articles:

The Week in Ransomware - September 21st 2018 - Beer, Airports, & Dharma

New Brrr Dharma Ransomware Variant Released

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More