Mostly small silly variants released this week, but we did have a few interesting stories. The bigger stories include a new variant from Crysis released, a wiper disguised as a ransomware targeting companies in Germany, and hackers using RDP to install LockCrypt on business computers.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @struppigel, @fwosar, @hexwaxwing, @jorntvdw, @FourOctets, @PolarToffee, @malwrhunterteam, @demonslay335, @Seifreed, @campuscodi, @malwareforme, @LawrenceAbrams, Leo, Jakub Kroustek, @GDataSoftwareAG, @alienvault, and @GrujaRS.
Karsten Hahn discovered a new variant of the XiaoBa ransomware that demands $37.696 in BTC and locks the screen.
Karsten Hahn discovered a new HiddenTear variant called Zika Ransomware that is in Spanish and adds the .teamo extension to encrypted files.
A ransomware called Waffle Ransomware has been discovered by Leo that appends the .waffle extension.
Last week we posted an analysis of the GIBON Ransomware, which was discovered being spread via malspam campaigns. Today, an anonymous source told BleepingComputer that this ransomware has been marketed on underground criminal forums since as early as May 2017.
Michael Gillespie discovered a new ransomware called Sigma Ransomware that was uploaded to his ID-Ransomware site. CyberSecurity later found a sample of this variant, from which the image below was generated.
MalwareHunterTeam discovered a new ransomware named Christmas Ransomware. This ransomware is currently in development and does not encrypt files.
It looks like the city of Spring Hill, Tennessee had its computers hit by a ransomware attack last week. There is no indication of which ransomware family they were infected by.
Officials in Spring Hill say the city was hit by a cyberattack last Friday.
City spokesman Jamie Page said an employee clicked on a ransomware email. The city’s computer servers were then taken over and encrypted.
MalwareHunterTeam discovered a new Spanish HiddenTear variant called Jhash. This ransomware appends the .locky extension to encrypted files.
A new ransomware strain called Ordinypt is currently active in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data.
Since June this year, a group of cyber-criminals has been breaking into unsecured enterprise servers via RDP brute-force attacks and manually installing a new type of ransomware called LockCrypt.
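The LockCrypt intrusions described above start with RDP password guessing against exposed servers, which leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (event 4624) from the same address. The detection below is an added example written for this roundup, not code from BleepingComputer or from any of the researchers credited here. It assumes a simplified, space-separated event format that is constructed inline (real Windows events are XML and would need a different parser), and the threshold of 10 failures within 5 minutes is an assumed tuning value, not a figure from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Fields: timestamp, event id,
# logon type, source IP, account. 4625 = failed logon, 4624 = successful
# logon; logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2017-11-10T02:00:01 4625 10 203.0.113.7 administrator
2017-11-10T02:00:14 4625 10 203.0.113.7 administrator
2017-11-10T02:00:27 4625 10 203.0.113.7 admin
2017-11-10T02:00:40 4625 10 203.0.113.7 admin
2017-11-10T02:00:53 4625 10 203.0.113.7 backup
2017-11-10T02:01:06 4625 10 203.0.113.7 backup
2017-11-10T02:01:19 4625 10 203.0.113.7 sqlservice
2017-11-10T02:01:32 4625 10 203.0.113.7 sqlservice
2017-11-10T02:01:45 4625 10 203.0.113.7 administrator
2017-11-10T02:01:58 4625 10 203.0.113.7 administrator
2017-11-10T02:02:11 4625 10 192.0.2.5 jsmith
2017-11-10T02:02:24 4624 10 203.0.113.7 administrator
2017-11-10T02:05:00 4625 10 192.0.2.5 jsmith
"""


def parse_events(text):
    """Parse the simplified one-event-per-line format into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src_ip, account = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window, and record the first RDP success from that IP after the burst.
    Threshold and window are assumed tuning values."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps inside the window
    attempted = defaultdict(set)  # src_ip -> account names tried
    findings = {}                 # src_ip -> finding dict

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            attempted[ip].add(ev["account"])
            if len(q) >= threshold:
                f = findings.setdefault(ip, {
                    "src_ip": ip,
                    "first_seen": q[0].isoformat(),
                    "failures": 0,
                    "accounts": [],
                    "success_after": None,
                })
                f["failures"] = max(f["failures"], len(q))
                f["accounts"] = sorted(attempted[ip])
        elif ev["event_id"] == 4624 and ip in findings \
                and findings[ip]["success_after"] is None:
            # A success from a flagged IP is the high-priority case: the
            # guessing may have worked and a hands-on-keyboard intrusion
            # (as with the LockCrypt installs) could follow.
            findings[ip]["success_after"] = (ev["ts"].isoformat(), ev["account"])

    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed sample this reports a single finding for 203.0.113.7 (ten failures across four account names, followed by a success as "administrator") and nothing for 192.0.2.5, whose two failures are ordinary user typos. Account spraying across several names from one address is itself worth surfacing even without a success; the success-after-burst case is the one to treat as an active incident.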
A new variant of the Crysis ransomware has been discovered that appends the .cobra extension to encrypted files. While this ransomware cannot be decrypted for free, this article will take a look at the infection and provide possible methods to try to restore files.
MalwareHunterTeam found a working sample of a ransomware that pretends to be a keygen and appends the .lol extension to encrypted files. This ransomware appears to be a sample of the one discovered by Jack earlier this week.