Not much to report this week other than Necurs starting to push the Scarab Ransomware and a new Office document-infecting ransomware called qkG. Otherwise, it has been a week of small variants that are in various stages of development.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @malwrhunterteam, @hexwaxwing, @struppigel, @jorntvdw, @LawrenceAbrams, @PolarToffee, @campuscodi, @BleepinComputer, @FourOctets, @fwosar, @DanielGallagher, @demonslay335, @Seifreed, @leotpsc, @MarceloRivero, @TrendLabs, @FSecure, @Forcepointsec, and @dvk01uk.


November 18th 2017

Russian WannaCry Imposter Discovered

Leo discovered a Russian WannaCry Imposter. It does not currently encrypt.

November 20th 2017

New JAVA Crysis/Dharma Variant Released

Michael Gillespie discovered a new Crysis/Dharma ransomware variant that appends the .java extension to encrypted files. This variant was discovered when it was uploaded to his ID Ransomware service.

November 21st 2017

Cryakl Ransomware using the Fairytail extension

Michael Gillespie found that the Cryakl Ransomware is now using the .fairytale extension.

Locket Ransomware Discovered

Leo discovered a new ransomware called Locket Ransomware. It does not currently encrypt.

New GlobeImposter with the .Ipcrestore Extension

Marcelo Rivero discovered a new GlobeImposter variant that appends the .Ipcrestore extension to encrypted files and a ransom note named how_to_back_files.html.

November 22nd 2017

qkG Ransomware Encrypts Only Word Documents, Hides and Spreads via Macros

Trend Micro discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.

IGotYour Ransomware Discovered

Karsten Hahn discovered a new ransomware called IGotYour. This ransomware appends the .iGotYou extension, but currently only encrypts C:\Test.

Fake Portuguese WannaCry

Karsten Hahn discovered a new Portuguese WannaCry copycat. It currently does not encrypt and utilizes the email

November 23rd 2017

Scarab Ransomware Pushed via Massive Spam Campaign

A ransomware strain known as Scarab, and detected for the first time in June, is now being pushed to millions of users via Necurs, the Internet's largest email spam botnet.

Africa's top ransomware families revealed

Cyber security vendor Sophos has identified the top ransomware families that affected Africa in 2017. According to Sophos, the Cerber ransomware accounted for 80% of attacks in Africa, followed by WannaCry (17%), and others like Jaff (1%), Locky (1%) and Petya (0.5%).

Cryp70n1c Army's Ransomware Discovered

MalwareHunterTeam discovered a HiddenTear variant called Cryp70n1c Army's ransomware that appends the .cryp70n1c extension to encrypted files.

November 24th 2017

Joke Girlsomeware Discovered

Karsten Hahn discovered a joke ransomware called Girlsomeware that does not encrypt.


That's it for this week! Hope everyone has a nice weekend!

