Not much to report this week other than Necurs starting to push the Scarab Ransomware and a new ransomware called qkG that infects Office documents. Otherwise, it has been a week of small variants that are in various stages of development.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @malwrhunterteam, @hexwaxwing, @struppigel, @jorntvdw, @LawrenceAbrams, @PolarToffee, @campuscodi, @BleepinComputer, @FourOctets, @fwosar, @DanielGallagher, @demonslay335, @Seifreed, @leotpsc, @MarceloRivero, @TrendLabs, @FSecure, @Forcepointsec, and @dvk01uk.
Leo discovered a Russian WannaCry Imposter. It does not currently encrypt.
Michael Gillespie discovered a new Crysis/Dharma ransomware variant that appends the .java extension to encrypted files. This variant was discovered when it was uploaded to his ID Ransomware service.
Michael Gillespie reported that the Cryakl Ransomware is now using the .fairytale extension.
Leo discovered a new ransomware called Locket Ransomware. It does not currently encrypt.
Marcelo Rivero discovered a new GlobeImposter variant that appends the .Ipcrestore extension to encrypted files and uses a ransom note named how_to_back_files.html.
Trend Micro discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.
Karsten Hahn discovered a new ransomware called IGotYour. This ransomware appends the .iGotYou extension but only encrypts C:\Test as of right now.
Karsten Hahn discovered a new Portuguese WannaCry copycat. It currently does not encrypt and utilizes the email firstname.lastname@example.org.
A ransomware strain known as Scarab, and detected for the first time in June, is now being pushed to millions of users via Necurs, the Internet's largest email spam botnet.
Cyber security vendor Sophos has identified the top ransomware families that affected Africa in 2017. According to Sophos, the Cerber ransomware accounted for 80% of attacks in Africa, followed by WannaCry (17%), and others like Jaff (1%), Locky (1%) and Petya (0.5%).
MalwareHunterTeam discovered a HiddenTear variant called Cryp70n1c Army's ransomware that appends the .cryp70n1c extension to encrypted files.
Karsten Hahn discovered a joke ransomware called Girlsomeware that does not encrypt.