This week we saw a new RaaS called CommonRansom, a new DiskCryptor variant, and numerous Dharma variants released. Otherwise, it has been a fairly light news week for ransomware.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @demonslay335, @PolarToffee, @struppigel, @malwrhunterteam, @malwareforme, @hexwaxwing, @FourOctets, @DanielGallagher, @BleepinComputer, @fwosar, @jorntvdw, @LawrenceAbrams, @GrujaRS, @china591, @JakubKroustek, @John_Fokker, @Hath3way, and @McAfee_Labs.
Jakub Kroustek found two new Dharma variants that append the .like or .gdb extension.
A new ransomware called CommonRansom was discovered that has a very bizarre request. In order to decrypt a computer after a payment is made, the attackers require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials so that they can decrypt the victim's files. The ransomware appends the [firstname.lastname@example.org].CommonRansom extension and drops a ransom note named DECRYPTING.txt.
Jakub Kroustek discovered a new variant of the Dharma Ransomware that appends the .xxxxx and drops a ransom note named FILES ENCRYPTED.txt.
Michael Gillespie discovered the Vendetta Ransomware which renames files to hex and adds the .vendetta extension. It then drops a ransom note named How to decrypt files.txt. An example file name is 6F-12-09-78-15-FF-97-A4-49-66-F5-C6-81-00-3D-42.vendetta.
MalwareHunterTeam found that Kraken Cryptor 18.104.22.168 beta was released and is demanding 1 BTC as the ransom.
Rising from the deep, Kraken Cryptor ransomware has had a notable development path in recent months. The first signs of Kraken came in mid-August on a popular underground forum. In mid-September it was reported that the malware developer had placed the ransomware, masquerading as a security solution, on the website SuperAntiSpyware, infecting systems that tried to download a legitimate version of the antispyware software.
A new ransomware has been discovered that installs DiskCryptor on the infected computer and reboots it. On reboot, victims are greeted with a custom ransom note that explains that their disk has been encrypted and tells them to contact email@example.com.
GrujaRS discovered a new ransomware called SimmyWare that appends the .SIMMYWARE extension and drops a ransom note named SIMMYWARE.txt.
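A defender-side triage helper built from the indicators named in this roundup (the appended extensions, the ransom-note file names, and Vendetta's hex file renaming). This is an added example, not code from BleepingComputer or any of the researchers credited above; the file listing it scans is constructed, and the hit threshold used to flag a family is an assumption.

```python
import re
from collections import Counter

# Indicators quoted in the digest above; the sample listing below is constructed.
EXTENSION_FAMILY = {".like": "Dharma", ".gdb": "Dharma", ".xxxxx": "Dharma",
                    ".commonransom": "CommonRansom", ".vendetta": "Vendetta",
                    ".simmyware": "SimmyWare"}
NOTE_FAMILY = {"decrypting.txt": "CommonRansom", "files encrypted.txt": "Dharma",
               "how to decrypt files.txt": "Vendetta", "simmyware.txt": "SimmyWare"}
# Vendetta replaces the whole file name with 16 hex bytes joined by dashes.
VENDETTA_NAME = re.compile(r"^(?:[0-9A-F]{2}-){15}[0-9A-F]{2}\.vendetta$", re.I)


def classify(path):
    """Return (family, evidence) for one path, or None if nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    lower = name.lower()
    if lower in NOTE_FAMILY:
        return NOTE_FAMILY[lower], "ransom_note"
    if VENDETTA_NAME.match(name):
        return "Vendetta", "hex_rename"
    # Only the final suffix matters: CommonRansom's marker follows a
    # bracketed e-mail address, e.g. "report.docx.[addr].CommonRansom".
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXTENSION_FAMILY:
        return EXTENSION_FAMILY[ext], "extension"
    return None


def triage(paths, min_hits=5):
    """Summarise hits per family. A lone extension hit is weak evidence
    (.gdb and .like are also legitimate suffixes), so a family is flagged
    only when its ransom note is present or many files carry its marker."""
    hits, notes = Counter(), set()
    for family, evidence in filter(None, map(classify, paths)):
        hits[family] += 1
        if evidence == "ransom_note":
            notes.add(family)
    return {fam: {"hits": n, "note": fam in notes, "flag": fam in notes or n >= min_hits}
            for fam, n in hits.items()}


SAMPLE_LISTING = [  # constructed file listing, not from any real incident
    "C:/Users/alice/Documents/6F-12-09-78-15-FF-97-A4-49-66-F5-C6-81-00-3D-42.vendetta",
    "C:/Users/alice/Documents/How to decrypt files.txt",
    "C:/Users/alice/Documents/budget.xlsx.[firstname.lastname@example.org].CommonRansom",
    "C:/Users/alice/Documents/DECRYPTING.txt",
    "C:/Users/bob/maps/parcels.gdb",  # legitimate .gdb: one hit, no note, not flagged
    "C:/Users/bob/report.docx",
]
REPORT = triage(SAMPLE_LISTING)  # Vendetta and CommonRansom flagged, Dharma not
```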