Mostly small variants were released this week, but we did have a new ransomware called GIBON that is interesting and, even better, decryptable. The other interesting news is about the ONI ransomware, which appears to have been used as a smokescreen or wiper for an extended attack against Japanese companies.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @FourOctets, @campuscodi, @malwrhunterteam, @jorntvdw, @BleepinComputer, @LawrenceAbrams, @fwosar, @malwareforme, @struppigel, @demonslay335, @PolarToffee, @hexwaxwing, @Seifreed, @GrujaRS, @Racco42, @MarceloRivero, @leotpsc, @avman1995, @mesa_matt.
GrujaRS discovered a new Xorist variant that appends the .error[id] extension. It contains communications with the author about ransom payment.
Lawrence Abrams discovered an update to the Trick or Treat Locker that was mentioned in last week's article. This update adds a background and text to the locker.
As more and more ransomware outbreaks are discovered, the line has become blurred between those being used as wipers and those that are actual ransomware. Such is the case with a new ransomware attack called ONI that has been used in targeted, month-long attacks against Japanese companies.
MalwareHunterTeam discovered a ransomware called Ransware that has the interesting message of "You are so dumb to download this ware." It currently does not encrypt and only locks the screen.
MalwareHunterTeam discovered a French HiddenTear variant that appends the .hacking extension to encrypted files. It also tells you to contact the humorous email address firstname.lastname@example.org.
MalwareHunterTeam discovered a HiddenTear variant that appends the .locked extension to encrypted files. It also claims to be the "most powerful Ransomware's around".
MalwareHunterTeam spotted the release of the Hermes 2.1 Ransomware. It now uses the .HRM extension for encrypted files.
Racco42 discovered a new ransomware that was identified by Marcelo Rivero as a Matrix Ransomware variant. This variant appends the _[RELOCK001@TUTA.IO].[ext] extension to encrypted files and drops a ransom note named !OoopsYourFilesLocked!.rtf.
A new ransomware called GIBON was discovered by Proofpoint researcher Matthew Mesa. This ransomware is currently being distributed via malspam with an attached malicious document, which contains macros that will download and install the ransomware on a computer. A decryptor for this ransomware is available.
Leo discovered a new ransomware called Sad Ransomware. When it encrypts your files, it appends the victim's ID as the extension. It also drops a ransom note named _HELPME_DECRYPT_.html.
True Indian discovered a new variant of the Ranion ransomware that appends the .ransom extension to encrypted files and drops a ransom note named README_TO_DECRYPT_FILES.html. It tells victims to contact the theaccountant@Safe-mail.net email for payment instructions.