Mostly small variants were released this week, but we did have a new ransomware called GIBON that is interesting and, even better, decryptable. The other interesting news is about the ONI ransomware, which appears to have been used as a smokescreen or wiper for an extended attack against Japanese companies.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @FourOctets, @campuscodi, @malwrhunterteam, @jorntvdw, @BleepinComputer, @LawrenceAbrams, @fwosar, @malwareforme, @struppigel, @demonslay335, @PolarToffee, @hexwaxwing, @Seifreed, @GrujaRS, @Racco42, @MarceloRivero, @leotpsc, @avman1995, @mesa_matt.


October 28th 2017

New Xorist variant discovered

GrujaRS discovered a new Xorist variant that appends .error[id] to encrypted files. It contains communications with the author about ransom payment.

October 30th 2017

GlobeImposter variant using the .apk extension

Michael Gillespie discovered a GlobeImposter variant that appends the .apk extension to encrypted files.

Trick or Treat Screen Locker/Ransomware updated

Lawrence Abrams discovered an update to the Trick or Treat Locker that was mentioned in last week's article. This update adds a background and text to the locker.

October 31st 2017

ONI Ransomware Used in Month-Long Attacks Against Japanese Companies

As more and more ransomware outbreaks are discovered, the line between their use as a wiper and their use as actual ransomware has become blurred. Such is the case with a new ransomware attack called ONI that has been used in targeted, month-long attacks against Japanese companies.

You are so dumb to download this ware!

MalwareHunterTeam discovered a ransomware called Ransware that displays the interesting message "You are so dumb to download this ware." It currently does not encrypt files and only locks the screen.

November 1st 2017

French HiddenTear Variant Discovered

MalwareHunterTeam discovered a French HiddenTear variant that appends the .hacking extension to encrypted files. It also tells you to contact the humorous email of 

November 2nd 2017

HiddenTear Variant that claims it's the most powerful Ransomware's around!

MalwareHunterTeam discovered a HiddenTear variant that appends the .locked extension to encrypted files. It also claims to be the "most powerful Ransomware's around".

New Magniber variant discovered

Michael Gillespie discovered a new variant of the Magniber ransomware with a campaign ID of U261X574T67287Bs. This variant will append the .skvtb extension to encrypted files.

New Jigsaw Ransomware variant

Michael Gillespie discovered a new Jigsaw Ransomware variant that appends the .game extension to encrypted files. Otherwise, it continues to use the same Jigsaw background.

Hermes 2.1 Released

MalwareHunterTeam spotted the release of the Hermes 2.1 Ransomware. It now uses the .HRM extension for encrypted files.

New Matrix Ransomware variant

Racco42 discovered a new ransomware that was identified by Marcelo Rivero as a Matrix Ransomware variant. This variant appends the _[RELOCK001@TUTA.IO].[ext] extension to encrypted files and drops a ransom note named !OoopsYourFilesLocked!.rtf.

November 3rd 2017

GIBON Ransomware Being Distributed by Malspam

A new ransomware called GIBON was discovered by ProofPoint researcher Matthew Mesa. This ransomware is currently being distributed via malspam with an attached malicious document, which contains macros that will download and install the ransomware on a computer. A decryptor for this ransomware is available.

New Sad Ransomware discovered

Leo discovered a new ransomware called Sad Ransomware. When it encrypts your files, it appends the victim's ID as the extension. It also drops a ransom note named _HELPME_DECRYPT_.html.

New Ranion variant Discovered

True Indian discovered a new variant of the Ranion ransomware that appends the .ransom extension to encrypted files and drops a ransom note named README_TO_DECRYPT_FILES.html. It tells victims to contact the email for payment instructions.

That's it for this week! Hope everyone has a nice weekend!

