There was quite a bit more ransomware activity this week compared to last week. As usual, this week has been dominated mostly by small variants that most likely will never make it into distribution. We did, though, see new CryptoMix and Locky variants released that are being actively distributed. The biggest news was the discovery of a new Android ransomware called DoubleLocker, which uses some new and interesting techniques.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @fwosar, @jorntvdw, @FourOctets, @hexwaxwing, @BleepinComputer, @PolarToffee, @malwareforme, @struppigel, @Seifreed, @LawrenceAbrams, @DanielGallagher, @campuscodi, @demonslay335, @dvk01uk, @LukasStefanko, @ESET, @siri_urz, @CarbonBlack_Inc.
My Online Security wrote a detailed article on how fake job application resume spam was delivering a GlobeImposter ransomware variant.
MalwareHunterTeam discovered a ransomware called LockOn. This ransomware is currently in development, but will append the .lockon extension to encrypted files.
MalwareHunterTeam discovered a new Brazilian ransomware called BugWare. This ransomware will append the .[SLAVIC@SECMAIL.PRO].BUGWARE extension to encrypted files.
Today a new Locky Ransomware variant was released that now uses the .asasin extension for encrypted files.
MalwareHunterTeam found a new sample of a crappy "Your Windows Has Been Banned" screenlocker.
MalwareHunterTeam discovered a new HiddenTear variant called AnonCrack. This ransomware appends the .crack extension to encrypted files.
Michael Gillespie discovered a new variant of the RotorCrypt Ransomware. This variant appends the extension !_____FIDEL4000@TUTAMAIL.COM______.biz and drops an oddly named ransom note called DOCTOR.
MalwareHunterTeam found a ransomware called Atchbo Ransomware2.0v. This ransomware appends the ExoLock extension to encrypted files.
A report released today by US cyber-security firm Carbon Black highlights a 2,502% growth in the ransomware Dark Web economy, compared to the previous year.
A new variant of what appears to be BTCWare ransomware is currently targeting victims and appending the .[email]-id-id.payday extension to encrypted files. This family of ransomware targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.
MalwareHunterTeam discovered a new version of the BugWare ransomware that changes the GUI a bit and now uses the [SLAVIC@SECMAIL.PRO].CRIPTOGRAFADO extension for encrypted files. It also now only targets certain countries. Personally, I liked the original GUI better.
ESET malware researcher Lukas Stefanko discovered a new ransomware targeting Android devices in the wild. Codenamed DoubleLocker, the ransomware abuses Android's Accessibility service and reactivates itself every time the user presses the phone's Home button.
Today, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .x1881 extension to encrypted file names.
A new ransomware called Anubi was discovered by Malwarebytes security researcher S!Ri that appends the .[email@example.com].anubi extension to encrypted files.
Karsten Hahn discovered a new screenlocker called CCord SystemLocker. The key for the screenlocker can be downloaded from jokebeatzz.lima-city.de/kws.txt. This may be part of a CTF or crackme.