This week we had our fair share of smaller variants being distributed or created, but the big news was by far the release of Magniber and the use of the Hermes ransomware as a cover to steal money from a Taiwanese bank. With the release of Magniber we also see the downward spiral of Cerber, which has little or no distribution remaining at this time.
Contributors and those who provided new ransomware information and stories this week include: @campuscodi, @BleepinComputer, @jorntvdw, @LawrenceAbrams, @demonslay335, @malwrhunterteam, @DanielGallagher, @struppigel, @malwareforme, @hexwaxwing, @FourOctets, @PolarToffee, @Seifreed, @fwosar, @kafeine, @jspchc, @malc0de, @hasherezade, @Malwarebytes, @evilsocket, @xdxdxdxdoa, @ChristiaanBeek, @Raj_Samani, @bartblaze, @McAfee_Labs, @BAESystems_AI, and @jw00dbury.
Josh Woodbury discovered a new browser-based tech support scam that states that the visitor is infected with "WannaCry".
Threat intelligence researcher Bart published an article on the Sage 2.2 Ransomware.
Lawrence Abrams discovered an in-dev HiddenTear variant called ViiperWare Ransomware. This ransomware only encrypts files in the %Desktop%\Test folder and appends the .viiper extension to encrypted files.
Lawrence Abrams spotted a new EICAR-style test sample for ransomware that can be used to test the effectiveness of security products. According to Karsten Hahn, it needs the C:\Demo\Crypt folder to exist in order to execute properly.
Karsten Hahn discovered a new DUMB Ransomware variant that is written in Farsi and called Tyrant.
Karsten Hahn discovered a new screenlocker titled "Your computer is running a pirated version of Windows". This screenlocker demands Ethereum and nude pictures. Obviously a fake/joke, but the unlock code is: intelgpuisshit.
Karsten Hahn discovered the sample for the "Blind Ransomware" that Michael Gillespie was previously looking for. This ransomware appends the ..blind extension to encrypted files and drops a ransom note named How_Decrypt_Files.hta.
Karsten Hahn discovered an Italian HiddenTear variant that was created by "The Magic". This ransomware appends the default .locked extension to encrypted files.
Michael Gillespie discovered a new variant of the RotorCrypt Ransomware that is appending the !____________DESKRYPT@TUTAMAIL.COM________.rar extension to encrypted files.
Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different from Cerber, the payment system and the file types it encrypts are very similar.
Great analysis of the Magniber ransomware from Malwarebytes. Anyone interested in this ransomware should take a look.
Simone, the VP of Research at mobile security company Zimperium, created a decryptor for victims who may have been infected with the hardcoded key in Magniber. This decryptor requires you to know the key and IV that are embedded in the particular sample you were infected with. Only victims who were infected from a non-Korean IP address, or whose machine could not connect to the Command & Control servers, would have been encrypted with the hardcoded key.
This decryptor easily compiles in Visual Studio, but if anyone needs it, feel free to reach out and I will provide the binary.
Security Doggo discovered a new malspam campaign that is targeting Brazilian victims. MalwareHunterTeam discovered that this malspam is also distributing a new variant of the Bugware ransomware that appends the .[MAXVISION@SECMAIL.PRO].CRIPTOGRAFADO extension to encrypted files.
Michael Gillespie discovered a new variant of the Blue Eagle Ransomware. This variant appends .SaherBlueEagleRansomware to encrypted files.
Karsten Hahn discovered an in-dev ransomware that states "I can choose the amount of the ransom since I am the author of this virus". Let's just kick a victim while they are down. This crap appends the .XmdXtazX extension to encrypted files. It currently uses a hardcoded key.
MalwareHunterTeam discovered a new Brazilian HiddenTear variant that appends the .lordofshadow extension to encrypted files and drops a note called LEIA_ME.txt.