This week we had our fair share of smaller variants being distributed or created, but the big news was by far the release of Magniber and the use of the Hermes ransomware as a cover to steal money from a Taiwan bank. With the release of Magniber we also see the downward spiral of Cerber, which has little or no distribution remaining at this time.

Contributors and those who provided new ransomware information and stories this week include: @campuscodi, @BleepinComputer, @jorntvdw, @LawrenceAbrams, @demonslay335, @malwrhunterteam, @DanielGallagher, @struppigel, @malwareforme, @hexwaxwing, @FourOctets, @PolarToffee, @Seifreed, @fwosar, @kafeine, @jspchc, @malc0de, @hasherezade, @Malwarebytes, @evilsocket, @xdxdxdxdoa, @ChristiaanBeek, @Raj_Samani, @bartblaze, @McAfee_Labs, @BAESystems_AI, and @jw00dbury.

October 14th 2017

Browser-Based Tech Support Scam States Visitor is Infected with WanaCry

Josh Woodbury discovered a new browser-based tech support scam that states that the visitor is infected with "WannaCry".

Notes on Sage 2.2 ransomware version

Threat intelligence researcher Bart published an article on the Sage 2.2 Ransomware.

October 15th 2017

In-dev ViiperWare Ransomware

Lawrence Abrams discovered an in-dev HiddenTear variant called ViiperWare - Ransomware. This ransomware only encrypts %Desktop%\Test and appends the .viiper extension to encrypted files.

Eicar Ransomware Test File Released

Lawrence Abrams spotted a new Eicar test sample for ransomware that can be used to test the effectiveness of security products. According to Karsten Hahn, it needs the C:\Demo\Crypt folder to properly execute.

October 16th 2017

New DUMB Ransomware Variant called Farsi

Karsten Hahn discovered a new DUMB Ransomware variant that is written in Farsi and called Tyrant.

New Vortex Variant Released

Michael Gillespie started seeing a lot of new submissions to ID-Ransomware for Vortex that use a new ransom note named #$# JAK-ODZYSKAC-PLIIKI.txt.

Skids are active with a new Screenlocker

Karsten Hahn discovered a new screenlocker titled "Your computer is running a pirated version of Windows". This screenlocker demands Ethereum and nude pictures. Obviously a fake/joke, but the unlock code is: intelgpuisshit.

October 17th 2017

North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist

According to a BAE Systems report and a report from McAfee, North Korean hackers used the Hermes Ransomware as a cover to steal money from a Taiwan bank.

The Blind Ransomware Sample Discovered

Karsten Hahn discovered the sample for the "Blind Ransomware" that Michael Gillespie was previously looking for. This ransomware appends the .[].blind extension to encrypted files and drops a ransom note named How_Decrypt_Files.hta.

The Magic Ransomware

Karsten Hahn discovered an Italian HiddenTear variant that was created by "The Magic". This ransomware appends HiddenTear's default .locked extension to encrypted files.

New RotorCrypt Variant

Michael Gillespie discovered a new variant of the RotorCrypt Ransomware that appends the !____________DESKRYPT@TUTAMAIL.COM________.rar extension to encrypted files.

October 18th 2017

Goodbye Cerber? Hello Magniber Ransomware!

Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different from Cerber, the payment system and the files it encrypts are very similar.

Magniber ransomware: exclusively for South Koreans

Great analysis of the Magniber ransomware from Malwarebytes. Anyone interested in this ransomware should take a look.

Magniber Decrypter Created for Offline Victims

Simone, the VP of Research at mobile security company Zimperium, created a decryptor for victims who may have been infected with the hardcoded key in Magniber. This decrypter requires you to know the key and IV that are embedded in the particular sample you were infected with. Only victims who were infected from a non-Korean IP address, or who could not connect to the Command & Control servers, would have been encrypted with the hardcoded key.

This decryptor easily compiles in Visual Studio, but if anyone needs it, feel free to reach out and I will provide the binary.

October 19th 2017

New Bugware Variant being Distributed via WhatsApp MalSpam

Security Doggo discovered a new malspam campaign that is targeting Brazilian victims. MalwareHunterTeam discovered that this malspam is also distributing a new variant of the Bugware ransomware that appends the .[MAXVISION@SECMAIL.PRO].CRIPTOGRAFADO extension to encrypted files.

New Variant of the Blue Eagle Ransomware

Michael Gillespie discovered a new variant of the Blue Eagle Ransomware. This variant appends .SaherBlueEagleRansomware to encrypted files.

October 20th 2017

An A-Hole of Ransomware Developer

Karsten Hahn discovered an in-dev ransomware that states "I can choose the amount of the ransom since I am the author of this virus". Let's just kick a victim while they are down. This crap appends the .XmdXtazX extension to encrypted files. It currently uses a hardcoded key.

LordOfShadow Ransomware

MalwareHunterTeam discovered a new Brazilian HiddenTear variant that appends the .lordofshadow extension to encrypted files and drops a note called LEIA_ME.txt.
That's it for this week! Hope everyone has a nice weekend!