Lots of ransomware in the news this week. The biggest story was, of course, the Bad Rabbit outbreak, which hit numerous countries but mostly Russia and Ukraine. We also had the Tyrant ransomware, which targeted Iranian companies. In addition to those big stories, a bunch of smaller variants were released this week.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @DanielGallagher, @PolarToffee, @hexwaxwing, @malwareforme, @campuscodi, @Seifreed, @LawrenceAbrams, @fwosar, @jorntvdw, @FourOctets, @struppigel, @BleepinComputer, @demonslay335, @McAfee_Labs, @jiriatvirlab, @ESET, @kaspersky, @TalosSecurity, @Bitdefender, @GroupIB_GIB, @IntezerLabs, @bartblaze, @EndgameInc, @Malwarebytes, @antonivanovm, @malwareunicorn, @craiu, @hasherezade, @jeromesegura, and @EKFiddle.
Lawrence Abrams discovered a new HiddenTear variant called Ordinal Ransomware. This ransomware appends the .Ordinal extension to encrypted files and drops a ransom note named READ Me To Get Your Files Back.txt.Ordinal.
I missed this in the previous article, but McAfee has released a Ransomware Recover tool, which allows victims to download the decryptors for the ransomware they are affected with. McAfee also intends for this to be an open framework that other researchers can use to add decryption keys and tools they find.
ID-Ransomware reached a milestone this week: it can now identify 500 different ransomware variants.
Catalin Cimpanu takes a look at the new "Controlled Folder Access" feature in Windows Defender, introduced in the newly released Windows 10 Fall Creators Update, which blocks untrusted applications from modifying files in protected folders.
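As an added example (not from the article or from Microsoft's own documentation), here is how an administrator would turn the feature on and check what it is blocking from an elevated PowerShell prompt on Windows 10 1709 or later. The folder and application paths are placeholders to be replaced with your own.

```powershell
# Added example: enabling and reviewing Windows Defender Controlled Folder Access.
# Requires an elevated prompt and the built-in Defender PowerShell module.
# All paths below are placeholders, not values from the article.

# 1. Check the current state: 0 = Disabled, 1 = Enabled, 2 = AuditMode
(Get-MpPreference).EnableControlledFolderAccess

# 2. Start in audit mode so legitimate applications that write to protected
#    folders are logged instead of blocked; switch to Enabled once the allow
#    list is complete.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect additional folders beyond the defaults (Documents, Pictures, ...)
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Shares\Finance"   # placeholder path

# 4. Allow a trusted application that must write into protected folders
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\BackupTool\backup.exe"   # placeholder path

# 5. Review the current configuration
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications

# 6. See what was blocked (Enabled) or would have been blocked (AuditMode).
#    Defender writes these to its Operational log:
#    1123 = blocked by Controlled Folder Access, 1124 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 7. Enforce once the allow list covers every legitimate writer
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Run it in audit mode for a while before enforcing: the feature blocks any application not on the allow list, including in-house tools and some backup agents, and it is only available while Windows Defender real-time protection is the active antivirus.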
Karsten Hahn discovered a new ransomware called AllCry. This ransomware appends the .allcry extension to encrypted files.
Lawrence Abrams discovered the first in-development Halloween 2017 ransomware, called Trick or Treat. It does not encrypt files and only displays a screen.
Lawrence Abrams discovered a Jigsaw ransomware variant, just in time for Halloween, that uses the Pennywise character from IT as its background. It is in debug/simulation mode and appends the .beep extension to test files.
MalwareHunterTeam discovered a new HiddenTear variant that appends the .Comrade extension to encrypted files and drops a ransom note named DECRYPT_FILES.txt.
A new ransomware strain named Bad Rabbit is wreaking havoc in many Eastern European countries, affecting government agencies and private businesses alike.
Several security firms have come forward with evidence linking the Bad Rabbit ransomware outbreak to the NotPetya outbreak that took place at the end of June this year.
Reports started coming in that the Bad Rabbit ransomware had also infected some victims in the USA.
The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) has issued a security alert about a ransomware distribution campaign currently active in the country.
Cisco Talos discovered that Bad Rabbit used the leaked NSA exploit called EternalRomance, an SMBv1 exploit patched by MS17-010, to spread across networks.
MalwareHunterTeam discovered a new ransomware called WannaBeHappy that appends the .encrypted extension to encrypted files. It is currently in development, but does not need much work before it could be pushed out the door.
MalwareHunterTeam discovered a Greek RAT and ransomware called Kerkoporta. It currently only renames files and has screenlocker functionality.
Michael Gillespie is looking for a ransomware that appends the .rubina5 extension to encrypted files and drops a ransom note named HOW_TO_DECRYPT_FILES.txt.
xXToffeeXx found a sample of a new Nemesis/Cry36 ransomware variant that calls itself Losers Ransomware. It appears to specifically target Indonesian victims, appends the .losers extension to encrypted files, and drops a ransom note named HOWTODECRYPTFILES.html.
Michael Gillespie noticed that a ransomware group is hacking into servers, placing the victim's files in password-protected zip archives, and then leaving ransom notes. These notes contain a contact email of firstname.lastname@example.org.
Malwarebytes security researcher Jérôme Segura discovered that Matrix Ransomware is now being distributed through the RIG exploit kit on hacked sites.
MalwareHunterTeam discovered a new ransomware called XiaoBa that appends extensions .XiaoBa1 through .XiaoBa34 to encrypted files.
Leo discovered a new ransomware called xRansom. This one is clearly in development, written by someone teaching themselves how to make ransomware. It only targets 4 file extensions, does not append an extension to encrypted files, and neither displays nor creates a ransom note.
Karsten Hahn discovered a new version of the YYTO ransomware that appends the email@example.com extension to encrypted files.
Some extremely lucky users will be able to recover files locked by the Bad Rabbit ransomware thanks to small operational mistakes on the part of the malware's authors.