Lots of ransomware in the news this week. Of course the biggest story was the Bad Rabbit outbreak that targeted numerous countries, but mostly Russia and Ukraine. We also had the Tyrant Ransomware, which was targeting Iranian companies. In addition to those big stories, we had a bunch of smaller variants released this week.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @DanielGallagher, @PolarToffee, @hexwaxwing, @malwareforme, @campuscodi, @Seifreed, @LawrenceAbrams, @fwosar, @jorntvdw, @FourOctets, @struppigel, @BleepinComputer, @demonslay335, @McAfee_Labs, @jiriatvirlab, @ESET, @kaspersky, @TalosSecurity, @Bitdefender, @GroupIB_GIB, @IntezerLabs, @bartblaze, @EndgameInc, @Malwarebytes, @antonivanovm, @malwareunicorn, @craiu, @hasherezade, @jeromesegura, and @EKFiddle.

October 21st 2017

Ordinal Ransomware Discovered

Lawrence Abrams discovered a new HiddenTear variant called Ordinal Ransomware. This ransomware appends the .Ordinal extension to encrypted files and drops a ransom note named READ Me To Get Your Files Back.txt.Ordinal.

McAfee Ransomware Recover (Mr2)

I missed this in the previous article, but McAfee has released a Ransomware Recover tool, which allows victims to download various decryptors for the ransomware they are affected with. They also intend for this to be an open framework that other researchers can use to add decryption keys that they find.

October 22nd 2017

ID-Ransomware Can Detect 500 Ransomware Variants

ID-Ransomware achieved a milestone by being able to detect 500 different ransomware variants.

October 23rd 2017

Windows 10's "Controlled Folder Access" Anti-Ransomware Feature Is Now Live

Catalin Cimpanu takes a look at the new "Controlled Folder Access" feature from the newly released Windows 10 Fall Creators Update.

AllCry Ransomware Discovered

Karsten Hahn discovered a new ransomware called AllCry. This ransomware appends the .allcry extension to encrypted files.

Trick or Treat Ransomware Discovered

Lawrence Abrams discovered the first in-dev Halloween 2017 ransomware, called Trick or Treat. It doesn't encrypt anything and only shows the following screen.

Pennywise Ransomware

Lawrence Abrams discovered a Jigsaw ransomware variant, just in time for Halloween, that uses the Pennywise character from IT for its background. It is in debug/simulation mode and appends .beep to test files.

Comrade Ransomware Discovered

MalwareHunterTeam discovered a new HiddenTear variant that appends the .Comrade extension to encrypted files and drops a ransom note named DECRYPT_FILES.txt.

October 24th 2017

Bad Rabbit Ransomware Outbreak Hits Eastern Europe

A new ransomware strain named Bad Rabbit is wreaking havoc in many Eastern European countries, affecting government agencies and private businesses alike.

October 25th 2017

Security Firms Say Bad Rabbit Attack Carried Out by NotPetya Group

Several security firms have come forward today with evidence that links the Bad Rabbit ransomware outbreak that happened yesterday to the NotPetya ransomware outbreak that took place at the end of June this year.

Small Number of Bad Rabbit Ransomware Victims Detected in the USA

Reports started coming in that the Bad Rabbit Ransomware had started infecting some victims in the USA.

Bad Rabbit Technical Analysis Round Up

I am sure I left some out, and I apologize in advance, but here are some Bad Rabbit technical analysis reports from Endgame, Kaspersky, Malwarebytes, Group IB, and ESET.

Tyrant Ransomware Spreads in Iran Disguised as Popular VPN App

The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) has issued a security alert about a ransomware distribution campaign currently active in the country.

October 26th 2017

Bad Rabbit Ransomware Outbreak Also Used NSA Exploit

The Cisco Talos Group discovered that Bad Rabbit used the NSA exploit called EternalRomance.

WannaBeHappy Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called WannaBeHappy that appends the .encrypted extension to encrypted files. It is currently in development, but doesn't need much more work before it could be pushed out the door.

Kerkoporta Greek RAT and Ransomware

MalwareHunterTeam discovered a Greek RAT and ransomware called Kerkoporta. It currently only renames files and has screen locker functionality.

Hunt for Rubina5 Ransomware

Michael Gillespie is looking for a ransomware that appends the .rubina5 extension to encrypted files and drops a ransom note named HOW_TO_DECRYPT_FILES.txt.

New Cry36 Losers Ransomware Variant

xXToffeeXx found a sample and identified a new Nemesis/Cry36 ransomware variant that calls itself Losers Ransomware. This variant specifically targets Indonesian victims, appends the .losers extension to encrypted files, and drops a ransom note named HOWTODECRYPTFILES.html.

Group Hacking Servers and Password Protecting Zip Files

Michael Gillespie noticed that a ransomware group is hacking into servers, putting files in password-protected zip files, and then leaving ransom notes. These notes contain a contact email of zip@email.tg.

October 27th 2017

Matrix Ransomware Being Distributed by the RIG Exploit Kit

Malwarebytes security researcher Jérôme Segura discovered that Matrix Ransomware is now being distributed through the RIG exploit kit on hacked sites.

XiaoBa Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called XiaoBa that appends extensions .XiaoBa1 through .XiaoBa34 to encrypted files.

xRansom Ransomware Discovered

Leo discovered a new ransomware called xRansom. This one is clearly in development, apparently by someone teaching themselves how to write ransomware. It only targets 4 file extensions, does not append an extension to encrypted files, and does not create or display a ransom note.

New b007 YYTO Ransomware Variant

Karsten Hahn discovered a new version of the YYTO ransomware that appends the colecyrus@mail.com.b007 extension to encrypted files.

Some Bad Rabbit Victims Can Recover Files Without Paying Ransom

Some extremely lucky users will be able to recover files locked by the Bad Rabbit ransomware because of small operational mistakes on the part of the malware's authors.

That's it for this week! Hope everyone has a nice weekend!
