This week has seen a big push by Locky using numerous distribution campaigns to try and claim a spot with the big boys. Other than the normal releases of small ransomware creations, we also saw the RIG exploit kit pushing the Princess Ransomware.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @jorntvdw, @malwrhunterteam, @struppigel, @campuscodi, @demonslay335, @BleepinComputer, @FourOctets, @Seifreed, @LawrenceAbrams, @malwareforme, @PolarToffee, @fwosar, @msftmmpc, @MarceloRivero, @Malwarebytes, @jeromesegura, @dvk01uk, @peterkruse, @malware_traffic, @AppRiver, @ComodoNews, & @barracuda.
A ransomware that promotes the EkoParty conference was discovered by MalwareHunterTeam. Our guess is that it is most likely being used as a demonstration in one of their courses. It is based on HiddenTear and appends the .locked extension.
Lawrence Abrams discovered a program called RansomPrank that displays a ransom screen but does not actually encrypt anything. It is not clear whether this is in development or just a joke.
Lawrence Abrams discovered a new version of the Wooly Ransomware that actually encrypts now. It is still buggy and crashes soon after starting. It appends the .wooly extension and now includes a picture of a polar bear as one of its resources.
A new variant of the BTCWare ransomware was discovered by ID-Ransomware's Michael Gillespie that appends the .[affiliate_email].nuclear extension to encrypted files. The BTCWare family of ransomware is distributed by its developers hacking into remote computers that have weak passwords exposed over Remote Desktop services. Once they gain access to a computer, they install the ransomware and encrypt the victim's files.
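Because BTCWare, as described above, arrives after its operators log in over Remote Desktop with a weak password, the trace a defender can look for is a burst of failed RemoteInteractive logons (Windows Security Event ID 4625, logon type 10) from one source followed by a success (Event ID 4624) from the same source. The following is an added example, not code from the article or from any of the researchers credited on this page; the log lines are constructed in a simplified key=value form rather than a real Windows export, and the threshold and window values are assumptions a deployment would tune.

```python
"""Flag RDP password-guessing from Windows logon events (added example).

Assumptions: events are supplied as one line each in a simplified
'key=value' form (constructed here, not a real evtx/CSV export), with the
fields EventID, LogonType, TargetUser and SourceIP. Logon type 10 is
RemoteInteractive (RDP); 4625 is a failed logon, 4624 a successful one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers Administrator over RDP and finally
# gets in; a second source fails once and is not interesting.
SAMPLE_LOG = """\
2017-08-29T02:14:01 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2017-08-29T02:14:03 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2017-08-29T02:14:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2017-08-29T02:14:08 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2017-08-29T02:14:11 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2017-08-29T02:14:15 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2017-08-29T02:16:40 EventID=4624 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2017-08-29T03:00:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.7
2017-08-29T03:05:00 EventID=4624 LogonType=2 TargetUser=alice SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Parse the simplified log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected shape
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons inside any `window`, noting whether a success followed them."""
    by_ip = defaultdict(list)
    for e in events:
        if e["lt"] == 10:  # only RemoteInteractive (RDP) logons
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]
        # Sliding window over the sorted failures: largest count in any window.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = failures[-1]["ts"]
            # A 4624 after the last failure from the same source means the
            # guessing likely succeeded, which is the case that matters most.
            succeeded = any(e["eid"] == 4624 and e["ts"] >= last_fail for e in evs)
            alerts[ip] = {
                "failures": len(failures),
                "max_in_window": best,
                "users": sorted({e["user"] for e in failures}),
                "succeeded_after": succeeded,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_guessing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The success-after-failures flag is the part worth escalating: a burst of 4625s that never turns into a 4624 is noise from the internet, while a burst that does is the moment described above where the operator is inside and about to drop the payload.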
MalwareHunterTeam discovered the StrawHat Ransomware. This appears to be in-dev and renames files to a random extension. Drops ransom notes named YOUR_FILES_ARE_ENCRYPTED.html and YOUR_FILES_ARE_ENCRYPTED.txt.
MalwareHunterTeam discovered a new ransomware called MindSystem Ransomware. It provides the key, so anyone can decrypt the files; it is most likely really a test ransomware.
Karsten Hahn discovered the CryING ransomware. Looks to be in-development.
The Microsoft MMPC discovered a new "Troll" ransomware that uses XOR encryption when encrypting files. The problem is that it encrypts any file it finds, regardless of location or extension, which could lead to Windows failing.
Several hospitals that are part of the NHS Lanarkshire board were hit on Friday by a version of the Bit Paymer ransomware.
The Internal Revenue Service (IRS) is warning US citizens of a new phishing scheme that poses as official IRS communications in the hope that victims open a link, download a file, and get infected with ransomware.
Karsten Hahn discovered a new in-development ransomware called Akira. It only encrypts the video folder and appends the .akira extension to the files it encrypts.
Security researcher Leo discovered a new variant of the Blue Eagle Ransomware. Currently broken and does not encrypt.
Michael Gillespie appeared on McAfee's podcast, Hackable, where he demonstrated how a person could get infected with ransomware.
MalwareHunterTeam discovered the KeyMaker ransomware that appends the .CryptedOpps extension to encrypted files.
MalwareHunterTeam discovered the Haze Ransomware, which tries to imitate Petya. It does not encrypt.
Leo discovered the OhNo! Ransomware, which appends the .OhNo! extension to encrypted files. It seems to be in-dev, as it only encrypts a limited number of files.
We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.
Summer vacation is over! During the past week, security researchers have discovered several distribution campaigns pushing the Locky ransomware via different methods, including a new variant that features one hell of a clever trick.
Yesterday, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that appends the .arena extension to encrypted file names. This family of ransomware releases a new version almost every week, if not sooner, so we can expect to see another variant with a new extension released soon.