This has been the slowest ransomware week in a long time! Thank you devs for giving me some time to do other things! For this week we have some smaller ransomware releases as well as new updates to existing ransomware. We also have the continuing saga of Fabian smacking the Stampado and Apocalypse devs around with new decryptors. Last, but not least, we have a major distribution campaign being conducted by a new Cerber affiliate.
Contributors and those who provided new ransomware info this week include: @MalwareTechBlog, @struppigel, @JakubKroustek, @fwosar, @malwrhunterteam, @PolarToffee, @DanielGallagher, @demonslay335, @JAMESWT_MHT, @Seifreed, @nyxbone, @BleepinComputer, and @Avira. If you are interested in ransomware or InfoSec, I suggest you follow all of them on Twitter.
HDDCryptor, sometimes spelled HDD Cryptor and also identified as Mamba, is a new ransomware variant discovered by Morphus Labs that rewrites a computer's MBR (Master Boot Record) boot sectors and locks users out of their PCs. While we might hurry to classify this as a Petya clone, HDDCryptor predates both Petya and Satana, being spotted on the Bleeping Computer forums at the end of January this year.
Fabian Wosar of Emsisoft has released a decryptor for FenixLocker. This decryptor can be downloaded from Emsisoft's site.
A new variant of the Fantom Ransomware was discovered last week by MalwareHunterTeam that added some very interesting features. The new features include network share enumeration and encryption, randomly generated desktop wallpapers, and offline encryption. By far the most interesting feature, though, is the ransomware's ability to set a ransom amount and a payment email based upon the name of the file.
It is almost entertaining watching Fabian release a decryptor for each new version of Apocalypse and Stampado, while the malware devs leave him little notes in their programs. This week we had two new versions of Stampado and Fabiansomware (Apocalypse), but Fabian was able to release updated decryptors to support them. These decryptors can be found on Emsisoft's decryptor page.
Avira posted a new article in which Kroll, an Avira malware specialist, stated:
Locky has stepped back from running in an offline-only mode, as Locky affiliates transition back to including Command and Control (CnC) information in their configuration, with an accompanying drop in the number of affiliates working in an offline-only mode.
According to MalwareTech, Cerber has picked up in distribution with:
Cerber ransomware group seem to have a new affiliate. Now hitting around 80,000 infections per day compared to only 6,000/day last month.
A new ransomware called Cyber SpLiTTer Vbs was discovered by GData security researcher Karsten Hahn. Currently this ransomware appears to be in development, as there are no functions written to actually encrypt anything. When you run the sample, it only displays the following lock screen.
A new ransomware called UnblockUPC was reported in the BleepingComputer.com forums. When infected, it will create a ransom note called Files encrypted.txt that contains a unique ID for the victim and the payment sites a user must visit to get payment instructions. These payment sites, shown below, ask for 0.18 BTC, or approximately 100 Euro.
Unfortunately, we have not been able to get our hands on a sample of the installer, but . For those who are infected with this ransomware, please post in the Unblockupc Ransomware Help & Support Topic so that we can try to recover a sample of the installer.