During this week, we did not see many smaller variants released compared to what we have historically seen. This is because ransomware has moved towards large network-wide breaches by variants such as SamSam, BitPaymer, and Dharma over publicly exposed remote desktop services.
Due to the rise in these types of attacks, the Internet Crime Complaint Center (IC3) has released a security alert about attacks targeting exposed remote desktop services.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @fwosar, @struppigel, @malwrhunterteam, @jorntvdw, @demonslay335, @Seifreed, @hexwaxwing, @malwareforme, @PolarToffee, @BleepinComputer, @DanielGallagher, @FourOctets, @GrujaRS, @nao_sec, @siri_urz, @campuscodi, @USCERT_gov, @ValthekOn, and the @FBI.
Karsten Hahn has discovered a new HiddenTear variant called Qinynore Ransomware. This ransomware appends the .anonymous extension to encrypted files and drops a ransom note named YOU_MUST_READ_ME.rtf.
Karsten Hahn discovered a new ransomware called Bytar that appears to be in development.
GrujaRS discovered a new LockCrypt 2.0 variant that appends the .BDKR extension to encrypted files and creates a ransom note named How To Restore Files.txt.
GrujaRS discovered a ransomware appending the .xd extension to encrypted files.
Microsoft was paid $703,697 to help Pennsylvania Senate Democrats rebuild IT systems after a 2017 ransomware incident.
Michael Gillespie found a new Jigsaw Ransomware targeting German victims and appending the .spaß extension to encrypted files.
GandCrab v5 has been released with a few noticeable changes. The most noticeable are that the ransomware now uses a random 5-character extension for encrypted files and drops an HTML ransom note.
The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain System privileges on an infected computer. This vulnerability was patched by Microsoft in the September 2018 Patch Tuesday, but as shown by the computers still vulnerable to EternalBlue, businesses can be slow to install these updates.
On September 25th, the Port of San Diego announced that its information technology systems had been disrupted by a cyber attack. In an announcement today, the Port stated that this disruption was caused by a ransomware attack.
The Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the FBI, has issued a security alert regarding attacks being conducted through the Windows Remote Desktop Protocol. While the most publicized attacks over RDP are related to ransomware, attackers also break into exposed RDP services for corporate theft, installation of backdoors, or as a launching point for other attacks.
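As an added illustration of the defender's side of the RDP alert above (not code from the original post, IC3, or the FBI): a small Python detector that groups failed RDP logons by source address and flags password-guessing bursts against an exposed service. The key=value log layout, the addresses and the 4625/LogonType 10 records are constructed for the example and are assumptions about how a real export would look.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records, loosely modelled on Windows Security event 4625
# (failed logon); LogonType 10 is RemoteInteractive, i.e. an RDP session.
# The key=value layout is an assumption for this example, not a real export.
SAMPLE_LOG = """\
2018-09-28T02:14:05 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2018-09-28T02:14:07 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.45
2018-09-28T02:14:09 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.45
2018-09-28T02:14:11 EventID=4625 LogonType=10 TargetUser=scanner IpAddress=203.0.113.45
2018-09-28T02:14:13 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2018-09-28T02:15:00 EventID=4625 LogonType=2 TargetUser=jsmith IpAddress=10.0.0.20
2018-09-28T02:20:00 EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=10.0.0.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    # RFC 1918 sources count as internal; anything else is treated as Internet-facing.
    return any(ip_address(ip) in net for net in RFC1918)

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, ip) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["user"], m["ip"])

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (failures, users, external)} for sources with >= threshold failed RDP logons in one window."""
    failures = defaultdict(list)                  # ip -> [(ts, user), ...]
    for ts, eid, lt, user, ip in parse_events(text):
        if eid == 4625 and lt == 10:              # failed RemoteInteractive logon
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        stamps = [ts for ts, _ in attempts]
        # Sliding window: any `threshold` consecutive failures within `window`.
        burst = any(stamps[i + threshold - 1] - stamps[i] <= window
                    for i in range(len(stamps) - threshold + 1))
        if burst:
            users = sorted({u for _, u in attempts})
            alerts[ip] = (len(attempts), users, not is_internal(ip))
    return alerts
```

Interactive (LogonType 2) failures are ignored so console typos do not count, and a single internal miss is not a burst; in practice the same query runs over a SIEM export of 4625 events from hosts that should never be reachable over RDP from the Internet.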