During this week, we did not see a large number of smaller variants released compared to what we have historically seen. This is because ransomware has moved towards large network-wide breaches by variants such as SamSam, BitPaymer, and Dharma over publicly exposed remote desktop services.

Due to the rise in these types of attacks, the Internet Crime Complaint Center (IC3) has released a security alert about attacks targeting exposed remote desktop services.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @fwosar, @struppigel, @malwrhunterteam, @jorntvdw, @demonslay335, @Seifreed, @hexwaxwing, @malwareforme, @PolarToffee, @BleepinComputer, @DanielGallagher, @FourOctets, @GrujaRS, @nao_sec, @siri_urz, @campuscodi, @USCERT_gov, @ValthekOn, and the @FBI.

September 22nd 2018

Qinynore Ransomware discovered

Karsten Hahn has discovered a new HiddenTear variant called Qinynore Ransomware. This ransomware appends the .anonymous extension to encrypted files and drops a ransom note named YOU_MUST_READ_ME.rtf.

Bytar Ransomware discovered

Karsten Hahn discovered a new ransomware called Bytar that appears to be in development.

September 23rd 2018

New LockCrypt 2.0 variant

GrujaRS discovered a new LockCrypt 2.0 variant that appends the .BDKR extension to encrypted files and creates a ransom note named How To Restore Files.txt.

BDKR Variant

XD Ransomware

GrujaRS discovered a ransomware appending the .xd extension to encrypted files.

September 24th 2018

Pennsylvania Senate Democrats paid $700,000 to recover from ransomware attack

Microsoft was paid $703,697 to help the Pennsylvania Senate Democrats rebuild their IT systems after a 2017 ransomware incident.

New Jigsaw Ransomware variant

Michael Gillespie found a new Jigsaw Ransomware targeting German victims and appending the .spaß extension to encrypted files.

September 25th 2018

GandCrab V5 Released With Random Extensions and New HTML Ransom Note

GandCrab v5 has been released with a few noticeable changes. The most noticeable are that the ransomware now uses a random 5-character extension for encrypted files and drops an HTML ransom note.

September 26th 2018

GandCrab v5 Ransomware Utilizing the ALPC Task Scheduler Exploit

The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain SYSTEM privileges on an infected computer. This vulnerability was patched by Microsoft in the September 2018 Patch Tuesday, but as shown by the computers still vulnerable to EternalBlue, businesses can be slow to install these updates.

September 27th 2018

Port of San Diego Affected by a Ransomware Attack

On September 25th, the Port of San Diego announced that its information technology systems had been disrupted by a cyber attack. In a statement today, the Port confirmed that the disruption was caused by a ransomware attack.

September 28th 2018

IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks

The Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the FBI, has issued a security alert regarding attacks conducted through the Windows Remote Desktop Protocol. While the most publicized attacks over RDP are related to ransomware, attackers also break into exposed RDP services for corporate theft, installation of backdoors, or as a launching point for other attacks.
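The common thread of this week's entries and the IC3 alert is password guessing against exposed RDP. As an added example (not from the article or the IC3 alert), the script below shows the defender-side check a log pipeline can run: it counts Windows Security Event ID 4625 (failed logon) records with LogonType 10 (RemoteInteractive, i.e. RDP) per source address inside a sliding window, and raises a second alert when a flagged address then produces a 4624 (successful logon). The key=value log lines are a constructed summary of those events, not real exported event XML, and the threshold and window are assumptions to tune per environment.

```python
"""Flag RDP brute-force activity in Windows Security events (added example).

Event IDs 4625/4624 and LogonType 10 are the real Windows values for failed
and successful RDP (RemoteInteractive) logons; the log format below is a
constructed key=value summary, not the native event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a failure burst from 203.0.113.5 ending in a success,
# plus one isolated failure from 198.51.100.7 that must not be flagged.
SAMPLE_LOG = """\
2018-09-28T10:00:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2018-09-28T10:00:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2018-09-28T10:00:04Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.5
2018-09-28T10:00:06Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.5
2018-09-28T10:00:09Z EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.5
2018-09-28T10:00:12Z EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.5
2018-09-28T10:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2018-09-28T10:06:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'time'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return (ip, kind, detail) alerts: 'burst' once >= threshold RDP failures
    from one IP fall inside `window`, 'success_after_burst' if it then logs in."""
    failures = defaultdict(list)   # ip -> timestamps of recent RDP failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("LogonType") != "10":
            continue  # only RDP (RemoteInteractive) logons are of interest here
        ip, t = ev["IpAddress"], ev["time"]
        if ev["EventID"] == "4625":
            recent = [x for x in failures[ip] if t - x <= window] + [t]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst", f"{len(recent)} RDP failures within {window}"))
        elif ev["EventID"] == "4624" and ip in flagged:
            alerts.append((ip, "success_after_burst", f"logon as {ev['TargetUserName']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

Note that a 4624 following a burst is the higher-priority alert: it is the point at which a guessed password has turned an exposed RDP service into an interactive foothold.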

That's it for this week! Hope everyone has a nice weekend!
