Not much to report this week as we did not have a lot of releases of new variants or updated existing variants. The biggest news was the discovery of the RedBoot bootlocker ransomware and Locky continuing its mass spam campaigns.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwrhunterteam, @malwareforme, @LawrenceAbrams, @struppigel, @DanielGallagher, @Seifreed, @jorntvdw, @hexwaxwing, @FourOctets, @campuscodi, @PolarToffee, @demonslay335, @BleepinComputer, @Malware_Blocker, @dvk01uk, @Bitdefender, and @PhishMe.

September 23rd 2017

Locky Ransomware Authors Are Big Game of Thrones Fans

According to a recent discovery from researchers at PhishMe, the group behind the Locky ransomware are big fans of HBO's hit series, so much so that they've peppered recent scripts with names of show characters and other references.

Ransomware or Wiper? RedBoot Encrypts Files but also Modifies Partition Table

A new bootlocker ransomware called RedBoot was discovered by Malware Blocker. When executed, it encrypts files on the computer, replaces the MBR (Master Boot Record) of the system drive, and then modifies the partition table in some manner.

Sample of the SuperB Ransomware Discovered

MalwareHunterTeam found a sample of the SuperB Ransomware. This ransomware is a Python script compiled into an executable. It creates copies of files, encrypts them, and appends the .enc extension. The original files are overwritten with the ransom note.

September 24th 2017

John's Locker Discovered

Lawrence Abrams discovered a new ransomware called John's Locker. This ransomware does not encrypt anything and is most likely a joke. You can use Alt+F4 to close it.

September 25th 2017

New CryptoClone Ransomware Discovered

Karsten Hahn discovered the in-dev ransomware called CryptoClone. This ransomware appends the .crypted extension to encrypted files. It is decryptable.

New Screenlocker Discovered

Karsten Hahn discovered a new screenlocker that is unlocked with the code qwerty.

Onion Crypt v3 Ransomware Discovered

MalwareHunterTeam discovered a new HiddenTear variant called Onion Crypt v.3. This ransomware appends the .onion3cry-open-DECRYPTMYFILE extension to encrypted files.

THTLocker Screenlocker Discovered

Karsten Hahn discovered a screenlocker called THTLocker.

September 26th 2017

BlackMist Ransomware Discovered

Cool name, crappy implementation. BlackMist is a new in-dev ransomware discovered by Lawrence Abrams that currently only targets C:\Users\Owner. If it worked, it would append blackmist (no dot) to encrypted files.

Bitdefender releases a Ransomware Recognition Tool

Bitdefender released a tool that attempts to identify the ransomware a person may be infected with. I personally have not tried it, but one review was not promising.

In-dev Screenlocker Discovered

MalwareHunterTeam discovered an in-dev screenlocker.

September 27th 2017

In-dev HiddenTear variant tries to send keys via email

Lawrence Abrams discovered a new in-dev HiddenTear variant that has been modified to try to send the encryption keys via email. It appends .locked to encrypted files.

September 28th 2017

Necurs botnet spam now distributing Locky and Trickbot via same vbs file using geo-location techniques

From an article by My Online Security:

The next in the never-ending series of malware downloaders coming from the Necurs botnet is an email with the subject of "Emailing: Scan0253" (random numbers) pretending to come from sales@ your own email address or company domain. Today they have changed delivery method and will give either Locky Ransomware or Trickbot banking Trojan depending on your IP address and country of origin.

Paradise Ransomware uses an HTML Ransom Note

Karsten Hahn discovered a new sample of the Paradise Ransomware that now uses an HTML note instead of its previous text note. Otherwise, it looks to be the same.

New Variant of the Cypher Ransomware Discovered

Karsten Hahn discovered a new variant of the Cypher Ransomware that appends the .crypt extension to encrypted files.

Builder for SurveyLocker Discovered

Karsten Hahn found the builder for SurveyScreenLocker called LaserLocker.

September 29th 2017

Fake DMA Locker being Developed

Karsten Hahn found a sample of an in-dev ransomware where the dev is just downloading and showing a DMALocker screenshot from Malwarebytes' blog.

New Jigsaw variant uses Anonymous Background

Lawrence Abrams discovered a new Jigsaw Ransomware variant that utilizes an Anonymous background. This variant appends the .fun extension to encrypted files.

That's it for this week! Hope everyone has a nice weekend!
