Not much to report this week, as there were few new variants or updates to existing ones. The biggest news was the discovery of the RedBoot bootlocker ransomware and Locky continuing its mass spam campaigns.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwrhunterteam, @malwareforme, @LawrenceAbrams, @struppigel, @DanielGallagher, @Seifreed, @jorntvdw, @hexwaxwing, @FourOctets, @campuscodi, @PolarToffee, @demonslay335, @BleepinComputer, @Malware_Blocker, @dvk01uk, @Bitdefender, and @PhishMe.
According to a recent discovery from researchers at PhishMe, the group behind the Locky ransomware is a big fan of HBO's hit series, so much so that they've peppered recent scripts with names of show characters and other references.
Malware Blocker discovered a new bootlocker ransomware called RedBoot. When executed, it encrypts files on the computer, replaces the MBR (Master Boot Record) of the system drive, and then modifies the partition table in some manner.
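As an added illustration of what a bootlocker like RedBoot disturbs (this is not code from the original post or from the malware itself), the following Python parses a 512-byte MBR sector using the standard layout of 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature, and compares it against a saved known-good copy. The sample sectors are constructed for the example; on a real host the baseline would be captured from the system drive while it is known to be clean.

```python
import struct
from dataclasses import dataclass

MBR_SIZE, BOOT_CODE_LEN, TABLE_OFF, ENTRY_LEN = 512, 446, 446, 16
BOOT_SIG = b"\x55\xAA"  # signature the BIOS expects at bytes 510-511

@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

def parse_mbr(sector: bytes):
    """Return (signature_ok, [Partition, ...]) for one 512-byte MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFF + i * ENTRY_LEN)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return sector[510:512] == BOOT_SIG, parts

def check_mbr(current: bytes, baseline: bytes):
    """Compare a freshly read MBR with a known-good baseline; return a list of findings."""
    findings = []
    cur_sig, cur_parts = parse_mbr(current)
    _, base_parts = parse_mbr(baseline)
    if not cur_sig:
        findings.append("boot signature 0x55AA missing")
    if current[:BOOT_CODE_LEN] != baseline[:BOOT_CODE_LEN]:
        findings.append("boot code differs from baseline")
    if cur_parts != base_parts:
        findings.append("partition table differs from baseline")
    return findings

def build_mbr(boot_code: bytes, entries, signature: bytes = BOOT_SIG) -> bytes:
    """Build a constructed sample sector (hypothetical data, only for this example)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\xFF" * 3, ptype, b"\xFF" * 3, lba, n)
                     for boot, ptype, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(4 * ENTRY_LEN, b"\x00") + signature

# Constructed samples: the tampered sector keeps 0x55AA so the machine still boots into
# the replaced boot code, which is why a signature check alone would not catch it.
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0", [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xB8\x13\x00\xCD\x10", [(True, 0x07, 4096, 204800)])
```

On Linux the live sector can be read with a privileged `open("/dev/sda", "rb").read(512)` and passed to `check_mbr` alongside the stored baseline.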
MalwareHunterTeam found a sample of the SuperB Ransomware. This ransomware is a Python script compiled into an executable. It creates copies of files, encrypts them, and appends the .enc extension; the original files are overwritten with the ransom note.
Lawrence Abrams discovered a new ransomware called John's Locker. This ransomware does not encrypt anything and is most likely a joke; its window can be closed with Alt+F4.
Karsten Hahn discovered the in-dev ransomware called CryptoClone. This ransomware appends the .crypted extension to encrypted files. It is decryptable.
Karsten Hahn discovered a new screenlocker that is unlocked with the code qwerty.
MalwareHunterTeam discovered a new HiddenTear variant called Onion Crypt v.3. This ransomware appends the .onion3cry-open-DECRYPTMYFILE extension to encrypted files.
Karsten Hahn discovered a screenlocker called THTLocker.
Cool name, crappy implementation. BlackMist is a new in-dev ransomware discovered by Lawrence Abrams that currently only targets C:\Users\Owner. If it worked, it would append blackmist (no dot) to encrypted files.
MalwareHunterTeam discovered an in-dev screenlocker.
In an article by My Online Security:
The next in the never-ending series of malware downloaders coming from the Necurs botnet is an email with the subject of Emailing: Scan0253 ( random numbers) pretending to come from sales@ your own email address or company domain. Today they have changed delivery method and will give either Locky Ransomware or Trickbot banking Trojan depending on your IP address and country of origin.
Karsten Hahn discovered a new variant of the Cypher Ransomware that appends the .crypt extension to encrypted files.
Karsten Hahn found the builder for SurveyScreenLocker called LaserLocker.
Karsten Hahn found a sample of an in-dev ransomware where the dev is just downloading and showing a DMALocker screenshot from Malwarebytes' blog.
Lawrence Abrams discovered a new Jigsaw Ransomware variant that uses an Anonymous background. This variant appends the .fun extension to encrypted files.