This week we have 8 stories: new ransomware, scams, taunts, and decryptors. Of particular note is the Fairware Ransomware scam being installed via hacked Linux Redis servers. We also have malware developers taunting security researchers, a new Cerber version, and a new ransomware that transmits quite a bit of information about a victim's configuration.
Contributors and those who provided new ransomware info this week include: @Antelox, @BleepinComputer, @fwosar, @JakubKroustek, @DanielGallagher, @nyxbone, @malwrhunterteam, @demonslay335, @PolarToffee, @JAMESWT_MHT, @Seifreed, @duosec. If you are interested in ransomware or security, I suggest you follow all of them on Twitter.
A new attack called FairWare Ransomware is targeting Linux users. The attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins for the return of the files. The attackers most likely do not encrypt anything; if they retain the files at all, they probably just upload them to a server under their control.
Fabian Wosar has been a thorn in the side of the Apocalypse Ransomware developer ever since it was released. With each new version, Fabian has been able to update his Apocalypse decryptor so that victims could get their files back for free.
Needless to say, the Apocalypse developer has not been happy and has been insulting Fabian within the internal strings of their ransomware. Fabian recently discovered that the latest Apocalypse variant has been renamed Fabiansomware in a further attempt to insult him.
A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When I tested this new sample, there were some minor outward differences between this version and the previous one.
Recently I wrote about a supposedly new ransomware called Fairware that was targeting Linux servers. When a server was hacked by Fairware, it would delete various data folders and create a ransom note in the /root folder stating that the files were encrypted and that a victim needs to pay two bitcoins to get them back. Based on a new article by Duo Security, and confirmation from Fairware victims, it appears that this is just a scam and the attackers did not archive the folders before deleting them.
Emsisoft security researcher Fabian Wosar discovered a new version of Stampado that changes the filenames for encrypted files. Filenames will now be encrypted with hex characters and the .locked extension. An example of an encrypted file's new name would be 491ED67858BF44A7514B16F7EDD294833945A913D6D649CA41619918322043118270930D.locked.
A new DetoxCrypto Ransomware variant called the Nullbyte Ransomware has been discovered by Emsisoft security researcher xXToffeeXx. It pretends to be the popular Pokemon Go bot application NecroBot. When installed, the ransomware encrypts a victim's files and demands 0.1 bitcoins to decrypt them. Thankfully, Michael Gillespie was able to create a decryptor so that victims can get their files back for free.
A new ransomware was discovered by MalwareHunterTeam that I have dubbed the Central Security Treatment Organization Ransomware due to the fake organization name displayed on the payment site. When this ransomware encrypts files it will append the .cry extension to the filename. It will also create ransom notes named !Recovery_[random_chars].html.
This ransomware is interesting as it communicates with the Command & Control server via UDP. It also transmits information about the computer, such as the wireless SSID and details of the computer's hardware.
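As an added example (not part of the original article or any of the tools mentioned in it), here is a small Python triage script that applies the file-name indicators from this week's stories: the .CERBER3 extension (and the older .CERBER2), Stampado's hex-encoded file names with the .locked extension, and the .cry extension and !Recovery_[random_chars].html ransom notes of the Central Security Treatment Organization Ransomware. The sample file list is constructed for the demo, the minimum hex length and the assumption that the note's random characters are alphanumeric are mine, and a plain .locked name without a hex stem is deliberately left unattributed because many unrelated families use that extension.

```python
import os
import re
from collections import Counter

# File-name indicators from this week's stories. Matching is on the bare file
# name only; a hit is a lead for triage, not proof of a particular family.
# Minimum hex length (16) and the alphanumeric note suffix are assumptions.
STAMPADO_NAME = re.compile(r"^[0-9A-Fa-f]{16,}\.locked$")   # hex-encoded name + .locked
CRY_NOTE = re.compile(r"^!Recovery_[A-Za-z0-9]+\.html$")    # !Recovery_[random_chars].html


def classify(name):
    """Return a family label for one file name, or None if nothing matches."""
    lower = name.lower()
    if lower.endswith(".cerber3"):
        return "Cerber (.CERBER3)"
    if lower.endswith(".cerber2"):
        return "Cerber (.CERBER2)"
    if lower.endswith(".cry"):
        return "Central Security Treatment Organization (.cry)"
    if CRY_NOTE.match(name):
        return "Central Security Treatment Organization (ransom note)"
    # Require the hex stem: a bare ".locked" is used by many unrelated families.
    if STAMPADO_NAME.match(name):
        return "Stampado (hex name + .locked)"
    return None


def summarize(names):
    """Count matches per family over an iterable of file names."""
    counts = Counter()
    for name in names:
        label = classify(name)
        if label:
            counts[label] += 1
    return counts


def scan_tree(root):
    """Walk a directory and yield (path, family) for every matching file name."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            label = classify(fname)
            if label:
                yield os.path.join(dirpath, fname), label


# Constructed sample names for the demo (not taken from a real infection).
SAMPLE_NAMES = [
    "quarterly_report.docx.cerber3",
    "491ED67858BF44A7514B16F7EDD294833945A913D6D649CA41619918322043118270930D.locked",
    "notes.txt.locked",          # .locked without a hex stem: not attributed
    "budget.xlsx.cry",
    "!Recovery_a1B2c3.html",
    "readme.txt",
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_NAMES).items()):
        print(f"{count:3d}  {label}")
    # Against a real share: for path, label in scan_tree("/srv/data"): print(label, path)
```

Run it against a suspect share with `scan_tree` and use the per-family counts to decide which decryptor (Stampado, Apocalypse, Nullbyte) is worth trying before paying anyone; an empty result does not rule out an infection, since it checks names only, not file contents.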
More info about this ransomware will be coming out soon in a dedicated article.