This week we have 8 stories, new ransomware, scams, taunts, and decryptors. Of particular note is the Fairware Ransomware scam being installed via hacked Linux Redis server. We also have malware developers taunting security researchers, a new Cerber version, and a new ransomware that transmits quite a bit of information about a victim's configuration.

Contributors and those who provided new ransomware info this week include: @Antelox@BleepinComputer@fwosar, @JakubKroustek@DanielGallagher, @nyxbone@malwrhunterteam@demonslay335, @PolarToffee, @JAMESWT_MHT, @Seifreed@duosec. If you are interested in ransomware or security, I suggest you follow all of them on Twitter.

August 29th 2016

New FairWare Ransomware targeting Linux Computers

A new attack called FairWare Ransomware is targeting Linux users where the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to get their files back. In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, they probably just upload it to a server under their control.

New RAA Ransomware variant Discovered

A new variant of the RAA Ransomware was discovered by Antelox that uses a new email address of raaconsult@mail2tor.com.

August 30th 2016

Apocalypse Developer changes internal program name to Fabiansomware

Fabian Wosar has been a thorn in the side of the Apocalypse Ransomware developer ever since it was released. With each new version, Fabian has been able to update his Apocalypse decryptor so that victims could get their files back for free.

Needless to say, the Apocalypse developer has not been happy and has been insulting Fabian within the internal strings of their ransomware. Fabian recently discovered, that the latest Apocalypse Ransomware has changed it's name to Fabiansomeware as a further attempt to insulting him.

August 31st 2016

Cerber Ransomware switches to .CERBER3 Extension for Encrypted Files

A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files.  When I tested this new sample, there was some minor outward differences between this version and the previous version.

Hacked Redis Servers being used to install the Fairware Ransomware Attack

Recently I wrote about a supposedly new ransomware called Fairware that was targeting Linux servers. When a server was hacked by Fairware, it would delete various data folders and create a ransom note in the /root folder stating that the files were encrypted and that a victim needs to pay two bitcoins to get them back. Based on a new article by Duo Security, and confirmation from Fairware victims, it appears that this is just a scam and the attackers did not archive the folders before deleting them.

New version of Stampado found that changes filenames

Emsisoft security researcher Fabian Wosar discovered a new version of Stampado that changes the filenames for encrypted files.  Filenames will now be encrypted with hex characters and the .locked extension. An example of an encrypted file's new name would be 491ED67858BF44A7514B16F7EDD294833945A913D6D649CA41619918322043118270930D.locked.

September 1st 2016

The Nullbyte Ransomware pretends to be the NecroBot Pokemon Go Application

A new DetoxCrypto Ransomware variant called the Nullbyte Ransomware has been discovered by Emsisoft security researched xXToffeeXx that pretends to be the popular Pokemon Go bot application called NecroBot, When infected, the ransomware will encrypt a victim's files and then demand .1 bitcoins to decrypt the files. Thankfully, Michael Gillespie was able to create decryptor so that victims can get their files back for free.

New Central Security Treatment Organization Ransomware transmits information over UDP

A new ransomware was discovered by MalwareHunterTeam that I have dubbed the Central Security Treatment Organization Ransomware due to the fake organization name displayed on the payment site. When this ransomware encrypts files it will append the .cry extension to the filename. It will also create ransom notes named !Recovery_[random_chars].html.

This ransomware is interesting as it communicates with the Command & Control server via UDP. It also transmits information about the computer such as the wireless SSID and information about the computer's hardware, 

More info about this ransomware will be coming out soon in a dedicated article.

 

Related Articles:

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message