A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.
It has been a busy ransomware week with lots of small and some bigger variants released. This week we had a new CryptoMix, a new BTCWare, and a few new malspam campaigns for GlobeImposter and Sigma. Even better, we had a few new and updated decryptors released so that people can recover their files for free.
While the week was dominated by small ransomware creations, we did have some interesting news. First, we have had a resurgence of Locky variants, then a constant stream of GlobeImposter variants, and finally the SynCrypt ransomware, which utilizes an interesting distribution method.
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware leaked the private key for his latest version.
This has been a week of pure junk ransomware releases and decryptors. As most of these smaller ransomware variants never make it into actual distribution, I call this a win for the good guys. The big news this week is the release of the master decryption key for XData and an updated decryptor for Amnesia2.
In what has become a welcome trend, today another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting Ukraine around May 19th, 2017.
This week was a busy one, with lots of little variants discussed below and a new version of the Jaff Ransomware circulating via malspam. The big news is that AES-NI decided to close shop and has started releasing the master decryption keys so people can get their files back for free.
Users who have had their files encrypted by the BTCWare ransomware can recover their files for free after a user released the BTCWare master decryption key today on the Bleeping Computer forums.
On Saturday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released. It was named Amnesia based on the extension appended to encrypted files by the first variant.
Lots and lots of little crappy ransomware released this week with nothing new or innovative. We do have some interesting Spora stats, a story on the decline of Locky, and of course an updated decryptor by Fabian Wosar, who continues to kick ransomware in the buttocks. Other than that, nothing of real significance.
Another week and a lot more crappy ransomware released. Of particular interest is that Cerber no longer encrypts filenames, Emsisoft released a CryptON decryptor, and lots of really good technical writeups about ransomware.
Researchers from Palo Alto Networks have come across a new ransomware family that combines many unique features, such as political statements, public subdomain creation, and encryption tiers.
Kaspersky has tested a set of Dharma master decryption keys posted to BleepingComputer and has confirmed they are legitimate. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly!
Today, Avast released a decryptor for CryptoMix victims who were encrypted while in offline mode. Offline mode is when the ransomware runs and encrypts a victim's computer while there is no Internet connection or the computer cannot connect to the ransomware's Command & Control server.
Lots of small ransomware infections / screenlockers this week, but no major infections were discovered. Thankfully, security researchers were able to create a bunch of decryptors and make them available for victims to recover their files. Of particular note was the San Francisco MTA getting hit hard by the HDDCryptor ransomware.