This week was mostly about in-dev ransomware or new variants of older ransomware being released. The biggest news was the File Spider Ransomware campaign that was targeting countries in the Balkans. The other big news is the entire California voters database being leaked on the Internet and held for ransom.
A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.
This week was mostly about small ransomware variants being released, but we did have some big stories. First, we have HC7, which is targeting entire networks through hacked remote desktop services, then we had StorageCrypt being installed on NAS devices, and finally the county computers of Mecklenburg County were hit by LockCrypt.
A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.
Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins.
It has been a busy ransomware week with lots of small and some bigger variants released. This week we had a new CryptoMix, a new BTCWare, and a few new malspam campaigns for GlobeImposter and Sigma. Even better, we had a few new and updated decryptors released so that people can recover their files for free.
A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40.
A new variant of the BTCWare ransomware was discovered by Michael Gillespie, that appends the .[email]-id-id.shadow extension to encrypted files. The BTCWare family of ransomware infections targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.
A new variant of the CryptoMix ransomware was discovered today that appends the .TEST extension to encrypted files and changes the contact emails used by the ransomware. This article will provide information what changes were made in this new version.
Not much to report this week other than Necurs starting to push the Scarab Ransomware and a new office document infecting ransomware called qkG. Otherwise, it has been a week of small variants that are in various stages of development.
A ransomware strain known as Scarab, and detected for the first time in June, is now being pushed to millions of users via Necurs, the Internet's largest email spam botnet.
Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.
A new CryptoMix Ransomware variant was discovered that appends the .0000 extension to encrypted files and changes the contact emails used by the ransomware. This article will provide a brief description on the changes in this variant.
An in-development ransomware has been discovered that is targeting the high school students of the J. Sterling Morton school district in Illinois.
Mostly small silly variants released this week, but we did have a few interesting stories. The bigger stories include a new variant from Crysis released, a wiper disguised as a ransomware targeting companies in Germany, and hackers using RDP to install the LockCrypt ransomware.
A new variant of the Crysis ransomware has been discovered that appends the cobra extension to encrypted files. While this ransomware cannot be decrypted for free, this article will take a look at the infection and provide possible methods to try to restore files.
Since June this year, a group of cyber-criminals has been breaking into unsecured enterprise servers via RDP brute-force attacks and manually installing a new type of ransomware called LockCrypt.
A new ransomware strain called Ordinypt is currently active in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data.