It was a good week, as there was not a lot of news when it comes to ransomware. Some more in-dev crap and nothing really new this week. The biggest news is that Cerber is now being distributed via MALSPAM that exploits CVE-2017-0199 in the attached DOC files.
It was quite a slow week in the beginning with most of the news being for the most part about small ransomware variants. It finished with a bang, though, with the reappearance of Locky riding on a strong wave of SPAM emails. As you can imagine, there were quite a few articles about Locky today.
Google has removed a feature of the Android operating system that has been used in the past in ransomware attacks.
The developer of the AES-NI ransomware claims that the recent "success" he's been enjoying is due to the NSA exploits leaked last week by the Shadow Brokers group.
A new Ransomware-as-a-Service (RaaS) named Karmen is currently being advertised and sold online on an infamous Russian-speaking underground hacking forum.
After last week, it's a pleasure to have a slow week in ransomware. Nothing really big was released this week other than Emsisoft releasing an updated Cry9 decryptor and the new CryptoMix variant called Mole. Otherwise, this week has been full of in-development ransomware and smaller variants.
The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.
A new ransomware called Mole was found by security researcher Brad Duncan while he was analyzing a new SPAM campaign. After examining this sample, I feel that this is probably another variant of the CryptoMix family as it has many similarities to the Revenge and CryptoShield variants.
The big news this week was the PoC for a UEFI ransomware presented at BlackHat Asia, Matrix Ransomware being distributed by RIG and having worm characteristics, and the joke ransomware called RensenWare that required a victim to get a very high score in a game to obtain a decryption key.
The Matrix Ransomware gears up for wider distribution by using EITest and the RIG exploit kit, while also being able to spread to other computers through malicious shortcuts.
A mini-controversy broke out this week in the infosec community after cyber-security firm CRITIFENCE led journalists and other security experts to believe that it had detected in-the-wild attacks with a new ransomware called ClearEnergy, specialized in targeting ICS/SCADA industrial equipment.
For more than a month, at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors, DDoS bots, cryptocurrency miners, or ransomware, depending on whether the machine is running Linux or Windows.