On Monday, officials from Matanuska-Susitna (Mat-Su), a borough that is part of the Anchorage Metropolitan Statistical Area, said they are still recovering from a ransomware infection that took place last week, on July 24.
While the distribution of ransomware has definitely decreased, it is still very much a threat, as shown by the Alaskan borough of Matanuska-Susitna and the shipping company Cosco both getting hit by ransomware this week. Both attacks shut down operations and halted normal workflows.
A ransomware infection has crippled the US network of one of the world's largest shipping giants, COSCO (China Ocean Shipping Company).
Romanian antivirus firm Bitdefender yesterday released a decryption tool that can recover files encrypted by an older version of the LockCrypt ransomware, the one that locks files with the .1btc extension.
While it has been pretty slow for new ransomware this week, there was quite a bit of ransomware-related news, such as the LabCorp attack being a ransomware infection, Magniber branching out, and a ransomware dev venting on Twitter.
I guess even ransomware developers do not like being called scammers as shown by a recent venting session by the King Ouroboros ransomware developer on Twitter.
After spending nine months targeting only South Korean users, the Magniber ransomware has expanded its targeting and is now also capable of infecting users whose PCs use a Chinese (Macau, China, Singapore) or Malay (Malaysia, Brunei) language setting.
This week has mostly seen small variants released, including a bunch of new Scarab Ransomware variants. The most interesting ransomware news this week is the CoinVault authors appearing in a Netherlands court in front of a three-judge panel.
The authors of the CoinVault ransomware have had their day in court today in the Netherlands, where their case was presented in front of a three-judge panel.
Cass Regional Medical Center, a Missouri health care center, announced on their Facebook page that they have been affected by an undisclosed ransomware strain. This incident affected their internal communications system and their electronic health record (EHR) system.
This week saw the release of version 4 of the GandCrab ransomware, with a new KRAB extension, as well as a new ransomware called Nozelesn that has been heavily distributed. The Nozelesn campaign started out targeting Poland, but has since hit numerous other countries, including the USA.
An old foe and one of the first ransomware strains is still around and making new victims, but this malware is keeping up with the times and has added a cryptocurrency-mining component that it deploys on carefully selected computers.
Over the weekend, the GandCrab V4 Ransomware was released with numerous changes. These changes include a different encryption algorithm, a new .KRAB extension, a new ransom note name, and a new TOR payment site.
A distribution campaign for a new ransomware called Nozelesn is currently underway, targeting Poland. This campaign started on July 2nd, and we already have reports from victims in our forums; numerous cases have also been spotted on ID Ransomware.
It has been a very slow week for ransomware, which we are always happy about. While ransomware will never go away completely, as time goes on, more people become educated, and better backup strategies are created, we continue to see ransomware slowly diminishing.
Back in February we wrote about a new ransomware called Thanatos that was encrypting victims' data, but contained flaws that would not allow the authors to decrypt a victim's files even if they paid. Thankfully, the Cisco Talos Group was able to find a method to break the encryption routine.
This has been the week of the Scarab with a continuous stream of Scarab Ransomware variants being released. We also had a few decryptors and some smaller variants, but by far Scarab dominated the ransomware distribution. Thankfully, under certain conditions Scarab can be decrypted by Dr. Web,
New versions of the SamSam ransomware will not execute unless the person running the malware's payload enters a special password via the command-line.
Mostly new variants of the same ransomware this week, with few new ransomware campaigns being conducted. Of particular interest was Kaspersky temporarily withdrawing its participation in the NoMoreRansom project and the rebranding of Satan Ransomware as DBGer Ransomware.