June 30th 2017 – Week in Ransomware
It has been another crazy week when it comes to ransomware due to the NotPetya outbreak. This ransomware/destructive malware played havok all over the world, but especially the Ukraine, when it was unleashed on Tuesday. Other than that, the rest of the ransomware news was basically small variants being developed or released.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @demonslay335, @DanielGallagher, @malwareforme, @jorntvdw, @FourOctets, @campuscodi, @JAMESWT_MHT, @Seifreed, @emsisoft, @MarceloRivero, @LukasStefanko, @radware, @craiu @0xAmit, @ComaeIo, @kaspersky, @dvk01uk, @PhysicalDrive0, @Zerophage1337, @phage_nz, @VirITeXplorer, and @Malwarebytes.
June 24th 2017
New Jigsaw Ransomware Variant Appending the .Rat Extension
MalwareHunterTeam found a new Jigsaw Ransomware variant that utilizes the .rat extension for encrypted files.
MalwareHunterTeam found a new HiddenTear variant whose ransom note appears to be targeting a particular company. Joke, targeted blackmail? Who knows. This ransomware appends the .locked extension to encrypted files.
During the past week, US users visiting adult-themed sites were targeted by ads for a fake PornHub app that contained a version of the Koler ransomware.
June 26th 2017
GData security researcher Karsten Hahn first spotted a new HiddenTear variant that pretends to be the Battlefield game. This ransomware appends the .locked extension to encrypted files.
Karsten Hahn discovered a new ransomware that appends the .MMM extension to encrypted files. This ransomware appends the .0x004867 extension to encrypted files and also creates a .info file for each encrypted file that contains the encryption key. Currently in development as it only encrypts the C:UsersWorkDesktopTest folder.
Michael Gillespie found a new variant of the Samas/SamSam ransomware uploaded to ID Ransomware. This one appends the .moments2900 extension to encrypted files.
The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies.
June 27th 2017
MalwareHunterTeam discovered the Karo Ransomware. Karo appends the .ipygh extension to encrypted files and drops a ransom note named ReadMe.html.
MalwareHunterTeam discovered the ViACrypt Ransomware. This ransomware appends the .via extension to encrypted files.
Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button. The entry level for this new ransomware is hilariously low, compared to similar RaaS portals we've seen in the past.
This is the first article that covers the NotPetya ransomware attach that affected a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of firstname.lastname@example.org and asks for a payment of $300 in Bitcoin.
Posteo, the email provider where the NotPetya author was hosting an inbox to handle victims from today's massive ransomware outbreak, has announced that it shut down the crook's email account: email@example.com.
The NotPetya outbreak allegedly has been caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies.
Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers. Using this information Lawrence Abrams of BleepingComputer, put together a batch and executable that can be used to vaccinate a computer.
Michael Gillespie discovered a new variant of the Executioner ransomware that appends a random 6 character extension for each encrypted file. This ransomware can be decrypted. Feel free to contact Michael for help.
Kaspersky Lab wrote an interesting blog post detailing their analysis of the encryption routine of the malware used in the Petya/ExPetr attacks. Based on this analysis they have determined that the threat actor cannot decrypt victims’ disk, even if a payment was made. It appears this malware campaign was designed as a wiper pretending to be ransomware.
June 28th 2017
Last week, long before the Petya / NotPetya ransomware broke out, there was another ransomware campaign that targeted Ukrainian users with a vengeance. That ransomware's name was PSCrypt and is the third ransomware strain that has aggressively targeted Ukrainian users during the past month, after XData and NotPetya.
The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.
MusicGuy Ransomware Discovered
MalwareHunterTeam discovered a new ransomware called MusicGuy. This ransomware appends the .locked extension to encrypted files.
Random6 sample discovered by Malwarebytes researcher Marcelo Rivero. This ransomware appends a random 6-char extension to encrypted files and drops a ransom note named RESTORE-.-FILES.txt.
June 29th 2017
This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially-designated folders. This would protect contents of protected folder from malware such as ransomware.
Security researcher PhysicalDrive0 was the first to spot that Cerber Ransomware rebranded itself as CRBR Encryptor.
A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. This particular ransomware is a .NET WannaCry imitator that may target the M.E.Doc accounting software, or at least hide within its folder.
MalwareHunterTeam discovered a new in-development ransomware called ABCScreenLocker. Doesn't do much than display the below.
June 30th 2017
The bandwagon of cyber-security firms claiming that NotPetya was meant for destructive purposes is getting more crowded by the day, with three new additions from Cisco Talos, F-Secure, and Malwarebytes.