
The Week in Ransomware - March 29th 2019 - Parking for Free!



#1 Scorpion (Administrators, 96 posts)

Posted 29 March 2019 - 09:51 PM

This week we saw numerous new variants of existing ransomware released, with only a few new families. The one new ransomware infection that was actively distributed this week is called UNNAM3D; it was sent out through spam emails to about 30,000 people.

In other news, a parking garage in Canada was hit with the Dharma ransomware, which forced them to shut down their payment system. That let everyone who parked there do so for free during the outage.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @FourOctets, @hexwaxwing, @LawrenceAbrams, @malwrhunterteam, @Seifreed, @demonslay335, @PolarToffee, @struppigel, @jorntvdw, @fwosar, @BleepinComputer, @malwareforme, @FSecure, @JakubKroustek, @JAMESWT_MHT, @emsisoft, and @AvastThreatLabs.

March 23rd 2019

New STOP Djvu Ransomware variants

Michael Gillespie found new variants of the STOP Djvu Ransomware that append the .chech or .luceq extensions to encrypted files.

New .bk666 Dharma variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .bk666 extension to encrypted files.

March 25th 2019

Emsisoft has Released a Decryptor for the Hacked Ransomware

A decryptor for the Hacked Ransomware was released today by Emsisoft that allows victims to recover their files for free. This ransomware was active in 2017 and targeted English, Turkish, Spanish, and Italian users.

New STOP Djvu Ransomware variant

Michael Gillespie found new variants of the STOP Djvu Ransomware that append the .proden or .drume extensions to encrypted files.

New Matrix Ransomware variant

Michael Gillespie found new Matrix Ransomware variants that append the .MDEN or .SDEN extensions and drop a ransom note named !MDEN_INFO!.rtf or !SDEN_INFO!.rtf.

Ransomware hunt for YYYYBJQOQDU

Michael Gillespie is searching for a ransomware that appends the .YYYYBJQOQDU extension and drops a ransom note named YOUR FILES ARE ENCRYPTED.TXT.

New Paradise Ransomware variant

Michael Gillespie spotted a new Paradise Ransomware variant that appends the .securityP extension and drops a ransom note named Instructions with your files.txt.

STOPDecrypter Updated

Michael Gillespie updated the STOP decrypter with offline keys for .kroput1, .charck, .kropun, .doples, .luces, .luceq, .chech, .pulsar1, .drume, .tronas, .trosak, .grovas, and .proden.

New BigBobRoss variant

Michael Gillespie found a new BigBobRoss Ransomware variant that uses the .encryptedALL and .djvu extensions.

New Xorist variant with long extension

Michael Gillespie found a Xorist Ransomware variant that appends the .NEED-TO-MAKE-PAYMENT-OR-ALL-YOUR-FILLES-WILL-BE-DELETED-CRITICAL-SITUATION-URGENT-ATTENTION-24-HOURS-TO-PAY-OR-EVERYTHING-WILL-BE-PERMANENTLY-DELETED-FOREVER extension. This ransomware is decryptable.

Another Xorist Variant

Michael Gillespie found another Xorist variant that uses the extension ....VeraCrypt_System_Error2019-You_need_to_make_payment_in_maxmin_24_hours_if_you_dont_the_decryptor_license_will_be_deleted_this_is_not_a_joke.

March 27th 2019

Analysis of LockerGoga Ransomware

F-Secure posted a technical analysis of the LockerGoga ransomware:

We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we’ll provide some technical details of the new variant’s functionalities, as well as some Indicators of Compromise (IOCs).

March 28th 2019

UNNAM3D Ransomware Locks Files in Protected Archives, Demands Gift Cards

A new ransomware called Unnam3d R@nsomware is being distributed via email. It moves a victim's files into password-protected RAR archives and then demands a $50 Amazon gift card code in exchange for the archive password.

Ransomware Hits Garage of Canadian Domain Registration Authority

The parking garage used by employees of the Canadian Internet Registration Authority (CIRA) allowed people to park for free after computer systems were infected by ransomware.

New Rapid Ransomware variant

MalwareHunterTeam found a new Rapid Ransomware variant that uses the .GILLETTE extension and drops a ransom note named Decrypt DATA.txt.

New Stun Dharma Ransomware variant

Michael Gillespie found a new Dharma Ransomware variant that appends the .stun extension to encrypted files.

New STOP Djvu Ransomware variants

Michael Gillespie found new variants of the STOP Djvu ransomware that append the .tronas, .trosak, and .grovas extensions to encrypted files.

New Swamp RAT Ransomware

Lawrence Abrams discovered a new remote access trojan (RAT), called Swamp Rat, that pretends to be ransomware. It is in development and quite bizarre.

March 29th 2019

New Scarab Ransomware variant

JAMESWT found a new Scarab Ransomware variant that appends the .crypt000 extension to encrypted files.

Avast updates their BigBobRoss Decryptor

Avast has updated their BigBobRoss decryptor to decrypt victims with the .encryptedALL variant.

Emsisoft updates their BigBobRoss Decryptor

Not to be outdone :), Emsisoft also updated their BigBobRoss decryptor to support the .encryptedAll variant.

New vxCrypter Ransomware

Lawrence Abrams discovered a new variant of the vxCrypter Ransomware that appends the .xLck extension to encrypted files. This variant is in development and deletes duplicate files on the computer.

That's it for this week! Hope everyone has a nice weekend!
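The extensions and ransom-note names listed above are the raw material for a first triage of an encrypted share: which families are present, and whether the evidence is solid before reaching for STOPDecrypter or the BigBobRoss decryptors. The script below is an added example and is not code from BleepingComputer or from any of the researchers credited in this post. Its family mapping copies only the indicators this post states; the function names, the "strong"/"weak" confidence labels and the sample file listing are my own assumptions for illustration. Two details matter in practice: the Xorist extensions contain dots (one starts with four of them), so they are matched as suffixes rather than with os.path.splitext, and .djvu is also a legitimate document format, so on its own it only counts as a weak signal.

```python
"""Triage helper mapping file names to the ransomware families named in this post.

Added example (not from the post or its cited researchers). The indicator tables
copy the post; the functions and the sample listing are assumptions for illustration.
"""
import os
from collections import Counter

# Extension appended to encrypted files -> family, as reported in the post.
EXTENSION_FAMILY = {
    # STOP Djvu variants (offline keys for these were added to STOPDecrypter)
    ".chech": "STOP Djvu", ".luceq": "STOP Djvu", ".proden": "STOP Djvu",
    ".drume": "STOP Djvu", ".tronas": "STOP Djvu", ".trosak": "STOP Djvu",
    ".grovas": "STOP Djvu",
    ".bk666": "Dharma", ".stun": "Dharma",
    ".MDEN": "Matrix", ".SDEN": "Matrix",
    ".securityP": "Paradise",
    ".encryptedALL": "BigBobRoss", ".djvu": "BigBobRoss",
    ".GILLETTE": "Rapid",
    ".crypt000": "Scarab",
    ".xLck": "vxCrypter",
    ".YYYYBJQOQDU": "unidentified (ransomware hunt)",
    (".NEED-TO-MAKE-PAYMENT-OR-ALL-YOUR-FILLES-WILL-BE-DELETED-CRITICAL-SITUATION-"
     "URGENT-ATTENTION-24-HOURS-TO-PAY-OR-EVERYTHING-WILL-BE-PERMANENTLY-DELETED-FOREVER"): "Xorist",
    ("....VeraCrypt_System_Error2019-You_need_to_make_payment_in_maxmin_24_hours_"
     "if_you_dont_the_decryptor_license_will_be_deleted_this_is_not_a_joke"): "Xorist",
}

# Ransom note file name -> family, as reported in the post.
RANSOM_NOTE_FAMILY = {
    "!MDEN_INFO!.rtf": "Matrix", "!SDEN_INFO!.rtf": "Matrix",
    "YOUR FILES ARE ENCRYPTED.TXT": "unidentified (ransomware hunt)",
    "Instructions with your files.txt": "Paradise",
    "Decrypt DATA.txt": "Rapid",
}

# .djvu is also a legitimate document format, so alone it is only a weak signal.
WEAK_EXTENSIONS = {".djvu"}

# Longest extension first so a longer match is never shadowed by a shorter one.
_EXTENSIONS_LONGEST_FIRST = sorted(EXTENSION_FAMILY, key=len, reverse=True)


def classify(path):
    """Return (indicator_kind, indicator, family, confidence) or None for one path.

    Matching is case-insensitive (the post spells the same BigBobRoss extension
    .encryptedALL and .encryptedAll) and works on suffixes, not splitext().
    """
    base = os.path.basename(path)
    folded = base.casefold()
    for note, family in RANSOM_NOTE_FAMILY.items():
        if folded == note.casefold():
            return ("ransom_note", note, family, "strong")
    for ext in _EXTENSIONS_LONGEST_FIRST:
        # len check: a file consisting only of the extension is not an encrypted file
        if folded.endswith(ext.casefold()) and len(folded) > len(ext):
            confidence = "weak" if ext in WEAK_EXTENSIONS else "strong"
            return ("extension", ext, EXTENSION_FAMILY[ext], confidence)
    return None


def triage(paths):
    """Count hits per family, keeping weak-only evidence apart from strong hits."""
    strong, weak = Counter(), Counter()
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        _, _, family, confidence = hit
        (strong if confidence == "strong" else weak)[family] += 1
    return {"strong": dict(strong), "weak": dict(weak)}


def scan_directory(root):
    """Walk a directory tree (e.g. a mounted share) and triage every file name."""
    paths = []
    for dirpath, _, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return triage(paths)


# Constructed sample listing (not from a real incident); Windows-style paths.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.chech",
    "C:/Users/alice/Documents/notes.docx.chech",
    "C:/Users/alice/Documents/!MDEN_INFO!.rtf",
    "C:/Users/alice/Documents/report.pdf.MDEN",
    "C:/Users/alice/Pictures/holiday.jpg....VeraCrypt_System_Error2019-You_need_to_make_"
    "payment_in_maxmin_24_hours_if_you_dont_the_decryptor_license_will_be_deleted_this_is_not_a_joke",
    "C:/Users/alice/Downloads/manual.djvu",
    "C:/Users/alice/Downloads/setup.exe",
    "C:/Users/alice/Desktop/Decrypt DATA.txt",
]

if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        print(os.path.basename(path)[:40].ljust(40), classify(path))
    print(triage(SAMPLE_LISTING))
```

Run it against a real tree with `scan_directory("/mnt/share")`; a family that appears only under "weak" (here BigBobRoss from a lone .djvu file) needs a second indicator, such as one of the note files, before it is worth pointing a decryptor at it.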

