Mostly small, silly variants were released this week, but we did have a few interesting stories. The bigger stories include the release of a new Crysis variant, a wiper disguised as ransomware targeting companies in Germany, and hackers using RDP to install LockCrypt on business computers.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @struppigel, @fwosar, @hexwaxwing, @jorntvdw, @FourOctets, @PolarToffee, @malwrhunterteam, @demonslay335, @Seifreed, @campuscodi, @malwareforme, @LawrenceAbrams, Leo, Jakub Kroustek, @GDataSoftwareAG, @alienvault, and @GrujaRS.
November 4th 2017
Curumim Ransomware Discovered
Karsten Hahn discovered a new Portuguese HiddenTear variant called Curumim that appends the .curumim extension to encrypted files.
New variant of the XiaoBa Ransomware Discovered
Karsten Hahn discovered a new variant of the XiaoBa ransomware that demands $37.696 in BTC and locks the screen.
Zika Ransomware Discovered
Karsten Hahn discovered a new HiddenTear variant called Zika Ransomware that is in Spanish and adds the .teamo extension to encrypted files.
Waffle Ransomware Discovered
A ransomware called Waffle Ransomware has been discovered by Leo that appends the .waffle extension.
November 6th 2017
GIBON Ransomware Being Sold on Underground Criminal Forums
Last week we posted an analysis of the GIBON Ransomware that was discovered being spread via malspam campaigns. Today, an anonymous source told BleepingComputer that this ransomware has been marketed on underground criminal forums since as early as May 2017.
November 7th 2017
Sigma Ransomware Discovered
Michael Gillespie discovered a new ransomware called Sigma Ransomware that was uploaded to his ID-Ransomware site. CyberSecurity later found a sample of this variant, from which the below image was generated.
November 8th 2017
Christmas Ransomware knows when you're naughty
MalwareHunterTeam discovered a new ransomware being named Christmas Ransomware. This ransomware is currently in development and does not encrypt.
City of Spring Hill computer system hit by ransomware
Looks like the city of Spring Hill, Tennessee's computers were hit by a ransomware attack last week. No indication as to what ransomware they were infected by.
Officials in Spring Hill say the city was hit by a cyberattack last Friday.
City spokesman Jamie Page said an employee clicked on a ransomware email. The city’s computer servers were then taken over and encrypted.
Jhash Ransomware Discovered
MalwareHunterTeam discovered a new Spanish HiddenTear variant called Jhash. This ransomware appends the .locky extension to encrypted files.
November 9th 2017
Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany
A new ransomware strain called Ordinypt is currently active in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data.
November 10th 2017
LockCrypt Ransomware Crew Started via Satan RaaS, Now Deploying Their Own Strain
Since June this year, a group of cyber-criminals has been breaking into unsecured enterprise servers via RDP brute-force attacks and manually installing a new type of ransomware called LockCrypt.
New Cobra Crysis Ransomware Variant Released
A new variant of the Crysis ransomware has been discovered that appends the cobra extension to encrypted files. While this ransomware cannot be decrypted for free, this article will take a look at the infection and provide possible methods to try to restore files.
LOL Ransomware pretends to be a keygen
MalwareHunterTeam found a working sample of a ransomware that pretends to be a keygen and appends the .lol extension to encrypted files. This ransomware appears to be a sample of the one discovered by Jack earlier this week.
That's it for this week! Hope everyone has a nice weekend!
Comments
Amigo-A - 6 years ago
A funny trend is to name encoders by the nickname (the name, initials) of their developers:
Zika - Zika Ransomware
Jhash - Jhash Ransomware
:))
However, this is as old as the world: Norton Antivirus, McAfee Antivirus, Dr.Solomon's Anti-Virus, Kaspersky Antivirus.
Among the viruses: Eddie, CIN, Morris worm...
Lawrence Abrams - 6 years ago
You have to name them something. Better than HelloWorld Ransomware, which was one of the namespaces of the ransomware you mention.
Amigo-A - 6 years ago
Yes, I basically agree.