Mostly new variants of existing ransomware this week, with few new ransomware campaigns being conducted. Of particular interest were Kaspersky temporarily withdrawing from the NoMoreRansom project and the rebranding of Satan Ransomware as DBGer Ransomware.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @fwosar, @struppigel, @jorntvdw, @LawrenceAbrams, @hexwaxwing, @BleepinComputer, @campuscodi, @PolarToffee, @FourOctets, @malwareforme, @Seifreed, @demonslay335, @malwrhunterteam, @th3m4ks, @siri_urz, @Damian1338B, @alienvault, @kaspersky, and @bartblaze.

June 9th 2018

New Donut Ransomware

S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com.

NemeS1S RaaS is back

Damian1338 found a new TOR site promoting the NemeS1S Ransomware RaaS, which is PadCrypt's affiliate system. 

New Paradise Ransomware variant

MalwareHunterTeam discovered a new Paradise Ransomware variant that uses the extension _V.0.0.0.1{paradise@all-ransomware.info}.prt and drops a ransom note named PARADISE_README_paradise@all-ransomware.info.txt.

June 11th 2018

New RotorCrypt Ransomware variant

Michael Gillespie found a new RotorCrypt Ransomware variant that uses the extension !@#$%___________%$#@.mail

New B2DR Ransomware variant

Michael Gillespie found a new variant of the B2DR Ransomware that uses the .reycarnasi1983@protonmail.com.gw3w extension and a ransom note named ScrewYou.txt.

New Scarab Ransomware variant

Michael Gillespie spotted a new Scarab Ransomware variant that uses the .fastrecovery@airmail.cc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT.

New YYTO Ransomware variant

Michael Gillespie found a new variant of the YYTO Ransomware that uses the extension .codyprince92@mail.com.ovgm and drops a ransom note named Readme.txt.

June 13th 2018

Kaspersky Halts Europol and NoMoreRansom Project Coop After EU Parliament Vote

Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the vote on a controversial motion in the European Parliament today.

Xorist variant discovered with a crazy long extension

S!Ri discovered a new variant of the Xorist ransomware that utilizes a crazy extension of ....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT.

Another Scarab Ransomware variant

Michael Gillespie found another Scarab Ransomware variant that uses a ransom note named Recover files-xmail@cock.li.TXT.

Another B2DR Ransomware variant

Michael Gillespie spotted another variant of the B2DR Ransomware that uses the extension .ssananunak1987@protonmail.com.b2fr and drops a ransom note named Readme.txt.

June 14th 2018

DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks

The authors of the Satan ransomware have rebranded their "product" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today.

New RotorCrypt variants

Michael Gillespie found new variants of the RotorCrypt Ransomware that append the !@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd and !@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR extensions to encrypted files.

New Ransomware uses the .qnbqw extension

Michael Gillespie spotted a new ransomware that utilizes the .qnbqw extension and drops a ransom note named Notice.txt.

Decryptor Released for the Everbe Ransomware

A decryptor for the Everbe Ransomware was released by Michael Gillespie and Maxime Meignan that allows victims to get their files back for free. It is not known how this ransomware is currently being distributed, but as long as victims have an unencrypted version of an encrypted file, they can use the pair to brute force the decryption key.

June 15th 2018

New Scarab Ransomware variant discovered

Michael Gillespie spotted a new Scarab variant that uses the .leen extension for encrypted files and drops a ransom note named INSTRUCTIONS FOR RESTORING FILES.TXT.

 

That's it for this week! Hope everyone has a nice weekend!

 
