This week we have seen a lot of CryptConsole variants, Magniber activity, and smaller variants released. Ransomware continues to decline as malware developers move toward more profitable miners and information stealing Trojans. Ransomware is not going away, but is instead moving away from mass malspam campaigns to targeted network attacks where a ransom payment may be more likely.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @campuscodi, @malwareforme, @DanielGallagher, @struppigel, @malwrhunterteam, @Seifreed, @FourOctets, @fwosar, @hexwaxwing, @BleepinComputer, @jorntvdw, @PolarToffee, @LawrenceAbrams@Damian1338B@GrujaRS@JakubKroustek @bartblaze, and @leotpsc.

June 2nd 2018

CryBrazil Ransomware Discovered

MalwareHunterTeam discovered a ransomware called CryBrazil that appends the .crybrazil extension to encrypted files. Uses a nicely designed ransom note.

CryBrazil

June 4th 2018

New Magniber campaign was underway

Michael Gillespie spotted a new Magniber Ransomware campaign targeting South Korea.

New destructive Pedcont Ransomware discovered

Leo found a new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.

New Scarab variant called DiskDoctor

Amigo-A found a new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

June 5th 2018

New XiaoBa variant uses a Hitler background

MalwareHunterTeam found a new XiaoBa Ransomware variant that uses the .AdolfHitler extension and drops a ransom note named # # DECRYPT MY FILE # #.bmp .

New CryptConsole variant

Michael Gillespie spotted another variant of the CryptConsole Ransomware that uses the xser@tutanota.com email address. Victims can contact him for decryption.

June 6th 2018

Years of Police Dashcam Video Lost in Atlanta Ransomware Incident

The Atlanta Police Department has lost years worth of police car dashcam videos following the March ransomware attack that affected most of the city's IT infrastructure.

RedEye Ransomware Discovered

Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.

The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.

RedEye Ransomware

New Aurora Ransomware variant

Michael Gillespie spotted a new Aurora variant uploaded to ID Ransomware that uses the #RECOVERY-PC#.txt ransom note.

New CryptConsole variant

ID Ransomware spotted another CryptConsole variant that uses the redbul@tutanota.com email address. Victims can contact Michael Gillespie for decryption.

June 7th 2018

New CryptConsole variant

Michael Gillespie found a new variant of the CryptConsole ransomware that uses the address heineken@tuta.io and is still decryptable.

New GlobeImposter variant

GrujaRS discovered a new variant of the GlobeImposter Ransomware that uses the extension .emilysupp.

June 8th 2018

Princess Ransomware being sold on underground sites

Damian1338 discovered the Princess Ransomware being sold on an underground criminal site.

Princess Ransomware

New PGPSnippet Variant

MalwareHunterTeam discovered a new variant of the PGPSnippet Ransomware that appends the extension .digiworldhack@tutanota.com to encrypted files. Victims can contact Michael Gillespie for decryption.

Test Spartacus Ransomware variant

Michael Gillespie found a test version of the Spartacus Ransomware that uses the emails example@gmail.com and example1@gmail.com and appends the .SF extension to encrypted files.

New Magniber Ransomware variant

A new variant of the Magniber Ransomware was uploaded to ID Ransomware that uses the .ndpyhss extension for encrypted files.

That's it for this week! Hope everyone has a nice weekend!

Related Articles:

The Week in Ransomware - April 19th 2024 - Attacks Ramp Up

The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack

The Week in Ransomware - March 8th 2024 - Waiting for the BlackCat rebrand

City of Wichita breach claimed by LockBit ransomware gang

LockBit ransomware admin identified, sanctioned in US, UK, Australia