It has been a busy ransomware week with lots of small and some bigger variants released. This week we had a new CryptoMix, a new BTCWare, and a few new malspam campaigns for GlobeImposter and Sigma. Even better, we had a few new and updated decryptors released so that people can recover their files for free.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @hexwaxwing, @BleepinComputer, @fwosar, @struppigel, @LawrenceAbrams, @DanielGallagher, @demonslay335, @malwareforme, @campuscodi, @FourOctets, @malwrhunterteam, @jorntvdw, @PolarToffee, @emsisoft, @leotpsc, @zscaler, @GrujaRS, @dvk01uk, @Farenain
November 25th 2017
November 27th 2017
A new ransomware being dubbed StorageCrypt is targeting WD MyCloud NAS devices, as reported in a topic at BleepingComputer.com. When encrypted, files will have the extension .locked and a ransom note will be dropped named _READ_ME_FOR_DECRYPT.txt.
Michael Gillespie discovered a new Samas/SamSam variant submitted to ID-R that appends the .areyoulovemyrans extension to encrypted files.
Michael Gillespie found another variant of the Magniber Ransomware that appends the .vpgvlkb extension and drops a ransom note named read me for decrypt.txt.
Michael Gillespie initiated a ransomware hunt for a ransomware that appends the .locked extension to encrypted files and drops a ransom note named READ_ME_FOR_ALL_YOUR_FILES.txt.
November 28th 2017
MalwareHunterTeam discovered a new variant of Crypton that is masquerading as a keygen for EaseUS Data Recovery. This ransomware appends the .encrptd extension to encrypted files. A decryptor for this ransomware was created by Fare9.
Michael Gillespie initiated a ransomware hunt for the MaxiCrypt ransomware. This ransomware appends the extension .[firstname.lastname@example.org].maxicrypt and drops a ransom note named How to restore your data.TXT.
November 29th 2017
MalwareHunterTeam discovered a new in-development Brazilian ransomware called WannaPeace that replaces the file extension with _enc followed by the original extension. So test.jpg would be renamed as test_encjpg. Currently it only encrypts the c:testes folder.
GrujaRS discovered a new variant of the Crypt888 Ransomware that uses the email address email@example.com.
November 30th 2017
Michael Gillespie is looking for a sample of the hc7 Ransomware that may be appending the .GOTYA extension to encrypted files.
Based on data from ID-Ransomware, MalwareHunterTeam has noticed that there is an ongoing ACCDFISA campaign targeting Brazilian victims.
MalwareHunterTeam discovered a new ransomware that had a filename of REAL DANGEROUS RANSOMWARE.exe. Thankfully, it does not encrypt anything and is simply a basic screenlocker.
Derek of MyOnlineSecurity discovered that Necurs started a malspam campaign that was distributing the GlobeImposter Ransomware.
December 1st 2017
MalwareHunterTeam discovered a new variant of the CryptoMix ransomware today that appends the .TEST extension to encrypted files and changes the contact emails used by the ransomware.
Catalin Cimpanu discovered that a malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.
A new variant of the BTCWare ransomware was discovered by Michael Gillespie, that appends the .[email]-id-id.shadow extension to encrypted files. The BTCWare family of ransomware infections targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware.
Michael Gillespie discovered a new variant of the Globe 2 ransomware that uses the .abc extension for encrypted files. This should not be confused with the TeslaCrypt variant, which is decryptable. The good news is that this variant is decryptable as well with Emsisoft's decryptor.
Zscaler wrote an article on the analysis of two .NET-based ransomware strains that were built using an open source code repository.
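Most of this week's items are identified by the extension they append or the ransom note they drop, which makes them easy to sweep for on a file share or NAS. The script below is an added example written for this roundup (it is not from BleepingComputer, the researchers named above, or any of the ransomware families); it turns the file-name indicators listed in the items above into patterns and walks a directory tree looking for them. The BTCWare pattern assumes the "id-id" in the item expands to a literal "-id-" followed by a victim identifier, the MaxiCrypt pattern assumes any bracketed email address, and the WannaPeace "_enc" pattern is deliberately flagged as weak because ordinary names such as "file_encoded" would also match. The sample directory is constructed inside the script so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension indicators from this week's items. Patterns are anchored to the end
# of the file name. Case-insensitive where the family is known to vary case;
# .TEST and .GOTYA stay case-sensitive so ".test" fixtures are not flagged.
EXTENSION_PATTERNS = {
    "locked (StorageCrypt or unknown .locked)": re.compile(r"\.locked$", re.I),
    "SamSam": re.compile(r"\.areyoulovemyrans$", re.I),
    "Magniber": re.compile(r"\.vpgvlkb$", re.I),
    "Crypton": re.compile(r"\.encrptd$", re.I),
    # .[email].maxicrypt - assumes any bracketed email address before the suffix
    "MaxiCrypt": re.compile(r"\.\[[^\]]+@[^\]]+\]\.maxicrypt$", re.I),
    # .[email]-id-<id>.shadow - assumption about how the "id-id" placeholder expands
    "BTCWare": re.compile(r"\.\[[^\]]+@[^\]]+\]-id-[A-Za-z0-9]+\.shadow$", re.I),
    "CryptoMix": re.compile(r"\.TEST$"),
    "hc7": re.compile(r"\.GOTYA$"),
    "Globe 2": re.compile(r"\.abc$", re.I),
    # WannaPeace: test.jpg -> test_encjpg. Weak indicator: benign names like
    # "file_encoded" also match, so treat hits as a prompt to look, not proof.
    "WannaPeace (weak)": re.compile(r"^[^.]+_enc[A-Za-z0-9]{2,5}$"),
}

# Ransom note file names from the items above, keyed lower-case so that a
# Windows share and a Linux-based NAS are matched the same way.
RANSOM_NOTES = {
    "_read_me_for_decrypt.txt": "StorageCrypt",
    "read me for decrypt.txt": "Magniber",
    "read_me_for_all_your_files.txt": "unknown .locked ransomware",
    "how to restore your data.txt": "MaxiCrypt",
}


def classify_name(name):
    """Return the family label a file name matches, or None if it matches nothing."""
    note_family = RANSOM_NOTES.get(name.lower())
    if note_family:
        return note_family + " ransom note"
    for family, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def scan_tree(root):
    """Walk root and return (path, family) for every file whose name matches an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            family = classify_name(filename)
            if family:
                hits.append((os.path.join(dirpath, filename), family))
    return hits


def summarize(hits):
    """Count hits per family so a sweep of a large share can be read at a glance."""
    counts = {}
    for _, family in hits:
        counts[family] = counts.get(family, 0) + 1
    return counts


def build_sample_tree():
    """Constructed sample: benign files plus a handful of indicator-named files."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    names = [
        "report.docx",                                           # benign
        "readme.test",                                           # benign, lower-case .test
        "photo.jpg.locked",
        "_READ_ME_FOR_DECRYPT.txt",
        "budget.xlsx.[firstname.lastname@example.org].maxicrypt",
        "How to restore your data.TXT",
        "test_encjpg",
        "notes.txt.[user@example.org]-id-ABC123.shadow",
        "archive.zip.abc",
        "unit.TEST",
    ]
    for name in names:
        Path(root, name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, family in scan_tree(sample_root):
        print(f"{family:45s} {path}")
    print(summarize(scan_tree(sample_root)))
```

Run it against a mounted share instead of the sample tree by calling scan_tree with that path. A hit on a ransom note name is much stronger evidence than a hit on a short extension such as .abc or .locked, which other software also uses, so review extension-only hits before acting on them.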
That’s it for this week! Hope everyone has a nice weekend!
At L Technology Group, we know technology alone will not protect us from the risks associated with cyberspace. Hackers, nation states like Russia and China, and "Bob" in HR opening that email are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology but also intelligent personnel who eat and breathe cybersecurity, combined with proven processes and techniques into an advanced next-generation security solution. Since 2008 L Technology Group has developed the people, processes and technology to combat the ever-changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.