This week was mostly about small ransomware variants being released, but we did have some big stories. First, we have HC7, which is targeting entire networks through hacked remote desktop services, then we had StorageCrypt being installed on NAS devices using SambaCry, and finally we have county computers of Mecklenburg County, North Carolina being infected with LockCrypt.
While malspam is still a large component of ransomware distribution, the trend towards compromising entire networks by breaking into exposed remote desktop services is clearly increasing. Anyone currently running remote desktop with it exposed directly to the Internet really needs to put it behind a VPN.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @PolarToffee, @FourOctets, @Seifreed, @malwrhunterteam, @struppigel, @fwosar, @demonslay335, @hexwaxwing, @jorntvdw, @DanielGallagher, @campuscodi, @LawrenceAbrams, @BleepinComputer, @siri_urz, @myfox9, @themonsterpus, @0xec_, @JakubKroustek.
December 2nd 2017
Jakub Kroustek found a new Blind ransomware variant that appends the .napoleon extension and drops a ransom note named How_Decrypt_Files.hta.
Karsten Hahn discovered the in-dev Stupid variant called Eternity Ransomware that crashes because of a missing audio file. Appends the .eTeRnItY extension to encrypted files.
Karsten Hahn discovered a new variant of a Vietnamese JCoder ransomware that appends .MTC to encrypted files.
Leo discovered a new in-dev ransomware being dubbed “Payment”. It does not encrypt.
December 3rd 2017
Extreme Coders wrote a great writeup on their analysis of the HC6 ransomware.
Lawrence Abrams discovered a jokeware program called Handsomeware pretending to be ransomware. Does not encrypt.
Lawrence Abrams discovered a new HiddenTear variant called Crypt0 Ransomware that appends a random extension for each encrypted file. Does not currently encrypt.
Michael Gillespie noted that the Dharma/Crysis .java variant changed its extension format so that it uses curly braces instead of brackets.
Michael Gillespie discovered another Magniber variant that uses the .dxjay extension.
Lawrence Abrams discovered a new HiddenTear variant called Shadow Blood Ransomware. It is currently in-dev, as it only encrypts %UserProfile%\desktop\test and appends the .TEARS extension to encrypted files. It has an interesting ransom note.
December 4th 2017
Ryan wrote an interesting article on how victims can try to recover the password for the HC7 ransomware using memory forensics.
December 5th 2017
Recently BleepingComputer has received a flurry of support requests for a new ransomware named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between 0.4 and 2 bitcoins to get their files back.
According to Fox 9:
A Twin Cities fertility clinic says a ransomware attack may have exposed some patients’ personal and health information.
Michael Gillespie found a new variant of the BTCWare ransomware that uses the .wallet extension for encrypted files. Cannot be decrypted without a memory dump, so do not turn off your computer if you are infected and give us a ring for help.
MalwareHunterTeam discovered a new in-dev ransomware based on CryptoJoker called ExecutionerPlus ransomware. This is also the first ransomware we have seen using CoinHive in its ransom notes. It appends the .pluss.executioner and .destroy.executioner extensions to encrypted files.
December 6th 2017
A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.
December 7th 2017
This article provides information on the status of the Mecklenburg County computer systems after being hit with the LockCrypt Ransomware.
Karsten Hahn discovered the Merry Christmas Ransomware that is just in time for the holidays!
S!Ri discovered a new Xorist Ransomware variant that appends the .CerBerSysLocked0009881 extension to encrypted files.
December 8th 2017
Lawrence Abrams discovered the Santa Encryptor. Currently in-dev and does not encrypt, but it looks like they are trying to implement XOR encryption.
That’s it for this week! Hope everyone has a nice weekend!