The Week in Ransomware – September 1st 2017 – Locky, Exploit Kits, & More

This week has seen a big push by Locky using numerous distribution campaigns to try and claim a spot with the big boys. Other than the normal releases of small ransomware creations, we also saw the RIG exploit kit pushing the Princess Ransomware.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @jorntvdw, @malwrhunterteam, @struppigel, @campuscodi, @demonslay335, @BleepinComputer, @FourOctets, @Seifreed, @LawrenceAbrams, @malwareforme, @PolarToffee, @fwosar, @msftmmpc, @MarceloRivero, @Malwarebytes, @jeromesegura, @dvk01uk, @peterkruse, @malware_traffic, @AppRiver, @ComodoNews, & @barracuda.

August 26th 2017

EkoParty’s Conference Ransomware

A ransomware that promotes the EkoParty conference was discovered by MalwareHunterTeam. Our guess is that it is most likely being used as a demonstration in one of their courses. It is based on HiddenTear and appends the .locked extension.

August 27th 2017

In-dev RansomPrank or Just a Prank?

Lawrence Abrams discovered a program called RansomPrank that displays a ransom screen but does not actually encrypt anything. It is not clear whether this is in development or just a joke.

New Version of the Wooly Ransomware Discovered

Lawrence Abrams discovered a new version of the Wooly Ransomware that now actually encrypts files. It is still buggy and crashes soon after starting. It appends the .wooly extension and now includes a picture of a polar bear as one of its resources.

August 28th 2017

New Nuclear BTCWare Ransomware Released

A new variant of the BTCWare ransomware was discovered by ID-Ransomware’s Michael Gillespie that appends the .[affiliate_email].nuclear extension to encrypted files. The BTCWare family of ransomware is distributed by the developers breaking into remote computers that expose Remote Desktop services with weak passwords. Once they gain access to a computer, they install the ransomware and encrypt the victim’s files.
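Because BTCWare (and many similar families) are installed by hand after an RDP password-guessing attack, the defender's earliest warning is usually a burst of failed Remote Desktop logons followed by a success from the same source. The script below is an added example, not code from the article or from any of the researchers named in it: it parses constructed, flattened Windows Security log lines (the one-line format is an assumption for this example, not a real log layout) and flags source IPs that hit a failure threshold within a time window. Event ID 4625 (failed logon), Event ID 4624 (successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the `threshold`, `window` and `logon_types` parameters are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Each line flattens one
# Windows Security event: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP), LogonType 3 = network logon.
SAMPLE_EVENTS = """\
2017-08-28T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-08-28T02:14:20 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2017-08-28T02:14:45 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2017-08-28T02:15:10 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-08-28T02:15:40 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-08-28T02:16:30 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-08-28T02:17:00 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-08-28T03:00:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.5
2017-08-28T03:01:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.5
2017-08-28T03:02:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.5
2017-08-28T03:03:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.5
2017-08-28T03:04:00 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=192.0.2.5
2017-08-28T04:00:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
2017-08-28T04:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
2017-08-28T05:00:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.99
2017-08-28T05:00:30 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.99
2017-08-28T05:01:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.99
2017-08-28T05:01:30 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.99
2017-08-28T05:02:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.99
2017-08-28T05:02:30 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed one-line format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10),
                          logon_types=(10,)):
    """Return {source_ip: verdict} for IPs with >= threshold failed logons of the
    given logon types inside any sliding window. The verdict is
    'success-after-failures' when a later successful logon of the same type
    comes from that IP (likely compromised), otherwise 'failures-only'."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ltype"] in logon_types and e["eid"] in (4624, 4625):
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e["ts"] for e in evs if e["eid"] == 4625]
        burst_end = None
        start = 0
        # Sliding window: advance `start` until the window fits, then check the count.
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]
                break
        if burst_end is None:
            continue
        later_success = any(e["eid"] == 4624 and e["ts"] >= burst_end for e in evs)
        findings[ip] = "success-after-failures" if later_success else "failures-only"
    return findings


if __name__ == "__main__":
    for ip, verdict in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {verdict}")
```

One caveat worth building into any real version of this: when Network Level Authentication is enabled, failed RDP attempts are often recorded with Logon Type 3 rather than 10, so the `logon_types` parameter should be widened (for example to `(3, 10)`) on hosts where that applies; with the default the Logon Type 3 burst in the sample data is deliberately not flagged.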

Strawhat Ransomware Discovered

MalwareHunterTeam discovered the StrawHat Ransomware. It appears to be in development and renames files to a random extension. It drops ransom notes named YOUR_FILES_ARE_ENCRYPTED.html and YOUR_FILES_ARE_ENCRYPTED.txt.

Educational MindSystem Ransomware

MalwareHunterTeam discovered a new ransomware called MindSystem Ransomware. It provides the key so that anyone can decrypt the files, so it is most likely a test ransomware.

Crying Ransomware Discovered

Karsten Hahn discovered the CryING ransomware. It looks to be in development.

Troll Ransomware Encrypts Everything

The Microsoft MMPC discovered a new “Troll” ransomware that uses XOR encryption when encrypting files. The problem is that it encrypts any file it finds, regardless of location or extension, including files Windows itself depends on, so an infection can leave Windows failing.

August 29th 2017

Bit Paymer Ransomware Hits Scottish Hospitals

Several hospitals that are part of the NHS Lanarkshire board were hit on Friday by a version of the Bit Paymer ransomware.

IRS Warns of Emails Spreading Ransomware

The Internal Revenue Service (IRS) is warning US citizens of a new phishing scheme that poses as official IRS communications in the hope that victims click a link, download a file, and end up infected with ransomware.

In-Dev Akira Ransomware Discovered

Karsten Hahn discovered a new in-development ransomware called Akira. It only encrypts the video folder and appends the .akira extension to the files it encrypts.

New Variant of the Blue Eagle Ransomware

Security researcher Leo discovered a new variant of the Blue Eagle Ransomware. It is currently broken and does not encrypt.

Michael Gillespie Demonstrates How Ransomware Can Infect Someone

Michael Gillespie appeared on McAfee’s podcast, Hackable, where he demonstrated how a person could get infected with ransomware.

August 30th 2017

Keymaker Ransomware Discovered

MalwareHunterTeam discovered the KeyMaker ransomware that appends the .CryptedOpps extension to encrypted files.

Haze Ransomware Discovered

MalwareHunterTeam discovered the Haze Ransomware, which tries to imitate Petya. It does not encrypt.

OhNo! Ransomware Discovered

Leo discovered the OhNo! Ransomware, which appends the .OhNo! extension to encrypted files. It seems to be in development, as it only encrypts a limited number of files.

August 31st 2017

RIG exploit kit distributes Princess ransomware

In an article on the Malwarebytes blog, security researcher Jérôme Segura discusses how the RIG exploit kit is now pushing the Princess Ransomware.

We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.

September 1st 2017

Boobytrapped Word File Installs Locky Ransomware When You Close the Document

Summer vacation is over! During the past week, security researchers have discovered several distribution campaigns pushing the Locky ransomware via different methods, including a new variant that features one hell of a clever trick.

New Arena CryptoMix Ransomware Variant Released

Yesterday, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that appends the .arena extension to encrypted file names. This family of ransomware releases a new version almost every week, if not sooner, so we can expect to see another variant with a new extension released soon.

That’s it for this week! Hope everyone has a nice weekend!