We have good news for once: it was a really slow week when it comes to ransomware. While we still had our share of smaller ransomware variants being released, overall there was not a lot of activity. The most notable activity was the continued push by Locky distributors to spread more widely through a variety of spam campaigns.
Contributors and those who provided new ransomware information and stories this week include: @FourOctets, @jorntvdw, @DanielGallagher, @demonslay335, @campuscodi, @BleepinComputer, @LawrenceAbrams, @Seifreed, @malwareforme, @fwosar, @hexwaxwing, @PolarToffee, @struppigel, @malwrhunterteam, @Plazmaz, and @0xDUDE .
September 4th 2017
Dylan Katz and Victor Gevers discovered that the wave of ransom attacks on MongoDB databases was rekindled last week and over the weekend with the emergence of three new groups that hijacked over 26,000 servers, with one group alone hijacking 22,000.
GData's Karsten Hahn discovered a new HiddenTear variant called Nulltica. This ransomware is a bit unusual compared to other HiddenTear variants, as it contains code to spread by sending messages to the victim's Facebook contacts. It appends the .locked extension to encrypted files.
Karsten Hahn also discovered the Ultimo Ransomware, which is based on HiddenTear. It likewise appends the .locked extension to encrypted files.
MalwareHunterTeam discovered a new variant of the Your Windows Has Been Banned screenlocker.
Michael Gillespie found submissions to ID-Ransomware for a new GlobeImposter variant that appends the .clinTON extension and uses the email address Bill_Clinton@derpymail.org.
Michael Gillespie discovered a new HiddenTear-based ransomware that calls itself Conficker Ransomware and appends the .Saramat extension to encrypted files. Despite the name, it has no affiliation with the Conficker worm.
September 5th 2017
Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to victims who sought assistance in the Bleeping Computer ransomware support forums and from submissions to the ID-Ransomware service.
Karsten Hahn discovered a new screenlocker called TeamWinLockerWindows, which is quite a mouthful. It modifies the HOSTS file and displays fake kernel exception messages.
September 6th 2017
MalwareHunterTeam discovered a new ransomware called ApolloLocker that contains a Turkish ransom note and also acts as an information stealer. This ransomware appends the .locked extension to encrypted files and drops ransom notes named DOSYALARI-KURTAR [num].txt and DOSYALARI-KURTAR [num].url.
Lawrence Abrams discovered a new ransomware called Hacked. This ransomware appends the .hacked extension and includes ransom notes in Italian, Turkish, Spanish, and English.
Lawrence Abrams discovered a new in-development ransomware called FRansomware. It currently does not encrypt any files and only shows the ransom screen.
A new ransomware was discovered by Emsisoft security researcher xXToffeeXx that is named after the former President of Brazil. This ransomware is called DilmaLocker and appends the .__dilmaV1 extension to encrypted files and drops a ransom note named RECUPERE_SEUS_ARQUIVOS.html.
September 7th 2017
MalwareHunterTeam discovered a signed variant of GlobeImposter that appends the .f41o1 extension and drops a ransom note named READ_IT.html.
MalwareHunterTeam noticed an increase in submissions to ID-Ransomware from an Amnesia variant that is pretending to be WannaCry. This variant appends the .wncry extension to encrypted files.
MalwareHunterTeam noticed that a few hours after the previous GlobeImposter variant, a new one was released with the signing certificate revoked and a new extension, .4035, appended to encrypted files.
September 8th 2017
Karsten Hahn discovered a new in-dev ransomware that impersonates Locky and appends the .armadilo1 extension to encrypted files.
Michael Gillespie found a new SamSam/Samas Ransomware variant that appends the .disposed2017 extension to encrypted files.