Ransomware News- 

Update 15.12.2018 12:46:38

Úvod  Ransomware  Jak útočí  Klany  Techniky  Obrana  Popisky  Nástroje pro odstranění  Rescue plan  Anti-ransomware vaccine  RansomFree  Prevence  Video

 

Datum

Název

Obrázek

Popis

15.12.18Sextortion Emails now Leading to Ransomware and Info-Stealing TrojansVýsledek obrázku pro ransomwareSextortion email scams have been a very successful way of generating money for criminals. A new Sextortion campaign is now taking it to the next level by tricking recipients into installing the Azorult information-stealing Trojan, which then downloads and installs the GandCrab ransomware.
15.12.18EQ Ransomware discoveredEQ RansomwareGrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.
15.12.18New variants of the Gerber Ransomware discovered Gerber RansomwareEmmanuel_ADC-Soft discovered new variants of the Gerber Ransomware appending the .gerber5 and .FJ7QvaR9VUmi extensions.
15.12.18Santa Dharma Ransomware variantDharma Santa variantGrujaRS discovered a new variant of the Dharma Ransomware that appends the .[newsantaclaus@aol.com].santa extension to encrypted files.
15.12.18New Crypto034 Scarab Ransomware variantScarab RansomwareGrujaRS discovered a new Scarab Ransomware variant that appends the .crypted034 and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
15.12.18Mercury Ransomware huntVýsledek obrázku pro ransomwareMichael Gillespie is looking for a new ransomware that appends the .Mercury extension and drops a ransom note named !!!READ_IT!!!.txt
15.12.18New SYS CryptoMix variantCryptoMixMichael Gillespie found a new CryptoMix variant that renames encrypted files to "[16 uppercase hex].SYS" and drops a ransom note named _HELP_INSTRUCTION.TXT.
15.12.18Trojan and ransomware in the campaign impersonating InPostVýsledek obrázku pro ransomwareFrom the translated Cert Polska article:
For the last few days we have been watching an e-mail campaign in which fake senders claim to be an InPost courier company. Messages inform about the shipment ready for pickup in one of the parcel machines. The address of the parcel locker and the pin needed to collect the parcel should be available after downloading the file from the link visible in the message. So far, we have distinguished two types of threats that await users after launching downloaded files. One of them is a Trojan that allows remote access to the victim's computer, and the other software that encrypts files - ransomware.
15.12.18Fake WannaCry in circulationFake WannaCryM. Shahpasandi found a fake WannaCry ransomware that appends the .wannacry extension and drops a ransom note named Get Back FILES.txt.
15.12.18Forma RansomwareForma RansomwareGrujaRS discovered the Polish Forma Ransomware that appends the .locked extension and drops a ransom note named ODSZYFRFUJ_PLIKI_TERAZ.txt.
15.12.18Ransomware Hunt underway for Djvu RansomwareVýsledek obrázku pro ransomwareMichael Gillespie found a new ransomware called Djvu that appends the .djvu extension and drops a ransom note named _openme.txt.
15.12.18Ships infected with ransomware, USB malware, wormsVýsledek obrázku pro ransomwareFor example, in an incident detailed in the report, a shipowner reported not one, but two ransomware infections, both occurring due to partners, and not necessarily because of the ship's crew.
15.12.18New Ironhead Scarab Ransomware variantVýsledek obrázku pro ransomwareMichael Gillespie found a new variant of the Scarab Ransomware that appends the .ironhead extension and drops a ransom note named How to restore encrypted files.txt.
8.12.18GandCrab v5.0.9 comes with a messageGandCrab 5.0.9Marcelo Rivero noticed that the GandCrab developers released version 5.0.9, which simply contains a message stating that "We will become back very soon! ;)"
8.12.18New RISK Dharma VariantVýsledek obrázku pro ransomwareJakub Kroustek discovered a new Dharma Ransomware variant that appends the .RISK extension to encrypted files.
8.12.18New IsraBye versionIsrabye RansomwareGrujaRS found a new version of the IsraBye ransoimware that appends the .israbye extension to encrypted files.
8.12.18Dablio Ransomware discoveredDablio RansomwareKarsten Hahn found the new Dablio Ransomware that prepends "(encrypted)" to the beginning of encrypted file's name,
8.12.18Ransomware Infects 100K PCs in China, Demands WeChat PaymentWeChat RansomwareOver 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware named UNNAMED1989 that encrypts local files and steals credentials for multiple Chinese online services. This ransomware then asked victims to pay the developer via WeChat payments.
8.12.18Company Pretends to Decrypt Ransomware But Just Pays RansomVýsledek obrázku pro ransomwareSecurity researchers from Check Point Research have found a company in Russia that guarantees decryption of files touched by the Dharma/Crisis ransomware strain, an operation known to be successful only by paying for the unlock key from the malware maker.
8.12.18Atlanta U.S. Attorney Charges Iranian nationals for City Of Atlanta ransomware attackVýsledek obrázku pro ransomwareA federal grand jury in Atlanta has returned an indictment charging Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri with committing a sophisticated ransomware attack on the City of Atlanta in March 2018 in violation of the Computer Fraud and Abuse Act.
8.12.18New bkpx Dharma Ransomware variantVýsledek obrázku pro ransomwareJakub Kroustek discovered a new Dharma Ransomware variant that appends the .bkpx extension to encrypted files.
8.12.18Chinese Police Arrest Dev Behind UNNAMED1989 WeChat RansomwareVýsledek obrázku pro ransomwareChinese law enforcement have arrested the developer of the UNNAMED1989 / WeChat Ransomware that recently took China by storm and infected over 100K users in a few days.
8.12.18Abandoned Globelmposter TOR Site Leaves Ransomware Victims Without OptionsVýsledek obrázku pro ransomwareRecent victims of Globelmposter 2.0 found themselves grasping for a means to decrypt data after the TOR site in their ransomware notice was abandoned by its creators. In lieu of having backups, these victims have no path to decrypt their data or contact the hackers. Recent examples of the ransom notice left on encrypted machines appear below, and direct the user to a broken TOR site.
8.12.18HiddenTear variant discoveredVýsledek obrázku pro ransomwareMalwareHunterTeam found a HiddenTear variant that tries to implicate a YouTuber who said he didn't make it. See the Twitter thread for more info.
8.12.18Gerber Ransomware 1.0Gerber Ransomware 1.0Petrovic discovered the Gerber Ransomware 1.0 that appends the .XY6LR extension to encrypted file's names.
8.12.18Gerber Ransomware 3.0Gerber Ransomware 3.0Soon after, GrujaRS discovered the Gerber Ransomware 3.0.
8.12.18New LOL Scarab Ransomware variantLOL Scarab RansomwareAmigo-A found a new variant of the Scarab Ransomware that appends the .lol extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
8.12.18Outsider Ransomware discoveredOutsider RansomwareGrujaRS discovered a ransomware called Outsider that appends the .protected extension.
8.12.18JungleSec Ransomware uses open source encryption toolVýsledek obrázku pro ransomwareMichael Gillespie learned from a victim that the JungleSec ransomware is utilizing the http://ccrypt.sourceforge.net/ encryption program.
1.12.18EnyBeny Nuclear Ransomware discoveredEnyBeny Nuclear Ransomware@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.
1.12.18New myjob Dharma variantVýsledek obrázku pro ransomwareJakub Kroustek discovered a new Dharma variant that appends the .myjob extension to encrypted files.
1.12.18Lucky Ransomware discoveredVýsledek obrázku pro ransomwareMichael Gillespie discovered a new ransomware that renamed encrypted files to "[[email]][original].[random].lucky" and drops a ransom note named _How_To_Decrypt_My_File_.txt.
1.12.18New Scarab Ransomware variants discoveredScarab Lolita Ransom NoteEmmanuel_ADC-Soft found a new Scarab Ransomware variant that appends the .lolita and drops a ransom note named _How to restore files.TXT and another variant that appends the .stevenseagal@airmail.cc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
1.12.18New Dharma variant discoveredEmmanuel_ADC-Soft discovered a new Dharma variant that appends the .[cyberwars@qq.com].war and drops a ransom note named FILES ENCRYPTED.txt.
1.12.18New Dharma variantVýsledek obrázku pro ransomwareMichael Gillespie discovered a new Dharma variant that appends the .risk extension to encrypted files.
1.12.18GarrantyDecrypt DiscoveredMalwareHunterTeam found the GarrantyDecrypt Ransomware that appends the .decryptgarranty extension to encrypted files and drops a ransom note named #RECOVERY_FILES#.txt.
1.12.18New Everbe Ransomware variantVýsledek obrázku pro ransomwareMichael Gillespie found a new Everbe 2.0 Ransomware variant that appends the .[].lightning extension to encrypted files.
1.12.18New Scarab Ransomware variantEmmanuel_ADC-Soft discovered another Scarab Ransomware variant that appends the .online24files@airmail.cc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES-online24files@airmail.cc.TXT.
1.12.18DOJ Indicts Two Iranian Hackers for SamSam Ransomware OperationVýsledek obrázku pro ransomwareThe Department of Justice announced today that a grand jury has unsealed an indictment against two Iranian hackers for conducting the hacking and ransomware operation called SamSam.
1.12.18New GusCryptor discoveredGusCryptorS!Ri found a new ransomware called GusCryptor that appends the .bip extension. Note, the bip extension was also used by a Dharma Ransomware variant.
1.12.18Making a Ransomware Payment? It May Now Violate U.S. SanctionsVýsledek obrázku pro ransomwareThinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions.
1.12.18cmdRansomware DiscoveredcmdRansomwarePetrovic found a new ransomware called cmdRansomware that utilizes a batch files and GPG to encrypt a computer. When encrypting it will append the .ransomware extension to encrypted files and drop a ransom note named cmdRansomware.txt.
1.12.18Stop Ransomware decryptor releasedMichael Gillespie released a free decryptor for the STOP Ransomware, which works on the .puma, .pumas, and .pumax variants.
1.12.18Moscow's New Cable Car System Infected with Ransomware the Day After it OpensVýsledek obrázku pro ransomwareMoscow recently opened its first cable-car service and promised free rides for the first month. Unfortunately, only two days after after the service was made available, attackers reportedly hacked into the cable car systems and infected them with ransomware.
24.11.18Vapor Ransomware discoveredVapor RansomwareMalwareHunterTeam discovered the Vapor Ransomware that appends the .Vapor extension to encrypted files. Will delete files if you do not pay in time.
24.11.18New EnyBenyHorsuke Ransomware discoveredGrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.
24.11.18New .fire Dharma variantVýsledek obrázku pro ransomwareJakub Kroustek found a new variant of the Dharma Ransomware that appends the .fire extension to encrypted files.
24.11.18Dr. Web can reportedly decrypt the DCRTR ransomwareVýsledek obrázku pro ransomwareAccording to reports, Dr. Web can decrypt the DCRTR ransomware.
24.11.18DeLpHiMoRix ransomwarePetrovic discovered a ransomware named DeLpHiMoRix.
24.11.18New STOP Ransomware variantEmmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.
24.11.18Aurora / Zorro Ransomware Actively Being DistributedZorro RansomwareA ransomware that has been distributed since the summer of 2018 has started to pick up steam in the latest variant. This new variant is currently being called Zorro Ransomware, but has also been called Aurora Ransomware in the past.
24.11.18New CRYPTO Scarab variantScarabEmmanuel_ADC-Soft found a new Scarab Ransomware variant that appends the .CRYPTO extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
24.11.18New STOP Ransomware variantSTOPMarcelo Rivero found a new variant of the STOP Ransomware that appends the .PUMA extension to encrypted files and drops a ransom note named !readme.txt.
24.11.18New Everbe Ransomware variantEverbeMalwareHunterTeam found a new Everbe Ransomware variant that appends the .[yoursalvations@protonmail.ch].neverdies@tutanota.com extension to encrypted files and drops a ransom note named !=How_recovery_files=!.html.
24.11.18New DelphiMorix pays homage to ransomware researchersNew variants of the DelphiMorix Ransomware were spotted that use .demonslay335 and .malwarehunterteam as the extension for encrypted files.

17.11.18

XUY Ransomware discovered

XUY Ransomware

MalwareHunterTeam found a new ransomware called XUY that appends the extension .xuy to encrypted file's names.

17.11.18

Argus Ransomware discovered

Argus Ransomware

Amigo-A found a new ransomware called Argus that appends the .ARGUS extension and drops a ransom note named ARGUS-DECRYPT.html.

17.11.18

Dharma Ransomware: What It’s Teaching Us

Výsledek obrázku pro ransomware

David Maciejak and Kenny Yongjian Yang of FortiGuard Labs take a look at Dharma Ransomware:
FortiGuard Labs has been monitoring the Dharma (also named CrySiS) malware family for a few years. As we demonstrate below even though the Dharma ransomware continues to be active, the attackers are not really updating their mode of operation, but continue to rely on a proven tactic to find and infect new victims, which is to leverage badly secured RDP services to gain access to the network.

17.11.18

XUY Ransomware discovered

XUY Ransomware

MalwareHunterTeam found a new ransomware called XUY that appends the extension .xuy to encrypted file's names.

17.11.18

010001 Ransomware discovered

Výsledek obrázku pro ransomware

Michael Gillespie noticed a new ransomware, with a sample discovered by Jakub Kroustek, that appends the extension .010001 to encrypted files and drops a ransom note named tmpsfn_as.txt.

17.11.18

HookAds Malvertising Installing Malware via the Fallout Exploit Kit

Výsledek obrázku pro ransomware

The HookAds malvertising campaign has been active lately and redirecting visitors to the Fallout Exploit Kit. Once the kit is activated, it will attempt to exploit known vulnerabilities in Windows to install different malware such as the DanaBot banking Trojan, the Nocturnal information stealer, and GlobeImposter ransomware.

17.11.18

Titan Cryptor Discovered

Výsledek obrázku pro ransomware

MalwareHunterTeam discovered a new variant of the Argus Ransomware called Titan Cryptor. This variant does not add an extension and drops a ransom note name name Titan Instructions.html.

17.11.18

New SaveFiles Ransomware variant

SaveFiles variant

MalwareHunterTeam found a new variant of the SaveFiles Ransomware called DataWait. This ransomware appends the .DATAWAIT extension and drops a ransom note named !readme.txt.

17.11.18

New Matrix variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .FASTA extension and drops a ransom note named #README_FASTA#.rtf.

17.11.18

New .Back Dharma Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .back extension to encrypted files.

17.11.18

BlackHat Ransomware discovered

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .BlackHat extension to encrypted files and drops a ransom note named ReadME-BlackHat.txt.

17.11.18

New .Bear Dharma Ransomware variant

Bear Dharma Variant

Jakub Kroustek discovered a new Dharma variant that appends the .Bear extension to encrypted files.

17.11.18

C3YPT3OR Ransomware discovered

C3YPT3OR Ransomware

MalwareHunterTeam found a new ransomware called C3YPT3OR that impersonates WannaCry.

10.11.18

M@r1a Ransomware discovered

M@r1a Ransomware

MalwareHunterTeam discovered the M@r1a ransomware that appends the .mariacbc extension to encrypted files.

10.11.18

Kraken Cryptor 2.2 spread by Fallout exploit kit

Kraken Cryptor 2.2

Marcelo Rivero found Kraken Cryptor 2.2 being distributed through the Fallout Exploit Kit. The price changed from: 0.1 BTC to $80 dollars and the wallpaper changed to a Cerber style background.

10.11.18

New ransomware prepends enc

Výsledek obrázku pro ransomware

A new ransomware was discovered by Michael Gillespie that prepends the (enc) string to encrypted file names and drops a ransom note named aboutYourFiles.txt. For example, test.jpg would be encrypted and renamed to (enc)test.jpg.

10.11.18

New Dharma Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie discovered a new Dharma Ransomware variant that appends the .adobe extension to encrypted files.

10.11.18

New Dharma Ransomware variant

Dharma

Michael Gillespie found a new Dharma Ransomware variant that appends the .tron extension to encrypted files.

10.11.18

New Dharma Variant

Výsledek obrázku pro ransomware

Jakub Kroustek found two new Dharma Ransomware variants that append either the .AUDIT or .cccmn extension to encrypted files.

10.11.18

New PyCL Ransomware variant

PyCL Ransom Note

Michael Gillespie found a new PyCL Ransomware variant that uses the .impect extension for encrypted files and drops a ransom note named how to get back you files.txt.

3.11.18

CommonRansom Ransomware Demands RDP Access to Decrypt Files

CommonRansom Ransom Note

A new ransomware called CommonRansom was discovered that has a very bizarre request. In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim's files. The ransomware appends the [old@nuke.africa].CommonRansom extension and drops a ransom note named DECRYPTING.txt.

3.11.18

New .XXXXX Dharma Variant

Dharma

Jakub Kroustek discovered a new variant of the Dharma Ransomware that appends the .xxxxx and drops a ransom note named FILES ENCRYPTED.txt.

3.11.18

New Vendetta Ransomware

Výsledek obrázku pro ransomware

Michael Gillespie discovered the Vendetta Ransomware which renames files to hex and adds the .vendetta extension. It then drops a ransom note named How to decrypt files.txt. An example file name is 6F-12-09-78-15-FF-97-A4-49-66-F5-C6-81-00-3D-42.vendetta.

3.11.18

Kraken Ransomware 2.0.7 Released

Kraken 2.0.7

MalwareHunterTeam found that Kraken Cryptor 2.0.7.1 beta was released and is demanding 1 BTC as the ransom.

3.11.18

Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims

Výsledek obrázku pro ransomware

Rising from the deep, Kraken Cryptor ransomware has had a notable development path in recent months. The first signs of Kraken came in mid-August on a popular underground forum. In mid-September it was reported that the malware developer had placed the ransomware, masquerading as a security solution, on the website SuperAntiSpyware, infecting systems that tried to download a legitimate version of the antispyware software.

3.11.18

New Desktop Ransomware discovered

Desktop Ransomware

MalwareHunterTeam discovered the Desktop Ransomware, which prepends Lock. to filenames. Fly shared the pin number to unlock, which is "00114455220033669988554477++//".

3.11.18

New Ransomware using DiskCryptor With Custom Ransom Message

DiskCryptor

A new ransomware has been discovered that installs DiskCryptor on the infected computer and reboots your computer. On reboot, victims will be greeted with a custom ransom note that explains that their disk has been encrypted and to contact mcrypt18@yandex.com.

3.11.18

SimmyWare Ransomware Discovered

SimmyWare

GrujaRS discovered a new ransomware called SimmyWare that appends the .SIMMYWARE extension and drops a ransom note named SIMMYWARE.txt.

27.10.18

New .betta Dharma Ransomware variant

Výsledek obrázku pro ransomware

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .betta extension to encrypted files.

27.10.18

Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption

Výsledek obrázku pro ransomware

Over the weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer during different stages of their encryption process. It is not known what they are trying to achieve by doing this, but it does provide BleepingComputer with insight into the amount of victims being infected by this ransomware.

27.10.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .GMPF extension to encrypted files.

27.10.18

Solo Ransomware

Solo Ransomware

Michael found a new ransomware that appends the .SOLO extension and drops a ransom note named IHRE_DATEIEN_SIND_VERSCHLUESSELT.html. Not the most sophisticated ransomware as it encrypts its own note.

27.10.18

Xorist continues with the long extensions

Xorist Variant

Michael Gillespie found another Xorist Ransomware variant that uses a crazy long extension.

27.10.18

HiddenBeer Ransomware discovered

HiddenBeer Ransomware

GrujaRS discovered a new HiddenTear variant called HiddenBeer that appends the .beer extension to encrypted files.

27.10.18

New .Vanss Dharma variant

Dharma .vanss

Jakub Kroustek found a new Dharma Ransomware variant that appends the .vanss extension and drops a ransom note named Info.html and FILES ENCRYPTED.txt.

27.10.18

Free Decrypter Available for the Latest GandCrab Ransomware Versions

GandCrab Decryptor

A newly released decryptor allows for the free recovery of files encrypted by GandCrab versions 1, 4, and 5.

27.10.18

New FilesLocker Ransomware Offered as a Ransomware as a Service

FilesLocker

A new ransomware called FilesLocker is being distributed as a Ransomware as a Service, or RaaS, that targets Chinese and English speaking victims.

27.10.18

ESET releases new decryptor for Syrian victims of GandCrab ransomware

Výsledek obrázku pro ransomware

ESET experts have created a new decryption tool that can be used by Syrian victims of the GandCrab ransomware. It is based on a set of keys recently released by the malware operators

27.10.18

New .Funny Dharma variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Dharma Ransomware variant that appends the .FUNNY extension to encrypted files.

27.10.18

New Everbe 2.0 variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Everbe 2.0 Ransomware that appends the .[everest@airmail.cc].EVEREST and drops ransom note named EVEREST LOCKER .txt and 新建文本文档.txt.

27.10.18

ID Ransomware adds extortion scam detections

Výsledek obrázku pro ransomware

Michael Gillespie added detections for extortion scam emails.

27.10.18

GandCrab 5.0.5 released that breaks free decryption

Výsledek obrázku pro ransomware

Tamas Boczan discovered that GandCrab v5.0.5 was released, which breaks the free decryption through Bitdefender's recently released decryptor.

27.10.18

New Ransomware

.Docx ransomware

S!Ri discovered a new ransomware that appends the .docx extension to encrypted files.

20.10.18

GandCrab redesigns their ransom page

GandCrab Ransom Page

Damian1338 noticed that GandCrab did a major redesign of the payment page.

20.10.18

EbolaRnsmwr discovered

EbolaRnsmwr

MalwareHunterTeam discovered a new in-dev ransomware called EbolaRnsmwr that appends the .101 extension and is based off of HiddenTear.

20.10.18

New Dharma variant

Dharma Variant

#CrySiS #Ransomware extension .[mixon.constantine@aol.com].gamma!Ransom note; all your data has been locked us You want to return? write email mixon.constantine@aol.com or mclainmelvin@aol.com https://youtu.be/Xkd4m6GqeO4

20.10.18

New Scarab variant

Výsledek obrázku pro ransomware

Amigo-A found a new variant of the Scarab Ransomware that appends the .DD extension to encrypted files and drops a ransom note named HOW TO RETURN FILES.TXT.

20.10.18

New Crypton Ransomware discovered

Výsledek obrázku pro ransomware

GrujaRS discoverd a new ransomware called Crypton that a ransom note named README.TXT.

20.10.18

New CryptoConsole Variant

Amigo-A found a new variant of the CryptConsole-3 Ransomware that does not add an extension and drops a ransom note named README.txt.

20.10.18

New District ransomware

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware that appends the .ctrlalt@cock.li.district extension to encrypted files and drops a ransom note named READ_IT.district.

20.10.18

New Scarab Ransomware variant

Amigo-A found a new Scarab Ransomware variant that appends the .yourhope@airmail.cc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

20.10.18

New EqutionDrug variant

EquationDrug Ransomware

Michael Gillespie found a new ransomware appending the .katyusha and dropping a ransom note named _how_to_decrypt_you_files.txt. Kaspersky detects this as an "EquationDrug" variant.

20.10.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Matrix Ransomware variant that appends the .THDA extension and drops a ransom note named !README_THDA!.rtf.

20.10.18

GandCrab Devs Release Decryption Keys for Syrian Victims

Výsledek obrázku pro ransomware

In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.

20.10.18

Birbware Ransomware discovered

Birbware

MalwareHunterTeam discovered a new ransomware called Birbware that adds the .birbb extension to encrypted files and states that you can get a free decryption key by contacting the developer on Discord.

20.10.18

Ransomware masquerading as a Fortnite vBucks hack

MalwareHunterTeam discovered a fake ransomware pretending to be a Fortnite vBucks hack.

13.10.18

God Crypt Joke Ransomware

Výsledek obrázku pro ransomware

MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. Has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.

13.10.18

New Dharma Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Dharma Ransomware variant that appends the .boost extension to encrypted files uploaded to ID Ransomware.

13.10.18

New Matrix Ransomware variants

Výsledek obrázku pro ransomware

Michael Gillespie found a new Matrix Ransomware variant that appends the .GMAN and drops a ransom note named !README_GMAN!.rtf uploaded to ID Ransomware. Michael also found a variant that appends .EMAN50 and drops a note named #README_EMAN50#.rtf.

13.10.18

New Scarab Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Scarab Ransomware variant that uses the extension .[crab7765@gmx.de].crab and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

13.10.18

New Possible Scarab variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware that may be a Scarab variant that appends the .qweuirtksd extension to encrypted files and drops a ransom note named !!!ReadMeToDecrypt.txt. There are victims on BleepingComputer.

13.10.18

New DecryptFox Ransomware

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.

13.10.18

Windows 10 Ransomware Protection Bypassed Using DLL Injection

Výsledek obrázku pro ransomwareVýsledek obrázku pro ransomware

At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

13.10.18

GandCrab Vaccine continues to work with version 5.0.3

Výsledek obrázku pro ransomware

Valthek's vaccine for GandCrab continues to work with the release of version 5.0.3.

13.10.18

Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation

Forum post

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes).

13.10.18

Council hit by cyber attack reveals £2m cost

Výsledek obrázku pro ransomware

The BBC reports:

Copeland Borough Council has revealed that an attack on its systems in August 2017 has cost it about £2m.

The hack locked staff out of a number of council services, including payroll, planning and environmental health.

13.10.18

The ransomware with most annoying extension

RotorCrypt

Michael Gillespie found a new RotorCrypt variant that uses the most annoying extension I have ever seen. This extension is "!@#$%^&-()_+.1C" and the ransom note is INFO.txt.

13.10.18

New garrantydecrypt Ransomware

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named #RECOVERY_FILES#.txt.

13.10.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .NOBAD extension and drops a ransom note named #NOBAD_README#.rtf.

13.10.18

New Backdoor Ties NotPetya and Industroyer to TeleBots Group

Graph

Security researchers found the missing link that helps them prove that the NotPetya disk-wiping malware and the Industroyer backdoor for electric power systems are the work of the TeleBots group.

13.10.18

New Dharma Ransomware variant

Výsledek obrázku pro ransomware

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .[Darknes@420blaze.it].waifu extension.

13.10.18

WannaCash decryptor updated with new variant

Výsledek obrázku pro ransomware

Alex Svirid updated his WannaCash decryptor for a new variant that changes the file name to "зашифровано original_name".

7.10.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie discovered a new variant of the Matrix Ransomware that appends the .EMAN extension and drops a ransom note named #README_EMAN#.rtf.

7.10.18

New Unlock92 variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Unlock92 Ransomware that appends the .@LOCKED extension and drops a ransom note named .txt.

7.10.18

New Dharma variant

Dharma BTC Variant

Jakub Kroustek found a new CrySiS/Dharma variant that appends the .btc extension and drops ransom notes named Info.hta and FILES ENCRYPTED.txt.

7.10.18

Hackers demand bitcoin ransom in cyberattack on big Canadian restaurants

Výsledek obrázku pro ransomware

A Canadian company that owns many popular restaurant chains has been told to pay ransom in bitcoin to retrieve data that hackers claim to have stolen.

7.10.18

Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware

The Fallout Exploit has been distributing the GandCrab Ransomware for the past few weeks, but has now switched its payload to the Kraken Cryptor Ransomware.

7.10.18

New Dharma variant

Výsledek obrázku pro ransomware

Jakub Kroustek found a new CrySiS/Dharma variant that appends the .bgtx extension and drops ransom notes named Info.hta and FILES ENCRYPTED.txt.

29.9.18

Qinynore Ransomware discovered

Karsten Hahn has discovered a new HiddenTear variant called Qinynore Ransomware. This ransomware appends the .anonymous extension to encrypted files and drops a ransom note named YOU_MUST_READ_ME.rtf .

29.9.18

Bytar Ransomware discovered

Karsten Hahn discovered a new ransomware called Bytar that appears to be in development.

29.9.18

New LockCrypt 2.0 variant

BDKR Variant

GrujaRS discovered a new LockCrypt 2.0 variant that appends the .BDKR extension to encrypted files and creates a ransom note named How To Restore Files.txt.

29.9.18

XD Ransomware

Výsledek obrázku pro ransomware

GrujaRS discovered a ransomware appending the .xd extension to encrypted files.

29.9.18

Pennsylvania Senate Democrats paid $700,000 to recover from ransomware attack

Výsledek obrázku pro ransomware

Microsoft was paid $703,697 to help Pennsylvania Senate Democrats rebuild IT systems after 2017 ransomware incident.

29.9.18

New Jigsaw Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Jigsaw Ransomware targeting German victims and appending the .spaß extension to encrypted files.

29.9.18

GandCrab V5 Released With Random Extensions and New HTML Ransom Note

GandCrab v5 has been released with a few noticeable changes. The most noticeable changes are that the ransomware now uses a random 5 character extension for encrypted files and has a HTML ransom note.

29.9.18

GandCrab v5 Ransomware Utilizing the ALPC Task Scheduler Exploit

The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain System privileges on an infected computer. This vulnerability was recently patched by Microsoft in the September 18 Patch Tuesday, but as shown by computers still vulnerable to EternalBlue, business can be slow to install these updates.

29.9.18

Port of San Diego Affected by a Ransomware Attack

Výsledek obrázku pro ransomware

On September 25th, the Port of San Diego announced that their information technology systems had been disrupted by a cyber attack. In an announcement today, it was announced that this disruption was caused by a ransomware attack.

29.9.18

IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks

Výsledek obrázku pro ransomware

The Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the FBI, have issued a security alert regarding attacks being conducted through the Windows Remote Desktop Protocol. While the most publicized attacks over RDP are related to ransomware, attackers also hack into exposed RDP services for corporate theft, installation of backdoors, or as a launching point for other attacks.

22.9.18

New Brrr Dharma Ransomware Variant Released

A new variant of the Dharma Ransomware was released this week that appends the .brrr extension to encrypted files. This variant was first discovered by Jakub Kroustek who tweeted a link to the sample on VirusTotal.

22.9.18

Ransomware attack blacks out screens at Bristol Airport

Výsledek obrázku pro ransomware

Flight information screens were blacked out over the weekend at the Bristol Airport in the UK. Airport officials blamed the incident on a ransomware infection that affected the computers running the airport's in-house TV screens displaying arrival and departure flight information.

22.9.18

New IT.Books ransomware

IT.Books Ransomware

MalwareHunterTeam discovered a new HiddenTear variant called IT.Books Ransomware that looks like Jigsaw. Drops a ransom note named READ__IT.txt and extension of .f*cked.  See the tweet for the uncensored extension.

22.9.18

New Everbe 2.0 variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Everbe 2.0 Ransomware that appends the ".[].NOT_OPEN" and drops a ransom note named "!_HOW_RECOVERY_FILES_!.txt".

22.9.18

New Matrix ransomware variants

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Matrix Ransomware that renames files to "[che808@protonmail.com].-.CHE808". Michael also found another variant that renames files to "[KOK08@QQ.COM].-.CHE08".

22.9.18

Xbash Malware Deletes Databases on Linux, Mines for Coins on Windows

What may very well be considered a cybercriminal's dream tool is now real and it is hunting Windows and Linux servers: a botnet with self-spreading capabilities that combines cryptomining and ransomware functions.

22.9.18

Database with 11 Million Email Records Exposed

A huge customer database containing 11 million records that include personal details, has been discovered on Monday sitting online, unprotected.

22.9.18

No personal info lost in ransomware attack, says VON Canada

Výsledek obrázku pro ransomware

CBC reported that "VON Canada is assuring clients and staff that their information is safe after the nursing organization was the target of a ransomware incident earlier this month."

22.9.18

Allscripts files a Motion to Dismiss for the ransomware related lawsuit

Výsledek obrázku pro ransomware

Allscripts was sued by customers for an outage caused by the SamSam ransomware. They have not filed a Motion to Dismiss to get the lawsuit thrown out.

22.9.18

Possible new Dcrtr Ransomware variant spotted

Výsledek obrázku pro ransomware

Michael Gillespie noticed a possible new Dcrtr variant that appends the .[].parrot extension and drops a ransom note named ReadMe_Decryptor.txt.

22.9.18

New Scarab variant

Výsledek obrázku pro ransomware

Amigo-A found a new variant of the Scarab Ransomware that appends the .skype extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

22.9.18

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

Výsledek obrázku pro ransomware

A Romanian woman admitted on Thursday her participation in a ransomware distribution scheme that ended up disabling computers used by the Washington D.C. police for surveillance.

22.9.18

Gamma, Bkp, & Monro Dharma Ransomware Variants Released in One Week

Dharma Ransom Note

This week Jakub Kroustek found three new Dharma Ransomware variants that append either the .Gamma, .Bkp, & .Monro extensions to encrypted files.

22.9.18

NSA Codebreaker Challenge Started

NSA CodeBreaker Challenge

The NSA CodeBreaker Challenge started today and this year has a theme revolving around ransomware.

22.9.18

Scottish brewery recovers from ransomware attack

Výsledek obrázku pro ransomware

Staff at Arran Brewery were locked out of its computer systems this week following a ransomware attack.

The attack against the Isle of Arran-based Scottish beer maker appears to have been a targeted strike. Prior to the infection, adverts for an already filled finance post at the brewery were placed on recruitment sites worldwide. This, in turn, resulted in an influx of CVs.

15.9.18

New Brr Dharma variant

Jakub Kroustek discovered a new variant of the Dharma ransomware that appends the .brrr extension and drops a ransom note named Info.hta

15.9.18

MVP Ransomware discovered

MVP Ransomware

Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.

15.9.18

New Scarab Ransomware variant

Amigo-A found a new variant of the variant Scarab-DiskDoctor ransomware that uses the .mammon extension for encrypted files. Emmanuel_ADC-Soft shared the ransom note below. Other new Scarab variants found this week append the extensions : .omerta and .bomber.

15.9.18

Mongo Lock Attack Ransoming Deleted MongoDB Databases

Výsledek obrázku pro ransomware

An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, encrypting them, and then demanding a ransom in order to get the contents back. 

15.9.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Matrix Ransomware variant that uses appends the .ITLOCK extension to encrypted files and drops a ransom note named !ITLOCK_README!.rtf.

15.9.18

StorageCrypter still alive

Výsledek obrázku pro ransomware

Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.

15.9.18

Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program

Encrypted Files

The Kraken Cryptor Ransomware is a newer ransomware that was released in August 18. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

15.9.18

Fallout Exploit Kit Pushing the SAVEfiles Ransomware

Ransom Note

Last week the Fallout Exploit kit was distributing the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles, for lack of a better name, through malvertising campaigns.

15.9.18

New Rektware ransomware

Rektware

GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension.

14.9.18

Kraken Ransomware

The Kraken Ransomware is a newer ransomware that was released in August 18. A new version, called Kraken 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

12.9.18

Barack Obama's Blackmail Virus Ransomware Only Encrypts .EXE Files

Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

12.9.18

Locdoor Ransomware discovered

Locdoor

Leo discovered a new ransomware called Locdoor/DryCry. May be bugger or in development as it does not encrypt all files. When it does encrypt, it will append the .door[random number] extension to encrypted files.

12.9.18

New PyLocky variant

CyberSecurity found a new PyLocky variant that appends the .lockedfile and .lockymap extension to encrypted files and drops a ransom note named LOCKY-README.txt.

12.9.18

New Ransomware targeting servers

A new ransomware has been discovered by dave that appears to be targeting web servers. It is unknown what extension, if any, is appended to encrypted files.

12.9.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Matrix Ransomware variant that appends the .FASTBOB extension and drops a ransom note named #_#FASTBOB_README#_#.rtf. Michael discovered another variant that appends the .NEWRAR extension and drops a note named #NEWRAR_README.rtf.

12.9.18

New Shiva Ransomware variant

MalwareHunterTeam found a new Shiva variant with active victims that appends the .good extension and drops a ransom note named HOW_TO_RECOVER_FILES.txt.

12.9.18

New CryptoJoker variant

Výsledek obrázku pro ransomware

Michael Gillespie found the decrypter for a new CryptoJoker variant that uses the .partially.cryptolocker and .fully.cryptolocker.

12.9.18

YARA Rule created for Shrug2

Výsledek obrázku pro ransomware

Marc Rivero López created a new YARA rule that detects the Shrug2 ransomware based on an article from Quick Heal.

12.9.18

New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs

A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware downloading Trojans, and other potentially unwanted programs (PUPs).

12.9.18

New yyy0 Ransomware

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware that appends the .davilarita@mail.com.yyy0 extensio and drops a ransom note named help.txt.

12.9.18

New Bandarchor variant adds .pip

Jakub Kroustek found a new Bandarchor ransomware variant that appends the .id-%ID%-[shivamana@seznam.cz].pip extension to encrypted files.

12.9.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie saw a new Matrix Ransomware variant uploaded to ID Ransomware tha uses the .KOK08 extension and the ransom note #KOK08_README#.rtf.

12.9.18

New EOEO AutoIt ransomware

MalwareHunterTeam has found the EOEO AutoIt ransomware that appends the .eoeo extension to encrypted files.

12.9.18

New 5H311 1NJ3C706 Ransomware

Michael Gillespie found a new ransomware called 5H311 1NJ3C706 that acts more like a screenlocker, but does have encryption code that adds the extension .5H11 1NJ3C706, but does not appear to be working. . The password to the screenlocker is 666HackerThn.

12.9.18

New Suri Ransomware

MalwareHunterTeam found a new ransomware called Suri that appends the .SLAV extension. It is based on Stupid Ransomware.

4.9.18

CreamPie Ransomware discovered

Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.

4.9.18

Jeff the Ransomware

Jeff the Ransomware

Leo discovered the Jeff the Ransomware variant. Looks to be in-development as it does not encrypt.

4.9.18

New Matrix Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Matrix Ransomware variant that renames files in the format "[KOK8@protonmail.com].-.KOK8" and drops a ransom note named #KOK8_README#.rtf.

4.9.18

New Cassetto Ransomware

Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.

4.9.18

Acroware Screenlocker

Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.

4.9.18

Termite Ransomware discovered

Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.

4.9.18

New LockCrypt Variant

MalwareHunterTeam found a new LockCrypt variant that appends the .BadNews extension to encrypted files and drops a ransom note named How To Decode Files.hta.

4.9.18

CryptoNar Ransomware

MalwareHunterTeam found a new CryptoJoker variant called CryptoNar that appends either the .fully.cryptoNar or .partially.cryptoNar extension to encrypted files and drops a ransom note named CRYPTONAR RECOVERY INFORMATION.txt. Michael Gillespie created a decryptor for this variant.

4.9.18

New Pico Ransomware

S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.

4.9.18

CryptoNar Ransomware Discovered and Quickly Decrypted

This week a new CryptoJoker ransomware variant was discovered called CryptoNar that has infected victims. The good news, is that a free decryptor was quickly released so that these victims can get their files back for free.

29.8.18

AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys

Výsledek obrázku pro ransomware

Towards the end of July 18, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.

29.8.18

Beware of Spam with Fake Invoices Pushing Hermes 2.1 Ransomware and AZORult

A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened they install the AZORult information stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.

29.8.18

New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles

A new variant of the Matrix Ransomware has been discovered that is renaming encrypted files and then appending the .FOX extension to the file name. Of particular interest, this ransomware could have the most exhaustive process of making sure each and every file is not opened and available for encrypting. Thankfully, this also makes its encryption process very slow so it could be easier to detect.

29.8.18

New TorchWood Ransomware Variant

Amigo-A found a new variant of the Russian TorchWood ransomware that uses the .TRCHWD extension for encrypted files and is installed over RDP.

29.8.18

New NinjaLock Ransomware

MalwareHunterTeam found a new ransomware called NinjaLock. Jack shared the image and stated it does not encrypt.

29.8.18

New Creeper Ransomware variant

Amigo-A found a new variant of the Creeper Ransomware variant that appends the .crypton extension and drops a ransom note named DECRIPT_FILES.txt.

29.8.18

New Jigsaw variant with new background

Michael Gillespie found a new Jigsaw Ransomware variant that uses the .fun extension and the following background image.

29.8.18

New Scarab Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Scarab Ransomware variant that utilizes the .CYBERGOD extension and another that uses the .rent extension.

29.8.18

Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge

A new ransomware strain named Ryuk is making the rounds, and, according to current reports, the group behind it has already made over $640,000 worth of Bitcoin.

29.8.18

New RotorCrypt Ransomware

Výsledek obrázku pro ransomware

Michael Gillespie found a new RotorCrypt Ransomware variant that appends the !@#$_(decryp in the EMail)____nautilus369alarm@gmail.com____$#@..AlfaBlock extension to encrypted files.

29.8.18

New Rapid Ransomware v1 Variant

MalwareHunterTeam found a new Rapid v1 Ransomware variant that now uses the .no_more_ransom extension on encrypted files.

29.8.18

New Xorist variant discovered

Michael Gillespie found a new Xorist Ransomware variant that uses the extensions .PrOtOnIs and .PrOtOnIs.VaNdElIs.

29.8.18

New n1n1n1 ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie noticed a new n1n1n1 variant uploaded to ID Ransomware that uses the "jpa." prefix on files and drops a ransom note named why files renamed jpa..txt.

29.8.18

New Why Ransomware discovered

Výsledek obrázku pro ransomware

Michael Gillespie noticed a new ransomware variant uploaded to ID Ransomware that uses the .WHY extension and drops a ransom note named !!!WHY_MY_FILES_NOT_OPEN!!!.txt.

29.8.18

New TotalWipeOut ransomware

MalwareHunterTeam found a new ransomware called TotalWipeOut.

29.8.18

New PyLocky variant

MalwareHunterTeam found a new PyLocky variant that appends the .lockedfile extension to encrypted files.

29.8.18

New Oni Ransomware variant

MalwareHunterTeam found a new Oni Ransomware variant that drops ransom notes named RESTORE_ONI_FILES.txt and renamed files to the "%original file name (incl. extension) converted to hex%.ONI" format.

29.8.18

New Jigsaw Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Polish Jigsaw Ransomware variant that appends the extension .#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#.

23.8.18

Ryuk Ransomware

Ryuk ransomware

At least three organizations in the United States and worldwide have been severely affected, the attackers are estimated to have already netted over $640,000 to date. The malicious code used in the attack was tracked as Ryuk ransomware, it appears connected to Hermes malware that was associated with the notorious Lazarus APT group. “Curiously, our research lead us to connect the nature of Ryuk’s campaign and some of its inner-workings to the HERMES ransomware, a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks.”

22.8.18

Bunch of Jigsaw Ransomware variants released.

Výsledek obrázku pro ransomware

Michael Gillespie discovered a bunch of new Jigsaw Ransomware variant released this week. These variants add the .hacked.by.Snaiparul, .lockedgood, and .pleaseCallQQ. He also noticed a .fun variant that asks for amazon gift cards as a payment.

22.8.18

New FSociety Themed Ransomware

MalwareHunterTeam discovered a new ransomware with a Fsociety theme that appends the .ShutUpAndDance extension to encrypted files.

22.8.18

Wise Ransomware discovered

MalwareHunterTeam discovered a ransomware named Wise Ransomware that does not encrypt anything, but rather deletes the files.

22.8.18

New SARansom Ransomware discovered

MalwareHunterTeam discovered a new in-dev ransomware called SARansom ransomware. Asks for a very aggressive amount of bitcoins. "For the low fee of 5 bitcoin"

22.8.18

Princess Evolution Ransomware is a RaaS With a Slick Payment Site

A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums.

22.8.18

Former Microsoft Engineer Gets 18 Months in Prison for Role in Ransomware Scheme

On Monday, a Florida judge sentenced a former Microsoft network engineer to 18 months in prison for his role in helping launder money obtained from victims of the Reveton ransomware.

22.8.18

New Jobcrypter variant

French Jobcrypter

MalwareHunterTeam discovered a new JobCrypter ransomware variant that continues to target French victims, but now asks for $1000€.

22.8.18

Hermes 2.1 RaaS promoted on underground forums

Hermes RaaS being promoted on underground forums

Damian1338 found Hermes 2.1 Ransomware RaaS being promoted on underground criminal forums.

22.8.18

MAFIA ransomware targeting users in Korea

Mafia Ransomware Note

A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

22.8.18

Golden Ransomware discovered

Golden Ransomware

Bart found a new ransomware called Golden Ransomware. Appears to be in-dev and doesn't actually encrypt.

22.8.18

New Cmb Dharma Ransomware Variant Released

On Thursday a new variant of the Dharma Ransomware was discovered that appends the .cmb extension to encrypted files.

10.8.18

PooleZoor ransomware discovered

Výsledek obrázku pro ransomware

MalwareHunterTeam found a new in-development Hidden Tear variant called PooleZoor ransomware that appends the .poolezoor extension to encrypted files.

10.8.18

New KeyPass Ransomware Campaign Underway

A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.

9.8.18

New CMB Dharma Variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .id-.[].cmb extension to encrypted files.

9.8.18

Zoldon Crypter discovered

Zoldon Ransomware

MalwareHunterTeam found a new ransomware called ZOLDON Crypter V3.0.

8.8.18

The PGA Possibly Infected With the BitPaymer Ransomware

Výsledek obrázku pro ransomware

According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screen.

8.8.18

RansomWarrior Ransomware discovered

RansomWarrior

MalwareHunterTeam found a new ransomware named RansomWarrior 1.0 that renames encrypted files to the format "Encrypted%# of file%.THBEC".

7.8.18

New Dat Jigsaw Ransomware variant

Michael Gillespie found a Jigsaw Ransomware variant that appends the .dat extension to encrypted files and uses the following background.

7.8.18

Rapid Ransomware sold on underground forums

Damian1338 saw Rapid Ransomware RaaS being sold on underground Russian forums.

6.8.18

New RewyWare Ransomware

S!Ri discovered a new ransomware named RetwyWare that appends the .killrabbit extension to encrypted files.

6.8.18

Strange GandCrab Vaccine program discovered

Jawe found a modified version of GandCrab v4.3 that has a version of 4.4 set. According to Jawe, all it does it set the Global\885BDEB9D36E550F587C.lock mutex and then sleeps. While we are not 100% sure if it was released by the GandCrab group, knowing their sense of humor it wouldn't surprise us.

3.8.18

New Everbe 2.0 variant

Výsledek obrázku pro ransomware

Michael Gillespie discovered a new Everbe 2.0 Ransomware variant that uses the .[].divine extension and drops a ransom note named !=How_to_decrypt_files=!.txt.

3.8.18

New Paradise Ransomware variant

Výsledek obrázku pro ransomware

Michael Gillespie found a new Paradise Ransomware variant that appends the [id-].[yourencrypter@protonmail.ch].b29extension to encrypted files.

3.8.18

WannacryV2 Ransomware

MalwareHunterTeam found a new AutoIt ransomware called wannacryV2 that appends the .wannacryv2 extension to encrypted files and provides a decryptor.

2.8.18

GandCrab Ransomware Author Bitter After Security Vendor Releases Vaccine App

Výsledek obrázku pro ransomware

The author of the GandCrab ransomware is a little bit bitter at South Korean security vendor AhnLab after the security firm released a vaccine for the GandCrab ransomware. Due to this they decided to include an alleged zero-day for the AhnLab v3 Lite antivirus in their recent builds.

2.8.18

New Scarab Ransomware variant

Michael Gillespie f found a new Scarab Ransomware variant that uses the same email from a Animus attacker. This variant appends the .anonimus.mr@yahoo.com extension to encrypted files.

28.7.18

WannaCash Ransomware discovered

Amigo-A discovered a new Russian ransomware called WannaCash that renamed files into the pattern "encrypted(file_name.file_extension)". A decrypter is available from Alex Svirid.

28.7.18

New Animus/Aurora variant

Michael Gillespie found a new variant of the Animus/Aurora ransomware that appends the .desu extension to encrypted files. It will also rename the original file name to its hex equivalent. It is still decryptable.

28.7.18

GandCrab added additional languages to payment page

Damian1338 noticed that the GandCrab team added more languages to their payment page. 

28.7.18

Locky

Brad found a new ransomware calling itself Locky. This is not a new variant of the old ransomware of the same name, but an imposter. else been seeing this?

28.7.18

SamSam Ransomware Crew Made Nearly $6 Million From Ransom Payments

Výsledek obrázku pro ransomware

The SamSam ransomware has earned its creator(s) more than $5.9 million in ransom payments since late 2015, according to the most comprehensive report ever published on SamSam's activity, containing information since the ransomware's launch in late 2015 and up to attacks that have happened earlier this month.

28.7.18

BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week

Výsledek obrázku pro ransomware

On Monday, officials from Matanuska-Susitna (Mat-Su), a borough part of the Anchorage Metropolitan Statistical Area, said they are still recovering from a ransomware infection that took place last week, on July 24.

28.7.18

Liviu Dragnea Ransomware discovered

MalwareHunterTeam found a new in-development ransomware that is based on Stupid Ransomware. This ransomware contains an image of Liviu Dragnea as its background. The sample does not currently encrypt, but if it did, it would use the .dragnea extension. 

28.7.18

New Ann Ransomware

S!Ri discovered a new ransomware called Ann that renames files to the ""[AskHelp@protonmail.com]..ANN" " pattern. 

28.7.18

RECOVERYOURFILES Ransomware

Výsledek obrázku pro ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .RECOVERYOURFILES extension and drops a ransom note named INSTRUCTIONS_RECOVER_FILES.txt.

28.7.18

New Matrix Ransomware variant

Michael Gillespie found a new variant of the Matrix Ransomware uploaded to ID Ransomware that renames files to "[BatHelp@protonmail.com].-.CORE" and drops a ransom note named #CORE_README#.rtf.

Srpen 16

New RektLocker Ransomware Discovered

Rektlocker

A new ransomware called RektLocker was discovered by Michael Gillespie that is based on the HiddenTear source code released by Utku Sen. When installed it will encrypt files using AES encryption and then append the .rekt extension to them. It will also create a ransom note called Readme.txt that contains the bitcoin address that a payment should be sent to. Strangely, there is no method to contact the developer after payment is made. Victim's can use Michael's Hidden Tear Brute Forcer to try and get the decryption key for their files.

Srpen 16

Ransomware on Thermostats is just the Tip of the Iceberg

This past weekend at the IoT Village in the DEF CON security conference, Pen Test Partners set to out to demonstrate the sad state of security when it comes to IoT devices. They did this buy showing how they could easily hack a smart thermostat so that ransomware could be installed on it.

Srpen 16

With the looming threat of Ransomware, should companies stockpile Bitcoins?

Výsledek obrázku pro ransomware

With the threat of ransomware hanging over every company's head, does it make sense for companies to stockpile a few bitcoins in the event of a ransomware attack? Getting bitcoins is not the easiest of tasks and with the a ransomware timer counting down, does it make sense to have some on hand?

Srpen 16

Smrss32 Ransomware that pretends to be CryptoWall Discovered

Ransom Note

A ransomware that has been out for a while, but only yesterday was a sample provided by a victim on the forums. This ransomware creates an incredibly lengthy ransom note that states it is CryptoWall and then tells you to pay 1 bitcoin to a specified bitcoin address. You are then prompted to email helprecover@mail.ru after payment to get a decryption key. Encrypted files will have the .encrypted extension appended to them and then ransom note is named _HOW_TO_Decrypt.bmp. This ransomware appears to be installed manually via Remote Desktop and as part of a kit of multiple files. It may be possible to decrypt this ransomware, so if you have been affected by this, please do not pay the ransom.

Srpen 16

BloodDolly Releases a Decryptor for the PizzaCrypt/Juicylemon Ransomwares

Výsledek obrázku pro ransomware

BloodDolly has released a decryptor for the PizzaCrypt and Juicylemon ransomware infections. For those who are infected with it, you can download the decryptor from the following URL: http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip This decryptor will decrypt files that have the following extensions:

.id-{number}_
.id-{number}_sos@juicylemon.biz
.id-{number}_*@juicylemon.biz*protonmail.com*
.id-{number}_*@juicylemon.biz_BitMessage_*
.id-{number}_maestro@pizzacrypts.info
Support for this ransomware can be found in this topic.

Srpen 16

PokemonGo Ransomware installs Backdoor Account and Spreads to other Drives

Michael Gillespie discovered a new ransomware that pretends to be PokemonGo. This ransomware is currently in development as it uses a Command & Control server on a private IP address and has a static AES encryption password. When it encrypts files it will append the .locked extension to encrypted files. It will also create a Arabic ransom note on the Desktop called هام جدا.txt.

Mosh has posted further analysis of this ransomware in Spanish.

The icon used by the program is of Pikachu:

Srpen 16

Development version of the Hitler-Ransomware Discovered

Hitler-Ransomware Lock Screen

It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers. This is shown in a new ransomware called Hitler-Ransomware, or mispelled in the lock screen as Hitler-Ransonware, that has been discovered by AVG malware analyst Jakub Kroustek. This ransomware shows a lock screen displaying Hitler and then states that your files were encrypted. It then prompts you enter a cash code for a 25 Euro Vodafone Card as a ransom payment to decrypt your files. In the current version this ransomware does encrypt your files, but rather just removes the extension. On reboot, it deletes all of the files under the %UserProfile% folder.

Červenec 16Side-by-side comparisons of the CrypMIC and CryptXXX Ransomware InfectionsTrendMicro has discovered that there is a new family of ransomware called CrypMIC that appears very similar to the CryptXXX ransom family. At this time it is unknown if this is just a new ransomware trying to benefit from CryptXXX success or if its a split in the CryptXXX development tree. This article shows side-by-side differences between the two ransomware families.
Červenec 16New Simple_Encoder Ransomware DiscoveredThe Simple_Encoder, or Tilde Ransomware, is a ransomware discovered by Michael Gillespie that will encrypt your data using AES encryption and then adds a tilde, or .~ extension, to encrypted files. For each folder that a file is encrypted, it will create a _RECOVER_INSTRUCTIONS.ini ransom note, which is shown below. If you are affected by this ransomware, please post in the Simple_Encoder Ransomware Help & Support Topic as we may be able to help.
Červenec 16The NoMoreRansom Project goes PublicVýsledek obrázku pro ransomwareA new project called NoMoreRansom was created by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab, and Intel Security was developed and announced to help victims of ransomware. This site contains info about ransomware, some decryptors, and a way of identifying what ransomware has infected you.
Červenec 16Chimera Ransomware Decryption Keys Released by Petya DevsThe devs behind the Mischa and Petya ransomware have leaked approximately 3500 RSA decryption keys for the Chimera Ransomware. These keys are in hex format, but can be converted back to their normal format and used within a decryptor by a security company or professional.
Červenec 16Petya and Mischa Ransomware Affiliate System Publicly ReleasedToday, the Petya and Mischa Ransomware devs have made their Ransomware as a Service, or RaaS, open to the public. For the past few months, the Petya & Mischa RaaS has been been in testing with a limited amount of supposed high volume distributors. As of today, any would-be criminal can signup and become an official distributor. Unfortunately, this will most likely lead to a greater amount of distribution campaigns for this ransomware.
Červenec 16New Jager Ransomware DiscoveredA new ransomware was discovered by AVG malware analyst Jakub Kroustek called Jager Ransomware. The command & control server for the ransomware was disabled fairly quickly, so it does not appear that this ransomware very widespread.
Červenec 16Turkish Ransomware called Uyari DiscoveredThis was posted a while back, but hadn't heard about it so adding it to this weeks article. The Uyari Ransomware is a ransomware discovered by Michael Gillespie whose ransom notes are written in Turkish and demands 2 bitcoins as a ransom. When encrypting files it will append the .locked extension to encrypted files and create a ransom note called DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html on the desktop. Further analysis of this ransomware was done by Mosh. This ransomware can be decrypted and any victim's should ask for help in the Uyari Ransomware Help & Support Topic.
Červenec 16We Are Anonymous Jigsaw Ransomware Variant DiscoveredA new variant of the Jigsaw Ransomware has been discovered by Michael Gillespie that uses a new Anonymous themed background for the ransom note. Though there has been a previous variant of Jigsaw that included a Guy Fawkes mask, this new one implies that Anonymous is involved with the ransomware. The ransom screen's background now states "We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us.". The good news is that Jigsaw continues to be easily decrypted and Michael's Jigsaw Decryptor has been updated to decrypt this variant.
Červenec 16Kaspersky rakhnidecryptor.exe to decrypt the Chimera RansomwareVýsledek obrázku pro ransomwareKaspersky has updated their RakhniDecryptor tool to include support for decrypting the Chimera Ransomware. This tool only supports the 3,500 keys that were leaked by the Petya Devs.
Prosinec 16PadCrypt 3.1.2 ReleasedMalwareHunterTeam discovered that PadCrypt has been upgraded to version 3.1.2. No significant changes were made.
Prosinec 16Ransomware Author "Pornopoker" Arrested in RussiaVýsledek obrázku pro ransomwareRussian authorities have arrested a man suspected of writing and distributing ransomware. The suspect, whose name hasn't been released yet, goes by the nickname of Pornopoker.
Prosinec 16Emsisoft released a decryptor for the latest Nemucod variantVýsledek obrázku pro ransomwareFabian Wosar of Emsisoft has released a decryptor for the latest Nemucod campaign that is underway. The decryptor can be downloaded from here.
Prosinec 16New version of the Apocalypse Ransomware ReleasedVýsledek obrázku pro ransomwareEmsisoft security researcher xXToffeeXx discovered a new version of the Apocalypse Ransomware that uses ransom note named [md5].txt and files will be encrypted as [filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]
Prosinec 16New Globe ransomware released that uses the .lovewindows extensionVýsledek obrázku pro ransomwareSecurity researcher Michael Gillespie discovered a new variant of the Globe Ransomware that apppends the .lovewindows extension to encrypted files. It also uses the email address bahij2@india.com as a point of contact.
Prosinec 16Kelihos Botnet Delivering Shade (Troldesh) Ransomware with No_More_Ransom ExtensionOver the last two weeks, the Kelihos spam botnet has been busy spreading the latest version of the Shade ransomware (also known as Troldesh), which now appends the ".no_more_ransom" extension at the end of each encrypted file. Their gesture is a sign of irony, as the NoMoreRansom project has released a free decrypter over the summer that can help victims unlock files encrypted by this threat.
Prosinec 16New screenlocker with File Encryption DiscoveredGData malware analyst Karsten Hahn has discovered a new screen locker that also encrypts files. Appears to be buggy as it does not appear to encrypt anything, but does contain an decryption routine. It is supposed to encrypt files and append the .encrypted extension to encrypted files.
Prosinec 16Locky Ransomware switches to Egyptian Mythology with the Osiris ExtensionOnce again, the developers of the Locky Ransomware have decided to change the extension of encrypted files. This time, the ransomware developers moved away from Norse gods and into Egyptian mythology by using the .osiris extension for encrypted files.
Prosinec 16Petya Ransomware Returns with GoldenEye Version, Continuing James Bond ThemeThe author of the Petya-Mischa ransomware combo has returned with a new version that uses the name GoldenEye Ransomware, continuing the malware's James Bond theme. Malwarebytes' researcher hasherezade has also posted some analysis.
Prosinec 16New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption KeyYesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.
Prosinec 16New HACKED Jigsaw Ransomware Variant DiscoveredSecurity researcher Michael Gillespie discovered a new Jigsaw Ransomware variant called HACKED. You can use Michael's Jigsaw Decryptor to get decrypt your files for free.
Prosinec 16New SamSam Ransomware variant DiscoveredSecurity researcher Michael Gillespie discovered a new variant of the SamSam Ransomware. This variant uses the .VforVendetta extension for encrypted files and a ransom note called 000-PLEASE-READ-WE-HELP.html.
Prosinec 16Modified EDA2/Hidden-Tear Ransomware For SaleSecurity researcher Jiri Kropac discovered a modified version of the EDA2/HiddenTear Ransomware for sale on underground criminal sites.
Prosinec 16"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker FamiliesA new open-source ransomware project called CryptoWire was uploaded on GitHub as a "proof of concept," has now spawned three new ransomware families that are infecting users in real-life.
Prosinec 16New CryptoWire-based UltraLocker DiscoveredGData malware analyst Karsten Hahn discovered a new variant of the open-source AutoIT ransomware CryptoWire ransomware was discovered called UltraLocker.
Prosinec 16CyberSplitter Ransomware 2.0 ReleasedGData malware analyst Karsten Hahn discovered version 2.0 of the CyberSplitter ransomware. This ransomware is based off of the Hidden-Tear open source ransomware.
Prosinec 16New Locked-In Ransomware DiscoveredGData malware analyst Karsten Hahn is on fire with the discovery of the new Locked-In ransomware. This ransomware will encrypt your files and create ransom notes called RESTORE_CORUPTED_FILES.HTML. Personally I think the devs screwed up when they made this ransomware as it prob should have been called Locked-Out.