The Week in Ransomware – April 3rd 2020
Over the past two week, we have seen an increase in warnings from law enforcement agencies stating that healthcare organizations need to be on high alert for attacks by ransomware operators and other attackers who are looking to capitalize on the Coronavirus pandemic.
In addition, we continue to see new variants released from the common ransomware families such as STOP, Dharma, and others.
Finally, the Wall Street Journal broke the news this week that Travelex paid a $2.3 million ransom to REvil to get their company back up and running.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @Seifreed, @malwareforme, @struppigel, @LawrenceAbrams, @FourOctets, @BleepinComputer, @demonslay335, @fwosar, @malwrhunterteam, @serghei, @DanielGallagher, @Ionut_Ilascu, @VK_Intel, @jorntvdw, @fbgwls245, @emsisoft, @JAMESWT_MHT, @Intel471Inc, @thyrex2002, @GrujaRS, @siri_urz, @quickheal, @FaLconIntel, @Amigo_A_, @ceostroff, and @INTERPOL_HQ.
March 28th 2020
New Mado STOP Ransomware variant
Michael Gillespie found a new variant of the STOP Ransomware that appends the .mado extension to encrypted files.
March 30th 2020
New Jigsaw Ransomware
JAMESWT found a new Jigsaw Ransomware variant targeted Italian users and appending the .math extension to encrypted files.
March 31st 2020
ILELECTION2020 Ransomware discovered
MalwareHunterTeam found a new Stupid Ransomware variant called ILELECTION2020 that targets Israelis and appends the .likud extension to encrypted files.
New BB Ransomware
dnwls0719 found the BB Ransomware that appends the .encryptedbyBB extension to encrypted files.
Aurora Ransomware decrypted updated
Emsisoft updated their Aurora decryptor to support the .CoronaLock extension.
Nephilim Ransomware fixes spelling mistake
dnwls0719 spotted the Nephilim ransomware, which was previously using a different and uncommon spelling of Nefilim in the past. This variant uses the .NEPHILIM extension and drops a ransom note named NEPHILIM-DECRYPT.txt.
REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation
REvil aka Sodinokibi, Sodin is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil first were observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.
April 1st 2020
Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks
Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network.
New WannaCash variant utilizes a COVID-19 theme
Alex Svirid found a new variant of the WannaCash Ransomware that appends the COVID-19 themed extension of .WANNACASH NCOV v310320.
New Rogue Ransomware
GrujaRS found the new HiddenTear ransomware named Rogue Ransomware that appends the .rogue extension and impersonates
April 2nd 2020
New Boruta Ouroboros Ransomware variant
Michael Gillespie found a new Boruta Ouroboros Ransomware variant that appends the .Boruta extension.
April 3rd 2020
New MrDec Ransomware
S!Ri found the MrDec Ransomware that appends the .[ID]_RSA extension.
New MSPLT Dharma Ransomware variant
dnwls0719 found a new Dharma Ransomware variant that appends the .MSPLT extension to encrypted files.
April 4th 2020
New Jope STOP Ransomware variant
Michael Gillespie found new STOP Ransomware variant that appends the .jope extension to encrypted files.
April 6th 2020
Interpol: Ransomware attacks on hospitals are increasing
The INTERPOL (International Criminal Police Organisation) warns that cybercriminals are increasingly attempting to lockout hospitals out of critical systems by attempting to deploy ransomware on their networks despite the currently ongoing COVID-19 outbreak.
New BlackOrchid Ransomware variant
GrujaRS found anew BlackOrchid Ransomware variant that appends the .shinya extension to encrypted files.
April 7th 2020
New Revon Phobos variant
dnwls0719 found a new Phobos Ransomware variant that appends the .revon extension and drops ransom notes named info.txt and info.hta.
April 8th 2020
New Corona Virus IQ Ransomware
MalwareHunterTeam found a new "Corona Virus IQ" Ransomware from Iraqthat appends the .corona extension to encrypted files.
New Joke (?) Ransomware decrypts if you win a game
S!Ri found a new ransomware that states it will decrypt your files if you win a game.
New Gibberish variant spread through RIG-EK
FaLcon Intelligence found that a new variant of the Gibberish Ransomware is being spread through the RIG exploit kit.
April 9th 2020
Dharma Ransomware Variant Malspam Targeting COVID-19
One such spear-phishing campaign is being used by the Dharma ransomware variant (Crysis). First noted in 2016, Dharma ransomware has been around for almost five years now and keeps popping out with a new variant, periodically. The threat actors want to leverage every scenario to escape detection and deliver the payload.
New Jope Mpaj Ransomware variant
Michael Gillespie found new STOP Ransomware variant that appends the .mpaj extension to encrypted files.
Travelex Reportedly Paid $2.3 Million Ransom to Restore Operations
Travelex reportedly paid a $2.3 million ransom payment to get their systems back online after being encrypted by a Sodinokibi ransomware attack.
April 10th 2020
New BearCrypt Ransomware
GrujaRS found a new ransomware called BearCrypt that only targets .jpg and .png files. When encrypted it appends the .crypt extension and drops a ransom note named Readme.txt. Appears to be in-dev.
NewAurora Ransomware variant
GrujaRS found a new Aurora Ransomware variant that appends the .bukyak extension.
Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay
Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online.
Gloss