Published on March 27th, 2020

The Week in Ransomware – March 27th 2020



This two-week edition covers a lot of new ransomware variants, including attackers using Coronavirus themes for their phishing scams and ransomware variants.

With the Coronavirus outbreak having a worldwide effect on people, businesses, and governments, some ransomware operators have stated that they will not encrypt health care organizations.

It remains to be seen whether these actors will keep their promises as there are indications some may be going back on their word.

Other actors, though, see this as an opportunity to increase their chances of generating large ransom payments from healthcare, knowing that these organizations are already stressed to the breaking point.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @BleepinComputer, @malwareforme, @jorntvdw, @FourOctets, @PolarToffee, @demonslay335, @malwrhunterteam, @DanielGallagher, @struppigel, @fwosar, @Ionut_Ilascu, @LawrenceAbrams, @Seifreed, @VK_Intel, @emsisoft, @coveware, @FireEye, @AuCyble, @AltShiftPrtScn, @bad_packets, @Viss, @GroupIB_GIB, @campuscodi, @f0wlsec, @siri_urz, @DomainTools, @LukasStefanko, @Amigo_A_, @JakubKroustek, @Jirehlov, and @fbgwls245.

March 14th 2020

New IPM Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .IPM extension to encrypted files.

March 15th 2020

New REMK STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Ransomware that appends the .remk extension.

JungleSec starts threatening to leak stolen data

Michael Gillespie found a JungleSec ransom note where they have begun to threaten to release stolen data.


March 16th 2020

CovidLock Update: Deeper Analysis of Coronavirus Android Ransomware

The DomainTools Security Research Team, in the course of monitoring newly registered Coronavirus and COVID labeled domain names, discovered a website luring users into downloading an Android application under the guise of a COVID-19 heat map. Analysis on the application showed that the APK contained ransomware. SSL certificates of the malicious domain (coronavirusapp[.]site) link the site to another domain (dating4sex[.]us) which is also serving the malicious application. The linked site has registration information pointing to an individual in Morocco.

New Clinux (GoldenEye mod) Ransomware

S!Ri found a new ransomware called Clinix that appears to be a modified version of GoldenEye.


March 17th 2020

New Nefilim Ransomware Threatens to Release Victims' Data

A new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and threatens to release stolen data.

March 18th 2020

Emsisoft, Coveware Offer Free Ransomware Help During Coronavirus Outbreak

Emsisoft and Coveware have announced that they will be offering their ransomware decryption and negotiation services for free to healthcare providers during the Coronavirus outbreak.

Ransomware Gangs to Stop Attacking Health Orgs During Pandemic

Some Ransomware operators have stated that they will no longer target health and medical organizations during the Coronavirus (COVID-19) pandemic.

Most Ransomware Gets Executed Three Days After Initial Breach

Ransomware gets deployed three days after an organization's network gets infiltrated in the vast majority of attacks, with post-compromise deployment taking as long as 299 days in some of the dozens of attacks researchers at cybersecurity firm FireEye examined between 2017 and 2019.

Why would you even bother?! - JavaLocker

Today we'll take a look at a Windows ransomware built with Java. As you might have guessed, this will get ugly and is therefore not for the faint of heart.

March 19th 2020

Sodinokibi Ransomware Data Leaks Now Sold on Hacker Forums

Ransomware victims who do not pay a ransom and have their stolen files leaked are now facing a bigger nightmare as other hackers and criminals sell and distribute the released files on hacker forums.

France warns of new ransomware gang targeting local governments

France's cyber-security agency issued an alert this week warning about a new ransomware gang that's been recently seen targeting the networks of local government authorities.

New Velar Gibberish Ransomware variant

S!Ri found a new variant of the Gibberish Ransomware called Velar.


New LX Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .LX extension to encrypted files.

March 20th 2020

PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware

PwndLocker has rebranded as the ProLock Ransomware after fixing a crypto bug that allowed a free decryptor to be created.


UK Fintech Firm Finastra Hit By Ransomware, Shuts Down Servers

Finastra, a leading financial technology provider from the UK, announced that it had to take several servers offline following a ransomware attack detected earlier today.

New NPSK STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Ransomware that appends the .npsk extension.

March 21st 2020

Netwalker Ransomware Infecting Users via Coronavirus Phishing

As if people did not have enough to worry about, attackers are now targeting them with Coronavirus (COVID-19) phishing emails that install ransomware.

New VHD Ransomware

Jirehlov Solace found a new ransomware that appends the .vhd extension to encrypted files and drops a ransom note named HowToDecrypt.txt.

March 22nd 2020

New C-VIR Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .C-VIR extension to encrypted files.

New Waldo Ransomware

dnwls0719 found a new ransomware calling itself 'Waldo Ransomware' that does not utilize an extension for encrypted files.


March 23rd 2020

New Ransomware hunt

Michael Gillespie found two new variants of the same unknown ransomware that use the extensions .yakuza or .teslarvng and drop a ransom note named How To Recover.txt.

New Makop ransomware variant

Michael Gillespie found a new variant of the Makop Ransomware that appends the .shootlock extension to encrypted files.

March 24th 2020

Three More Ransomware Families Create Sites to Leak Stolen Data

Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, which further illustrates why all ransomware attacks must be considered data breaches.

New n2019cov Ransomware

MalwareHunterTeam has seen a new n2019cov Ransomware that appends the .P4WN3D extension and drops a ransom note. It checks if ThreeLetterISOLanguageName is "spa" before writing the note, but it will be hidden... The names used...

March 25th 2020

Cyberattack: the EssilorLuxottica group struck by ransomware

Since Saturday March 21, the optical specialist Essilor has suffered a major computer attack. The attackers demand a ransom to unblock the situation.

New OPQZ STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Ransomware that appends the .opqz extension.

March 26th 2020

Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack

Cyber insurer giant Chubb is allegedly the latest ransomware victim according to the operators of the Maze Ransomware who claim to have encrypted the company in March 2020.

Ryuk Ransomware Keeps Targeting Hospitals During the Pandemic

The Ryuk Ransomware operators continue to target hospitals even as these organizations are overwhelmed during the Coronavirus pandemic.

New Rubly Trojan MBR Locker

Karsten Hahn found a new MBR Locker called 'Rubly Trojan' that utilizes the same code as Coronavirus ransomware to lock the MBR and shows an Annabelle picture in the locker.


March 27th 2020

Russian-Speaking Hackers Attack Pharma, Manufacturing Companies in Europe

Malware belonging to Russian-speaking threat actors was used in attacks in late January against at least two European companies in the pharmaceutical and manufacturing industries.

New 2020 Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .2020 extension to encrypted files.

Ransomware using COVID-19 lures

MalwareHunterTeam found a ransomware being spread as 'Covid-19 cure update.exe'. It asks the victim to contact the attackers via WhatsApp.

That's it for this week! Hope everyone has a nice weekend!
