While the distribution of ransomware has definitely decreased, it is still very much a threat as seen by the Alaskan borough of Matanuska-Susitna and the shipping company Cosco getting hit by ransomware this week. Both attacks shut down their operations and caused normal workflow to be halted.
The good news, though, is that decryptors continue to be created for some ransomware families, which will allow victims to get their files back for free.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @PolarToffee, @FourOctets, @jorntvdw, @malwareforme, @struppigel, @campuscodi, @DanielGallagher, @malwrhunterteam, @fwosar, @demonslay335, @LawrenceAbrams, @BleepinComputer, @hexwaxwing, @Amigo_A_, @Bitdefender, @benkow_, @leotpsc, @GrujaRS, @r0ny_123, @Unit42_Intel, @PaloAltoNtwks, and @siri_urz.
July 21st 2018
If your files have been encrypted by the njRat .Lime extension, you can contact Michael Gillespie for free decryption.
Marcelo Rivero noticed that GandCrab was upgraded to an internal version number of 4.2 and contains two messages that link images, mixed in the code of strings, with messages for @hasherezade and AhnLab.
July 23rd 2018
Leo found a new ransomware called Armage that destroys windows explorer shortcuts and adds the .armage extension to encrypted files.
Michael Gillespie found a new variant of the Dharma ransomware that appends the .id-..combo extension.
Michael Gillespie spotted another Yyto Ransomware variant that uses the extension .firstname.lastname@example.org.
Michael Gillespie found a new Jigsaw Ransomware variant that appends the .black007 extension to encrypted files.
Benkøw discovered a fake GandCrab builder.
July 24th 2018
Romanian antivirus firm Bitdefender yesterday released a decryption tool that can recover files encrypted by an older version of the LockCrypt ransomware, the one that locks files with the .1btc extension.
Amigo-A found a new variant of the Scarab Bin Ransomware that uses the extension .bin2 for encrypted files, drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT, and uses the emails email@example.com and firstname.lastname@example.org.
If anyone is infected with Animus, Aurora, or Desu Ransomware (extensions “.animus”, “.Aurora”, or “.desu”), you can contact Michael Gillespie for help.
July 25th 2018
A ransomware infection has crippled the US network of one of the world’s largest shipping giants, COSCO (China Ocean Shipping Company).
The Alaskan borough of Matanuska-Susitna was hit with an unnamed ransomware, which forced staff to switch to typewriters while their computers were being cleaned.
Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that uses the .like extension and drops a ransom note named infoinfo.txt.
Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that renames files to “.FileEncrypted”, where the file name is the base64 encoding of the original file name, and drops ransom notes named “READ_TO_DECRYPT.html” and “FILES_ENCRYPTED.html”.
Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that uses the .cryptes extension and drops a ransom note named HOW TO DECRYPT ALL MY FILES.txt.
GrujaRS found the in-development DDE Ransomware that appends the .encrypted extension to files in the Downloads folder.
July 26th 2018
A Dutch court sentenced the two brothers behind the CoinVault ransomware to 240 hours of community service. Judges also ordered the two to pay restitution to their victims for the ransom payments they collected.
Rony found a new Xiaoba 2.0 Ransomware variant that uses a ransom note named HELP_SOS.hta and the .[email@example.com]Encrypted_(random id).XIAOBA extension.
July 27th 2018
Palo Alto Networks Unit 42 describes how they cracked the LockCrypt ransomware:
In this blog post we will describe our analysis of the home-made encryption that the malware used, how we broke it, and how the encryption key can be recovered in case you have at least 25KB of known plaintext. This scenario is very realistic, since LockCrypt encrypts all of the files it can find, including application files like DLLs which can be easily recovered by installing the same software version on a different computer. Scripts and instructions for recovering files are included in the final section of the report.
S!Ri discovered the Xlockr ransomware.
Michael Gillespie found a new Scarab Ransomware variant renaming files and adding .BARRACUDA extension and dropping a ransom note named BARRACUDA RECOVERY INFORMATION.TXT.
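The extensions and ransom-note names reported throughout the week are the kind of indicators an incident responder turns into a quick triage check over a file listing. The script below is an added example, not code from BleepingComputer or from any of the researchers named above: it matches file names against the patterns described in this week's entries (the Dharma and Xiaoba name layouts and the base64-encoded ".FileEncrypted" names are taken as described in the text; the family labels and the sample listing are constructed for the example) and, for the ".FileEncrypted" case, recovers the original file name by base64-decoding the stem.

```python
import base64
import re

# Ransom-note file names reported this week, mapped to a family label.
# Labels are constructed for this example; lookups are case-insensitive
# because Windows file names are.
RANSOM_NOTES = {
    "how to recover encrypted files.txt": "Scarab (.bin2)",
    "infoinfo.txt": "unnamed (.like)",
    "read_to_decrypt.html": "unnamed (.FileEncrypted)",
    "files_encrypted.html": "unnamed (.FileEncrypted)",
    "how to decrypt all my files.txt": "unnamed (.cryptes)",
    "help_sos.hta": "Xiaoba 2.0",
    "barracuda recovery information.txt": "Scarab (.BARRACUDA)",
}

# Extension patterns reported this week. Dharma appends ".id-<id>.<email>.combo";
# Xiaoba appends ".[<email>]Encrypted_<id>.XIAOBA". The email/id parts are
# treated as free-form text, as the article does not fix their exact shape.
EXTENSION_PATTERNS = [
    (re.compile(r"\.armage$", re.I), "Armage"),
    (re.compile(r"\.id-[^.]+\..+\.combo$", re.I), "Dharma (.combo)"),
    (re.compile(r"\.black007$", re.I), "Jigsaw (.black007)"),
    (re.compile(r"\.bin2$", re.I), "Scarab (.bin2)"),
    (re.compile(r"\.like$", re.I), "unnamed (.like)"),
    (re.compile(r"\.FileEncrypted$", re.I), "unnamed (.FileEncrypted)"),
    (re.compile(r"\.cryptes$", re.I), "unnamed (.cryptes)"),
    (re.compile(r"\.\[[^\]]+\]Encrypted_[^.]+\.XIAOBA$", re.I), "Xiaoba 2.0"),
    (re.compile(r"\.BARRACUDA$", re.I), "Scarab (.BARRACUDA)"),
    (re.compile(r"\.1btc$", re.I), "LockCrypt (.1btc, Bitdefender decryptor available)"),
]


def classify(name):
    """Return the family label for a file name, or None if nothing matches."""
    family = RANSOM_NOTES.get(name.lower())
    if family:
        return family
    for pattern, label in EXTENSION_PATTERNS:
        if pattern.search(name):
            return label
    return None


def recover_fileencrypted_name(name):
    """Decode the base64 stem of a '<base64>.FileEncrypted' name.

    Returns the original file name, or None if the name does not carry the
    extension or the stem is not valid base64 / UTF-8.
    """
    suffix = ".FileEncrypted"
    if not name.endswith(suffix):
        return None
    stem = name[: -len(suffix)]
    stem += "=" * (-len(stem) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(stem, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(paths):
    """Group matching paths by family: {family_label: [path, ...]}."""
    hits = {}
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        family = classify(name)
        if family:
            hits.setdefault(family, []).append(path)
    return hits


# Constructed sample listing; the email addresses and ids are placeholders.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.armage",
    r"C:\Users\alice\Documents\report.docx.id-A1B2C3D4.[contact@example.invalid].combo",
    r"C:\Users\alice\Pictures\aG9saWRheS5qcGc=.FileEncrypted",  # base64("holiday.jpg")
    r"C:\Users\alice\Pictures\READ_TO_DECRYPT.html",
    r"C:\Users\alice\Downloads\setup.exe.[mail@example.invalid]Encrypted_8f3a1c.XIAOBA",
    r"C:\Users\alice\Downloads\HELP_SOS.hta",
    r"C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for family, paths in triage(SAMPLE_LISTING).items():
        print(family)
        for p in paths:
            original = recover_fileencrypted_name(p.rsplit("\\", 1)[-1])
            print("   ", p, f"(original name: {original})" if original else "")
```

The ransom-note match is deliberately exact rather than a substring search, since note names like "infoinfo.txt" would otherwise collide with ordinary files; the extension patterns are anchored at the end of the name for the same reason. A miss from this script proves nothing, as it only knows the indicators reported this week.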