While the distribution of ransomware has definitely decreased, it is still very much a threat as seen by the Alaskan borough of Matanuska-Susitna and the shipping company Cosco getting hit by ransomware this week. Both attacks shut down their operations and caused normal workflow to be halted.

The good news, though, is that decryptors continue to be created for some ransomware families, which will allow victims to get their files back for free.

Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @PolarToffee, @FourOctets, @jorntvdw, @malwareforme, @struppigel, @campuscodi, @DanielGallagher, @malwrhunterteam, @fwosar, @demonslay335, @LawrenceAbrams, @BleepinComputer, @hexwaxwing, @Amigo_A_, @Bitdefender, @benkow_, @leotpsc, @GrujaRS, @r0ny_123, @Unit42_Intel, @PaloAltoNtwks, and @siri_urz.

July 21st 2018

njRat victims can get free decryption

If your files have been encrypted by njRat and carry the .Lime extension, you can contact Michael Gillespie for free decryption.

GandCrab 4.2 released with messages for security researchers

Marcelo Rivero noticed that GandCrab was upgraded to an internal version number of 4.2 and contains two messages, mixed in among the code's strings, that link to images with messages for @hasherezade and AhnLab.

July 23rd 2018

Armage Ransomware discovered

Leo found a new ransomware called Armage that destroys Windows Explorer shortcuts and adds the .armage extension to encrypted files.

New Combo Dharma variant

Michael Gillespie found a new variant of the Dharma ransomware that appends the .id-.[].combo extension.

New Yyto Ransomware variant

Michael Gillespie spotted another Yyto Ransomware variant that uses the extension .adapaterson@mail.com.mkmk.

New Jigsaw Ransomware variant

Michael Gillespie found a new Jigsaw Ransomware variant that appends the .black007 extension to encrypted files.

Fake GandCrab builder

Benkøw discovered a fake GandCrab builder.

July 24th 2018

Bitdefender Releases Decryption Tool for Older Version of LockCrypt Ransomware

Romanian antivirus firm Bitdefender yesterday released a decryption tool that can recover files encrypted by an older version of the LockCrypt ransomware, the one that locks files with the .1btc extension.

New Scarab Ransomware Bin variant

Amigo-A found a new variant of the Scarab Bin Ransomware that uses the extension .bin2 for encrypted files, drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT, and uses the emails mrbin775@gmx.de and mrbin775@protonmail.com.

Animus, Aurora, and Desu can be decrypted

If anyone is infected with the Animus, Aurora, or Desu Ransomware (extensions “.animus”, “.Aurora”, or “.desu”), you can contact Michael Gillespie for help.

July 25th 2018

Ransomware Infection Cripples Shipping Giant COSCO’s American Network

A ransomware infection has crippled the US network of one of the world’s largest shipping companies, COSCO (China Ocean Shipping Company).

Matanuska-Susitna Borough in Alaska hit with ransomware

The Alaskan borough of Matanuska-Susitna was hit with an unnamed ransomware, which forced staff to start using typewriters while their computers were being cleaned.

New Ukrain version of Scarab Ransomware

Amigo-A found a new variant of the Scarab Ransomware that uses the extension .ukrain and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

New Like Ransomware

Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that uses the .like extension and drops a ransom note named infoinfo.txt.

New Ransomware spotted

Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that renames files to “.FileEncrypted”, with the base64-encoded original filename as the new name, and drops ransom notes named READ_TO_DECRYPT.html and FILES_ENCRYPTED.html.

New Cryptes Ransomware

Michael Gillespie noticed a new ransomware uploaded to ID Ransomware that uses the .cryptes extension and drops a ransom note named HOW TO DECRYPT ALL MY FILES.txt.

New DDE Ransomware

GrujaRS found the in-development DDE Ransomware that appends the .encrypted extension to files in the Downloads folder.

July 26th 2018

CoinVault ransomware authors sentenced

A Dutch court sentenced the two brothers behind the CoinVault ransomware to 240 hours of community service. Judges also ordered the two to pay restitution to their victims for the ransom payments they collected.

New Xiaoba Ransomware variant

Rony found a new Xiaoba 2.0 Ransomware variant that uses a ransom note named HELP_SOS.hta and the .[xiaoba_666@163.com]Encrypted_(random id).XIAOBA extension.

New Scarab Ransomware variant

Amigo-A found a new variant of the Scarab Ransomware that uses the .amnesia extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

New Scarab Ransomware variant

Amigo-A found a new variant of the Scarab Ransomware that uses the .bomber extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

July 27th 2018

Decrypting the LockCrypt Ransomware

Palo Alto Networks Unit 42 describes how they cracked the LockCrypt ransomware:

In this blog post we will describe our analysis of the home-made encryption that the malware used, how we broke it, and how the encryption key can be recovered in case you have at least 25KB of known plaintext. This scenario is very realistic, since LockCrypt encrypts all of the files it can find, including application files like DLLs which can be easily recovered by installing the same software version on a different computer. Scripts and instructions for recovering files are included in the final section of the report.

Xlockr Ransomware discovered

S!Ri discovered the Xlockr ransomware.

New Scarab Ransomware variant

Michael Gillespie found a new Scarab Ransomware variant that renames files, appends the .BARRACUDA extension, and drops a ransom note named BARRACUDA RECOVERY INFORMATION.TXT.

That’s it for this week! Hope everyone has a nice weekend!

via The Week in Ransomware – July 27th 2018 – Ransomware Still a Threat