The Week in Ransomware – April 20th 2018

This week was mostly small variants released, but we did have some interesting news. First we had a Microsoft engineer facing federal charges for involvement in the Reveton Ransomware, we then had a decryptor released for Vortex, the Magnitude exploit kit is now pushing GandCrab, and a ransomware is trying to make money off of Syrian Refugees.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @BleepinComputer, @Seifreed, @campuscodi, @fwosar, @malwrhunterteam, @LawrenceAbrams, @struppigel, @jorntvdw, @DanielGallagher, @hexwaxwing, @malwareforme, @PolarToffee, @FourOctets, @BBCNews, @bartblaze, @MarceloRivero, @Damian1338, @JakubKroustek, @jeromesegura, @Malwarebytes, @CERT_Polska, @GrujaRS@TrendMicro.

April 14th 2018

Microsoft Engineer Charged in Reveton Ransomware Case

A Microsoft network engineer is facing federal charges in Florida for allegedly helping launder money obtained from victims of the Reveton ransomware.

Maktub ransomware: possibly rebranded as Iron

Bart updated his article on Iron Ransomware:

In this post, we’ll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

Tron ransomware discovered

MalwareHunterTeam discovered a new ransomware called Tron that appends the extension .tron to encrypted files.

April 15th 2018

This is Spartacus: new ransomware on the block

Bart blogged about a new ransomware called Spartacus that appends the .[[email protected]].Spartacus extension.

New variant of the NM4 ransomware

GrujaRS discovered a new variant of the NM4 ransomware that appends the .NMCRYPT! extension to encrypted files.

April 16th 2018

GandCrab sends another shoutout to security researchers

Marcelo Rivero, who has been tracking GandCrab, found a new variant of the GandCrab ransomware that sends a little alert that states “Hello, Marcelo :)”. released a Vortex Ransomware decryptor

CERT Polska released a decryptor for the Vortex Ransomware/Polski Ransomware through Nomoreransom.

April 17th 2018

XiaoBa Ransomware Retooled as Coinminer But Manages to Ruin Your Files Anyway

The authors of the XiaoBa ransomware have retooled their malware’s code into a cryptocurrency miner (coinminer). Unfortunately, despite not encrypting files anymore, the XiaoBa coinminer still destroys users’ data thanks to a series of bugs that primarily corrupt a user’s executable files.

NHS ransomware attack response criticised

According to the BBC:

The government and NHS bodies have been criticised by MPs for failing to implement measures to improve cyber-security nearly a year after a major ransomware attack on the service.

Magnitude exploit kit switches to GandCrab ransomware

In an article in Malwarebytes blog, Jérôme Segura details how on April 16, they discovered that Magnitude EK, which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.

GlobeImposter continues to include pluses in their extensions

Michael Gillespie noted that the GlobeImposter distributors continue to add the “+” symbol to their extensions.

New Jigsaw variant called Apophis

Karsten Hahn found a new Jigsaw Ransomware variant called Apophis.

April 18th 2018

Minecraft & CS:GO Ransomware Strive For Media Attention

When ransomware developers achieve huge media buzz like we saw with the PUBG Ransomware, it is not surprising to see other developers creating copycats. This is the case with two new in-development ransomware programs discovered by MalwareHunterTeam for both Minecraft and Counter-Strike: Global Offensive (CS: GO).

Meine_ransomware_PGP_DANGEROUS Ransomware

Jakub Kroustek discovered a new ransomware called “Meine_ransomware_PGP_DANGEROUS” that may be a Test/PoC written in Python. It appends the .enc extension to encrypted files and drops a note named ENCRYPTION_DETAILS.txt.

Satyr Ransomware discovered

Michael Gillespie discovered the Satyr Ransomware, which appends the .Satyr extension to encrypted files. 

April 19th 2018

RansSIRIA Ransomware Takes Advantage of the Syrian Refugee Crisis

A new ransomware called RansSIRIA has been discovered by MalwareHunterTeam that encrypts your files and then states it will donate your ransom payments to Syrian refugees. This ransomware is a variant of the WannaPeace ransomware and is targeting Brazilian victims.

GandCrab’s payment site starts accepting promo codes?

Damian started accepting promotion codes on their payment site. No idea what those are for. According to Marcelo Rivero, this was added a week or so ago.


April 20th 2018

Krakatowis Ransomware discovered

Karsten Hahn discovered a new ransomware/screenlocker called Krakatowis.

That’s it for this week! Hope everyone has a nice weekend!


Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top