This was a pretty quiet week with mostly small variants, one new active release, and a large organization getting hit.
The first big story this week is the PGA of America’s computers getting hit with what appears to be the BitPaymer ransomware. This ransomware gains access to networks by brute forcing the passwords of computers that run Remote Desktop Services and are exposed to the Internet.
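As an added example (not code from the original post), the defender's counterpart to that intrusion path is spotting RDP password brute forcing in the Windows Security log: repeated Event ID 4625 failures with LogonType 10 (RemoteInteractive) from one source address. The event records and IP addresses below are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security Event ID 4625
# (An account failed to log on). LogonType 10 = RemoteInteractive, the type
# an RDP logon produces; the IPs are documentation-range addresses, not real.
SAMPLE_EVENTS = [
    {"time": "2018-08-07T02:00:00", "event_id": 4625, "logon_type": 10,
     "ip": "203.0.113.5", "user": "administrator"},
    {"time": "2018-08-07T02:00:20", "event_id": 4625, "logon_type": 10,
     "ip": "203.0.113.5", "user": "administrator"},
    {"time": "2018-08-07T02:00:45", "event_id": 4625, "logon_type": 10,
     "ip": "203.0.113.5", "user": "admin"},
    {"time": "2018-08-07T02:01:10", "event_id": 4625, "logon_type": 10,
     "ip": "203.0.113.5", "user": "admin"},
    {"time": "2018-08-07T02:01:40", "event_id": 4625, "logon_type": 10,
     "ip": "203.0.113.5", "user": "backup"},
    {"time": "2018-08-07T02:02:05", "event_id": 4625, "logon_type": 10,
     "ip": "203.0.113.5", "user": "backup"},
    # A user mistyping a password twice in an hour should not trigger.
    {"time": "2018-08-07T09:00:00", "event_id": 4625, "logon_type": 10,
     "ip": "198.51.100.7", "user": "jsmith"},
    {"time": "2018-08-07T09:58:00", "event_id": 4625, "logon_type": 10,
     "ip": "198.51.100.7", "user": "jsmith"},
    # A failed console logon (LogonType 2) is not RDP and is ignored here.
    {"time": "2018-08-07T09:59:00", "event_id": 4625, "logon_type": 2,
     "ip": "-", "user": "jsmith"},
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (max_failures_in_window, sorted distinct users)}
    for every source that produced `threshold` or more failed RDP logons
    within any sliding time window of length `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (peak, sorted({u for _, u in attempts}))
    return hits

if __name__ == "__main__":
    for ip, (n, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed RDP logons in 10 min, users tried: {users}")
```

Real deployments would feed this from the exported Security log (or a SIEM query on the same fields) and pair an alert with blocking the source and keeping RDP behind a VPN or gateway rather than directly reachable.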
The other big news is the release of the KeyPass Ransomware, which has seen a large distribution campaign starting on the 8th.
Contributors and those who provided new ransomware information and stories this week include: @hexwaxwing, @DanielGallagher, @FourOctets, @BleepinComputer, @fwosar, @Amigo_A_, @jorntvdw, @LawrenceAbrams, @malwareforme, @demonslay335, @campuscodi, @PolarToffee, @malwrhunterteam, @struppigel, @Seifreed, @Damian1338B, @siri_urz, and @zsawei.
August 6th 2018
New RetwyWare Ransomware
S!Ri discovered a new ransomware named RetwyWare that appends the .killrabbit extension to encrypted files.
Jawe found a modified version of GandCrab v4.3 that has its version set to 4.4. According to Jawe, all it does is set the Global885BDEB9D36E550F587C.lock mutex and then sleep. While we are not 100% sure it was released by the GandCrab group, knowing their sense of humor it wouldn’t surprise us.
August 7th 2018
Michael Gillespie found a Jigsaw Ransomware variant that appends the .dat extension to encrypted files and uses the following background.
Damian1338 saw Rapid Ransomware RaaS being sold on underground Russian forums.
August 8th 2018
According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screen.
MalwareHunterTeam found a new ransomware named RansomWarrior 1.0 that renames encrypted files to the format "Encrypted%# of file%.THBEC".
August 9th 2018
Michael Gillespie found a new variant of the Dharma Ransomware that appends the .id-..cmb extension to encrypted files.
MalwareHunterTeam found a new ransomware called ZOLDON Crypter V3.0.
August 10th 2018
Judging by the number of victims that have been seen, a new distribution campaign is underway for a STOP Ransomware variant called KeyPass. Unfortunately, how the ransomware is being distributed is unknown at this time.
MalwareHunterTeam found a new in-development Hidden Tear variant called PooleZoor ransomware that appends the .poolezoor extension to encrypted files.