The Week in Ransomware – August 10th 2018

This was a pretty quiet week with mostly small variants, one new active release, and a large organization getting hit.

The first big story this week is the PGA of America’s computers getting hit with what appears to be the BitPaymer ransomware. This ransomware gains access to networks by brute-forcing the passwords of Internet-exposed computers running Remote Desktop Services.
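The RDP brute-forcing entry point mentioned above is something defenders can watch for in their own logon logs. The following is an added example, not code from this article: it scans a constructed, simplified rendering of Windows Security logon events for a burst of failed RDP logons (event 4625, logon type 10) from one source inside a sliding window, and records whether a successful logon (4624) from the same source followed. The line format, IP addresses and usernames are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified single-line rendering of Windows Security
# events (not a real export format). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-08-07T02:14:01 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.5
2018-08-07T02:14:03 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.5
2018-08-07T02:14:05 EventID=4625 LogonType=10 User=Administrator SrcIP=203.0.113.5
2018-08-07T02:14:08 EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.5
2018-08-07T02:14:09 EventID=4625 LogonType=10 User=sqlsvc SrcIP=203.0.113.5
2018-08-07T02:14:12 EventID=4624 LogonType=10 User=backup SrcIP=203.0.113.5
2018-08-07T09:00:00 EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7
2018-08-07T09:00:40 EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7
2018-08-07T09:01:10 EventID=4624 LogonType=10 User=jsmith SrcIP=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$")

def parse(log_text):
    # Yield (timestamp, event_id, logon_type, user, src_ip) for each parsable line.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["user"], m["ip"])

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.
    A later successful RDP logon from a flagged IP is the likely break-in."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried (password-spraying indicator)
    alerts = {}
    for ts, eid, lt, user, ip in parse(log_text):
        if lt != 10:              # ignore console/network logons; only RDP matters here
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            users[ip].add(user.lower())
            while ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts[ip] = {"failures": len(q), "distinct_users": len(users[ip]),
                              "followed_by_success": False}
        elif eid == 4624 and ip in alerts:
            alerts[ip]["followed_by_success"] = True
    return alerts
```

In production the same logic runs over Security event exports or a SIEM feed; the point is that a flagged source whose failures end in a 4624 deserves the first response.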

The other big news is the release of the KeyPass Ransomware, which has seen a large distribution campaign starting on the 8th.

Contributors and those who provided new ransomware information and stories this week include: @hexwaxwing, @DanielGallagher, @FourOctets, @BleepinComputer, @fwosar, @Amigo_A_, @jorntvdw, @LawrenceAbrams, @malwareforme, @demonslay335, @campuscodi, @PolarToffee, @malwrhunterteam, @struppigel, @Seifreed, @Damian1338B, @siri_urz, and @zsawei.

August 6th 2018

New RetwyWare Ransomware

S!Ri discovered a new ransomware named RetwyWare that appends the .killrabbit extension to encrypted files.

Strange GandCrab Vaccine program discovered

Jawe found a modified version of GandCrab v4.3 that has its version set to 4.4. According to Jawe, all it does is set the Global885BDEB9D36E550F587C.lock mutex and then sleep. While we are not 100% sure it was released by the GandCrab group, knowing their sense of humor it wouldn’t surprise us.

August 7th 2018

New Dat Jigsaw Ransomware variant

Michael Gillespie found a Jigsaw Ransomware variant that appends the .dat extension to encrypted files and uses the following background.

Rapid Ransomware sold on underground forums

Damian1338 saw Rapid Ransomware RaaS being sold on underground Russian forums.

August 8th 2018

The PGA Possibly Infected With the BitPaymer Ransomware

According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screen.

RansomWarrior Ransomware discovered

MalwareHunterTeam found a new ransomware named RansomWarrior 1.0 that renames encrypted files to the format “Encrypted%# of file%.THBEC”.


August 9th 2018

New CMB Dharma Variant

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .id-.[].cmb extension to encrypted files.

Zoldon Crypter discovered

MalwareHunterTeam found a new ransomware called ZOLDON Crypter V3.0.

Zoldon Ransomware

August 10th 2018

New KeyPass Ransomware Campaign Underway

Judging by the number of victims that have been seen, a new distribution campaign is underway for a STOP Ransomware variant called KeyPass. Unfortunately, how the ransomware is being distributed is unknown at this time.

PooleZoor ransomware discovered

MalwareHunterTeam found a new in-development Hidden Tear variant called PooleZoor ransomware that appends the .poolezoor extension to encrypted files.

That’s it for this week! Hope everyone has a nice weekend!
