This week was mostly small variants, but we did have some interesting news. First, we had an in-depth look at the SamSam ransomware by Sophos that details the staggering amount of money its operators are generating. The other interesting story is the developers of the GandCrab ransomware getting revenge on AhnLab for creating a vaccine for their ransomware. In their attempt at revenge, the GandCrab developers included code that could possibly DDoS AhnLab Lite v3.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Seifreed, @jorntvdw, @hexwaxwing, @demonslay335, @fwosar, @BleepinComputer, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @struppigel, @FourOctets, @malwareforme, @campuscodi, @AltShiftPrtScn, @thyrex2002, @Amigo_A_, @Damian1338B, @malware_traffic, @siri_urz, @MarceloRivero, and @SophosLabs.
July 28th 2018
July 30th 2018
Michael Gillespie found a new variant of the Animus/Aurora ransomware that appends the .desu extension to encrypted files. It also renames each file to the hex equivalent of its original name. It is still decryptable.
Damian1338 noticed that the GandCrab team added more languages to their payment page.
Brad found a new ransomware calling itself Locky. This is not a new variant of the old ransomware of the same name, but an imposter.
July 31st 2018
The SamSam ransomware has earned its creator(s) more than $5.9 million in ransom payments since late 2015, according to the most comprehensive report ever published on SamSam’s activity. The report covers the period from the ransomware’s launch in late 2015 up to attacks that happened earlier this month.
On Monday, officials from Matanuska-Susitna (Mat-Su), a borough that is part of the Anchorage Metropolitan Statistical Area, said they are still recovering from a ransomware infection that took place last week, on July 24.
MalwareHunterTeam found a new in-development ransomware that is based on Stupid Ransomware. This ransomware contains an image of Liviu Dragnea as its background. The sample does not currently encrypt, but if it did, it would use the .dragnea extension.
Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .RECOVERYOURFILES extension and drops a ransom note named INSTRUCTIONS_RECOVER_FILES.txt.
August 2nd 2018
August 3rd 2018
The author of the GandCrab ransomware is a little bitter toward South Korean security vendor AhnLab after the security firm released a vaccine for the GandCrab ransomware. Because of this, they decided to include an alleged zero-day for the AhnLab v3 Lite antivirus in their recent builds.
MalwareHunterTeam found a new AutoIt ransomware called wannacryV2 that appends the .wannacryv2 extension to encrypted files and provides a decryptor.