The Week in Ransomware – August 3rd 2018

This week was mostly small variants, but we did have some interesting news. First, we had an in-depth look at the SamSam ransomware by Sophos that details the staggering amount of money the attackers are generating. The other interesting story is the developers of the GandCrab ransomware getting revenge on AhnLab for creating a vaccine for their ransomware. In their attempt at revenge, the GandCrab developers included code that could possibly DDOS AhnLab Lite v3.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Seifreed, @jorntvdw, @hexwaxwing, @demonslay335, @fwosar, @BleepinComputer, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @struppigel, @FourOctets, @malwareforme, @campuscodi, @AltShiftPrtScn, @thyrex2002, @Amigo_A_, @Damian1338B, @malware_traffic, @siri_urz, @MarceloRivero, and @SophosLabs.

July 28th 2018

WannaCash Ransomware discovered

Amigo-A discovered a new Russian ransomware called WannaCash that renamed files into the pattern “encrypted(file_name.file_extension)”. A decrypter is available from Alex Svirid.

July 30th 2018

New Animus/Aurora variant

Michael Gillespie found a new variant of the Animus/Aurora ransomware that appends the .desu extension to encrypted files. It will also rename the original file name to its hex equivalent. It is still decryptable.

GandCrab added additional languages to payment page


Damian1338 noticed that the GandCrab team added more languages to their payment page. 

Locky impersonator found

Brad found a new ransomware calling itself Locky. This is not a new variant of the old ransomware of the same name, but an imposter.

July 31st 2018

SamSam Ransomware Crew Made Nearly $6 Million From Ransom Payments

The SamSam ransomware has earned its creator(s) more than $5.9 million in ransom payments since late 2015, according to the most comprehensive report ever published on SamSam’s activity, containing information since the ransomware’s launch in late 2015 and up to attacks that have happened earlier this month.

BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week

On Monday, officials from Matanuska-Susitna (Mat-Su), a borough part of the Anchorage Metropolitan Statistical Area, said they are still recovering from a ransomware infection that took place last week, on July 24.

Liviu Dragnea Ransomware discovered

MalwareHunterTeam found a new in-development ransomware that is based on Stupid Ransomware. This ransomware contains an image of Liviu Dragnea as its background. The sample does not currently encrypt, but if it did, it would use the .dragnea extension. 

New Ann Ransomware

S!Ri discovered a new ransomware called Ann that renames files to the “[[email protected]]..ANN” pattern.


Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .RECOVERYOURFILES extension and drops a ransom note named INSTRUCTIONS_RECOVER_FILES.txt.

New Matrix Ransomware variant

Michael Gillespie found a new variant of the Matrix Ransomware uploaded to ID Ransomware that renames files to “[[email protected]].-.CORE” and drops a ransom note named #CORE_README#.rtf.

August 2nd 2018

New Scarab Ransomware variant

Michael Gillespie found a new Scarab Ransomware variant that uses the same email as an Animus attacker. This variant appends the [email protected] extension to encrypted files.

August 3rd 2018

GandCrab Ransomware Author Bitter After Security Vendor Releases Vaccine App

The author of the GandCrab ransomware is a little bit bitter at South Korean security vendor AhnLab after the security firm released a vaccine for the GandCrab ransomware. Due to this they decided to include an alleged zero-day for the AhnLab v3 Lite antivirus in their recent builds.

WannacryV2 Ransomware

MalwareHunterTeam found a new AutoIt ransomware called wannacryV2 that appends the .wannacryv2 extension to encrypted files and provides a decryptor.

New Everbe 2.0 variant

Michael Gillespie discovered a new Everbe 2.0 Ransomware variant that uses the .[].divine extension and drops a ransom note named !=How_to_decrypt_files=!.txt.

New Paradise Ransomware variant

Michael Gillespie found a new Paradise Ransomware variant that appends the [id-].[[email protected]].b29 extension to encrypted files.

That’s it for this week! Hope everyone has a nice weekend!
