The Week in Ransomware – December 7th 2018

This was a pretty interesting week for ransomware. An attacker out of China managed to infect over 100,000 victims with a poorly written ransomware that asked victims to pay the ransom via WeChat. Thankfully, the ransomware was easily decrypted by numerous companies and the developer was arrested a few days later.

Other big news is research from Check Point showing how a “Ransomware Decryption” company claimed it could decrypt numerous ransomware families, but simply paid the ransomware developers and tacked a fee on top.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @PolarToffee, @malwareforme, @LawrenceAbrams, @DanielGallagher, @FourOctets, @struppigel, @BleepinComputer, @malwrhunterteam, @demonslay335, @fwosar, @hexwaxwing, @Ionut_Ilascu, @Seifreed, @GrujaRS, @JakubKroustek, @MarceloRivero, @petrovic082, and @_CPResearch_.

December 3rd 2018

GandCrab v5.0.9 comes with a message

Marcelo Rivero noticed that the GandCrab developers released version 5.0.9, which simply contains a message stating that “We will become back very soon! ;)”

GandCrab 5.0.9

December 4th 2018

New RISK Dharma Variant

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .RISK extension to encrypted files.

New IsraBye version

GrujaRS found a new version of the IsraBye ransomware that appends the .israbye extension to encrypted files.

Israbye Ransomware

Dablio Ransomware discovered

Karsten Hahn found the new Dablio Ransomware, which prepends “(encrypted)” to the names of encrypted files.

Dablio Ransomware

December 5th 2018

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Over 100,000 computers in China were infected in just a few days with a poorly written ransomware named UNNAMED1989 that encrypts local files and steals credentials for multiple Chinese online services. The ransomware then asks victims to pay the developer via WeChat payments.

WeChat Ransomware

Company Pretends to Decrypt Ransomware But Just Pays Ransom

Security researchers from Check Point Research have found a company in Russia that guarantees decryption of files encrypted by the Dharma/CrySiS ransomware, a family for which the only known recovery path is buying the decryption key from the malware's authors. In practice the company pays the ransom on the victim's behalf and charges a markup on top.

Atlanta U.S. Attorney Charges Iranian nationals for City Of Atlanta ransomware attack

A federal grand jury in Atlanta has returned an indictment charging Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri with committing a sophisticated ransomware attack on the City of Atlanta in March 2018 in violation of the Computer Fraud and Abuse Act.

New bkpx Dharma Ransomware variant

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .bkpx extension to encrypted files.

December 6th 2018

Chinese Police Arrest Dev Behind UNNAMED1989 WeChat Ransomware

Chinese law enforcement have arrested the developer of the UNNAMED1989 / WeChat Ransomware that recently took China by storm and infected over 100K users in a few days.

Abandoned GlobeImposter Tor Site Leaves Ransomware Victims Without Options

Recent victims of GlobeImposter 2.0 found themselves grasping for a means to decrypt data after the Tor site in their ransom note was abandoned by its creators. Without backups, these victims have no path to decrypt their data or contact the attackers. Recent examples of the ransom note left on encrypted machines appear below, and direct the user to a Tor site that no longer responds.

December 7th 2018

HiddenTear variant discovered

MalwareHunterTeam found a HiddenTear variant that tries to implicate a YouTuber who said he didn’t make it. See the Twitter thread for more info.

Gerber Ransomware 1.0

Petrovic discovered the Gerber Ransomware 1.0, which appends the .XY6LR extension to the names of encrypted files.

Gerber Ransomware 1.0

Gerber Ransomware 3.0

Soon after, GrujaRS discovered the Gerber Ransomware 3.0.

Gerber Ransomware 3.0

New LOL Scarab Ransomware variant

Amigo-A found a new variant of the Scarab Ransomware that appends the .lol extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

LOL Scarab Ransomware

Outsider Ransomware discovered

GrujaRS discovered a ransomware called Outsider that appends the .protected extension.

Outsider Ransomware

JungleSec Ransomware uses open source encryption tool

Michael Gillespie learned from a victim that the JungleSec ransomware is using an open source encryption program to encrypt files.
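The entries above give a handful of filename-level indicators for the week's new variants: the appended extensions for the Dharma (.RISK, .bkpx), IsraBye, Gerber 1.0, Scarab (.lol) and Outsider samples, the “(encrypted)” prefix Dablio prepends, and the HOW TO RECOVER ENCRYPTED FILES.TXT note dropped by the Scarab variant. The script below is an added example (not code from BleepingComputer or any of the researchers credited here) that folds those indicators into one triage function you can run over a file listing pulled from a suspect share. The indicator table contains only what this roundup states; the sample paths are constructed for the demo, and extension matches are a weak signal on their own (.lol and .protected can occur on legitimate files), so treat hits as a prompt for a closer look rather than a verdict.

```python
"""Filename triage for the ransomware variants listed in this week's roundup.

Added example; the indicator table is built only from the extensions, prefix
and ransom-note name stated in the text above. Everything else (sample
paths, function names) is constructed for illustration.
"""
import os

# Appended extension -> family, exactly as reported in the entries above.
# Keys are lower-case; comparisons below lower-case the filename first.
EXTENSION_INDICATORS = {
    ".risk": "Dharma (.RISK variant)",
    ".bkpx": "Dharma (.bkpx variant)",
    ".israbye": "IsraBye",
    ".xy6lr": "Gerber 1.0",
    ".lol": "Scarab (.lol variant)",
    ".protected": "Outsider",
}

# Dablio prepends a marker to the name instead of appending an extension.
PREFIX_INDICATORS = {"(encrypted)": "Dablio"}

# Ransom note filename dropped by the Scarab .lol variant.
NOTE_INDICATORS = {"how to recover encrypted files.txt": "Scarab (.lol variant)"}

# Constructed sample listing, as you might get from `find` or `dir /s /b`.
SAMPLE_FILES = [
    "C:/Users/alice/Documents/report.docx.RISK",
    "C:/Users/alice/Documents/budget-2018.xlsx.bkpx",
    "/srv/share/(encrypted)quarterly.pptx",
    "/srv/share/HOW TO RECOVER ENCRYPTED FILES.TXT",
    "/srv/share/photos/holiday.jpg.lol",
    "/srv/share/hr/contract.pdf.protected",
    "/srv/share/hr/contract.pdf",          # untouched file, should not match
    "C:/ProgramData/backup.tar.israbye",
    "D:/exports/ledger.csv.XY6LR",
]


def classify(path):
    """Return (family, indicator_kind) for a path, or None if nothing matches.

    Checks run from most specific to least: an exact ransom-note name, then
    the Dablio prefix, then the appended extension. Matching is
    case-insensitive because Windows filesystems are.
    """
    name = os.path.basename(path).lower()
    if name in NOTE_INDICATORS:
        return NOTE_INDICATORS[name], "ransom note"
    for prefix, family in PREFIX_INDICATORS.items():
        if name.startswith(prefix):
            return family, "prefix"
    _, ext = os.path.splitext(name)   # ".docx.risk" -> ".risk"
    if ext in EXTENSION_INDICATORS:
        return EXTENSION_INDICATORS[ext], "extension"
    return None


def triage(paths):
    """Group matching paths by suspected family.

    Returns {family: [(path, indicator_kind), ...]}; families with no hits
    are absent so callers can test membership directly.
    """
    hits = {}
    for path in paths:
        result = classify(path)
        if result is None:
            continue
        family, kind = result
        hits.setdefault(family, []).append((path, kind))
    return hits


if __name__ == "__main__":
    for family, matches in sorted(triage(SAMPLE_FILES).items()):
        print(f"{family}:")
        for path, kind in matches:
            print(f"  [{kind}] {path}")
```

Feed it a real listing with `triage(open("listing.txt").read().splitlines())`; the note-name and prefix hits are the ones worth escalating first, since a stray file extension by itself says little.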

That’s it for this week! Hope everyone has a nice weekend!
