This was a pretty interesting week for ransomware. An attacker out of China managed to infect over 100,000 victims with a poorly-written ransomware that asked victims to pay the ransom via WeChat. Thankfully, the ransomware was easily decrypted by numerous companies and the developer was arrested a few days later.
Other big news is research from Check Point showing how a “Ransomware Decryption” company claimed it could decrypt numerous ransomware families, but simply tacked on a fee and paid the ransomware developers instead.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @PolarToffee, @malwareforme, @LawrenceAbrams, @DanielGallagher, @FourOctets, @struppigel, @BleepinComputer, @malwrhunterteam, @demonslay335, @fwosar, @hexwaxwing, @Ionut_Ilascu, @Seifreed, @GrujaRS, @JakubKroustek, @MarceloRivero, @petrovic082, and @_CPResearch_.
December 3rd 2018
Marcelo Rivero noticed that the GandCrab developers released version 5.0.9, which simply contains a message stating that “We will become back very soon! ;)”
December 4th 2018
Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .RISK extension to encrypted files.
GrujaRS found a new version of the IsraBye ransomware that appends the .israbye extension to encrypted files.
Karsten Hahn found the new Dablio Ransomware that prepends “(encrypted)” to the beginning of encrypted files’ names.
December 5th 2018
Over 100,000 computers in China have been infected in just a few days with poorly-written ransomware named UNNAMED1989 that encrypts local files and steals credentials for multiple Chinese online services. This ransomware then asked victims to pay the developer via WeChat payments.
Security researchers from Check Point Research have found a company in Russia that guarantees decryption of files touched by the Dharma/CrySiS ransomware strain, a feat known to be possible only by paying the malware maker for the unlock key.
A federal grand jury in Atlanta has returned an indictment charging Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri with committing a sophisticated ransomware attack on the City of Atlanta in March 2018 in violation of the Computer Fraud and Abuse Act.
Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .bkpx extension to encrypted files.
December 6th 2018
Chinese law enforcement have arrested the developer of the UNNAMED1989 / WeChat Ransomware that recently took China by storm and infected over 100K users in a few days.
Recent victims of GlobeImposter 2.0 found themselves grasping for a means to decrypt their data after the TOR site in their ransom note was abandoned by its creators. Without backups, these victims have no path to decrypt their data or to contact the attackers. Recent examples of the ransom note left on encrypted machines direct the user to a broken TOR site.
December 7th 2018
MalwareHunterTeam found a HiddenTear variant that tries to implicate a YouTuber who said he didn’t make it. See the Twitter thread for more info.
Petrovic discovered the Gerber Ransomware 1.0 that appends the .XY6LR extension to encrypted files’ names.
Soon after, GrujaRS discovered the Gerber Ransomware 3.0.
Amigo-A found a new variant of the Scarab Ransomware that appends the .lol extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
GrujaRS discovered a ransomware called Outsider that appends the .protected extension.