For the most part it has been a slow week in terms of new ransomware variants being released. On the other hand, quite a bit of interesting information was released about Ryuk.
Researchers from FireEye and CrowdStrike released reports this week that explain how Ryuk partnered with TrickBot in an access-as-a-service arrangement in order to gain access to infected networks. Other reports also came out that lead researchers to believe that the attackers behind Ryuk are Russian, rather than North Korean.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @struppigel, @Seifreed, @fwosar, @jorntvdw, @malwareforme, @malwrhunterteam, @FourOctets, @BleepinComputer, @PolarToffee, @LawrenceAbrams, @ChristiaanBeek, @John_Fokker, @cglyer, @ItsReallyNick, @CrowdStrike, @FireEye, @McAfee_Labs, and @BBC.
January 5th 2019
MalwareHunterTeam discovered a very simple ransomware that is a batch file called Encoder.bat and uses WinRAR to add files to a password-protected archive.
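What a defender ends up triaging after a batch-file encoder like the one above is a pile of RAR archives whose entries are password-protected. As an added example (not the page's code and not the batch file itself), the following Python reads only the header fields needed to tell whether a RAR 4.x or RAR 5.0 archive carries password-protected entries or encrypted block headers, without decrypting anything. Header layouts follow the publicly documented RAR formats; header CRCs are deliberately not verified, and the two sample archives (`sample_rar4`, `sample_rar5`) are constructed inline with zero CRCs so the script runs offline.

```python
import struct
RAR4_SIG, RAR5_SIG = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"
# Types/flags from the public RAR 4.x / 5.0 format notes; CRCs are never checked, nothing is decrypted
RAR4_MAIN, RAR4_FILE, RAR4_END = 0x73, 0x74, 0x7B
MHD_PASSWORD, LHD_PASSWORD, LHD_LARGE, LONG_BLOCK = 0x0080, 0x0004, 0x0100, 0x8000
RAR5_FILE, RAR5_ENCRYPTION, RAR5_END = 2, 4, 5
RAR5_HAS_EXTRA, RAR5_HAS_DATA, RAR5_REC_FILE_ENCRYPTION = 0x01, 0x02, 1

def _vint(buf, pos):
    """Decode a RAR5 variable-length integer: 7 bits per byte, high bit = continue."""
    value, shift, n = 0, 0, 0
    while pos + n < len(buf):
        b = buf[pos + n]
        value, n, shift = value | (b & 0x7F) << shift, n + 1, shift + 7
        if not b & 0x80:
            return value, n
    raise ValueError("truncated vint")

def _scan_rar4(data):
    findings, pos = [], len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, hflags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break  # malformed block; stop instead of looping forever
        add = 0  # LONG_BLOCK: a data area of ADD_SIZE bytes follows the header
        if hflags & LONG_BLOCK and pos + 11 <= len(data):
            add = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == RAR4_MAIN and hflags & MHD_PASSWORD:
            findings.append("encrypted block headers (file names hidden)")
            break  # everything after this header is ciphertext
        if htype == RAR4_FILE and hflags & LHD_PASSWORD:
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if hflags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_len].decode("latin-1", "replace")
            findings.append(f"password-protected entry: {name}")
        if htype == RAR4_END:
            break
        pos += hsize + add
    return findings

def _scan_rar5(data):
    """Walk RAR 5.0 headers; a type-4 header or a type-1 extra record marks encryption."""
    findings, pos = [], len(RAR5_SIG)
    try:
        while pos + 5 <= len(data):
            pos += 4  # header CRC32, not verified here
            hsize, n = _vint(data, pos)
            hdr, pos = data[pos + n:pos + n + hsize], pos + n + hsize
            htype, n = _vint(hdr, 0); hflags, m = _vint(hdr, n); off = n + m
            extra_size, n = _vint(hdr, off) if hflags & RAR5_HAS_EXTRA else (0, 0); off += n
            data_size, n = _vint(hdr, off) if hflags & RAR5_HAS_DATA else (0, 0); off += n
            if htype == RAR5_ENCRYPTION:  # archive-wide header encryption comes first
                findings.append("encrypted block headers (file names hidden)")
                break
            if htype == RAR5_FILE and extra_size:
                fflags, n = _vint(hdr, off); off += n
                for _ in range(2): off += _vint(hdr, off)[1]  # unpacked size, attributes
                off += (4 if fflags & 0x02 else 0) + (4 if fflags & 0x04 else 0)  # mtime, CRC32
                for _ in range(2): off += _vint(hdr, off)[1]  # compression info, host OS
                name_len, n = _vint(hdr, off); off += n
                name = hdr[off:off + name_len].decode("utf-8", "replace")
                extra, epos = hdr[len(hdr) - extra_size:], 0  # extra area ends the header
                while epos < len(extra):  # each record: size vint, type vint, body
                    rsize, n = _vint(extra, epos); epos += n
                    if _vint(extra, epos)[0] == RAR5_REC_FILE_ENCRYPTION:
                        findings.append(f"password-protected entry: {name}")
                    epos += rsize
            if htype == RAR5_END:
                break
            pos += data_size
    except ValueError:
        findings.append("truncated or malformed header")
    return findings

def inspect_rar(data):
    """Return (format, findings); format is 'rar4', 'rar5' or None for non-RAR input."""
    if data.startswith(RAR5_SIG):
        return "rar5", _scan_rar5(data)
    if data.startswith(RAR4_SIG):
        return "rar4", _scan_rar4(data)
    return None, []

def sample_rar4():
    """Constructed RAR 4.x archive with one password-protected entry; header CRCs left as zero."""
    name, salt = b"secret.docx", b"\x11" * 8  # flag 0x0400 says an 8-byte salt follows the name
    main = struct.pack("<HBHH", 0, RAR4_MAIN, 0, 13) + b"\x00" * 6
    fhdr = (struct.pack("<HBHH", 0, RAR4_FILE, LONG_BLOCK | LHD_PASSWORD | 0x0400, 32 + len(name) + len(salt))
            + struct.pack("<IIBIIBBHI", 16, 16, 2, 0, 0, 29, 0x30, len(name), 0x20) + name + salt)
    return RAR4_SIG + main + fhdr + b"\xAA" * 16 + struct.pack("<HBHH", 0, RAR4_END, 0x4000, 7)

def sample_rar5():
    """Constructed RAR 5.0 archive with one password-protected entry; CRCs left as zero."""
    name = b"secret.docx"
    def header(body):  # CRC32 (unverified) + size vint + body; bodies here are < 128 bytes
        return b"\x00" * 4 + bytes([len(body)]) + body
    record = bytes([RAR5_REC_FILE_ENCRYPTION, 0, 0, 0x0F]) + b"\x22" * 32  # ver, flags, KDF, salt+IV
    body = bytes([RAR5_FILE, RAR5_HAS_EXTRA | RAR5_HAS_DATA, len(record) + 1, 4,
                  0, 4, 0, 0, 0, len(name)]) + name + bytes([len(record)]) + record
    return (RAR5_SIG + header(bytes([1, 0, 0])) + header(body) + b"\xAA" * 4
            + header(bytes([RAR5_END, 0, 0])))
```

Call `inspect_rar(open(path, "rb").read())` on each suspect archive; a non-empty findings list is the signal to keep the file for forensics rather than delete it, since the entries' names (and, with encrypted headers, even those) are only recoverable with the password.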
January 7th 2019
Cybercriminals behind GandCrab have added the Vidar infostealer to the process used to distribute the ransomware, which increases their profits by pilfering sensitive information before encrypting the computer's files.
January 8th 2019
The Connecticut Post reports:
The city school district’s computer network was attacked Friday by a virus caused by an outside entity that intended to hold district data hostage for ransom, district officials say.
January 9th 2019
With people becoming more aware of ransomware, criminals are coming up with some pretty low-life schemes in order to coerce victims into paying the ransom. Such is the case with a CryptoMix ransomware variant that pretends to represent a sick children's charity and asks for the ransom payment as if it were a charitable donation.
The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.
The BBC reports on the ransomware attack that took out a town in Alaska.
In 2018, a remote Alaskan community’s infrastructure was hit by a malware attack which forced it offline. It was only then they realised how much they depended on computers.
MalwareHunterTeam found that the Ahihi ransomware does not change the extension of encrypted files.
MalwareHunterTeam found a new ransom note that also attempts to steal PayPal account credentials through a phishing page.
January 10th 2019
Michael Gillespie is searching for a new ransomware that appends the .pdff extension and drops a note named _openme.txt.
January 11th 2019
The City Hall of Del Rio, Texas was hit by a ransomware attack on Thursday, which led to multiple computers on the network being turned off and disconnected from the Internet to contain and analyze the malware.
New research now indicates that the Ryuk actors may be renting other malware as an Access-as-a-Service to gain entrance to a network.
Michael Gillespie noticed two new STOP variants that were uploaded to ID Ransomware and append the .tfude or .tro extension to encrypted file names.