This week we have seen a lot of CryptConsole variants, Magniber activity, and a number of smaller variants being released. Ransomware continues to decline as malware developers move toward more profitable miners and information-stealing Trojans. Ransomware is not going away, but it is moving away from mass malspam campaigns toward targeted network attacks, where a ransom payment is more likely.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @campuscodi, @malwareforme, @DanielGallagher, @struppigel, @malwrhunterteam, @Seifreed, @FourOctets, @fwosar, @hexwaxwing, @BleepinComputer, @jorntvdw, @PolarToffee, @LawrenceAbrams, @Damian1338B, @GrujaRS, @JakubKroustek, @bartblaze, and @leotpsc.
June 2nd 2018
MalwareHunterTeam discovered a ransomware called CryBrazil that appends the .crybrazil extension to encrypted files. It uses a nicely designed ransom note.
June 3rd 2018
GrujaRS discovered the Amba Ransomware, which appends the .UPS-[random number] extension to encrypted files and drops a ransom note named Dont_Worry.txt.
June 4th 2018
Leo found a new destructive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.
Amigo-A found a new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
June 5th 2018
MalwareHunterTeam found a new XiaoBa Ransomware variant that uses the .AdolfHitler extension and drops a ransom note named # # DECRYPT MY FILE # #.bmp.
June 6th 2018
The Atlanta Police Department has lost years' worth of police car dashcam videos following the March ransomware attack that affected most of the city's IT infrastructure.
Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files, so encrypted files cannot be recovered even if a ransom is paid. RedEye can also overwrite the MBR with a screen that displays the author's contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.
The ransomware author contacted internetnewsblog and told us that this ransomware was never intended for distribution and was created just for fun.
Michael Gillespie spotted a new Aurora variant uploaded to ID Ransomware that uses the #RECOVERY-PC#.txt ransom note.
June 7th 2018
GrujaRS discovered a new variant of the GlobeImposter Ransomware that uses the .emilysupp extension for encrypted files.
June 8th 2018
Damian1338 discovered the Princess Ransomware being sold on an underground criminal site.
A new variant of the Magniber Ransomware was uploaded to ID Ransomware that uses the .ndpyhss extension for encrypted files.