This week we have seen a new decryptor released by both Emsisoft and Avast for the BigBobRoss ransomware. We also saw a lot of new variants released for existing ransomware, especially the STOP Ransomware.
The STOP ransomware continues to be a major problem with its distribution through adware bundles disguised as cracks. To make matters worse, it was discovered that the STOP Ransomware is installing the Azorult information stealing Trojan as well on its victims.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwareforme, @jorntvdw, @demonslay335, @fwosar, @malwrhunterteam, @FourOctets, @PolarToffee, @BleepinComputer, @Seifreed, @LawrenceAbrams, @arealshadow, @Amigo_A_, @JakubKroustek, and @AvastThreatLabs.
March 9th 2019
A ransomware attack hit the computers of Jackson County, Georgia, reducing government activity to a crawl until officials decided to pay cybercriminals $400,000 in exchange for the file decryption key.
Emsisoft has released a decryptor for the BigBobRoss ransomware. It uses AES-128 ECB to encrypt files, and adds the extension “.obfuscated”. Some variants also prepend the victim ID to the filename. The ransom note “Read Me.txt” asks the victim to contact “[email protected]”.
Avast Threat Labs released a decryptor for BigBobRoss as well today.
Michael Gillespie found new variants of the STOP Ransomware that append the .promorad2 or .kroput extensions to encrypted files.
March 10th 2019
In addition to encrypting a victim’s files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victims’ computers to steal account credentials, cryptocurrency wallets, desktop files, and more.
March 11th 2019
Jakub Kroustek found a new Dharma Ransomware variant that appends the .NWA extension to encrypted files.
March 12th 2019
A new Ransomware-as-a-Service called Yatron is being promoted on Twitter that plans on using the EternalBlue and DoublePulsar exploits to spread to other computers on a network. This ransomware will also attempt to delete encrypted files if a payment has not been made within 72 hours.
Michael Gillespie found a new ransomware that appends the .bRcrypT extension and drops a ransom note named FILES ENCRYPTED.txt.
Michael Gillespie updated his STOPDecrypter to have more offline encryption keys. This one is for OFFLINE ID “0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDosJ24DmXt1” (.promorad2).
Michael Gillespie found a new ransomware that appends the .GILLETTE extension and drops a ransom note named Decrypt DATA.txt.
Michael Gillespie found a new Matrix ransomware that appends the .SCR extension to encrypted files.
Michael Gillespie is searching for a sample of the ransomware that appends the .yum extension and drops a ransom note named !!!READ_IT!!!.txt.
March 13th 2019
Jakub Kroustek found a new Dharma Ransomware variant that appends the .com extension to encrypted files.
Michael Gillespie updated his STOPDecrypter to have more offline encryption keys. This one is for OFFLINE ID “upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1” (.kroput).
March 14th 2019
MalwareHunterTeam found a new ransomware called MegaLocker Virus that appends the .crypted extension to encrypted files and drops a ransom note named !DECRYPT INSTRUCTION.TXT. In the accompanying screenshot it appears to have encrypted a web server.
Amigo-A discovered a new variant of the 0kilobypt Ransomware that appends the .crypt extension to encrypted files.
Michael Gillespie found new STOP ransomware variants that append the .kroput1, .pulsar1 or .charck extensions to encrypted files.
Michael Gillespie is looking for a new ransomware that appends the .Scorpion extension and drops a ransom note named About .Scorpion V4.0 unlocking instructions.txt.
Michael Gillespie is looking for a new ransomware that appends the .jamper extension and drops a ransom note named —README—.TXT.
March 15th 2019
Michael Gillespie found new STOP Ransomware variants that append the .kropun or .klope extensions to encrypted files.
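The entries above amount to a week's worth of file-system indicators: the extension each family appends to encrypted files and the name of the ransom note it drops. The following is an added example, not code from BleepingComputer or from any of the researchers credited above, showing how a responder might triage a file listing from a suspect share against those indicators. The extension and note names are transcribed from this week's entries; the LOW_SIGNAL set, the scoring thresholds and the sample listing are this example's own assumptions, not facts from the page.

```python
"""Triage a file listing against the ransomware indicators reported this week.

Added example. The indicator tables are transcribed from the roundup above;
the LOW_SIGNAL set, the thresholds and SAMPLE_LISTING are constructed
assumptions of this example, not facts from the roundup.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Extension appended to encrypted files -> family, as reported this week.
# Matching is case-insensitive, so ".bRcrypT" and ".GILLETTE" are stored lowercase.
ENCRYPTED_EXTENSIONS = {
    ".obfuscated": "BigBobRoss",
    ".promorad2": "STOP", ".kroput": "STOP", ".kroput1": "STOP",
    ".pulsar1": "STOP", ".charck": "STOP", ".kropun": "STOP", ".klope": "STOP",
    ".nwa": "Dharma", ".com": "Dharma",
    ".brcrypt": "unnamed (.bRcrypT)",
    ".gillette": "unnamed (.GILLETTE)",
    ".scr": "Matrix",
    ".yum": "unnamed (.yum)",
    ".crypted": "MegaLocker Virus",
    ".crypt": "0kilobypt",
    ".scorpion": "unnamed (.Scorpion)",
    ".jamper": "unnamed (.jamper)",
}

# Ransom-note file name (lowercased) -> family, as reported this week.
RANSOM_NOTES = {
    "read me.txt": "BigBobRoss",
    "files encrypted.txt": "unnamed (.bRcrypT)",
    "decrypt data.txt": "unnamed (.GILLETTE)",
    "!!!read_it!!!.txt": "unnamed (.yum)",
    "!decrypt instruction.txt": "MegaLocker Virus",
    "about .scorpion v4.0 unlocking instructions.txt": "unnamed (.Scorpion)",
}

# Assumption of this example: these extensions exist on clean systems
# (DOS executables, screensavers, generic "crypt" files), so a handful of
# them is not evidence of encryption without a ransom note or a large count.
LOW_SIGNAL = {".com", ".scr", ".crypt"}
MIN_STRONG_FILES = 5  # assumed threshold for an extension-only "high" verdict


def scan(paths):
    """Group each path under the family its note name or extension points to.

    A BigBobRoss-style victim-ID prefix does not matter here because only the
    final suffix is examined, so 'ID-1234-report.docx.obfuscated' still matches.
    """
    evidence = defaultdict(lambda: {"notes": [], "encrypted": []})
    for path in paths:
        name = PurePosixPath(path).name.lower()
        family = RANSOM_NOTES.get(name)
        if family:
            evidence[family]["notes"].append(path)
            continue
        family = ENCRYPTED_EXTENSIONS.get(PurePosixPath(name).suffix)
        if family:
            evidence[family]["encrypted"].append(path)
    return dict(evidence)


def verdicts(evidence):
    """Rate each family: a ransom note or many strong-extension files is 'high',
    a few strong-extension files is 'medium', low-signal extensions alone 'low'."""
    out = {}
    for family, ev in evidence.items():
        strong = [p for p in ev["encrypted"]
                  if PurePosixPath(p.lower()).suffix not in LOW_SIGNAL]
        if ev["notes"] or len(strong) >= MIN_STRONG_FILES:
            out[family] = "high"
        elif strong:
            out[family] = "medium"
        elif ev["encrypted"]:
            out[family] = "low"
    return out


# Constructed sample listing: five STOP-encrypted documents, a BigBobRoss note,
# two benign legacy files whose extensions collide with Dharma/Matrix, one clean file.
SAMPLE_LISTING = [
    "/srv/share/finance/q1.xlsx.kroput",
    "/srv/share/finance/q2.xlsx.kroput",
    "/srv/share/finance/q3.xlsx.kroput",
    "/srv/share/hr/contracts.docx.kroput",
    "/srv/share/hr/payroll.pdf.kroput",
    "/srv/share/Read Me.txt",
    "/srv/share/legacy/tool.com",
    "/srv/share/legacy/screen.scr",
    "/srv/share/photos/holiday.jpg",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LISTING)
    for family, level in sorted(verdicts(found).items()):
        ev = found[family]
        print(f"{level:6} {family}: {len(ev['notes'])} note(s), "
              f"{len(ev['encrypted'])} file(s) with a matching extension")
```

The point of the two-tier scoring is the caveat the roundup itself hints at: .com, .SCR and .crypt are extensions a clean fileserver can legitimately contain, so on their own they produce a "low" verdict, while the presence of one of the ransom-note file names, or a run of files carrying an extension that has no benign use, is what turns a match into something worth escalating.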