
The Week in Ransomware – March 15th 2019


This week we have seen a new decryptor released by both Emsisoft and Avast for the BigBobRoss ransomware. We also saw a lot of new variants released for existing ransomware, especially the STOP Ransomware.

The STOP ransomware continues to be a major problem with its distribution through adware bundles disguised as cracks. To make matters worse, it was discovered that the STOP Ransomware is installing the Azorult information stealing Trojan as well on its victims.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwareforme, @jorntvdw, @demonslay335, @fwosar, @malwrhunterteam, @FourOctets, @PolarToffee, @BleepinComputer, @Seifreed, @LawrenceAbrams, @arealshadow, @Amigo_A_, @JakubKroustek, and @AvastThreatLabs.

March 9th 2019

Ransomware Attack on Jackson County Gets Cybercriminals $400,000

A ransomware attack hit the computers of Jackson County, Georgia, reducing government activity to a crawl until officials decided to pay cybercriminals $400,000 in exchange for the file decryption key.

Emsisoft Decrypter for BigBobRoss

Emsisoft has released a decryptor for the BigBobRoss ransomware. It uses AES-128 ECB to encrypt files, and adds the extension “.obfuscated”. Some variants also prepend the victim ID to the filename. The ransom note “Read Me.txt” asks the victim to contact “[email protected]”.

Avast releases a decryptor for BigBobRoss as well

Avast Threat Labs released a decryptor for BigBobRoss as well today.

New STOP Ransomware variant

Michael Gillespie found new variants of the STOP Ransomware that append the .promorad2 or .kroput extensions to encrypted files.

March 10th 2019

STOP Ransomware Installing Password Stealing Trojans on Victims

In addition to encrypting a victim’s files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victims’ computers to steal account credentials, cryptocurrency wallets, desktop files, and more.

March 11th 2019

New Dharma variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .NWA extension to encrypted files.

March 12th 2019

Yatron Ransomware Plans to Spread Using EternalBlue NSA Exploits

A new Ransomware-as-a-Service called Yatron is being promoted on Twitter that plans on using the EternalBlue and DoublePulsar exploits to spread to other computers on a network. This ransomware will also attempt to delete encrypted files if a payment has not been made in 72 hours.

[Image: Yatron Ransomware]

New bRcrypT Ransomware

Michael Gillespie found a new ransomware that appends the .bRcrypT extension and drops a ransom note named FILES ENCRYPTED.txt.

New RotorCrypt Ransomware

Michael Gillespie found a new RotorCrypt Ransomware variant that appends the [email protected]__.a800 extension and drops a ransom note named recovery.instruction.txt.

Updated STOPDecrypter

Michael Gillespie updated his STOPDecrypter to have more offline encryption keys. This one is for OFFLINE ID “0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDosJ24DmXt1” (.promorad2).

New GILLETTE Ransomware variant

Michael Gillespie found a new ransomware that appends the .GILLETTE extension and drops a ransom note named Decrypt DATA.txt.

New Matrix Ransomware variant

Michael Gillespie found a new Matrix ransomware that appends the .SCR extension to encrypted files.

New ransomware hunt

Michael Gillespie is searching for a sample of the ransomware that appends the .yum extension and drops a ransom note named !!!READ_IT!!!.txt.

March 13th 2019

New Dharma Ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .com extension to encrypted files.

Updated STOPDecrypter

Michael Gillespie updated his STOPDecrypter to have more offline encryption keys. This one is for OFFLINE ID “upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1” (.kroput).

March 14th 2019

New Scarab variant pretends to be GandCrab

Amigo-A found a new variant of the Scarab Ransomware that pretends to be GandCrab by using the .[[email protected]].gdcb extension and dropping a ransom note named GDCB-DECRYPT.TXT.

MegaLocker Virus discovered

MalwareHunterTeam found a new ransomware called MegaLocker Virus that appends the .crypted extension to encrypted files and drops a ransom note named !DECRYPT INSTRUCTION.TXT. The screenshot appears to show a web server that was encrypted.

[Image: MegaLocker]

New 0kilobypt Ransomware variant

Amigo-A discovered a new variant of the 0kilobypt Ransomware that appends the .crypt extension to encrypted files.

New STOP Ransomware variants

Michael Gillespie found new STOP ransomware variants that append the .kroput1, .pulsar1 or .charck extensions to encrypted files.

New Ransomware hunt for Scorpion Ransomware

Michael Gillespie is looking for a new ransomware that appends the .Scorpion extension and drops a ransom note named About .Scorpion V4.0 unlocking instructions.txt.

[Image: Scorpion Ransomware]

New Ransomware hunt

Michael Gillespie is looking for a new ransomware that appends the .[[email protected]].zq extension.

New Paradise Ransomware variant

Michael Gillespie found a new Paradise Ransomware variant that appends the _[id]_{[email protected]}.p3rf0rm4 extension and drops a ransom note named Instructions with your files.txt.

New Jamper Ransomware

Michael Gillespie is looking for a new ransomware that appends the .jamper extension and drops a ransom note named —README—.TXT.

March 15th 2019

New RotorCrypt variant

Michael Gillespie found a new RotorCrypt variant that appends the [email protected]#$%^&-().1c extension and drops a ransom note named INFO.txt.

New STOP Ransomware variants

Michael Gillespie found new STOP Ransomware variants that append the .kropun or .klope extensions to encrypted file names.
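Nearly every item in this week's roundup is identified by two artifacts: the extension appended to encrypted files and the name of the dropped ransom note. The following added example (written for this page; it is not a tool from BleepingComputer or from any of the researchers credited above) turns those artifacts into a simple triage check that a defender can run over a file listing from a backup, a file server audit, or an EDR export. The extension and note names are taken from the items above; the file listing is constructed. The `.com` and `.scr` extensions from the Dharma and Matrix items are also legitimate Windows executable types, so the check only flags them when they sit behind an ordinary document suffix (for example `holiday.jpg.com`), which is the shape an appending ransomware leaves behind. The RotorCrypt note `INFO.txt` is deliberately left out as too generic to key on by itself.

```python
"""Flag files whose names match ransomware extensions or ransom-note names
from the March 15th 2019 roundup. Added example, not the page's own code."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Appended extensions reported this week, mapped to the family named
# in the item. Matched case-insensitively on the final suffix.
EXTENSIONS = {
    ".obfuscated": "BigBobRoss",
    ".promorad2": "STOP", ".kroput": "STOP", ".kroput1": "STOP",
    ".pulsar1": "STOP", ".charck": "STOP", ".kropun": "STOP", ".klope": "STOP",
    ".nwa": "Dharma",
    ".brcrypt": "bRcrypT",
    ".gillette": "GILLETTE",
    ".yum": "unknown (.yum)",
    ".crypted": "MegaLocker",
    ".crypt": "0kilobypt",
    ".scorpion": "Scorpion",
    ".jamper": "Jamper",
    ".p3rf0rm4": "Paradise",
    ".gdcb": "Scarab (GandCrab look-alike)",
}

# Extensions that also belong to legitimate Windows executables. They are
# only flagged as a double extension behind a normal document suffix.
AMBIGUOUS_EXTENSIONS = {".com": "Dharma", ".scr": "Matrix"}
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                     ".png", ".txt", ".php", ".sql", ".zip"}

# Ransom-note filenames from the items above (INFO.txt left out: too generic).
RANSOM_NOTES = {
    "read me.txt": "BigBobRoss",
    "files encrypted.txt": "bRcrypT",
    "recovery.instruction.txt": "RotorCrypt",
    "decrypt data.txt": "GILLETTE",
    "!!!read_it!!!.txt": "unknown (.yum)",
    "gdcb-decrypt.txt": "Scarab (GandCrab look-alike)",
    "!decrypt instruction.txt": "MegaLocker",
    "about .scorpion v4.0 unlocking instructions.txt": "Scorpion",
    "instructions with your files.txt": "Paradise",
    "—readme—.txt": "Jamper",
}


@dataclass(frozen=True)
class Finding:
    path: str
    family: str
    indicator: str  # "ransom note", "extension" or "extension (double)"


def classify(path: str) -> Optional[Finding]:
    """Return a Finding for one path, or None if nothing matches."""
    p = PurePosixPath(path)
    name = p.name.lower()
    if name in RANSOM_NOTES:
        return Finding(path, RANSOM_NOTES[name], "ransom note")
    suffixes = [s.lower() for s in p.suffixes]
    if not suffixes:
        return None
    ext = suffixes[-1]
    if ext in EXTENSIONS:
        return Finding(path, EXTENSIONS[ext], "extension")
    # Ambiguous executable extensions need a document suffix in front of them.
    if (ext in AMBIGUOUS_EXTENSIONS and len(suffixes) >= 2
            and suffixes[-2] in DOCUMENT_SUFFIXES):
        return Finding(path, AMBIGUOUS_EXTENSIONS[ext], "extension (double)")
    return None


def scan(paths):
    """Classify every path and keep only the hits."""
    return [f for f in (classify(p) for p in paths) if f is not None]


def families(paths):
    """Sorted set of families seen, for a quick triage summary."""
    return sorted({f.family for f in scan(paths)})


# Constructed file listing: a web root (like the MegaLocker screenshot),
# two user profiles, one benign screensaver, and a plain system file.
SAMPLE_LISTING = [
    "/srv/www/html/index.php.crypted",
    "/srv/www/html/!DECRYPT INSTRUCTION.TXT",
    "/home/alice/Documents/budget.xlsx.promorad2",
    "/home/alice/Documents/thesis.docx.kroput",
    "/home/bob/Downloads/setup.scr",          # legitimate single .scr: no hit
    "/home/carol/Pictures/holiday.jpg.com",   # document suffix + .com: hit
    "/home/dave/Desktop/notes.txt.NWA",
    "/etc/hostname",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LISTING):
        print(f"{finding.family:<28} {finding.indicator:<19} {finding.path}")
    print("families seen:", ", ".join(families(SAMPLE_LISTING)))
```

The check is name-based only, so it is a triage aid rather than proof of infection: a hit tells you which item in the roundup to read and which decryptor (Emsisoft, Avast, or STOPDecrypter) to try, and the full listing of a hit directory should be reviewed before any restore.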

That’s it for this week! Hope everyone has a nice weekend!
