Lots of Scarab, Matrix, and Dharma variants this week as well as some good writeups on the GandCrab ransomware. Also of interest is the report published by ESET that ties NotPetya and Industroyer to the TeleBots Group.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @FourOctets, @demonslay335, @DanielGallagher, @LawrenceAbrams, @Seifreed, @malwrhunterteam, @hexwaxwing, @PolarToffee, @fwosar, @BleepinComputer, @struppigel, @jorntvdw, @ValthekOn, @John_Fokker, @fr0gger_, @ESET, @cherepanov74, @Robert_Lipovsky, @BBC, @thyrex2002, and @JakubKroustek.
October 6th 2018
MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt anything and looks to be a joke ransomware. It uses the unlock code 29b579fb811f05c3c334a2bd2646a27a.
October 8th 2018
Michael Gillespie found a new Dharma Ransomware variant, uploaded to ID Ransomware, that appends the .boost extension to encrypted files.
Michael Gillespie found a new Matrix Ransomware variant, uploaded to ID Ransomware, that appends the .GMAN extension and drops a ransom note named !README_GMAN!.rtf. Michael also found a variant that appends the .EMAN50 extension and drops a note named #README_EMAN50#.rtf.
Michael Gillespie found a new ransomware that may be a Scarab variant that appends the .qweuirtksd extension to encrypted files and drops a ransom note named !!!ReadMeToDecrypt.txt. There are victims on internetnewsblog.
Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.
October 9th 2018
At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.
October 10th 2018
Valthek’s vaccine for GandCrab continues to work with the release of version 5.0.3.
In an article from McAfee:
The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes).
The BBC reports:
Copeland Borough Council has revealed that an attack on its systems in August 2017 has cost it about £2m.
The hack locked staff out of a number of council services, including payroll, planning and environmental health.
Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named #RECOVERY_FILES#.txt.
Michael Gillespie found a new variant of the Matrix Ransomware that appends the .NOBAD extension and drops a ransom note named #NOBAD_README#.rtf.
October 11th 2018
Security researchers found the missing link that helps them prove that the NotPetya disk-wiping malware and the Industroyer backdoor for electric power systems are the work of the TeleBots group.
October 12th 2018
Alex Svirid updated his WannaCash decryptor for a new variant that changes the file name to “зашифровано original_name” (“зашифровано” is Russian for “encrypted”).
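The extensions, ransom-note names and the WannaCash rename pattern reported in this week's entries are file-name indicators you can hunt for on a file share before a victim ever uploads a sample to ID Ransomware. The script below is an added example, not code from the original roundup or from any of the researchers named above: the indicator tables are copied from the entries on this page, while the scoring rule, the function names and the sample file listing are my own assumptions. Generic extensions such as .encr also turn up on benign files, so an extension hit alone is rated lower than a ransom note or a cluster of renamed files.

```python
"""Hunt a file listing for the ransomware file-name indicators reported above.

Added example. Indicator values come from the entries in this roundup; the
scan/verdict logic, helper names and SAMPLE_LISTING are assumptions.
"""
import os
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# Two of the reported samples are unidentified; one label covers the
# extension and the note that were seen together, so hits group correctly.
ENCR = "unidentified (.encr / readmy.txt)"
GARRANTY = "unidentified (.garrantydecrypt / #RECOVERY_FILES#.txt)"

# Appended extension (lower-cased) -> family, as reported this week.
EXTENSIONS: Dict[str, str] = {
    ".boost": "Dharma",
    ".gman": "Matrix",
    ".eman50": "Matrix",
    ".nobad": "Matrix",
    ".qweuirtksd": "Scarab (suspected)",
    ".encr": ENCR,
    ".garrantydecrypt": GARRANTY,
}

# Ransom-note file name -> family. Compared case-insensitively because
# NTFS is case-insensitive and some samples vary the casing.
NOTES: Dict[str, str] = {
    "!README_GMAN!.rtf": "Matrix",
    "#README_EMAN50#.rtf": "Matrix",
    "#NOBAD_README#.rtf": "Matrix",
    "!!!ReadMeToDecrypt.txt": "Scarab (suspected)",
    "readmy.txt": ENCR,
    "#RECOVERY_FILES#.txt": GARRANTY,
}
NOTES_LOWER = {k.lower(): v for k, v in NOTES.items()}

# The WannaCash variant keeps the original name and prefixes it with the
# Russian word for "encrypted" followed by a space.
WANNACASH_PREFIX = re.compile(r"^зашифровано (?P<orig>.+)$")


def _basename(path: str) -> str:
    """Last path component; accepts both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(path: str) -> List[str]:
    """Return indicator hits for one path as 'kind:family' strings.

    kind is 'note' (ransom note present), 'ext' (appended extension) or
    'rename' (WannaCash-style prefix). A path can produce several hits.
    """
    name = _basename(path)
    lower = name.lower()
    hits: List[str] = []
    if lower in NOTES_LOWER:
        hits.append(f"note:{NOTES_LOWER[lower]}")
    ext = os.path.splitext(lower)[1]
    if ext in EXTENSIONS:
        hits.append(f"ext:{EXTENSIONS[ext]}")
    if WANNACASH_PREFIX.match(name):
        hits.append("rename:WannaCash")
    return hits


def scan(paths: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group matching paths by family, then by indicator kind."""
    groups: Dict[str, Dict[str, List[str]]] = defaultdict(
        lambda: {"note": [], "ext": [], "rename": []}
    )
    for path in paths:
        for hit in classify(path):
            kind, family = hit.split(":", 1)
            groups[family][kind].append(path)
    return dict(groups)


def verdict(groups: Dict[str, Dict[str, List[str]]],
            min_file_hits: int = 3) -> Dict[str, str]:
    """Rate each family: a note is 'confirmed'; a cluster of renamed or
    re-extensioned files is 'probable'; a lone extension hit stays 'weak'
    because extensions like .encr also occur on legitimate files."""
    result: Dict[str, str] = {}
    for family, g in groups.items():
        if g["note"]:
            result[family] = "confirmed"
        elif len(g["ext"]) + len(g["rename"]) >= min_file_hits:
            result[family] = "probable"
        else:
            result[family] = "weak"
    return result


def walk_tree(root: str) -> Iterator[str]:
    """Yield every file path under root (for a real share or mounted image)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed sample listing (not real victim data) exercising each indicator kind.
SAMPLE_LISTING = [
    r"\\fs01\share\finance\Q3.xlsx.id-A1B2C3D4.[mail@example.com].boost",
    r"\\fs01\share\finance\budget.docx.id-A1B2C3D4.[mail@example.com].boost",
    r"\\fs01\share\finance\ledger.csv.id-A1B2C3D4.[mail@example.com].boost",
    r"\\fs01\share\hr\!README_GMAN!.rtf",
    r"\\fs01\share\hr\payroll.xlsx.GMAN",
    r"C:\Users\alice\Documents\зашифровано thesis.docx",
    r"C:\Users\alice\Documents\notes.encr",
    r"C:\Users\alice\Documents\readme.md",
]

if __name__ == "__main__":
    paths = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for family, rating in sorted(verdict(scan(paths)).items()):
        print(f"{rating:9} {family}")
```

Run it with a directory argument to walk a mounted share or forensic image; without one it rates the constructed listing, reporting Matrix as confirmed (note plus encrypted file), Dharma as probable (three .boost files, no note in the table) and the single .encr and WannaCash hits as weak. Raise `min_file_hits` on large shares where one or two stray extension matches are noise, and keep the tables in sync with the weekly entries as new variants appear.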