The Week in Ransomware – October 12th 2018

Lots of Scarab, Matrix, and Dharma variants this week as well as some good writeups on the GandCrab ransomware. Also of interest is the report published by ESET that ties NotPetya and Industroyer to the TeleBots Group.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @FourOctets, @demonslay335, @DanielGallagher, @LawrenceAbrams, @Seifreed, @malwrhunterteam, @hexwaxwing, @PolarToffee, @fwosar, @BleepinComputer, @struppigel, @jorntvdw, @ValthekOn, @John_Fokker, @fr0gger_, @ESET, @cherepanov74, @Robert_Lipovsky, @BBC, @thyrex2002, and @JakubKroustek.

October 6th 2018

God Crypt Joke Ransomware

MalwareHunterTeam found a new ransomware called God Crypt that does not appear to actually encrypt anything and looks to be a joke ransomware. It has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.

October 8th 2018

New Dharma Ransomware variant

Michael Gillespie found a new Dharma Ransomware variant, uploaded to ID Ransomware, that appends the .boost extension to encrypted files.

New Matrix Ransomware variants

Michael Gillespie found a new Matrix Ransomware variant, uploaded to ID Ransomware, that appends the .GMAN extension and drops a ransom note named !README_GMAN!.rtf. Michael also found a variant that appends the .EMAN50 extension and drops a note named #README_EMAN50#.rtf.

New Scarab Ransomware variant

Michael Gillespie found a new Scarab Ransomware variant that uses the extension .[[email protected]].crab and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

New Possible Scarab variant

Michael Gillespie found a new ransomware, possibly a Scarab variant, that appends the .qweuirtksd extension to encrypted files and drops a ransom note named !!!ReadMeToDecrypt.txt. There are victims on internetnewsblog.

New DecryptFox Ransomware

Michael Gillespie found a new ransomware, uploaded to ID Ransomware, that appends the .encr extension and drops a ransom note named readmy.txt.

October 9th 2018

Windows 10 Ransomware Protection Bypassed Using DLL Injection

At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

October 10th 2018

GandCrab Vaccine continues to work with version 5.0.3

Valthek’s vaccine for GandCrab continues to work with the release of version 5.0.3.

Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation

In an article from McAfee:

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes).


Council hit by cyber attack reveals £2m cost

The BBC reports:

Copeland Borough Council has revealed that an attack on its systems in August 2017 has cost it about £2m.

The hack locked staff out of a number of council services, including payroll, planning and environmental health.

The ransomware with the most annoying extension

Michael Gillespie found a new RotorCrypt variant that uses the most annoying extension I have ever seen. The extension is “[email protected]#$%^&-()_+.1C” and the ransom note is named INFO.txt.

New garrantydecrypt Ransomware

Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named #RECOVERY_FILES#.txt.

New Matrix Ransomware variant

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .NOBAD extension and drops a ransom note named #NOBAD_README#.rtf.

October 11th 2018

New Backdoor Ties NotPetya and Industroyer to TeleBots Group

Security researchers found the missing link that helps them prove that the NotPetya disk-wiping malware and the Industroyer backdoor for electric power systems are the work of the TeleBots group.

New Dharma Ransomware variant

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .[[email protected]].waifu extension.

October 12th 2018

WannaCash decryptor updated with new variant

Alex Svirid updated his WannaCash decryptor for a new variant that changes the file name to “зашифровано original_name” (“зашифровано” is Russian for “encrypted”).

That’s it for this week! Hope everyone has a nice weekend!
