April 26, 2017

The week started slowly, with most of the news being about small ransomware variants. It finished with a bang, though, with the reappearance of Locky riding on a strong wave of SPAM emails. As you can imagine, there were quite a few articles about Locky today.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @fwosar, @BleepinComputer, @malwrhunterteam, @PolarToffee, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @jiriatvirlab, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @RecordedFuture, @MarceloRivero, @dvk01uk, @siri_urz, @SenseCyBlog, and @TalosSecurity.

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

April 14th 2017

HiddenTear Variant That uses Random Extensions Being Developed

This one is a bit unique as it's a HiddenTear variant that actually does something a bit different. MalwareHunterTeam discovered this variant, which I am dubbing Black-Rose based on the email address; it randomly selects one of four extensions to append to each encrypted file. The four possible extensions are .ranranranran, .okokokokok, .loveyouisreal, & .whatthefuck. Drops a ransom note named READ_IT_FOR_GET_YOUR_FILE.txt.
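The random-extension behaviour above matters for defenders: a detector keyed on a single new extension would split one Black-Rose infection into four small bursts. The following is an added example, not code from the original article, showing a mass-rename burst detector grouped by process id; the event records and the pid values are constructed sample data.

```python
"""Mass-rename burst detector grouped by process, not by extension.
Added example, not from the roundup above: Black-Rose appends one of four
extensions per file, so counting renames per extension yields four small
bursts; grouping by pid still sees one burst. Sample events are constructed."""
import os
from collections import Counter, defaultdict, namedtuple

# Extensions quoted in the roundup for the Black-Rose variant.
BLACK_ROSE_EXTS = [".ranranranran", ".okokokokok", ".loveyouisreal", ".whatthefuck"]
RenameEvent = namedtuple("RenameEvent", "ts pid old_path new_path")  # ts in seconds

def appended_extension(ev):
    """Extension appended by a rename (old name became the new stem), else None."""
    stem, ext = os.path.splitext(ev.new_path)
    return ext if ext and stem == ev.old_path else None

def per_extension_counts(events):
    """Naive view: renames per appended extension, ignoring which process did them."""
    return Counter(e for e in map(appended_extension, events) if e)

def detect_bursts(events, window=10.0, threshold=5):
    """Flag pids that append extensions to >= threshold files within `window` seconds."""
    per_pid = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev)
        if ext:
            per_pid[ev.pid].append((ev.ts, ext))
    flagged = {}
    for pid, items in per_pid.items():
        items.sort()
        start = 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[pid] = {"count": len(items),
                                "extensions": sorted({e for _, e in items})}
                break
    return flagged

# Constructed sample: pid 4242 cycles the four extensions over 8 files in 4 s;
# pid 900 is a user renaming one report (no extension appended).
SAMPLE_EVENTS = [RenameEvent(100.0 + i * 0.5, 4242, f"/home/u/docs/file{i}.docx",
                             f"/home/u/docs/file{i}.docx{BLACK_ROSE_EXTS[i % 4]}")
                 for i in range(8)]
SAMPLE_EVENTS.append(RenameEvent(101.0, 900, "/home/u/draft.txt", "/home/u/report.txt"))

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))
```

On the sample, the per-extension view never exceeds two renames per extension, while the per-process view flags pid 4242 with all four extensions.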

pyCL Being Distributed Through Malicious Word Docs
Our resident polar bearess xXToffeeXx discovered that the pyCL ransomware is now being distributed via malicious Word documents.

Dharma Started Using a New Extension
Michael Gillespie noted that someone uploaded some Dharma Ransomware encrypted files to ID-Ransomware that use the .onion extension for encrypted files.

April 15th 2017
New Screenlocker using the Jigsaw Character
MalwareHunterTeam discovered a new screenlocker that utilizes the Jigsaw character. To unlock you can use the codes HaltStopp! or 12344321.


AutoIt-Based Ransomware called Schwerer Discovered

ESET researcher Jiri Kropac discovered a new ransomware developed in AutoIt called Schwerer. The ransomware is decryptable, so if you are infected do not pay the ransom and contact us.


April 16th 2017
Troldesh Goes Insane with the Dexter Extension

Jakub Kroustek discovered a sample of Troldesh that is using the .Dexter extension for encrypted files.


Ransomware Called Conficker Discovered
Emsisoft security researcher xXToffeeXx found a new ransomware named after Conficker. Go Figure. Adds .conficker extension to encrypted files and leaves a ransom note named Decrypt.txt.


Malabu Ransomware Discovered
BleepingComputer discovered Malabu Ransomware that uses a static key.


April 17th 2017
SnakeEye Ransomware Being Developed
MalwareHunterTeam found a sample of the in-development SnakeEye Ransomware being developed by the SNAKE EYE SQUAD. Open source crapola.

Destructive Turkish "Ransomware" Discovered
MalwareHunterTeam found a sample where a Turkish developer is creating a ransomware that doesn't encrypt, but rather just destroys your files.


April 18th 2017

New Karmen Ransomware-as-a-Service Advertised on Hacking Forums
According to threat intelligence firm Recorded Future, work started late last year on a new RaaS built on a HiddenTear variant called Karmen Ransomware. Can't believe there is a RaaS utilizing HiddenTear. Sad.

Atlas Ransomware Discovered
Malwarebytes malware researcher Marcelo Rivero discovered the Atlas Ransomware. This ransomware appends the .ATLAS extension to encrypted files and drops a ransom note named ATLAS_FILES.txt.


April 19th 2017
LOLI RanSomeWare Discovered
MalwareHunterTeam discovered that someone called "세원" created "LOLI RanSomeWare", apparently in January. It uses the .LOLI extension for encrypted files.

April 20th 2017
Jigsaw Ransomware with a Joker Background Discovered
MalwareHunterTeam discovered a new Jigsaw ransomware variant that uses a background featuring the Joker and Batman. Appends the .fun extension to encrypted files.

Karmen Ransomware Rebrands Itself as Mordor
Cyber Intelligence Blog SenseCy discovered a rebranded version of Karmen Ransomware being sold as Mordor Ransomware. This ransomware is being sold on Russian underground sites.


Why Won't HiddenTear Just Die Already
BleepingComputer found an in-development HiddenTear variant that appends the .locked extension to encrypted files. Only tries to encrypt the Desktop, but crashes due to a bug.

April 21st 2017

AES-NI Ransomware Dev Claims He's Using Shadow Brokers Exploits
The developer of the AES-NI ransomware claims that the recent "success" he's been enjoying is due to the NSA exploits leaked last week by the Shadow Brokers group. In a series of tweets he posted online, the AES-NI author alleges he successfully used ETERNALBLUE, an exploit targeting the SMBv2 protocol, to infect Windows servers across the globe and then install his home-made ransomware.


The return of Locky ransomware with fake receipts malspam
My Online Security writes that, after a break of several weeks, Locky ransomware has returned via emails with subjects such as Payment Receipt 2724 that pretend to come from random companies. Each email carries a PDF attachment containing an embedded macro-enabled Word doc; the macro downloads an encrypted txt file that is transformed into the Locky ransomware file redchip2.exe.

Editor's Note: While My Online Security had problems getting the samples to encrypt due to their VM detection, Malwarebytes researcher S!Ri confirmed, and I later confirmed, that Redchip2.exe is indeed Locky.

Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs
Cisco's Talos Group observed the first large scale Locky campaign in months from Necurs. This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.

The Locky Ransomware is Back and Still Adding OSIRIS to Encrypted Files
After a long hiatus, Locky is back with a fresh wave of SPAM emails containing malicious docs. While it is not known what caused Locky's hiatus, if they plan on pushing the ransomware like they previously did, then we all need to pay close attention.

