News

February 20, 2017

It was a very slow week when it comes to ransomware, which is a great thing. Hopefully it will stay that way.

The biggest news this week is the PoC ransomware targeting ICS/SCADA that was demonstrated at RSA, and the live stream by Fabian Wosar of him reversing and cracking a new ransomware called Hermes. Otherwise it was just a bunch of little variants released this week.

Contributors and those who provided new ransomware information and stories this week include:  @malwrhunterteam, @demonslay335, @PolarToffee, @fwosar, @DanielGallagher, @campuscodi, @BleepinComputer, @struppigel, @malwareforme, @jorntvdw, @FourOctets, @JAMESWT_MHT, @Seifreed, @nyxbone, Marcelo Rivero, @rbeyah, @emsisoft, @GeorgiaTech, @kaspersky, and @TrendMicro.

February 11th 2017

Ultranationalist Developer Behind SerbRansom Ransomware

An ultranationalist developer from Serbia is behind a series of malware strains, including a new ransomware family named SerbRansom, discovered yesterday by security researcher MalwareHunter.

New Ransomware adding Victim's Files to Password-Protected RAR Archives

Michael Gillespie initiated a hunt for the ransomware associated with a note submitted to ID-Ransomware. This ransomware uses WinRar to put a victim's files into password-protected RAR files and then demands .35 bitcoins for the password.


February 13th 2017

New Samas Ransomware Variant Discovered

Michael Gillespie discovered a new sample of the Samas/SamSam ransomware that is adding the .encryptedyourfiles extension to encrypted files and leaving a ransom note named 001-READ-FOR-DECRYPT-FILES.html.

A New CyberSplitter Ransomware Variant Discovered

Karsten Hahn discovered a new variant of the CyberSplitter Ransomware that pretends to be from the FBI and states "Your Computer has been locked!".


February 14th 2017

Researchers Create PoC Ransomware That Targets ICS/SCADA Systems

Researchers from Georgia Tech (GIT) have created a proof-of-concept ransomware strain that can alter programmable logic controller (PLC) parameters. The research team presented their work yesterday at the RSA cyber-security conference in San Francisco.

75% of All Ransomware Developed by Russian-Speaking Criminals

Out of the 62 ransomware families found active in 2016, security firm Kaspersky Lab says that 47 of these strains contained artifacts that allowed attribution to Russian-speaking criminals. That means that 75% of all the ransomware families active during the past year were developed by a Russian-speaking coder, most likely hiding in one of the former Soviet states.

Two More CyberSplitter Ransomware Variants Discovered

Karsten Hahn discovered two more variants of the CyberSplitter Ransomware. One example, shown below, will state that the victim has been Crypted by Saher Blue Eagle.


New Variant of JobCrypter using New Contact Emails

A new variant of the JobCrypter Ransomware was discovered by MalwareHunterTeam that uses new contact email addresses.

February 15th 2017

Cerber Ransomware Doesn't Encrypt Files Belonging to Security Products

Trend Micro has spotted a new variant of the Cerber ransomware that contains a function that searches for locally-installed security products and avoids encrypting their files, so firewalls, antivirus or antispyware products can continue working even after Cerber has locked the computer.


N1N1N1 Ransomware Changed its Filemarker in Encrypted Files

Michael Gillespie noticed that the N1N1N1 Ransomware switched to using 333333333333 as the filemarker found in encrypted files.

February 16th 2017

Hermes Ransomware Decrypted in Live Video by Emsisoft's Fabian Wosar

Emsisoft CTO and Malware Researcher Fabian Wosar has stated in the past that he wanted to perform an educational live stream about reversing malware. Today, after GData security researcher Karsten Hahn discovered a new ransomware called Hermes, Fabian decided to use it as the sample for his first live streaming session.


PrincessLocker Starts Using a new name for the Ransom Note

Michael Gillespie discovered that PrincessLocker switched to using a new ransom note name of @_USE_TO_FIX_JJnY.txt.

Kasiski Ransomware Discovered

Malwarebytes malware researcher Marcelo Rivero has discovered the new Kasiski Ransomware. It uses a ransom note named INSTRUCCIONES.txt and prepends [KASISKI] to the beginning of encrypted files.


News courtesy: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/