News

The Week in Ransomware - March 10th 2017 - Spora, Cerber, and Technical Writeups

March 13, 2017

Another week and a lot more crappy ransomware released. Of particular interest is that Cerber no longer encrypts filenames, Emsisoft released a CryptON decryptor, and lots of really good technical writeups about ransomware.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @BleepinComputer, @PolarToffee, @fwosar, @malwareforme, @jorntvdw, @FourOctets, DanielGallagher, @campuscodi, @struppigel, @JAMESWT_MHT, @Seifreed, @jiriatvirlab, @mesa_matt, @SwiftOnSecurity, Kevin Douglas, @ESET, @Malwarebytes, @kaspersky, @RSAsecurity, @PaloAltoNtwks, @TalosSecurity, @CheckPointSW, and @JavelinNetworks.

March 5th 2017

Jigsaw 4.6 Ransomware Discovered

I discovered a new variant of the Jigsaw Ransomware which labels itself as version 4.6. This version includes a new lock screen, speech, and message box alerts. It does not currently encrypt anything.
C6KtrLeWQAEoYjA1

March 6th 2017

Ransomware Hits Pennsylvania Senate Democrats

A ransomware infection shut down the computer network of the Pennsylvania Senate Democratic Caucus on Friday morning, officials said in a statement issued to the local press.

New Fadesoft Variant Discovered

Emsisoft researcher xXToffeeXx found a new variant of the FadeSoft Ransomware that utilizes a new ransom note.
C6OpBaiXQAASqfP1

CryptoJacky Ransomware Encrypts Files Using Aescrypt.exe

ESET security researcher Jiri Kropac discovered a new Spanish ransomware called CryptoJacky. This ransomware is bundled with a program called Aescrypt.exe that is used to perform the actual encryption.
C6PxAFSVMAALNL61

March 7th 2017

Shamoon Disk-Wiping Malware Upgraded with Ransomware Module

Kaspersky has discovered that the Shamoon disk-wiping malware has received a major upgrade during the past few months, and now features a ransomware module, along with support for both 32-bit and 64-bit architectures.

New Enjey Ransomware Discovered

MalwareHunterTeam discovered a new ransomware called Enjey, which is based off of RemindMe.
C6TLeXbXQAA O X1

Unlock92 Changes the Name of it's Ransom Note

MalwareHunterTeam found a new sample of Unlock92 that uses a new ransom note name. The new name is READ_ME_!.txt.

Nhtnwcuf Ransomware Discovered

Michael Gillespie found a new ransomware called Nhtnwcuf that does not encrypt your files, but just messes them up. File are destroyed. Uses ransom notes named !_RECOVERY_HELP_!.txt or HELP_ME_PLEASE.txt.

March 8th 2017

Someone Named Paul Working on a HiddenTear Ransomware

MalwareHunterTeam found an in-dev ransomware based on HiddenTear being created by someone named "Paul" from France. Hi Paul!

C6aSJsBWUAUEHi01

Emsisoft Releases a Decryptor for the CryptON Ransomware

Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable.

decryption finished

Crypt0l0cker (TorrentLocker): Old Dog, New Tricks

The Cisco Talos Group published a in-depth article about Crypt0L0cker, or TorrentLocker, and its resurgence. We also covered this last week, though not as deeply, last week.

New CryptoLocker 1.0.0 Targeting Turkish Users

MalwareHunterTeam discovered a new ransomware targeting Turkish victims called CryptoLocker 1.0.0.
C6dgL98WgAAvfov1

March 9th 2017

New RanRan Ransomware Uses Encryption Tiers, Political Message

Researchers from Palo Alto Networks have come across a new ransomware family that combines many unique features, such as political statements, public subdomain creation, and encryption tiers.

RanRan ransom note

New Cerber Ransomware Variant Released That Keeps Original Filename

Emsisoft researcher Sarah, otherwise known as xXToffeeXx, and SwiftOnSecurity found a new sample of Cerber that leaves the original filename the same and only appends a random extension as shown below.

encrypted files

New Vortex Ransomware Discovered

Karsten Hahn discovered a new Polish ransomware called Vortex. This ransomware appends the .aes extension to the names of encrypted files.

C6d b42WMAA1QwM1

New VapeLauncher Ransomware Discovered

You know vaping has become too popular when a ransomware is named after it. Karsten Hahn has discovered a new CryptoWire variant called VapeLauncher.

C6d3aNeWgAA55mD1

Spora Ransomware: Understanding the HTA Infection Vector

Kevin Douglas a Senior Manager Engineering at RSA Security wrote a really detailed into Spora Ransomware and its use of the HTA infection vector. Good read for those who are interested in Spora or how ransomware utilizes different attack vectors.

March 9th 2017

PadCrypt Reached Version 3.4.0

MalwareHunterTeam found a sample of PadCrypt stating that it is now version 3.4.0.

SAMAS RansomWorm: The Next-Gen Ransomware That Stole $450,000

An interesting article by Javelin Networks explaining how the Samas/SamSam ransomware spreads throughout a network.

March 10th 2017

Explained: Spora ransomware

Malwarebytes posted an technical analysis into the Spora Ransomware. Good read for those interested in Spora.

Distributors of Sage also Spread the August Stealer

A twitter conversation between ProofPoint researcher Matthew Mesa and MalwareHunterTeam about how the distributors of Sage are also known for distributing the file and information stealer called August Stealer.

Android Adware and Ransomware Found Preinstalled on High-End Smartphones

Two companies have discovered that someone had covertly installed malware on 38 devices used by their employees. Check Point Software has states that they've identified two malware families on the infected phonesas Loki adware/infostealer and Slocker mobile ransomware.

News Courtesy : https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/