This has been an interesting week in ransomware news. We had the GandCrab ransomware being released and distributed by exploit kits, Tor gateways stealing ransom payments from ransomware devs, and a bunch of towns and public bodies getting hit with ransomware.
Contributors and those who provided new ransomware information and stories this week include: @hexwaxwing, @demonslay335, @Seifreed, @campuscodi, @LawrenceAbrams, @malwareforme, @PolarToffee, @struppigel, @malwrhunterteam, @BleepinComputer, @jorntvdw, @fwosar, @DanielGallagher, @FourOctets, @proofpoint, @CryptoInsane, @Malwarebytes, @thedailyherald, @wcnc, @BBCWorld.
January 29th 2018
David Montenegro discovered a new ransomware called GandCrab that was released towards the end of last week and is currently being distributed via exploit kits. GandCrab has some features not seen before in ransomware: it is the first to accept the DASH cryptocurrency as payment and the first to use the Namecoin-powered .BIT TLD.
Proofpoint discovered that the operators of at least one Tor proxy service were recently caught replacing Bitcoin addresses on ransomware payment sites, diverting funds meant to pay for decrypters to the proxy's own operators. Victims who reach a payment site through such a gateway rather than directly over Tor can therefore pay and still not receive a decrypter.
According to NBC Charlotte, the Chester County school district was hit with ransomware.
Chester County School District posted on its Facebook page Monday that ransomware hit the district’s servers over the weekend. The post went on to say that no data has been taken or breached, and it has a specialist on site to assist the district.
Michael Gillespie discovered a new variant of Dharma/Crysis uploaded to ID-Ransomware that appends the .write extension to encrypted files.
January 30th 2018
According to The Daily Herald, the Spring Hill, Tennessee city computers were hit with an undisclosed ransomware.
According to the Herald-Journal, the Spartanburg County Public Libraries in South Carolina were hit with an undisclosed ransomware.
According to the BBC:
Mansplaining, ransomware and hangry are among more than 1,000 words that have been added to the latest Oxford English Dictionary (OED).
January 31st 2018
MalwareHunterTeam discovered a new ransomware called MindLost that encrypts users' files and redirects them to an online page to pay the ransom by credit or debit card.
Michael Gillespie discovered a new variant of Globe Imposter uploaded to ID-Ransomware that appends the .DREAM extension to encrypted files.
February 1st 2018
The US Federal Bureau of Investigation (FBI) announced on Tuesday that it would be awarding the FBI Director’s Community Leadership Award to Michael Gillespie for his efforts in combating ransomware and helping users who fell victims to this threat.
David Montenegro discovered that GandCrab is being promoted as a RaaS on underground criminal forums.
February 2nd 2018
Malwarebytes reports that a new version of the Scarab ransomware has been spotted in the wild. Instead of being distributed via email spam campaigns, the crooks are brute-forcing computers with weakly secured, Internet-exposed RDP connections and installing the ransomware manually on each system they get into.
Michael Gillespie discovered a new Cryptomix variant uploaded to ID-Ransomware this week, and today I was able to find a sample so we can see what has changed. For the most part it is the same as previous variants, except that it now appends the .SYSTEM extension to encrypted files and changes the contact emails used by the ransomware.
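The RDP brute-force entry described for this Scarab campaign leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (4624, LogonType 10) from that same address. The script below is an added example, not code from the article or from Malwarebytes; the event records are constructed for illustration and the five-failures-in-ten-minutes threshold is an assumption to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each dict flattens the fields of a
# Windows Security event: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    # 203.0.113.7: password spray against RDP, then a success -> hands-on intrusion
    {"ts": "2018-02-02T03:10:00", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2018-02-02T03:10:05", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2018-02-02T03:10:09", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"ts": "2018-02-02T03:10:14", "id": 4625, "logon_type": 10, "user": "scan", "src": "203.0.113.7"},
    {"ts": "2018-02-02T03:10:20", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2018-02-02T03:11:02", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    # 10.0.0.5: a user mistyping their password twice, then logging in normally
    {"ts": "2018-02-02T08:00:00", "id": 4625, "logon_type": 10, "user": "jdoe", "src": "10.0.0.5"},
    {"ts": "2018-02-02T08:00:30", "id": 4625, "logon_type": 10, "user": "jdoe", "src": "10.0.0.5"},
    {"ts": "2018-02-02T08:00:50", "id": 4624, "logon_type": 10, "user": "jdoe", "src": "10.0.0.5"},
    # 198.51.100.9: failures hours apart, below the rate threshold used here
    {"ts": "2018-02-02T01:00:00", "id": 4625, "logon_type": 10, "user": "root", "src": "198.51.100.9"},
    {"ts": "2018-02-02T04:00:00", "id": 4625, "logon_type": 10, "user": "root", "src": "198.51.100.9"},
    {"ts": "2018-02-02T07:00:00", "id": 4625, "logon_type": 10, "user": "root", "src": "198.51.100.9"},
    {"ts": "2018-02-02T09:00:00", "id": 4625, "logon_type": 10, "user": "root", "src": "198.51.100.9"},
    {"ts": "2018-02-02T12:00:00", "id": 4625, "logon_type": 10, "user": "root", "src": "198.51.100.9"},
    # 192.0.2.44: network (LogonType 3) failures are not RDP and are ignored
    {"ts": "2018-02-02T03:10:00", "id": 4625, "logon_type": 3, "user": "svc", "src": "192.0.2.44"},
    {"ts": "2018-02-02T03:10:01", "id": 4625, "logon_type": 3, "user": "svc", "src": "192.0.2.44"},
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: details} for sources that produced at least `threshold`
    RDP logon failures inside `window`. If a later RDP success from the same
    source is seen, it is recorded under "success_after": that is the point at
    which an operator would be on the box installing the ransomware by hand."""
    rdp = sorted((e for e in events if e["logon_type"] == 10),
                 key=lambda e: e["ts"])  # ISO timestamps sort correctly as strings
    recent = defaultdict(deque)  # src -> (timestamp, user) of failures within window
    alerts = {}
    for e in rdp:
        ts, src = datetime.fromisoformat(e["ts"]), e["src"]
        if e["id"] == 4625:
            q = recent[src]
            q.append((ts, e["user"]))
            while ts - q[0][0] > window:  # drop failures that fell out of the window
                q.popleft()
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["users"].add(e["user"])
            elif len(q) >= threshold:
                alerts[src] = {"first_failure": q[0][0], "failures": len(q),
                               "users": {u for _, u in q}, "success_after": None}
        elif e["id"] == 4624 and src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = (ts, e["user"])
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        state = "COMPROMISED" if info["success_after"] else "attempted"
        print(f"{src}: {info['failures']} RDP failures from {info['first_failure']} "
              f"against {sorted(info['users'])} [{state}]")
```

In practice you would feed this the 4624/4625 events exported from the target hosts or your SIEM rather than the embedded sample. One caveat worth knowing before trusting the LogonType filter: on hosts with Network Level Authentication enabled, a failed RDP attempt is typically logged as a 4625 with LogonType 3 rather than 10, so a rule built only on LogonType 10 failures will miss the spray on those hosts; a source that racks up many type 3 failures and then produces a type 10 success deserves the same alert.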
Lawrence Abrams discovered a new variant of InfiniteTear called InfiniteTear V3. It still uses Telegram to send your details to the developer. It also appends the .Infinite extension to encrypted files, drops a ransom note named #How_Decrypt_Files.txt, and has [email protected] as the contact info.