The Week in Ransomware – February 2nd 2018 – TOR Sites Stealing Ransom Payments & GandCrab

This has been an interesting week in ransomware news. We had the GandCrab ransomware being released and distributed by exploit kits, TOR gateways stealing ransom payments from ransomware devs, and a bunch of towns getting hit with ransomware.

Contributors and those who provided new ransomware information and stories this week include: @hexwaxwing, @demonslay335, @Seifreed, @campuscodi, @LawrenceAbrams, @malwareforme, @PolarToffee, @struppigel, @malwrhunterteam, @BleepinComputer, @jorntvdw, @fwosar, @DanielGallagher, @FourOctets, @proofpoint, @CryptoInsane, @Malwarebytes, @thedailyherald, @wcnc, @BBCWorld.

January 29th 2018

GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension

A new ransomware called GandCrab, discovered by David Montenegro, was released towards the end of last week and is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin-powered .BIT TLD.


Tor-to-Web Proxy Caught Replacing Bitcoin Addresses on Ransomware Payment Sites

Proofpoint discovered that the operators of at least one Tor proxy service were recently caught replacing Bitcoin addresses on ransomware payment sites, diverting funds meant to pay for ransomware decrypters to the proxy operators.
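As an added illustration of the address substitution Proofpoint describes (example code, not from this article or from Proofpoint): the snippet below extracts the checksum-valid legacy Bitcoin addresses from two fetches of the same payment page, one from the .onion origin and one through a Tor-to-Web proxy, and reports any address that was removed or injected along the way. The sample pages are constructed and the addresses are well-known public examples, not real ransom wallets.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy addresses start with '1' or '3' and are 26-35 characters long.
_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # leading '1' chars become leading zero bytes
    except OverflowError:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def extract_addresses(html: str) -> set:
    """All checksum-valid legacy Bitcoin addresses appearing in a page body."""
    return {m.group(0) for m in _ADDR_RE.finditer(html) if b58check_valid(m.group(0))}


def compare_payment_pages(origin_html: str, proxied_html: str) -> dict:
    """Diff the addresses served by the .onion origin against those served via a proxy."""
    origin = extract_addresses(origin_html)
    proxied = extract_addresses(proxied_html)
    return {
        "missing": origin - proxied,    # addresses the proxy stripped or rewrote
        "injected": proxied - origin,   # addresses that only appear through the proxy
        "tampered": origin != proxied,
    }


# Constructed sample pages (assumption: both fetches are of the same payment page).
ORIGIN_PAGE = "<p>Send 0.5 BTC to <b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b> to get your decrypter.</p>"
PROXIED_PAGE = "<p>Send 0.5 BTC to <b>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</b> to get your decrypter.</p>"

if __name__ == "__main__":
    print(compare_payment_pages(ORIGIN_PAGE, PROXIED_PAGE))
```

The checksum filter keeps random Base58-looking strings in the HTML from being reported as addresses; it does not, on its own, tell a legitimate address from a substituted one, which is why the two fetches are compared.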

SC school district latest victim to ransomware

According to NBC Charlotte, the Chester County school district was affected by ransomware.

Chester County School District posted on its Facebook page Monday that ransomware hit the district’s servers over the weekend. The post went on to say that no data has been taken or breached, and it has a specialist on site to assist the district.

New Dharma/Crysis variant

Michael Gillespie discovered a new variant of Dharma/Crysis uploaded to ID-Ransomware that uses the .write extension.

January 30th 2018

Utility payments back online following ransomware

According to The Daily Herald, the Spring Hill, Tennessee city computers were hit with an undisclosed ransomware.

Spartanburg public library computer system hit by ransomware

According to the Herald-Journal, the Spartanburg County Public Libraries in South Carolina were hit with an undisclosed ransomware.

Hangry and ransomware added to Oxford English Dictionary

According to the BBC:

Mansplaining, ransomware and hangry are among more than 1,000 words that have been added to the latest Oxford English Dictionary (OED).

January 31st 2018

MindLost Ransomware Is a Piece of Junk That Wants to Collect Credit Card Details

MalwareHunterTeam discovered a new ransomware called MindLost that encrypts users' files and redirects them to an online page to pay the ransom via credit/debit card.


New GlobeImposter variant discovered

Michael Gillespie discovered a new variant of Globe Imposter uploaded to ID-Ransomware that appends the .DREAM extension to encrypted files.


February 1st 2018

Ransomware Hero to Receive FBI Award

The US Federal Bureau of Investigation (FBI) announced on Tuesday that it would be awarding the FBI Director's Community Leadership Award to Michael Gillespie for his efforts in combating ransomware and helping users who fell victim to this threat.

GandCrab Ransomware being sold as a Ransomware as a Service (RaaS)

David Montenegro discovered that GandCrab is being promoted as a RaaS on underground criminal forums.

February 2nd 2018

Scarabey Ransomware – A Scarab Version Targeting Enterprises

Malwarebytes discovered that a new version of the Scarab ransomware has been spotted in the wild. Instead of being distributed via email spam campaigns, crooks are brute-forcing computers with weakly secured RDP connections and installing the ransomware manually on each system.

System Cryptomix Ransomware Variant Released

Michael Gillespie discovered a new Cryptomix variant uploaded to ID-Ransomware this week. Today, I was able to find a sample so we can see what has changed. For the most part, it is the same as previous variants except it now appends the .SYSTEM extension to encrypted files and changes the contact emails used by the ransomware.


New Tear Dr0p v2 Ransomware discovered

MalwareHunterTeam discovered a new ransomware called Tear Dr0p v1. This ransomware taunts you via speech from the computer's speakers. It is decryptable.


InfiniteTear V3 released

Lawrence Abrams discovered a new variant of InfiniteTear called InfiniteTear V3. It still uses Telegram to send your details to the developer. It also appends the .Infinite extension to encrypted files, drops a ransom note named #How_Decrypt_Files.txt, and has [email protected] as the contact info.


That’s it for this week! Hope everyone has a nice weekend!