Jump to content
Login new information ×
Login new information

The Week in Ransomware - March 31st 2017 - Sanctions, Android, and Creepy Skulls

CrAKeN

By CrAKeN
in Security & Privacy News

Recommended Posts

CrAKeN

CrAKeN

Posted
Posted

Lots of Android ransomware news this week even though Google feels they are pretty rare. Also some updates to tools created by Michael Gillespie (CryptoSearch & ID-Ransomware), a new RaaS, a new PyCL ransomware being distributed via RIG, and ransomware asking for 6 bitcoin ransoms while making fun of USA sanctions on Russia.

 

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @malwrhunterteam, @BleepinComputer, @struppigel, @demonslay335,  @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @kafeine, @FreeBSDfan, @rommeljoven17, @BroadAnalysis, @nyxbone, @Malwarebytes, @Google, @zscaler, and @Lookout

 

If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

 

 

March 25th 2017

 

CryptoSearch Updated to Support Files Encrypted by Spora

 

Michael Gillespie has updated CryptoSearch so that it now supports files encrypted by Spora Ransomware.

 

C7zsywUXkAAwrHJ%5B1%5D.jpg

 

New Ransomware called WannaCry

 

GData security researcher Karsten Hahn found a new ransomware called WannaCry.

 

C77YGlJXwAAfjLc%5B1%5D.jpg

 

Spanish Ransomware Pretends to be a Windows Update

 

Karsten Hahn found a Spanish ransomware that uses Smart Install Maker and bunch of .vbs scripts to encrypt a computer. When run it pretends to be Windows Update.

 

In-Dev MemeLocker Discovered

 

Karsten Hahn keeps pumping out the new ransomware infections with MemeLocker. This ransomware is in development, but based on its name, I hope we wont see pictures of cats everywhere.

 

C752cAeW0AAmgMA%5B1%5D.jpg

 

 

March 28th 2017

 

Unskilled Group Behind Many Junk Ransomware Strains

 

A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.

 

KimcilWare%5B1%5D.jpg

 

Yesterday's iOS 10.3 Update Bring Safari Ransomware Campaign to an End

 

According to Lookout, the iOS 10.3 update, released yesterday, has thwarted a screen-locking ransomware campaign that used a bug in mobile Safari to lock users' browsers and demand a ransom paid in iTunes pre-paid gift cards.

 

Safari-ransomware.png

 

PyCL Ransomware Delivered via RIG EK in Distribution Test

 

This past Saturday security researchers KafeineMalwareHunterteamBroadAnalysis, and David Martínez discovered a new ransomware being distributed through EITest into the RIG exploit kit. As this ransomware was only distributed for one day and does not securely encrypt files, it makes me believe that this may have been a test distribution run.

 

pycl.jpg

 

R Ransomware Discovered

 

R is for Ransomware according to the new ransomware discovered by MalwareHunterTeam. Not sure what the big S is for at the bottom of the ransom page.

 

C8AXxElXgAAA2Yv%5B1%5D.jpg

 

Skulls are Creepy According to the AnDROid Ransomware

 

MalwareHunterTeam discovered another ransomware today called AnDROid. This ransomware appends the .android extension to encrypted files. Even cooler the skull is animated. Such skillz!!

 

PeqnDDA.gif

 

Ransom Hunt Underway for pr0tect Ransomware

 

Michael Gillespie initiated a ransomware hunt for that uses the .pr0tect and drops a ransom note called READ ME ABOUT DECRYPTION.txt.

 

 

March 29th 2017

 

Explained: Sage ransomware

 

Malwarebytes explains how Sage is yet another ransomware that has become a common threat nowadays. Similarly to Spora, it has capabilities to encrypt files offline. The malware is actively developed and currently, we are facing an outbreak of version 2.2. of this product.

 

sage22%5B1%5D.png

 

HappyDayzz Sample Found

 

MalwareHunterTeam found a sample of the HappyDayzz Ransomware. What is interesting about this ransomware is that it uses different encryption algorithms depending on the response from the C2 server.

 

C8GMvEwWsAE2Nkw%5B1%5D.jpg

 

DoNotChange Ransomware Discovered

 

MalwareHunterTeam found a sample of the DoNotChange Ransomware.

 

C8HCjltXUAAAOtb%5B1%5D.jpg

 

New RaaS called File Frozr Discovered

 

Rommel Joven discovered a new RaaS called File Frozr.

 

C8EMXVdW0AEqi84%5B1%5D.jpg

 

 

March 30th 2017

 

Decryptor for the DoNotChange Ransomware Released

 

Michael Gillespie released a decryptor for the DoNotChange Ransomware. Instructions can be found here.

 

C8LkbTTUwAEJDnB%5B1%5D.jpg

 

Google: Ransomware on Android Is Exceedingly Rare

 

Android apps spreading ransomware aren't as common as most users and security experts think, says Jason Woloz, Sr. Program Manager for Android Security at @Google.

 

CryptoSearch Updated to Support Files Encrypted by FadeSoft

 

Michael Gillespie released an updated version of CryptoSearch that supports files encrypted by FadeSoft.

 

ID-Ransomware can now Identify Files Encrypted by FadeSoft

 

Michael Gillespie added support for FadeSoft identification to ID-Ransomware.

 

C8NOUvRUQAAIlu8%5B1%5D.jpg

 

 

March 31st 2017

 

New Android Ransomware Evades All Mobile Antivirus Solutions

 

Zscaler has spotted a new strain of Android ransomware that could evade detection on all mobile antivirus engines at the time of its discovery. Currently targeting Russian-speaking users, this ransomware lacks basic decryption functionality. This means that users infected with this ransomware version cannot unlock their phones and regain access to their data, even if they pay the ransom.

 

Android-Ransomware.jpg

 

Introducing the Ugly LanRan Ransomware

 

Don't ransomware developers have any pride anymore? This is obviously not apparent with the LanRan ransomware discovered by Karsten Hahn. This ransomware appears to be in-dev as it just sets the background and displays an ugly ransom lock screen. The contact email for this crapsomware is [email protected].

 

lanran.jpg

 

New Variant of the Fantom Ransomware

 

MalwareHunterTeam discovered a new variant of the Fantom Ransomware. When I took a look, its quite different then its predecessors. This variant will encrypt files and rename them to a base64 encoded filename with an extension that is based on the time the ransomware started. The extension format is .. An example is Ny5wbmc=.11232323. The ransom note is named in a similar manner with a name like RESTORE-FILES..11232323.hta. 

 

It logs the status of the infection process by retrieving one of these two images hxxp://iplogger.ru/1qzM6.gif or hxxp://iplogger.ru/1wzM6.gif. If its detects the user is from Russia, it terminates the process and deletes the infection from the computer.

 

lock-screen.png

 

New version of CrypVault Found

 

Karsten Hahn found a new version of CrypVault. This variant tells victims to contact [email protected].

 

C8PyKd0XcAEWS0D%5B1%5D.jpg

 

Ransom Hunt Underway for Cradle Ransomware

 

Michael Gillespie initiated a ransomware hunt for that uses the extension .cradle and drops a ransom note called _HOW_TO_UNLOCK_FILES_.html.

 

C8RWD0cXYAA5zjP%5B1%5D.jpg

 

Sanctions Ransomware Makes Fun of USA Sanctions Against Russia

 

If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. Dubbed Sanctions Ransomware due to the image in the ransom note, the developer makes it fairly obvious how they feel about the USA and their attempts to sanction Russia.

 

header.jpg

 

Source

Link to comment
Share on other sites
  • Views 1.4k
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...