This was not a very busy week, with mostly new variants of STOP Djvu and Dharma being released.

The bad news is that the RIG exploit kit was discovered distributing the GetCrypt Ransomware through PopCash malvertising campaigns. The good news is that Emsisoft was quickly able to come up with a decryptor for that ransomware and also released a decryptor for JSWorm 2.0.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @BleepinComputer, @PolarToffee, @fwosar, @jorntvdw, @demonslay335, @hexwaxwing, @LawrenceAbrams, @FourOctets, @struppigel, @DanielGallagher, @malwrhunterteam, @Seifreed, @nao_sec, @VK_Intel, @Emsisoft, @NirajC, @WDRBNews, @x42x5a, @GrujaRS, @bartblaze, and @HONKONE_K.

May 18th 2019

New ransomware discovered

Michael Gillespie found a new ransomware that appends the .[epta.mcold@gmail.com] extension and drops a ransom note named !INSTRUCTI0NS!.TXT.

New in-dev EZDZ Ransomware

MalwareHunterTeam found a new in-dev ransomware called EZDZ that utilizes the .EZDZ extension and drops a ransom note named HELP_PC.EZDZ-REMOVE.txt.

New Radman STOP Djvu Ransomware variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .radman extension.

May 20th 2019

New Ferosas STOP Djvu Ransomware variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .ferosas extension.

New TOR13 Dharma variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .TOR13 extension to encrypted files.

Cryptocurrency scam pushing ransomware

Frost found an Ether scam distributing a new ransomware.

May 21st 2019

JSWorm 2.0 Ransomware Decryptor Gets Your Files Back For Free

A decryptor for the JSWorm 2.0 Ransomware has been released by Emsisoft this week that allows victims to decrypt their files for free. If you become infected with JSWorm 2.0, do not pay the ransom and instead follow the instructions below.

Louisville Regional Airport Authority hit by 'ransomware' attack

WDRB reports: "The Louisville Regional Airport Authority said it fell victim to ransomware Monday morning."

May 22nd 2019

GetCrypt Ransomware Brute Forces Credentials, Decryptor Released

A new ransomware called GetCrypt is being installed through malvertising campaigns that redirect victims to the RIG exploit kit. Once installed, GetCrypt will encrypt all of the files on a computer and then demand a ransom payment to decrypt the files.

Hackers Are Holding Baltimore Hostage: How They Struck and What’s Next

A NY Times article by Niraj Chokshi covering Baltimore being hit by the RobbinHood ransomware. Also includes a quote from your favorite ransomware information site :)

New Rectot STOP Djvu Ransomware variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .rectot extension.

New Les Scarab Ransomware variant

Michael Gillespie found a new Scarab Ransomware variant that appends the .les# extension and drops a ransom note named как расшифровать файлы les#.TXT.

Wiper disguised as ransomware distributed via email

honkone found an email pushing a malicious executable. Bart analyzed it and determined it was ransomware, but Michael Gillespie stated it was actually a wiper. The fun of malware.

May 23rd 2019

STOP Djvu Decryptor updated

Michael Gillespie updated the STOP Djvu decryptor to support the offline IDs for the .ferosas, .rectot, and .INFOWAIT variants.

Sodinokibi Ransomware Poised to Impact Larger Enterprises

Coveware states:

"Given the sophisticated attack vector and the investment the developers of Sodinokibi have made to their payment TOR site, this variant seems to be poised to become a popular choice among ransomware distributors."

New Good Dharma variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .GOOD extension to encrypted files.

NordFox Ransomware discovered

GrujaRS discovered the NordFox Ransomware, which appends the .legacy extension to encrypted files and drops a ransom note named READ_ME.txt.

May 24th 2019

New Skymap STOP Djvu Ransomware variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .skymap extension.

That's it for this week! Hope everyone has a nice weekend!
