CrAKeN Posted April 2, 2017

Lots of Android ransomware news this week even though Google feels they are pretty rare. Also some updates to tools created by Michael Gillespie (CryptoSearch & ID-Ransomware), a new RaaS, a new PyCL ransomware being distributed via RIG, and ransomware asking for 6 bitcoin ransoms while making fun of USA sanctions on Russia.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @malwrhunterteam, @BleepinComputer, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @kafeine, @FreeBSDfan, @rommeljoven17, @BroadAnalysis, @nyxbone, @Malwarebytes, @Google, @zscaler, and @Lookout. If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

March 25th 2017

CryptoSearch Updated to Support Files Encrypted by Spora
Michael Gillespie has updated CryptoSearch so that it now supports files encrypted by Spora Ransomware.

New Ransomware called WannaCry
GData security researcher Karsten Hahn found a new ransomware called WannaCry.

Spanish Ransomware Pretends to be a Windows Update
Karsten Hahn found a Spanish ransomware that uses Smart Install Maker and a bunch of .vbs scripts to encrypt a computer. When run it pretends to be Windows Update.

In-Dev MemeLocker Discovered
Karsten Hahn keeps pumping out the new ransomware infections with MemeLocker. This ransomware is in development, but based on its name, I hope we won't see pictures of cats everywhere.

March 28th 2017

Unskilled Group Behind Many Junk Ransomware Strains
A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.
Yesterday's iOS 10.3 Update Brings Safari Ransomware Campaign to an End
According to Lookout, the iOS 10.3 update, released yesterday, has thwarted a screen-locking ransomware campaign that used a bug in mobile Safari to lock users' browsers and demand a ransom paid in iTunes pre-paid gift cards.

PyCL Ransomware Delivered via RIG EK in Distribution Test
This past Saturday security researchers Kafeine, MalwareHunterteam, BroadAnalysis, and David Martínez discovered a new ransomware being distributed through EITest into the RIG exploit kit. As this ransomware was only distributed for one day and does not securely encrypt files, it makes me believe that this may have been a test distribution run.

R Ransomware Discovered
R is for Ransomware according to the new ransomware discovered by MalwareHunterTeam. Not sure what the big S is for at the bottom of the ransom page.

Skulls are Creepy According to the AnDROid Ransomware
MalwareHunterTeam discovered another ransomware today called AnDROid. This ransomware appends the .android extension to encrypted files. Even cooler, the skull is animated. Such skillz!!

Ransom Hunt Underway for pr0tect Ransomware
Michael Gillespie initiated a ransomware hunt for a ransomware that uses the .pr0tect extension and drops a ransom note called READ ME ABOUT DECRYPTION.txt.

March 29th 2017

Explained: Sage ransomware
Malwarebytes explains how Sage is yet another ransomware that has become a common threat nowadays. Similarly to Spora, it has capabilities to encrypt files offline. The malware is actively developed and currently, we are facing an outbreak of version 2.2 of this product.

HappyDayzz Sample Found
MalwareHunterTeam found a sample of the HappyDayzz Ransomware. What is interesting about this ransomware is that it uses different encryption algorithms depending on the response from the C2 server.

DoNotChange Ransomware Discovered
MalwareHunterTeam found a sample of the DoNotChange Ransomware.
New RaaS called File Frozr Discovered
Rommel Joven discovered a new RaaS called File Frozr.

March 30th 2017

Decryptor for the DoNotChange Ransomware Released
Michael Gillespie released a decryptor for the DoNotChange Ransomware. Instructions can be found here.

Google: Ransomware on Android Is Exceedingly Rare
Android apps spreading ransomware aren't as common as most users and security experts think, says Jason Woloz, Sr. Program Manager for Android Security at @Google.

CryptoSearch Updated to Support Files Encrypted by FadeSoft
Michael Gillespie released an updated version of CryptoSearch that supports files encrypted by FadeSoft.

ID-Ransomware can now Identify Files Encrypted by FadeSoft
Michael Gillespie added support for FadeSoft identification to ID-Ransomware.

March 31st 2017

New Android Ransomware Evades All Mobile Antivirus Solutions
Zscaler has spotted a new strain of Android ransomware that could evade detection on all mobile antivirus engines at the time of its discovery. Currently targeting Russian-speaking users, this ransomware lacks basic decryption functionality. This means that users infected with this ransomware version cannot unlock their phones and regain access to their data, even if they pay the ransom.

Introducing the Ugly LanRan Ransomware
Don't ransomware developers have any pride anymore? This is obviously not apparent with the LanRan ransomware discovered by Karsten Hahn. This ransomware appears to be in-dev as it just sets the background and displays an ugly ransom lock screen. The contact email for this crapsomware is [email protected].

New Variant of the Fantom Ransomware
MalwareHunterTeam discovered a new variant of the Fantom Ransomware. When I took a look, it's quite different than its predecessors. This variant will encrypt files and rename them to a base64 encoded filename with an extension that is based on the time the ransomware started. The extension format is .. An example is Ny5wbmc=.11232323.
The ransom note is named in a similar manner with a name like RESTORE-FILES..11232323.hta. It logs the status of the infection process by retrieving one of these two images hxxp://iplogger.ru/1qzM6.gif or hxxp://iplogger.ru/1wzM6.gif. If it detects the user is from Russia, it terminates the process and deletes the infection from the computer.

New version of CrypVault Found
Karsten Hahn found a new version of CrypVault. This variant tells victims to contact [email protected].

Ransom Hunt Underway for Cradle Ransomware
Michael Gillespie initiated a ransomware hunt for a ransomware that uses the extension .cradle and drops a ransom note called _HOW_TO_UNLOCK_FILES_.html.

Sanctions Ransomware Makes Fun of USA Sanctions Against Russia
If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. Dubbed Sanctions Ransomware due to the image in the ransom note, the developer makes it fairly obvious how they feel about the USA and their attempts to sanction Russia.
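As an added example (not part of the original post, and not code from any of the researchers or tools it cites), here is a small Python triage script for the Fantom variant described above. Given a directory listing, it recognises the "base64 stem plus numeric extension" naming scheme, decodes the original filename back out of the stem (the post's Ny5wbmc= decodes to 7.png), picks out the RESTORE-FILES ransom note, and groups everything by the numeric extension so an incident responder can tell which files belong to one run. The two regexes and every sample filename other than the two taken from the post are my own assumptions, constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed patterns, derived from the naming scheme described in the post:
#   encrypted file : <base64 of original name>.<digits>   e.g. Ny5wbmc=.11232323
#   ransom note    : RESTORE-FILES.<...>.<digits>.hta      e.g. RESTORE-FILES..11232323.hta
FANTOM_FILE_RE = re.compile(r"^([A-Za-z0-9+/]+={0,2})\.(\d+)$")
FANTOM_NOTE_RE = re.compile(r"^RESTORE-FILES\..*?(\d+)\.hta$", re.IGNORECASE)

# Constructed directory listing: the first two names come from the post,
# the rest are made up to exercise the matcher.
SAMPLE_LISTING = [
    "Ny5wbmc=.11232323",           # from the post: base64 of "7.png"
    "RESTORE-FILES..11232323.hta",  # ransom note name from the post
    "aW52b2ljZS5kb2N4.11232323",    # constructed: base64 of "invoice.docx"
    "readme.txt",                   # untouched file, must be ignored
    "notes.1234",                   # numeric extension but stem is not valid base64
]


@dataclass
class Finding:
    path: str
    kind: str                    # "encrypted_file" or "ransom_note"
    original_name: Optional[str]  # recovered filename, None for the note
    run_id: str                  # numeric extension tied to when the sample started


def decode_original_name(stem: str) -> Optional[str]:
    """Strictly base64-decode a stem back to the original filename.

    Returns None unless the stem is valid base64 that decodes to printable
    UTF-8 text without path separators, which filters most false positives.
    """
    try:
        raw = base64.b64decode(stem, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not name or not name.isprintable() or "/" in name or "\\" in name:
        return None
    return name


def classify(filename: str) -> Optional[Finding]:
    """Map one filename to a Finding, or None if it does not match the scheme."""
    note = FANTOM_NOTE_RE.match(filename)
    if note:
        return Finding(filename, "ransom_note", None, note.group(1))
    m = FANTOM_FILE_RE.match(filename)
    if m:
        original = decode_original_name(m.group(1))
        if original is not None:
            return Finding(filename, "encrypted_file", original, m.group(2))
    return None


def triage(filenames: Iterable[str]) -> Tuple[List[Finding], Set[str]]:
    """Return all findings plus the set of distinct run identifiers seen."""
    findings = [f for f in (classify(n) for n in filenames) if f is not None]
    runs = {f.run_id for f in findings}
    return findings, runs


if __name__ == "__main__":
    found, run_ids = triage(SAMPLE_LISTING)
    for f in found:
        print(f"{f.kind:15} {f.path:32} -> {f.original_name or '-'} (run {f.run_id})")
    print("distinct runs:", sorted(run_ids))
```

Pointing the same functions at a real listing (for example `os.listdir` on an affected share) gives a mapping from scrambled names back to originals before any decryption attempt, and the run identifier lets you separate one infection from an earlier one that used the same naming scheme.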