This week's ransomware news was dominated by the release of the GandCrab 5.2 decryptor, the Sodinokibi Ransomware taking off, and a new ransomware called LooCipher spreading via spam.

The best news is that BitDefender was able to release a decryptor for GandCrab. The bad news is that Sodinokibi is poised to fill the hole left by GandCrab shutting down.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @malwareforme, @demonslay335, @LawrenceAbrams, @struppigel, @fwosar, @malwrhunterteam, @PolarToffee, @Seifreed, @jorntvdw, @FourOctets, @DanielGallagher, @VirITeXplorer, @KyleHanslovan, @HuntressLabs, @proofpoint, @VK_Intel, @Europol, @Bitdefender, @petrovic082, @JakubKroustek, @thyrex2002, @Amigo_A_, @M_Shahpasandi, @_CPResearch_, and @campuscodi.

Below is the ransomware news this week.

June 15th 2019

New [Locked] Ransomware

Michael Gillespie is looking for a new ransomware that appends the [LOCKED] extension and drops a ransom note named UNLOCK INSTRUCTIONS.txt.

New Hack Dharma Ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .HACK extension to encrypted files.

New 0day Dharma Ransomware variant

Michael Gillespie found a new Dharma Ransomware variant that appends the .0Day extension to encrypted files.

Stop Decryptor updated

Michael Gillespie updated his Stop Decryptor to support the offline key for the .vesad extension variant.

June 17th 2019

Release of GandCrab 5.2 Decryptor Ends a Bad Ransomware Story

In collaboration with law enforcement agencies around the world, Bitdefender has released an updated decryptor for the GandCrab Ransomware that can decrypt files encrypted by versions 1, 4, and 5 through 5.2.

New Horon STOP Djvu variant

Michael Gillespie found a new variant of STOP Djvu ransomware that appends the .horon extension to encrypted files.

New Orion version of Major Ransomware

Amigo-A found a new variant of the Major Ransomware that appends the .orion extension to encrypted files and drops a ransom note named READ_ME.orion.

June 18th 2019

WannaCash Decryptor updated

Alex Svirid updated his WannaCash Decryptor to support new variants.

New Middleman Ransomware

Michael Gillespie is looking for a new ransomware that appends the .middleman2020 extension and drops a ransom note named !INSTRUCTI0NS!.TXT.

New Copan DCRTR Ransomware

Amigo-A found a new variant of the DCRTR Ransomware that appends the .COPAN extension and drops ransom notes named HOW TO DECRYPT FILES.txt and HOW TO DECRYPT FILES.hta.

June 19th 2019

Ryuk Ransomware Adds IP and Computer Name Blacklisting

A new variant of the Ryuk Ransomware has been discovered that adds IP address and computer name blacklisting so that matching computers will not be encrypted.

New Neras STOP Djvu variant

Michael Gillespie found a new variant of STOP Djvu ransomware that appends the .neras extension to encrypted files.

New Adage Phobos Ransomware variant

M. Shahpasandi found a new variant of the Phobos Ransomware that appends the .id[********-****].[helpteam38@protonmail.com].adage extension to encrypted files.

Florida city pays $600,000 to ransomware gang to have its data back

The city council for Riviera Beach, Florida, voted this week to pay more than $600,000 to a ransomware gang so city officials could recover data that was locked and encrypted more than three weeks ago.

June 20th 2019

DanaBot Banking Trojan Upgraded with 'Non Ransomware' Module

A new malicious campaign is distributing an upgraded variant of DanaBot that comes with a new ransomware module used to target potential victims from Italy and Poland via phishing emails that deliver malware droppers. Check Point also released a decryptor for this ransomware.

Stop Decryptor updated

Michael Gillespie updated his Stop Decryptor to support the offline key for the .horon extension variant.

New Ransomnix Ransomware variant

Amigo-A found a new variant of the Ransomnix Ransomware that appends the .dmo extension and drops a ransom note named HOW_TO_RETURN_FILES.txt.

June 21st 2019

Sodinokibi Ransomware Spreads Wide via Hacked MSPs, Sites, and Spam

With the GandCrab Ransomware operation shutting down, affiliates are looking to fill the hole left behind with other ransomware. Such is the case with the Sodinokibi Ransomware, whose affiliates are using a wide range of tactics to distribute the ransomware and earn a commission.

New LooCipher Ransomware Spreads Its Evil Through Spam

A new ransomware called LooCipher has been discovered that is actively being used in the wild to infect users. While it is not known exactly how this ransomware is being distributed, based on some of the files that were found, we believe it is through a spam campaign.

New Truke STOP Djvu variant

Michael Gillespie found a new variant of STOP Djvu ransomware that appends the .truke extension to encrypted files.

New Bitch Ransomware

MalwareHunterTeam found a new ransomware that calls itself "Bitch Ransomware". Nuff said.

That's it for this week! Hope everyone has a nice weekend!
