The Week in Ransomware – December 22nd 2017 – WannaCry, Arrests, & More

The holidays are upon us and that means even ransomware developers are taking some time off. This showed this week with very few ransomware infections being released and for the most part we have only seen new variants of existing infections.

The biggest news is the U.S. government officially attributing the WannaCry Ransomware to North Korea. Other big news are various arrests associated with affiliates of Cerber and CTB-Locker.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @Seifreed, @BleepinComputer, @FourOctets, @malwrhunterteam, @malwareforme, @fwosar, @campuscodi, @PolarToffee, @demonslay335, @hexwaxwing, @jorntvdw, @LawrenceAbrams, @struppigel, @sdkhere, @Amigo_A_, @FortiGuardLabs, @TomBossert45, @WSJ, @ITSimplifie.

December 18th 2017

New variant of the RSAUtil Ransomware

Amigo-A discovered a new variant of the RSAUtil Ransomware that uses the extension .ID.GORILLA and drops a ransom note named How_return_files.txt.

Satan Cryptor Ransomware 2.0 discovered

Jack discovered the Satan Cryptor 2.0 Ransomware that appends the .satan extension and tries to spread via SMB.

Fake bitcoin multiplier installs ransomware

SDK discovered a fake bitcoin multipler that installs ransomware.

December 19th 2017

White House Officially Blames North Korea for WannaCry Ransomware Outbreak

In an op-ed in the Wall Street Journal, President Trump’s Homeland Security Adviser Thomas Bossert has officially blamed North Korea for the WannaCry ransomware incident that devasted hundreds of thousands of computers worldwide in May this year.

GlobeImposter with the .wallet extension

Michael Gillespie discovered a new GlobeImposter ransomware variant that appends the .wallet extension.

Retis Ransomware Discovered

SDK discovered the Retis Ransomware that appends the .crypted extension to encrypted files.

Another RSAUtil variant discovered

Amigo-A discovered another RSAUtil Ranssomware variant. This one appends the extension .ID.VENDETTA.

December 20th 2017

Five Romanians Arrested for Spreading CTB-Locker and Cerber Ransomware

Romanian authorities have arrested five people on accusations of spreading email spam that infected users with the CTB-Locker and Cerber ransomware families.

December 21st 2017

Hackers Used DC Police Surveillance System to Distribute Cerber Ransomware

A Romanian man and woman are accused of hacking into the outdoor surveillance system deployed by Washington DC police, which they used to distribute ransomware.

VenusLocker Ransomware Gang Switches to Monero Mining

FortiGuard Labs released research about how the criminal group behind previous campaigns that have spread the VenusLocker ransomware have now switched their focus to delivering a Monero cryptocurrency miner instead.

GlobeImposter variant being spread via malspam

Eric Taylor discovered that a GlobeImposter variant that appends .doc is being spread via malspam with JS downloaders.

Security Brief: The French Retis Ransomware Appends .Crypted

The Retis Ransomware was discovered by security researcher SDK on December 19th 2017.  This is a .NET ransomware, so its source code is easily accessible. When started it will first target the victim’s Desktop, Documents, and Pictures folder for encryption. After encrypting those folder, it will target the rest of the drives on the computer.

File-Locker Ransomware Targets Korean Victims and asks for 50K Won

This is a quick analysis of a ransomware discovered by Lawrence Abrams called File-Locker. This brief will contain technical information related to how it infects a computer, how it is distributed, and whether it can be decrypted or not.[…]

To read the original articlehttps://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-22nd-2017-wannacry-arrests-and-more/

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *