The Week in Ransomware – April 17th 2020

There was not a lot of new ransomware variants released this week, but some pretty interesting news about operations changing their tactics to remain more profitable and to evade law enforcement.

Sodinokibi/REvil is phasing out support for Bitcoin ransom payments in favor of Monero to make it harder for law enforcement to trace them.

Finally, Nemty Ransomware is moving from a public ransomware-as-a-service to a private one to become more exclusive and entice more experienced affiliates to join their organization.

We also have Ragnar Locker getting a name for itself after it was discovered they encrypted Portugal’s Energias de Portugal (EDP) and allegedly stole 10TB of data.

Contributors and those who provided new ransomware information and stories this week include: @Ionut_Ilascu, @FourOctets, @demonslay335, @DanielGallagher, @malwrhunterteam, @struppigel, @BleepinComputer, @fwosar, @VK_Intel, @Seifreed, @serghei, @jorntvdw, @LawrenceAbrams, @malwareforme, @PolarToffee, @siri_urz, @fbgwls245, @emsisoft, @RedDrip7, @Jirehlov, @JakubKrouste, @Amigo_A_, and @GrujaRS.

April 11th 2020

Sodinokibi Ransomware to stop taking Bitcoin to hide money trail

The Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track ransom payments and plans to stop allowing bitcoin payments in the future.

Reports Say Epiq Has Laid Off Some 200 Employees In Wake Of Ransomware Attack

The international e-discovery and managed services company Epiq Global has laid off some 200 employees, with more layoffs yet to come, according to several sources familiar with the situation.

April 12th 2020

New Wiper Malware impersonates security researchers as prank

A malware distributor has decided to play a nasty prank by locking victim’s computers before they can start Windows and then blaming the infection on two well-known and respected security researchers.


Ransomware writer issues an apology

The author of the KokoCrypt ransomware issued an apology after a ransomware he made got leaked into the wild.


New Golang Ransomware variant

Jirehlov and RedDrip found a new ransomware that that appends the .bug extension and drops a ransom note named Read_Bug.html.

April 13th 2020

New ransomware hunt

Michael Gillespie found a new ransomware that appends the .SARS-CoV-2 extension and drops a ransom note named RECOVER MY ENCRYPTED FILES.TXT.

New DOP Dharma variant

dnwls0719 found a new variant of the Dharma Ransomware that appends the .dop extension to encrypted files.

April 14th 2020

RagnarLocker ransomware hits EDP energy giant, asks for €10M

Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M).

EDP ransom note

New Creepy Ransomware

S!Ri found a new Creepy Ransomware that appends the .creepy extension to encrypted files.


New Lalo STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Ransomware that appends the .lalo extension to encrypted files.

Emsisoft’s Aurora decryptor updated

Emsisoft updated their Aurora decryptor to support the .bukyak and .serpom extensions.

Emsisoft releases KokoCrypt decryptor

Emsisoft has released a decryptor for the KokoCrypt ransomware.

April 15th 2020

Nemty Ransomware shuts down public RaaS operation, goes private

The Nemty Ransomware is shutting down its public Ransomware-as-a-Service (RaaS) operation and switching to an exclusive private operation where affiliates are hand-selected for their expertise.

New Nemty variant has messages for researchers

MalwareHunterTeam found a new Nemty 3.1 ransomware variant that has messages for Michael Gillespie, MalwareHunterTeam, and Amigo_A.


New DEC Dharma Ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .dec extension to encrypted files.

April 16th 2020

New Balaclava Ransomware variant

GrujaRS found a new variant of the Balaclava Ransomware that appends the .KEY0004 extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.

April 17th 2020

Leading accounting firm MNP hit with cyberattack

A leading accounting firm in Canada forced a company-wide shutdown of their systems after getting hit with a cyberattack last weekend, BleepingComputer has learned.

New Fidesz ransomware

MalwareHunterTeam found a new in-development ransomware from Hungary called Fidesz ransomware.


That’s it for this week! Hope everyone has a nice weekend!


Next Post

To tame testing chaos, NIH and firms join forces to streamline coronavirus vaccine and drug efforts | Science

Sat Apr 18 , 2020
National Institutes of Health Director Francis Collins Tom Williams/CQ Roll Call via AP Images By Jocelyn KaiserApr. 17, 2020 , 7:45 PM Science‘s COVID-19 reporting is supported by the Pulitzer Center. More than 100  treatments and vaccines are in development to stem the COVID-19 pandemic, and some onlookers have worried that […]