There were not a lot of new ransomware variants released this week, but there was some pretty interesting news about operations changing their tactics to remain more profitable and to evade law enforcement.
Sodinokibi/REvil is phasing out support for Bitcoin ransom payments in favor of Monero to make it harder for law enforcement to trace them.
Finally, Nemty Ransomware is moving from a public ransomware-as-a-service to a private one to become more exclusive and entice more experienced affiliates to join their organization.
We also have Ragnar Locker getting a name for itself after it was discovered they encrypted Portugal’s Energias de Portugal (EDP) and allegedly stole 10TB of data.
Contributors and those who provided new ransomware information and stories this week include: @Ionut_Ilascu, @FourOctets, @demonslay335, @DanielGallagher, @malwrhunterteam, @struppigel, @BleepinComputer, @fwosar, @VK_Intel, @Seifreed, @serghei, @jorntvdw, @LawrenceAbrams, @malwareforme, @PolarToffee, @siri_urz, @fbgwls245, @emsisoft, @RedDrip7, @Jirehlov, @JakubKrouste, @Amigo_A_, and @GrujaRS.
April 11th 2020
The Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track ransom payments and plans to stop allowing bitcoin payments in the future.
The international e-discovery and managed services company Epiq Global has laid off some 200 employees, with more layoffs yet to come, according to several sources familiar with the situation.
April 12th 2020
A malware distributor has decided to play a nasty prank by locking victims' computers before they can start Windows and then blaming the infection on two well-known and respected security researchers.
The author of the KokoCrypt ransomware issued an apology after ransomware he made was leaked into the wild.
April 13th 2020
Michael Gillespie found a new ransomware that appends the .SARS-CoV-2 extension and drops a ransom note named RECOVER MY ENCRYPTED FILES.TXT.
dnwls0719 found a new variant of the Dharma Ransomware that appends the .dop extension to encrypted files.
April 14th 2020
Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M).
S!Ri found a new Creepy Ransomware that appends the .creepy extension to encrypted files.
Michael Gillespie found a new variant of the STOP Ransomware that appends the .lalo extension to encrypted files.
Emsisoft updated their Aurora decryptor to support the .bukyak and .serpom extensions.
Emsisoft has released a decryptor for the KokoCrypt ransomware.
April 15th 2020
The Nemty Ransomware is shutting down its public Ransomware-as-a-Service (RaaS) operation and switching to an exclusive private operation where affiliates are hand-selected for their expertise.
MalwareHunterTeam found a new Nemty 3.1 ransomware variant that has messages for Michael Gillespie, MalwareHunterTeam, and Amigo_A.
Jakub Kroustek found a new Dharma Ransomware variant that appends the .dec extension to encrypted files.
April 16th 2020
GrujaRS found a new variant of the Balaclava Ransomware that appends the .KEY0004 extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.
April 17th 2020
A leading accounting firm in Canada forced a company-wide shutdown of their systems after getting hit with a cyberattack last weekend, BleepingComputer has learned.
MalwareHunterTeam found a new in-development ransomware from Hungary called Fidesz ransomware.