The Week in Ransomware – April 3rd 2020

Over the past two weeks, we have seen an increase in warnings from law enforcement agencies stating that healthcare organizations need to be on high alert for attacks by ransomware operators and other attackers who are looking to capitalize on the Coronavirus pandemic.

In addition, we continue to see new variants released from the common ransomware families such as STOP, Dharma, and others.

Finally, the Wall Street Journal broke the news this week that Travelex paid a $2.3 million ransom to REvil to get their company back up and running.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @Seifreed, @malwareforme, @struppigel, @LawrenceAbrams, @FourOctets, @BleepinComputer, @demonslay335, @fwosar, @malwrhunterteam, @serghei, @DanielGallagher, @Ionut_Ilascu, @VK_Intel, @jorntvdw, @fbgwls245, @emsisoft, @JAMESWT_MHT, @Intel471Inc, @thyrex2002, @GrujaRS, @siri_urz, @quickheal, @FaLconIntel, @Amigo_A_, @ceostroff, and @INTERPOL_HQ.

March 28th 2020

New Mado STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Ransomware that appends the .mado extension to encrypted files.

March 30th 2020

New Jigsaw Ransomware

JAMESWT found a new Jigsaw Ransomware variant targeting Italian users and appending the .math extension to encrypted files.


March 31st 2020

ILELECTION2020 Ransomware discovered

MalwareHunterTeam found a new Stupid Ransomware variant called ILELECTION2020 that targets Israelis and appends the .likud extension to encrypted files.


New BB Ransomware

dnwls0719 found the BB Ransomware that appends the .encryptedbyBB extension to encrypted files.


Aurora Ransomware decryptor updated

Emsisoft updated their Aurora decryptor to support the .CoronaLock extension.

Nephilim Ransomware fixes spelling mistake

dnwls0719 spotted the Nephilim ransomware, which previously used the different and uncommon spelling Nefilim. This variant uses the .NEPHILIM extension and drops a ransom note named NEPHILIM-DECRYPT.txt.

REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation

REvil, aka Sodinokibi or Sodin, is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil were first observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.

April 1st 2020

Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks

Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network.

New WannaCash variant utilizes a COVID-19 theme

Alex Svirid found a new variant of the WannaCash Ransomware that appends the COVID-19 themed extension of .WANNACASH NCOV v310320.

New Rogue Ransomware

GrujaRS found the new HiddenTear ransomware named Rogue Ransomware that appends the .rogue extension and impersonates 


April 2nd 2020

New Boruta Ouroboros Ransomware variant

Michael Gillespie found a new Boruta Ouroboros Ransomware variant that appends the .Boruta extension.

April 3rd 2020

New MrDec Ransomware

S!Ri found the MrDec Ransomware that appends the .[ID]_RSA extension.


New MSPLT Dharma Ransomware variant

dnwls0719 found a new Dharma Ransomware variant that appends the .MSPLT extension to encrypted files.

April 4th 2020

New Jope STOP Ransomware variant

Michael Gillespie found a new STOP Ransomware variant that appends the .jope extension to encrypted files.

April 6th 2020

Interpol: Ransomware attacks on hospitals are increasing

INTERPOL (International Criminal Police Organisation) warns that cybercriminals are increasingly attempting to lock hospitals out of critical systems by attempting to deploy ransomware on their networks despite the currently ongoing COVID-19 outbreak.

New BlackOrchid Ransomware variant

GrujaRS found a new BlackOrchid Ransomware variant that appends the .shinya extension to encrypted files.

April 7th 2020

New Revon Phobos variant

dnwls0719 found a new Phobos Ransomware variant that appends the .revon extension and drops ransom notes named info.txt and info.hta.

April 8th 2020

New Corona Virus IQ Ransomware

MalwareHunterTeam found a new “Corona Virus IQ” Ransomware from Iraq that appends the .corona extension to encrypted files.

New Joke (?) Ransomware decrypts if you win a game

S!Ri found a new ransomware that states it will decrypt your files if you win a game.

New Gibberish variant spread through RIG-EK

FaLcon Intelligence found that a new variant of the Gibberish Ransomware is being spread through the RIG exploit kit.


April 9th 2020

Dharma Ransomware Variant Malspam Targeting COVID-19

One such spear-phishing campaign is being used by the Dharma ransomware variant (Crysis). First noted in 2016, Dharma ransomware has been around for almost five years now and periodically reappears with a new variant. The threat actors want to leverage every scenario to escape detection and deliver the payload.

New Jope Mpaj Ransomware variant

Michael Gillespie found a new STOP Ransomware variant that appends the .mpaj extension to encrypted files.

Travelex Reportedly Paid $2.3 Million Ransom to Restore Operations

Travelex reportedly paid a $2.3 million ransom payment to get their systems back online after being encrypted by a Sodinokibi ransomware attack.

April 10th 2020

New BearCrypt Ransomware

GrujaRS found a new ransomware called BearCrypt that only targets .jpg and .png files. When encrypting files, it appends the .crypt extension and drops a ransom note named Readme.txt. It appears to be in development.

New Aurora Ransomware variant

GrujaRS found a new Aurora Ransomware variant that appends the .bukyak extension.

Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay

Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online.

That’s it for this week! Hope everyone has a nice weekend!

