Over the past two week, we have seen an increase in warnings from law enforcement agencies stating that healthcare organizations need to be on high alert for attacks by ransomware operators and other attackers who are looking to capitalize on the Coronavirus pandemic.
In addition, we continue to see new variants released from the common ransomware families such as STOP, Dharma, and others.
Finally, the Wall Street Journal broke the news this week that Travelex paid a $2.3 million ransom to REvil to get their company back up and running.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @Seifreed, @malwareforme, @struppigel, @LawrenceAbrams, @FourOctets, @BleepinComputer, @demonslay335, @fwosar, @malwrhunterteam, @serghei, @DanielGallagher, @Ionut_Ilascu, @VK_Intel, @jorntvdw, @fbgwls245, @emsisoft, @JAMESWT_MHT, @Intel471Inc, @thyrex2002, @GrujaRS, @siri_urz, @quickheal, @FaLconIntel, @Amigo_A_, @ceostroff, and @INTERPOL_HQ.
March 28th 2020
Michael Gillespie found a new variant of the STOP Ransomware that appends the .mado extension to encrypted files.
March 30th 2020
JAMESWT found a new Jigsaw Ransomware variant targeted Italian users and appending the .math extension to encrypted files.
March 31st 2020
MalwareHunterTeam found a new Stupid Ransomware variant called ILELECTION2020 that targets Israelis and appends the .likud extension to encrypted files.
dnwls0719 found the BB Ransomware that appends the .encryptedbyBB extension to encrypted files.
Emsisoft updated their Aurora decryptor to support the .CoronaLock extension.
dnwls0719 spotted the Nephilim ransomware, which was previously using a different and uncommon spelling of Nefilim in the past. This variant uses the .NEPHILIM extension and drops a ransom note named NEPHILIM-DECRYPT.txt.
REvil aka Sodinokibi, Sodin is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil first were observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.
April 1st 2020
Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network.
Alex Svirid found a new variant of the WannaCash Ransomware that appends the COVID-19 themed extension of .WANNACASH NCOV v310320.
GrujaRS found the new HiddenTear ransomware named Rogue Ransomware that appends the .rogue extension and impersonates
April 2nd 2020
Michael Gillespie found a new Boruta Ouroboros Ransomware variant that appends the .Boruta extension.
April 3rd 2020
S!Ri found the MrDec Ransomware that appends the .[ID]_RSA extension.
dnwls0719 found a new Dharma Ransomware variant that appends the .MSPLT extension to encrypted files.
April 4th 2020
Michael Gillespie found new STOP Ransomware variant that appends the .jope extension to encrypted files.
April 6th 2020
The INTERPOL (International Criminal Police Organisation) warns that cybercriminals are increasingly attempting to lockout hospitals out of critical systems by attempting to deploy ransomware on their networks despite the currently ongoing COVID-19 outbreak.
GrujaRS found anew BlackOrchid Ransomware variant that appends the .shinya extension to encrypted files.
April 7th 2020
dnwls0719 found a new Phobos Ransomware variant that appends the .revon extension and drops ransom notes named info.txt and info.hta.
April 8th 2020
MalwareHunterTeam found a new “Corona Virus IQ” Ransomware from Iraqthat appends the .corona extension to encrypted files.
S!Ri found a new ransomware that states it will decrypt your files if you win a game.
FaLcon Intelligence found that a new variant of the Gibberish Ransomware is being spread through the RIG exploit kit.
April 9th 2020
One such spear-phishing campaign is being used by the Dharma ransomware variant (Crysis). First noted in 2016, Dharma ransomware has been around for almost five years now and keeps popping out with a new variant, periodically. The threat actors want to leverage every scenario to escape detection and deliver the payload.
Michael Gillespie found new STOP Ransomware variant that appends the .mpaj extension to encrypted files.
Travelex reportedly paid a $2.3 million ransom payment to get their systems back online after being encrypted by a Sodinokibi ransomware attack.
April 10th 2020
GrujaRS found a new ransomware called BearCrypt that only targets .jpg and .png files. When encrypted it appends the .crypt extension and drops a ransom note named Readme.txt. Appears to be in-dev.
GrujaRS found a new Aurora Ransomware variant that appends the .bukyak extension.
Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online.