For the most part it has been a quiet week, with mostly new variants of existing ransomware families being released. We also did not see many new large victims disclosed, mostly updates on existing ones.
Of particular note is the Black Kingdom ransomware attempting to exploit Pulse Secure VPN flaws to install ransomware. If you are using Pulse Secure VPN appliances, be sure that all applicable patches are installed.
Another interesting story was the discovery by GData’s Karsten Hahn of a new Java-based remote access trojan called STRRAT that contains ransomware functionality.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @struppigel, @PolarToffee, @VK_Intel, @malwareforme, @LawrenceAbrams, @BleepinComputer, @jorntvdw, @Ionut_Ilascu, @serghei, @FourOctets, @malwrhunterteam, @fwosar, @demonslay335, @Seifreed, @CERTNZ, @campuscodi, @fbgwls245, @Amigo_A_, and @siri_urz.
June 13th 2020
Operators of Black Kingdom ransomware are targeting enterprises running unpatched Pulse Secure VPN software, or networks where the attackers already have initial access, security researchers have found.
Amigo-A found a new MedusaLocker variant that appends the .EG extension and drops a ransom note named Recovery_Instructions.html.
June 14th 2020
Scammers are targeting website owners with blackmail messages asking them to pay ransoms between $1,500 and $3,000 in bitcoins to avoid having their sites’ databases leaked and their reputation destroyed.
June 15th 2020
Michael Gillespie found a new variant of the Dharma Ransomware that appends the .r3f5s extension to encrypted files.
Michael Gillespie found two new variants of the STOP Ransomware that append the .usam or .tabe extensions to encrypted files.
June 16th 2020
U.S. system-on-chip (SoC) maker MaxLinear disclosed that some of its computing systems were encrypted by Maze Ransomware operators last month, after an initial breach that took place around April 15.
Michael Gillespie is looking for a ransomware that appends the .20dfs extension and drops a ransom note named DECODING_FILES.txt.
In a Form S-1 filed with the SEC today, DraftKings disclosed that SBTech, with which it merged in April, was hit by a ransomware attack at the end of March 2020.
We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.
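The weak-password part of that warning is something defenders can check for directly. The following is an added example (not code from the original article or from CERT NZ): a small Python detection that flags RDP password guessing and, more importantly, a password guess that succeeded. It works on constructed sample records reduced to five fields (timestamp, event ID, logon type, source IP, target user); the Windows event semantics are real (4625 failed logon, 4624 successful logon, logon type 10 RemoteInteractive, i.e. RDP), but the records, IP addresses, user names and the threshold of five failures in ten minutes are illustrative assumptions, not taken from the page.

```python
"""Flag RDP password guessing in a Windows Security log export.

Added example, not part of the original article. Windows event semantics
used here are real: 4625 = failed logon, 4624 = successful logon, logon
type 10 = RemoteInteractive (RDP). The records below are constructed for
this example; they are not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample (assumption): 203.0.113.7 guesses passwords over RDP and
# then lands a valid one; 198.51.100.4 is a user who mistyped twice; 192.0.2.9
# logs in cleanly; 192.0.2.50 is a network (type 3) logon, not RDP.
SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, source_ip, target_user)
    ("2020-06-15T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-06-15T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2020-06-15T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2020-06-15T02:00:07", 4625, 10, "203.0.113.7", "jsmith"),
    ("2020-06-15T02:00:09", 4625, 10, "203.0.113.7", "jsmith"),
    ("2020-06-15T02:00:12", 4624, 10, "203.0.113.7", "jsmith"),
    ("2020-06-15T08:15:00", 4625, 10, "198.51.100.4", "mlee"),
    ("2020-06-15T08:15:20", 4625, 10, "198.51.100.4", "mlee"),
    ("2020-06-15T08:15:40", 4624, 10, "198.51.100.4", "mlee"),
    ("2020-06-15T09:00:00", 4624, 10, "192.0.2.9", "svc-monitor"),
    ("2020-06-15T09:05:00", 4625, 3, "192.0.2.50", "svc-monitor"),
]


def parse_event(rec):
    """Turn one simplified record into typed fields."""
    ts, event_id, logon_type, ip, user = rec
    return datetime.fromisoformat(ts), event_id, logon_type, ip, user


def detect_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return a list of (source_ip, alert_kind, detail) tuples, in time order.

    brute_force:            `threshold` or more failed RDP logons from one
                            source inside a sliding `window`
    success_after_failures: a successful RDP logon from a source already
                            flagged, i.e. a guessed password that worked;
                            this is the one to page someone about
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside window
    flagged = set()
    alerts = []
    for rec in sorted(events, key=lambda r: r[0]):
        ts, event_id, logon_type, ip, user = parse_event(rec)
        if logon_type != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) logons matter here
        q = recent_failures[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if event_id == FAILED_LOGON:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute_force",
                               f"{len(q)} failed RDP logons within {window}"))
        elif event_id == SUCCESS_LOGON and ip in flagged:
            alerts.append((ip, "success_after_failures",
                           f"valid RDP logon as {user} after {len(q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_password_guessing(SAMPLE_EVENTS):
        print(f"{kind:24} {ip:15} {detail}")
```

On the sample data the 203.0.113.7 source produces a brute_force alert on its fifth failure and a success_after_failures alert when the guess for jsmith lands; the two mistyped logons from 198.51.100.4 stay below the threshold and produce nothing. In a real deployment the records would come from a SIEM or Get-WinEvent export rather than a hard-coded list, and a successful logon after a run of failures should also be cross-checked against MFA logs, since MFA on the remote access system is exactly what CERT NZ says is missing in these intrusions.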
Cosmetics giant Avon is recovering from a mysterious cyber-security incident that took place last week, on June 8, sources have told ZDNet.
I am an active member of the forum MalwareTips.com. A member of this forum, upnorth, shared a sample to be used for testing antivirus products. This sample caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH-based RAT or another Adwind variant. I was wrong. This sample is a new breed of Java RAT, one that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).
dnwls0719 found a new ransomware that appends the .Badboy extension and drops a ransom note named ReadME-BadboyEncryption.txt.
dnwls0719 found a new ransomware called CobraLocker that appends the .Cobra extension to encrypted files.
June 17th 2020
Michael Gillespie found a new ransomware that appends the .[dungeon]-0_0 extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
Michael Gillespie found a new Matrix ransomware variant that appends the .EG83 extension and drops a ransom note named !EG83_INFO!.rtf.
S!Ri found a ransomware named JSUS pretending to be a PUBG hack that appends the .jsus extension to encrypted files.
dnwls0719 found a new Dharma Ransomware variant that appends the .base extension and drops a ransom note named FILES ENCRYPTED.txt.
Michael Gillespie found a new STOP Ransomware variant that appends the .vawe extension to encrypted files.
Michael Gillespie found the VashSorena Ransomware, which appends the .zip extension to encrypted files.
June 18th 2020
Michael Gillespie found a new variant of the Xorist Ransomware that appends the .CroNi.ZoNe extension.