The Week in Ransomware – June 19th 2020

For the most part, it has been a quiet week with new variants of existing ransomware families being released. We also did not see too many large victims being disclosed and mostly updates of existing victims.

Of particular note is the Black Kingdom ransomware attempting to exploit Pulse VPN flaws to install ransomware. If you are using Pulse VPNs, be sure to install any applicable patches.

Another interesting story was the discovery by GData’s Karsten Hahn of a new Java-based remote access trojan called STRRAT that contains ransomware functionality.

Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @struppigel, @PolarToffee, @VK_Intel, @malwareforme, @LawrenceAbrams, @BleepinComputer, @jorntvdw, @Ionut_Ilascu, @serghei, @FourOctets, @malwrhunterteam, @fwosar, @demonslay335, @Seifreed, @CERTNZ, @campuscodi, @fbgwls245, @Amigo_A_, and @siri_urz.

June 13th 2020

Black Kingdom ransomware hacks networks with Pulse VPN flaws

Operators of Black Kingdom ransomware are targeting enterprises with unpatched Pulse Secure VPN software or initial access on the network, security researchers have found.

Black Kingdom

New MedusaLocker variant

Amigo-A found a new MedusaLocker variant that appends the .EG extension and drops a ransom note named Recovery_Instructions.html.

Medusa Locker

June 14th 2020

Extortionists threaten to destroy sites in fake ransom attacks

Scammers are targeting website owners with blackmail messages asking them to pay ransoms between $1,500 and $3,000 in bitcoins to avoid having their sites’ databases leaked and their reputation destroyed.

New Yogynicof Ransomware

dnwls0719 found a new ransomwar that drops ransom notes named Read-me! 0 .html and Read-me! 1 .html. Amigo-A has named it Yogynicof after the email addresses in the ransom note.

June 15th 2020

New r3f5s Dharma Ransomware variant

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .r3f5s extension to encrypted files.

New STOP Ransomware variants

Michael Gillespie found two new variants of the STOP Ransomware that append the .usam or .tabe extensions to encrypted files.

June 16th 2020

Chipmaker MaxLinear reports data breach after Maze Ransomware attack

U.S. system-on-chip (SOC) maker company MaxLinear disclosed that some of its computing systems were encrypted by Maze Ransomware operators last month, after an initial breach that took place around April 15.

New 20dfs Ransomware

Michael Gillespie is looking for a ransomware that appends the .20dfs and drops a ransom note named DECODING_FILES.txt.

DraftKings discloses SBTech ransomware attack in SEC filing

In a Form S-1 filed with the SEC today, DraftKings disclosed that SBTech, who they merged with in April, was hit by a ransomware attack at the end of March 2020.

Active ransomware campaign leveraging remote access technologies

We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.

Avon recovering after mysterious cyber-security incident

Cosmetics giant Avon is recovering from a mysterious cyber-security incident that took place last week, on June 8, sources have told ZDNet.

New Java STRRAT ships with .crimson ransomware module

I am an active member of the forum A member of this forum, upnorth, shared a sample[2] to be used for testing Antivirus products. This sample[2] caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH based RAT or another Adwind variant. I was wrong. This sample[2] is a new breed of Java RAT. One that is prepared to not rely on a preinstalled Java Runtime Environment (JRE).

New BadBoy Ransomware

dnwls0719 found a new ransomware that appends the .Badboy extension and drops a ransom note named ReadME-BadboyEncryption.txt.


New CobraLocker

dnwls0719 found a new ransomware called CobraLocker that appends the .Cobra extension to encrypted files.


June 17th 2020

New Dungeon Ransomware

Michael Gillespie found a new ransomware that appends the .[dungeon]-0_0 extension and drops ransom note named HOW TO DECRYPT FILES.txt.

New Matrix Ransomware variant

Michael Gillespie found a new Matrix ransomware variant that appends the .EG83 extension and drops a ransom note named !EG83_INFO!.rtf.

JSUS Ransomware disguised as a PUBG hack

S!Ri found a ransomware named JSUS pretending to be a PUBG hack that appends the .jsus extension to encrypted files.

New Base Dharma Ransomware variant

dnwls0719 found a new Dharma Ransomware variant that appends the .base extension and drops a ransom note named FILES ENCRYPTED.txt.

New Vawe STOP Ransomware variant

Michael Gillespie found a new STOP Ransomware variant that appends the .vawe extension to encrypted files.

New VashSorena Ransomware

Michael Gillespie found the VashSorena Ransomware, which appends the .zip extension to encrypted files.

June 18th 2020

New Xorist Ransomware variant

Michael Gillespie found a new variant of the Xorist Ransomware that appends the .CroNi.ZoNe extension.

That’s it for this week! Hope everyone has a nice weekend!


Next Post

European physicists boldly take small step toward 100-kilometer-long atom smasher | Science

Sat Jun 20 , 2020
Dig, if you will, a tunnel. A mammoth new collider would dwarf an existing machine at the CERN physics laboratory in Europe. © CERN By Adrian ChoJun. 19, 2020 , 12:30 PM It is a truth universally acknowledged that a physics laboratory with a world-leading scientific facility must have a […]