Ransomware News 2020 May
23.5.20 | Ransomware encrypts from virtual machines to evade antivirus | Ragnar Locker is deploying Windows XP virtual machines to encrypt victims' files while evading detection by security software installed on the host. | |
23.5.20 | Michael Gillespie found a new variant of the STOP Ransomware that appends the .covm extension. | ||
23.5.20 | Emsisoft has released a decryptor for the JavaLocker Ransomware that appends the .javalocker extension. | ||
23.5.20 | Hackers tried to use Sophos Firewall zero-day to deploy Ransomware | Hackers tried to exploit a zero-day in the Sophos XG firewall to distribute ransomware to Windows machines but were blocked by a hotfix issued by Sophos. | |
23.5.20 | Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .bang extension to encrypted files. | ||
23.5.20 | An immediate warning: It seems that cyber criminals have obtained an old (orphaned) Amazon AWS S3 bucket used some time ago to host a Cookie Consent solution. Now the Cookie Consent logo delivered from the Amazon CDN contains a malware/ransomware script. It seems that thousands of websites, using old code, are now shipping this malicious content. Probably it’s a ransomware attack. Here is what I’ve found out so far. | ||
23.5.20 | Snake ransomware leaks patient data from Fresenius Medical Care | Medical data and personally identifiable information belonging to patients at a Fresenius Medical Care unit are currently available online on a paste website. | |
23.5.20 | Vigilante hackers target 'scammers' with ransomware, DDoS attacks | A hacker has been taking justice into their own hands by targeting "scam" companies with ransomware and denial of service attacks. | |
23.5.20 | NetWalker adjusts ransomware operation to only target enterprise | NetWalker ransomware group is moving away from phishing for malware distribution and has adopted a network-intrusion model focusing on huge businesses only. | |
23.5.20 | Emsisoft has updated their Jigsaw Ransomware decryptor to support the DragonCyber (.dc) variant. | ||
23.5.20 | REvil Ransomware found buyer for Trump data, now targeting Madonna | The REvil ransomware group claims to have buyers ready for documents containing damaging information about US President Donald Trump and is preparing to auction data on international celebrity Madonna. | |
23.5.20 | Ransomware attack impacts Texas Department of Transportation | A new ransomware attack is affecting the Texas government. This time, hackers got into the network of the state’s Department of Transportation (TxDOT). | |
23.5.20 | FBI warns of ProLock ransomware decryptor not working properly | Multiple actors in the ransomware business saw the new coronavirus pandemic as the perfect opportunity to focus on an already overburdened healthcare sector. ProLock is yet another threat to the list. | |
23.5.20 | @Amigo_A found a new variant of the STOP Ransomware that appends the .koti extension to encrypted files. | ||
23.5.20 | M. Shahpasandi found new Scarab Ransomware variants that append the .rbs or .cov19 extensions to encrypted files. | ||
23.5.20 | GrujaRS found a new variant of the Jigsaw Ransomware that calls itself DragonCyber and appends the .dc extension to encrypted files. | ||
17.5.20 | Ransomware recruits affiliates with huge payouts, automated leaks | The Netwalker ransomware operation is recruiting potential affiliates with the possibility of million-dollar payouts and an auto-publishing data leak blog to help drive successful ransom payments. | |
17.5.20 | Law firm hackers double ransom demand, threaten Donald Trump | The ransom demand for the secret files of a cyber-attacked lawyer to A-list stars has doubled to $42 million — as the hackers now threaten to reveal “dirty laundry” on President Donald Trump in just a week if they are not paid in full. | |
17.5.20 | dnwls0719 found a new ransomware targeting people in Turkey that appends the .zeronine extension. | ||
17.5.20 | ProLock Ransomware teams up with QakBot trojan for network access | ProLock is a relatively new malware on the ransomware scene but has quickly attracted attention by targeting businesses and local governments and demanding huge ransoms for file decryption. | |
17.5.20 | S!Ri found a new ransomware called Blackmoon that appends the .cxk extension to encrypted files. | ||
17.5.20 | A ransomware family has begun a new tactic of not only demanding a ransom for a decryptor but also demanding a second ransom not to publish files stolen in an attack. | ||
17.5.20 | dnwls0719 found a new STOP Ransomware variant that appends the .mzlq extension to encrypted files. | ||
17.5.20 | MalwareHunterTeam found a new ransomware that is being spread with a COVID-19 lure. When encrypting files it appends the .dodged extension. | ||
17.5.20 | Fortune 500 company Magellan Health Inc announced today that it was the victim of a ransomware attack on April 11, 2020, which led to the theft of personal information from one of its corporate servers. | ||
17.5.20 | Texas Courts hit by ransomware, network disabled to limit spread | The Texas court system was hit by ransomware on Friday night, May 8th, which led to the branch network including websites and servers being disabled to block the malware from spreading to other systems. | |
17.5.20 | Global business services company Pitney Bowes recently stopped an attack from Maze ransomware operators before the encryption routine could be deployed but the actor still managed to steal some data. | ||
17.5.20 | The Sodinokibi (REvil) ransomware has added a new feature that allows it to encrypt more of a victim's files, even those that are opened and locked by another process. | ||
17.5.20 | MalwareHunterTeam found a new ransomware called Kupidon that appends the .kupidon extension to encrypted files and drops a ransom note named !KUPIDON_DECRYPT.txt. | ||
17.5.20 | Benkøw discovered that the GuLoader Trojan is distributing the HakBit ransomware. | ||
17.5.20 | Alex Svirid released a decryptor for the CryLock (ex-Cryakl) 1.9.0.0 ransomware. | ||
9.5.20 | dnwls0719 found a new Dharma Ransomware variant that appends the .net extension to encrypted files. | ||
9.5.20 | REvil ransomware threatens to leak A-list celebrities' legal docs | The Sodinokibi ransomware group threatens to release hundreds of gigabytes of legal documents from a prominent entertainment and law firm that counts dozens of international stars as their clients. | |
9.5.20 | We secured forensics evidence data in the form of disk images of VPS servers used by cybercriminals behind Sodinokibi / REvil ransomware (we also found Maze ransomware there): | ||
9.5.20 | Jakub Kroustek found a new Dharma Ransomware variant that appends the .PHP extension to encrypted files. | ||
9.5.20 | Michael Gillespie found a new variant of the STOP Ransomware that appends the .sqpc extension to encrypted files. | ||
9.5.20 | Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents | Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model. | |
9.5.20 | Anti-malware vigilante found a new spam campaign targeting people in South Korea and bundling the Vidar password-stealing malware along with it. | ||
9.5.20 | A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to target databases and email servers for encryption. | ||
9.5.20 | Large scale Snake Ransomware campaign targets healthcare, more | The operators of the Snake Ransomware have launched a worldwide campaign of cyberattacks that have infected numerous businesses and at least one health care organization over the last few days. | |
9.5.20 | Jakub Kroustek found a new Dharma Ransomware variant that appends the .0day0 extension to encrypted files. | ||
9.5.20 | Toll Group hit by ransomware a second time, deliveries affected | The Toll Group has suffered its second ransomware cyberattack in three months, with the latest one conducted by the operators of the Nefilim Ransomware. | |
9.5.20 | The REvil ransomware-as-a-service (RaaS) operation continues to impact businesses worldwide. The threat actors responsible for developing and maintaining the malware have released an updated ransomware, namely version 2.2. In this short blog post, we will cover the significant changes from the previous version, which we covered in detail in an earlier blog post. | ||
9.5.20 | New VCrypt Ransomware locks files in password-protected 7ZIPs | A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders. | |
9.5.20 | LockBit ransomware self-spreads to quickly encrypt 225 systems | A feature of the LockBit ransomware allows threat actors to breach a corporate network and deploy their ransomware to encrypt hundreds of devices in just a few hours. | |
9.5.20 | BitDefender has released a decryptor for the Shade/Troldesh Ransomware after the ransomware operators released all of the decryption keys. | ||
9.5.20 | Sodinokibi, Ryuk ransomware drive up average ransom to $111,000 | The first quarter of the year recorded an increase in the average amount ransomware operators demand from their victims. Compared to the previous quarter, a 33% swell was noted, driven by the Sodinokibi and Ryuk ransomware operators. | |
2.5.20 | Michael Gillespie found a new variant of the STOP ransomware that appends the .mpal extension to encrypted files. | ||
2.5.20 | Emsisoft released an updated decryptor to support the .zemblax extension described in the previous article. | ||
2.5.20 | New phishing campaign packs an info-stealer, ransomware punch | A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware. | |
2.5.20 | We believe there is real opportunity to learn from incident response cases and previous attacks, hence why this blog is dubbed ‘tales from the trenches’. In collaboration with Northwave, this article describes a real-life case of a targeted ransomware attack. During one of their recent incident responses, Northwave encountered a relatively new family of ransomware called LockBit performing a targeted attack. | ||
2.5.20 | Shade Ransomware Decryptor can now decrypt over 750K victims | Kaspersky has released an updated decryptor for the Shade Ransomware (Troldesh) that allows all victims who have their files encrypted to recover them for free. | |
2.5.20 | Clop ransomware leaks ExecuPharm's files after failed ransom | Clop ransomware leaked files stolen from U.S. pharmaceutical company ExecuPharm after ransom negotiations allegedly failed. | |
2.5.20 | The Coveware ransomware marketplace report aggregates observed trends from enterprise ransomware incidents in Q1 of 2020. During the first quarter of 2020 ransomware threat actors took advantage of the economic and workplace disruption caused by the COVID-19 outbreak. Spam attacks related to the outbreak surged and seldom-used ‘work-from-home’ network configurations led to increased ransomware attacks across the board. Some threat actor groups continued attacking healthcare organizations, while others refused to target them. Our report shows victim demographics and resolution metrics based on actual ransomware cases handled by the Coveware Incident Response team. | ||
2.5.20 | The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims. | ||
2.5.20 | dnwls0719 found a new variant of the STOP ransomware that appends the .qewe extension to encrypted files. | ||
2.5.20 | MalwareHunterTeam found a COVID-19 themed Android ransomware infection that appends the .encrypted extension to encrypted files. |