Ransomware operators continue to leak their victims' data and develop new ways to infect victims without being detected by security software.
Many think, though, that this was nothing more than a PR stunt or that they never had the data in the first place.
In addition, we saw an interesting technique used by the Ragnar Locker ransomware, which encrypts victims' files from inside a virtual machine to evade security software.
Contributors and those who provided new ransomware information and stories this week include: @serghei, @struppigel, @fwosar, @FourOctets, @demonslay335, @malwrhunterteam, @PolarToffee, @LawrenceAbrams, @jorntvdw, @BleepinComputer, @Seifreed, @DanielGallagher, @VK_Intel, @malwareforme, @Ionut_Ilascu, @markloman, @SophosLabs, @IntelAdvanced, @y_advintel, @GrujaRS, @Amigo_A_, @M_Shahpasandi, @emsisoft, @JakubKroustek, and @etguenni.
May 16th 2020
GrujaRS found a new variant of the Jigsaw Ransomware that calls itself DragonCyber and appends the .dc extension to encrypted files.
M. Shahpasandi found new Scarab Ransomware variants that append the .rbs or .cov19 extensions to encrypted files.
May 17th 2020
@Amigo_A found a new variant of the STOP Ransomware that appends the .koti extension to encrypted files.
May 18th 2020
Multiple actors in the ransomware business saw the new coronavirus pandemic as the perfect opportunity to target an already overburdened healthcare sector. ProLock is yet another threat added to the list.
A new ransomware attack is affecting the Texas government. This time, hackers got into the network of the state’s Department of Transportation (TxDOT).
The REvil ransomware group claims to have buyers ready for documents containing damaging information about US President Donald Trump and is preparing to auction data on international celebrity Madonna.
Emsisoft has updated their Jigsaw Ransomware decryptor to support the DragonCyber (.dc) variant.
May 19th 2020
The NetWalker ransomware group is moving away from phishing for malware distribution and has adopted a network-intrusion model focusing on large businesses only.
May 20th 2020
A hacker has been taking justice into their own hands by targeting “scam” companies with ransomware and denial of service attacks.
Medical data and personally identifiable information belonging to patients at a Fresenius Medical Care unit are currently available online on a paste website.
An immediate warning: It seems that cyber criminals have obtained an old (orphaned) Amazon AWS S3 bucket used some time ago to host a Cookie Consent solution. Now the Cookie Consent logo delivered from the Amazon CDN contains a malware/ransomware script. It seems that thousands of websites using old code are now shipping this malicious content. Probably it's a ransomware attack. Here is what I've found out so far.
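One defender-side check for the orphaned-bucket problem described in the warning above, added here as an example and not code from the original post or its author: it inventories the src/href references to S3 in a page's HTML and flags buckets whose HEAD request returns 404 (NoSuchBucket), which is the state in which anyone can re-register the name and serve their own files under it. The URL patterns, the path-style HEAD check and the sample HTML in the test are my assumptions, not from the page.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Both S3 URL shapes: virtual-hosted (bucket.s3[.region].amazonaws.com/key)
# and path-style (s3[.region].amazonaws.com/bucket/key). Assumed patterns.
S3_URL = re.compile(
    r"""https?://(?:(?P<vhost>[a-z0-9.\-]+)\.)?s3(?:[.\-][a-z0-9\-]+)?\.amazonaws\.com/"""
    r"""(?P<path>[^\s"'<>]*)""",
    re.IGNORECASE,
)
# src/href attributes: the browser fetches (and for <script>, executes) the target.
RESOURCE_ATTR = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def s3_references(html: str) -> List[Tuple[str, str]]:
    """Return (bucket, url) for every src/href in the HTML that points at S3."""
    refs = []
    for url in RESOURCE_ATTR.findall(html):
        m = S3_URL.match(url)
        if not m:
            continue
        bucket = m.group("vhost")
        if bucket is None:  # path-style: the first path segment is the bucket
            bucket = m.group("path").split("/", 1)[0]
        if bucket:
            refs.append((bucket, url))
    return refs

def bucket_exists(bucket: str) -> bool:
    """HEAD the bucket path-style (dotted names then avoid TLS name mismatches).
    200/403 -> bucket exists (maybe private); 404 -> NoSuchBucket, name is free.
    A transport failure is reported as 'exists' so nothing unqueried gets flagged."""
    req = urllib.request.Request(f"https://s3.amazonaws.com/{bucket}/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=10)
        return True
    except urllib.error.HTTPError as err:
        return err.code != 404
    except urllib.error.URLError:
        return True

def orphaned_s3_dependencies(html: str, exists: Callable[[str], bool] = bucket_exists) -> List[str]:
    """Buckets the page loads from that no longer exist: each is a takeover risk."""
    checked = {}
    for bucket, _url in s3_references(html):
        if bucket not in checked:
            checked[bucket] = exists(bucket)  # one query per bucket
    return sorted(b for b, ok in checked.items() if not ok)
```

Run it over the HTML of a site's templates (or a crawl of its pages) and treat every flagged bucket as a dependency to remove or re-host, not just to re-register.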
Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .bang extension to encrypted files.
May 21st 2020
Hackers tried to exploit a zero-day in the Sophos XG firewall to distribute ransomware to Windows machines but were blocked by a hotfix issued by Sophos.
Emsisoft has released a decryptor for the JavaLocker Ransomware that appends the .javalocker extension.
Michael Gillespie found a new variant of the STOP Ransomware that appends the .covm extension to encrypted files.
May 22nd 2020
Ragnar Locker is deploying Windows XP virtual machines to encrypt victims' files while evading detection by security software installed on the host.