Ransomware operators continue to leak data for their victims and develop new ways to infect victims without being detected by security software.

This week, we saw Snake ransomware leak data from Fresenius Medical Care, and REvil claims to have a buyer for the alleged data on President Trump.

Many think, though, that this was nothing more than a PR stunt or never had the data in the first place.

In addition, we saw an interesting technique used by the Ragnar Lock ransomware, where they encrypt victims using virtual machines to evade security software.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @struppigel, @fwosar, @FourOctets, @demonslay335, @malwrhunterteam, @PolarToffee, @LawrenceAbrams, @jorntvdw, @BleepinComputer, @Seifreed, @DanielGallagher, @VK_Intel, @malwareforme, @Ionut_Ilascu, @markloman, @SophosLabs, @IntelAdvanced, @y_advintel, @GrujaRS, @Amigo_A_, @M_Shahpasandi, @emsisoft, @JakubKroustek, and @etguenni.

May 16th 2020

New DragonCyberRansomware Jigsaw variant

GrujaRS found a new variant of the Jigsaw Ransomware that calls itself DragonCyber and appends the .dc extension to encrypted files.

New Scarab Ransomware variants discovered

M. Shahpasandi found new Scarab Ransomware variants that append the .rbs or .cov19 extensions to encrypted files.

Scarab ransomware ransom note

May 17th 2020

New Koti STOP Ransomware variant

@Amigo_A found a new variant of the STOP Ransomware that appends the .koti extension to encrypted files.

May 18th 2020

FBI warns of ProLock ransomware decryptor not working properly

Multiple actors in the ransomware business saw the new coronavirus pandemic as the perfect opportunity to focus on an already overburdened healthcare sector. ProLock is yet another threat to the list.

Ransomware attack impacts Texas Department of Transportation

A new ransomware attack is affecting the Texas government. This time, hackers got into the network of the state’s Department of Transportation (TxDOT).

REvil Ransomware found buyer for Trump data, now targeting Madonna

The REvil ransomware group claims to have buyers ready for documents containing damaging information about US‌ President Donald Trump and is preparing to auction data on international celebrity Madonna.

Jigsaw Ransomware decryptor updated

Emsisoft has updated their Jigsaw Ransomware decryptor to support the DragonCyber (.dc) variant.

May 19th 2020

NetWalker adjusts ransomware operation to only target enterprise

NetWalker ransomware group is moving away from phishing for malware distribution and has adopted a network-intrusion model focusing on huge businesses only.

May 20th 2020

Vigilante hackers target ‘scammers’ with ransomware, DDoS attacks

A hacker has been taking justice into their own hands by targeting “scam” companies with ransomware and denial of service attacks.

MilkmanVictory ransom note

Snake ransomware leaks patient data from Fresenius Medical Care

Medical data and personally identifiable information belonging to patients at a Fresenius Medical Care unit are currently available online on a paste website.

Warning: Infected Cookie Consent logo delivers Ransomware

An immediate warning: It seems that cyber criminals has obtained an old (orphaned) Amazon AWS S3 bucked used some times ago to host a Cookie Consent solution. Now the Cookie Consent logo delivered from the Amazon CDN contains a malware/ransomware script. It seems, that thousands of website, using old code, are shipping now this malicious content. Probably it’s a ransomware attack. Here is what I’ve found out so far.

New Bang Dharma ransomware variant

Jakub Kroustek found anew variant of the Dharma Ransomware that appends the .bang extension to encrypted files.

May 21st 2020

Hackers tried to use Sophos Firewall zero-day to deploy Ransomware

Hackers tried to exploit a zero-day in the Sophos XG firewall to distribute ransomware to Windows machines but were blocked by a hotfix issued by Sophos.

Decryptor for JavaLocker released

Emsisoft has released a decryptor for the JavaLocker Ransomware that appends the .javalocker extension.

New Covm STOP Ransomware variant

Michael Gillespie found a new variant of the STOP Ransomware that appends the .covm ransomware.

May 22nd 2020

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker is deploying Windows XP virtual machines to encrypt victim’s files while evading detecting from security software installed on the host.

That’s it for this week! Hope everyone has a nice weekend!

Source link