Ransomware News, Articles and Updates

Two Cryptomix variants spotted in under a week

MalwareHunterTeam researchers discovered a second variant this week of the CryptoMix ransomware appending the .0000 extension to encrypted files.

RDP brute force attacks used to spread LockCrypt ransomware

Hackers have been breaking into corporate servers via RDP brute-force attacks and manually infecting them with a new variant of ransomware called LockCrypt.

Ordinypt wiper ransomware targets German businesses

Another wiper malware posing as a ransomware is targeting German businesses under the guise of fake job applicants inquiring about openings.

GIBON Ransomware sold for $500 in Russian dark web forum

The GIBON Ransomware variant was reportedly seen for sale in a dark web criminal forum with a $500 (£380) price tag in a Russian advertisement.

WannaCry, Cerber most used ransomware types, hospitals most hit sector

WannaCry and Cerber have totally dominated the ransomware landscape so far this year, comprising almost all the attacks that have taken place, while other big names such as Locky were barely a blip on the radar.

BitPaymer malware - ransomware with sophisticated obfuscation

Julia Sowells explains how the BitPaymer malware initially executes itself, makes a copy of itself and runs in two alternate data streams (ADS). It hides in empty files, deletes its older executable file and transfers control of the malware to the newly created files.

Your money or more strife? It never pays to negotiate with cyber-criminals

Paying cyber-criminals to unleash your data from their grip is, ultimately, a futile exercise which breeds opportunities for them to expand and gain a further advantage over innocent and unsuspecting victims, says Daren Oliver.

ONI ransomware used to cover tracks in long-term attacks against Japanese firms

A new strain of ransomware has been used to attack Japanese firms and delete evidence, according to security researchers. Hackers made significant attempts to hide covert operations.

RIG EK used to spread Matrix ransomware via malvertising

Matrix ransomware is now being distributed via the RIG exploit kit on various sites displaying malvertising.

NSA hacking tool EternalRomance found in BadRabbit

BadRabbit evidence is multiplying, like, well, rabbits, with the latest revelation being that the malware used another stolen NSA tool to help it move laterally through networks.

Group IB shows even tighter ties between BadRabbit and NotPetya

A new report on the BadRabbit ransomware campaign that sprang up earlier this week has revealed that BadRabbit is most likely derived from NotPetya, based on clues in the code and other evidence.

DUMB ransomware attacks Iranian targets via compromised VPN

Maher, Iran's Computer Emergency Response Team Coordination Center (CERTCC), has warned that 'Tyrant' ransomware is being distributed in the country via a compromised VPN app, which undermines trust in the IT department.

BadRabbit's slow international spread, like Petya/NotPetya but blockable

Less than 24 hours after BadRabbit hopped out of its hole the malware is still spreading, albeit slowly, with US CERT having received reports of infections; researchers say this worm-like ransomware may have ties to Petya/NotPetya.

LokiBot Android banking trojan turns into ransomware in last-ditch effort

An Android banking trojan dubbed LokiBot turns into ransomware when users try to remove its admin privileges, in a last-ditch effort to extort the user.

Update: Further details on BadRabbit's spread, vaccine posted

Update: Several Russian news agencies and additional targets in Ukraine have reportedly been hit with cyber-attacks, which the security firm Group-IB believes to be based on a new variant of Petya called BadRabbit.

BadRabbit 'NotPetya-style' attack hits Russian press & Ukraine targets

BadRabbit ransomware has hit at least three Russian media companies including Russian business newswire Interfax which became unable to deliver some of its news services, and Ukrainian infrastructure has also been hit.

Not good: Ransomware is cheap to buy and developers are well paid

This fact rarely comes out on Law & Order, but for some, crime pays. And pretty well. Developers of ransomware are well paid and the malware is cheap to buy.

Phishing campaigns used victim's location to determine whether to deliver Locky or Trickbot

Researchers at PhishMe recently detected two email-based phishing campaigns that infected users with either Locky ransomware or the Trickbot banking trojan based on the victim's geographical location.

Ykcol and Asasin Locky variants released within short time frame

At least two new Locky ransomware variants have been released within less than a month of each other, although one of the variants is broken for the time being due to a malformed spam campaign.

Ransomware - no excuse for sticking your head in the sand!

Ransomware: "what are your IT team and 3rd-party suppliers doing about it?" asks Ken Gilmour. Do they have back-up processes that isolate business-critical data for fast recovery? Are they responsive when it comes to patching?

WannaCry spotted for just £40 on underground Arabic forum

WannaCry ransomware was seen in an advertisement on the Middle Eastern and North African Arabic-speaking underground forums for £40 just two days after the malware's outbreak caused nearly £3 billion in damage.

Ransomware & industrial control systems: never the twain shall meet - until now!

If ransomware infects and encrypts a device you might swap it out for another device, but, Andrew Cooke explains, if HMI devices get infected, unplugging equipment isn't always feasible, so the critical thing has to be prevention.

Europol: the response to unprecedented cyber-attacks "not good enough"

The global scale, impact and rate of spread of cyber-attacks over the past year is unprecedented, reports Europol's 2017 Internet Organised Crime Threat Assessment (IOCTA).

Remotely locked Apple devices being held for ransom

Some Apple product owners have found themselves on the receiving end of a new ransom attack in which someone locks their device, most likely using stolen iCloud credentials, and initiates the Find My iPhone remote lock feature.

Redboot malware leaves researchers wondering if it's ransomware or a wiper

A new bootlocker malware is leaving researchers scratching their heads on whether to identify the malware as a poorly coded ransomware or a cleverly designed wiper.

EternalBlue exploit used in Swiss campaigns by Retefe malware

The trojan uses the NSA EternalBlue exploit to hijack computers for a new ransomware campaign targeting unpatched systems.

Hacker asks for nude photos of victim instead of money to unlock computer

MalwareHunterTeam tweeted out news of a screenlocker posing as ransomware where the bad guys request nude photos of the victim instead of money.

20% of Manchester police computers at risk of ransomware - using XP

Some 20 percent of Greater Manchester Police's computers are at risk of a ransomware hack due to still running Windows XP, according to research from Top10VPN.com.

Doubling Down: Locky & FakeGlobe ransomware pushed in dual spam campaigns

Cyber-criminals kicked off a spam campaign earlier this month capable of delivering either Locky or FakeGlobe ransomware, creating a situation where a single person could be victimised twice in the same attack.

Financial attractiveness of ransomware ensures it remains growing threat

Mobile devices are under increasing attack from malware, including ransomware, which has seen a 122 percent increase in variants as it becomes an increasingly attractive option for criminals.