What a week. Every day we see a new city, police station, college, government agency, or company being affected by a ransomware attack. To make matters worse, they are getting hit with targeted ransomware that asks for a hefty price to get a decryptor.
This week we also saw the first real analysis of the MegaCortex Ransomware when a sample was found by MalwareHunterTeam. Along with this sample, though, came a wave of attacks that affected many organizations.
All I can say is: Backup, backup, backup! If you have working backups, ransomware is ineffective and you can shrug it off. Make sure your backups work and that you have a good policy in place.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @malwareforme, @fwosar, @hexwaxwing, @LawrenceAbrams, @BleepinComputer, @jorntvdw, @FourOctets, @DanielGallagher, @Seifreed, @struppigel, @PolarToffee, @demonslay335, @VK_Intel, @coveware, @FBI, @CrowdStrike, @PortSwigger, @emsisoft, @avast_antivirus, @petrovic082, @M_Shahpasandi, @serghei, @Ionut_Ilascu, @pushecx, and @GrujaRS.
July 13th 2019
Emsisoft releases imS00rry decryptor
Emsisoft released a decryptor for imS00rry Ransomware.
SkyStars Ransomware discovered
Petrovic found a new ransomware called SkyStars.
New Matrix Ransomware variant
Amigo-A found a new Matrix Ransomware variant that appends the .[Kromber@tutanota.com] extension and drops a ransom note named #_#ReadMe#_#.rtf.
July 14th 2019
La Porte County Pays $130,000 Ransom To Ryuk Ransomware
Another public administration in the U.S. surrenders to cybercriminal demands as La Porte County, Indiana, pays $130,000 to recover data on computer systems impacted by ransomware.
New 1BTC Dharma variant
Jakub Kroustek found a new Dharma Ransomware variant that appends the .1BTC extension to encrypted files.
July 15th 2019
New DoppelPaymer Ransomware Emerges from BitPaymer’s Code
Malware researchers have discovered a new file-encrypting malware they dubbed DoppelPaymer that has been claiming victims since at least mid-June, asking hundreds of thousands of US dollars in ransom.
July 16th 2019
Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
The average payment demand following a ransomware attack has almost doubled in the second quarter of the year and victims have Ryuk and Sodinokibi to blame.
FBI Releases Master Decryption Keys for GandCrab Ransomware
In an FBI Flash Alert, the FBI has released the master decryption keys for the Gandcrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their very own GandCrab decryptor.
New Budak and Herad STOP DJvu variants
Michael Gillespie found new variants of the STOP DJvu Ransomware that append the .budak or .herad extension to encrypted files.
New Nemesis Ransomware variant
M. Shahpasandi found a new variant of the Cry36/Nemesis Ransomware that appends the .id_**********_.YOUR_LAST_CHANCE extension to encrypted file names.
Onondaga Libraries hit by ransomware attack, locations open but some services affected
Libraries across Onondaga County continue to deal with service issues caused by a cyber attack discovered last Friday.
July 17th 2019
Lessons learned from ransomware authors’ crypto mistakes
Some ransomware authors get the cryptography right, but make web security mistakes that leave their command and control (C2) infrastructure vulnerable to attacks.
New Berosuce STOP DJvu variant
Michael Gillespie found a new variant of the STOP DJvu Ransomware that appends the .berosuce extension to encrypted files.
STOP Decryptor updated
Michael Gillespie updated his STOP DJvu Ransomware decryptor to support the offline keys for the .godes, .budak, .heran, and .berosuce extensions.
Sodinokibi Spam campaign attacking Germany
Karsten Hahn reported that a spam wave targeting Germany was distributing the Sodinokibi Ransomware.
Radio station WMNF victim of ransomware cyberattack
Tampa-based community radio station WMNF 88.5-FM is stepping up cybersecurity after its computer systems were hobbled by ransom-seeking hackers last month.
New Phobos Ransomware variant
GrujaRS found a new variant of the Phobos ransomware that appends the .id[XXXXXX-2224].[zoye1596@msgden.net].actor extension and drops a ransom note named info.txt.
New Ouroboros Ransomware
GrujaRS found a new variant of the Ouroboros Ransomware that appends the .[id=xxxxxxx][mail=BackFileHelp@protonmail.com].limbo extension and drops a ransom note named Read-Me-Now.txt.
July 18th 2019
Avast Releases a GandCrab Decryptor
Avast Software has released their own decryptor for the GandCrab Ransomware.
New Gusau STOP DJvu variants
Michael Gillespie found new variants of the STOP DJvu Ransomware that append the .gusau, .vusad, .madek, or .gehad extensions to encrypted files.
STOP Decryptor updated
Michael Gillespie updated his STOP DJvu Ransomware decryptor to support the offline key for the .gehad extension.
Ransomware attack impacting Collierville, officials say
City officials said the attack disrupted the town’s information technology systems. They first received reports of the disruption Thursday morning and have determined it is the Ryuk ransomware virus.
July 19th 2019
Elusive MegaCortex Ransomware Found – Here is What We Know
A sample of the ransomware called MegaCortex, known for being used in targeted attacks against enterprises, has been found and analyzed. In this article, we provide a brief look at the MegaCortex Ransomware and how it encrypts a computer.
Ransomware Attacks Grow Rampant, Paying Still Not a Good Option
A flurry of ransomware attacks has been reported this week affecting entities in the US states of Georgia, New York, Tennessee, and Florida.
iNSYNQ Cloud Hosting Provider Hit by Ransomware Attack
Cloud computing provider iNSYNQ experienced a ransomware attack that forced the company to shut down some of its servers to keep the malware from spreading and affecting more customer data.
Lawrenceville police latest victims of cyberattack
Lawrenceville police confirmed the FBI and private security experts have been called in to help with the cyberattack that has hijacked the department’s body camera file footage and other department files. It is also the same ransomware that attacked Henry County police, sources say.
New Maoloa Ransomware variant
GrujaRS found a new variant of the Maoloa Ransomware that appends the .Persephone666 extension to encrypted files.
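The variant reports throughout this week (Matrix, Dharma, STOP DJvu, Cry36/Nemesis, Phobos, Ouroboros, Maoloa) each give an appended extension and, for some, a ransom note name. Those are the artifacts a defender can turn into a file-name triage check during an incident. The following is an added example, not code from BleepingComputer or any of the researchers credited above; it encodes the extensions and note names exactly as reported on this page and matches them against a constructed list of file names. Where the page masks a victim id with X or asterisk characters, the patterns assume a generic alphanumeric run, which is an assumption about the real format.

```python
import os
import re
from typing import Dict, List, Optional

# Extension patterns taken from this week's variant reports. The victim-id
# portions the page masks (XXXXXX, ****, xxxxxxx) are matched as generic
# alphanumeric runs; the real formats may be narrower (assumption).
EXTENSION_PATTERNS = {
    "Matrix":        re.compile(r"\.\[Kromber@tutanota\.com\]$"),
    "Dharma":        re.compile(r"\.1BTC$"),
    "STOP DJvu":     re.compile(r"\.(budak|herad|berosuce|gusau|vusad|madek|gehad)$"),
    "Cry36/Nemesis": re.compile(r"\.id_[^_]+_\.YOUR_LAST_CHANCE$"),
    "Phobos":        re.compile(r"\.id\[[A-Za-z0-9]+-2224\]\.\[zoye1596@msgden\.net\]\.actor$"),
    "Ouroboros":     re.compile(r"\.\[id=[A-Za-z0-9]+\]\[mail=BackFileHelp@protonmail\.com\]\.limbo$"),
    "Maoloa":        re.compile(r"\.Persephone666$"),
}

# Ransom note file names reported for three of the families. "info.txt" is a
# common benign name, so a note hit alone is treated as low confidence.
RANSOM_NOTES = {
    "#_#ReadMe#_#.rtf": "Matrix",
    "info.txt": "Phobos",
    "Read-Me-Now.txt": "Ouroboros",
}


def classify_extension(path: str) -> Optional[str]:
    """Return the family whose appended extension matches this file name, else None."""
    base = os.path.basename(path)
    for family, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(base):
            return family
    return None


def classify_note(path: str) -> Optional[str]:
    """Return the family associated with this ransom note file name, else None."""
    return RANSOM_NOTES.get(os.path.basename(path))


def triage(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Group hits by family and rate confidence.

    'high' when at least one encrypted-file extension matched; 'low' when the
    only evidence is a ransom note name, which can collide with ordinary files.
    """
    report: Dict[str, Dict[str, object]] = {}
    for path in paths:
        family = classify_extension(path)
        if family is not None:
            entry = report.setdefault(family, {"encrypted": [], "notes": []})
            entry["encrypted"].append(path)
            continue
        family = classify_note(path)
        if family is not None:
            entry = report.setdefault(family, {"encrypted": [], "notes": []})
            entry["notes"].append(path)
    for entry in report.values():
        entry["confidence"] = "high" if entry["encrypted"] else "low"
    return report


# Constructed sample listing, as a responder might collect it from a share;
# the victim ids inside the names are invented.
SAMPLE_FILES = [
    "Q3_budget.xlsx.1BTC",
    "photo.jpg.budak",
    "thesis.doc.[Kromber@tutanota.com]",
    "#_#ReadMe#_#.rtf",
    "report.pdf.id_A1B2C3D4E5_.YOUR_LAST_CHANCE",
    "contract.docx.id[1A2B3C-2224].[zoye1596@msgden.net].actor",
    "info.txt",
    "db.bak.[id=ab12cd3][mail=BackFileHelp@protonmail.com].limbo",
    "Read-Me-Now.txt",
    "slides.pptx.Persephone666",
    "notes.txt",
]

if __name__ == "__main__":
    for family, entry in triage(SAMPLE_FILES).items():
        print(f"{family}: confidence={entry['confidence']} "
              f"encrypted={len(entry['encrypted'])} notes={len(entry['notes'])}")
```

The confidence split matters in practice: a lone info.txt on a file server is not evidence of Phobos, but the same name sitting next to files ending in .actor is. The patterns are anchored at the end of the base name so that the ransomware's appended extension is what is tested, not a substring elsewhere in a path.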