The Week in Ransomware – January 11th 2019 – Access-as-a-Service – BleepingComputer
For the most part it has been a slow week in terms of new ransomware variants being released. On the other hand, quite a bit of interesting information was released about Ryuk.
Researchers from FireEye and CrowdStrike released reports this week that explain how Ryuk partnered with TrickBot in an access-as-a-service arrangement to gain access to infected networks. Other reports also came out that lead researchers to believe that the attackers behind Ryuk are Russian, rather than North Korean.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @struppigel, @Seifreed, @fwosar, @jorntvdw, @malwareforme, @malwrhunterteam, @FourOctets, @BleepinComputer, @PolarToffee, @LawrenceAbrams, @ChristiaanBeek, @John_Fokker, @cglyer, @ItsReallyNick, @CrowdStrike, @FireEye, @McAfee_Labs, and @BBC.
January 5th 2019
Batch file ransomware discovered
MalwareHunterTeam discovered a very simple ransomware that is a batch file called Encoder.bat and uses WinRAR to add files to a password-protected archive.
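Archiver-based encryption like Encoder.bat leaves a telemetry trail a defender can key on: an archiver started from a batch script with a password switch and, often, a switch that deletes the source files. The following is an added example (not code from the article or from MalwareHunterTeam) that runs such a check over constructed process-creation events; the field names, the event contents and the WinRAR switches it looks for (-p / -hp set a password, -df deletes sources after archiving) are assumptions of this example, not details reported on the page.

```python
import re
from pathlib import PureWindowsPath

ARCHIVERS = {"rar.exe", "winrar.exe"}
# -p<pw> sets an archive password and -hp<pw> also encrypts file names;
# -df removes the source files once they are archived.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*")
DELETE_SWITCH = re.compile(r"(?:^|\s)-df(?:\s|$)")
BATCH_PARENT = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)

# Constructed sample events with Sysmon-style field names (assumed, not from the article).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\Encoder.bat"',
     "CommandLine": r"Rar.exe a -r -hpS3cretKey -df C:\Users\victim\Documents\locked.rar C:\Users\victim\Documents\*.docx"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "ParentCommandLine": r"explorer.exe",
     "CommandLine": r"WinRAR.exe a -ep1 C:\Users\victim\Desktop\report.rar C:\Users\victim\Desktop\report.docx"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "ParentCommandLine": r"explorer.exe",
     "CommandLine": r"Rar.exe a -pShareMe C:\Users\victim\Desktop\share.rar C:\Users\victim\Desktop\notes.txt"},
]


def analyse(event):
    """Return the suspicious traits found in one process-creation event."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in ARCHIVERS:
        return []  # only archiver launches are of interest here
    cmd, parent = event["CommandLine"], event.get("ParentCommandLine", "")
    traits = []
    if PASSWORD_SWITCH.search(cmd):
        traits.append("password-protected archive")
    if DELETE_SWITCH.search(cmd):
        traits.append("deletes source files after archiving")
    if BATCH_PARENT.search(parent):
        traits.append("launched from a batch script")
    return traits


def detect(events):
    """Flag events that set a password and show at least one more trait."""
    hits = []
    for index, event in enumerate(events):
        traits = analyse(event)
        if "password-protected archive" in traits and len(traits) >= 2:
            hits.append((index, traits))
    return hits
```

Only the first constructed event is flagged: a password alone (third event) is normal user behaviour, so the rule requires a second trait before raising an alert.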
January 7th 2019
GandCrab Operators Use Vidar Infostealer as a Forerunner
Cybercriminals behind GandCrab have added the Vidar infostealer to the distribution process for the ransomware, which helps increase their profits by pilfering sensitive information before encrypting the computer's files.
January 8th 2019
Bridgeport Schools computer network falls victim to cyberattack
The Connecticut Post reports:
The city school district’s computer network was attacked Friday by a virus caused by an outside entity that intended to hold district data hostage for ransom, district officials say.
January 9th 2019
CryptoMix Ransomware Exploits Sick Children to Coerce Payments
With people becoming more aware of ransomware, criminals are coming up with some pretty low-life schemes to coerce victims into paying the ransom. Such is the case with a CryptoMix ransomware variant whose operators pretend to represent a sick children's charity and ask for the ransom payment as if it were a charitable donation.
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
In an article by John Fokker and Christiaan Beek of McAfee:
The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.
The cyber-attack that sent an Alaskan community back in time
The BBC reports on the ransomware attack that took out a town in Alaska.
In 2018, a remote Alaskan community’s infrastructure was hit by a malware attack which forced it offline. It was only then they realised how much they depended on computers.
Ahihi Ransomware discovered
MalwareHunterTeam found the Ahihi ransomware, which does not change the extension of encrypted files.
Ransomware ransom note tries to phish PayPal account
MalwareHunterTeam found a new ransom note that also attempts to steal PayPal account credentials through a phishing page.
January 10th 2019
Possible new STOP/Djvu variant
Michael Gillespie is searching for a new ransomware that appends the .pdff extension and drops a note named _openme.txt.
January 11th 2019
Del Rio City Hall Forced to Use Paper After Ransomware Attack
The City Hall of Del Rio, Texas was hit by a ransomware attack on Thursday, which led to multiple computers on the network being turned off and disconnected from the Internet to contain and analyze the malware.
Ryuk Ransomware Partners with TrickBot to Gain Access to Infected Networks
New research now indicates that the Ryuk actors may be renting other malware as an Access-as-a-Service to gain entrance to a network.
New STOP variants
Michael Gillespie noticed two new STOP variants that were uploaded to ID Ransomware and append the .tfude or .tro extensions to encrypted file names.