The Week in Ransomware – October 26th 2018

GandCrab Decryptor

We have had quite a bit of interesting news this week regarding ransomware. First we had the Kraken Cryptor deciding to connect to BleepingComputer during different stages of the encryption process, then we had a decryptor released by Bitdefender for GandCrab v1, v4, and v5, and finally a new FilesLocker ransomware as a service.

Unfortunately, today the GandCrab developers released a new variant that breaks the current Bitdefender decryptor.

Other than that, it's mostly been releases of new variants of existing ransomware such as Dharma and Matrix.

Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @malwareforme, @Seifreed, @struppigel, @LawrenceAbrams, @demonslay335, @DanielGallagher, @PolarToffee, @malwrhunterteam, @fwosar, @BleepinComputer, @FourOctets, @hexwaxwing, @nao_sec, @kafeine, @0x009AD6_810, @Bitdefender, @ESET, @GrujaRS, @JakubKroustek, @tamas_boczan, and @siri_urz.

October 20th 2018

New .betta Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .betta extension to encrypted files.

October 21st 2018

Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption

Over the weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer during different stages of its encryption process. It is not known what they are trying to achieve by doing this, but it does provide BleepingComputer with insight into the number of victims being infected by this ransomware.

October 22nd 2018

New Matrix Ransomware variant

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .GMPF extension to encrypted files.

Solo Ransomware

Michael found a new ransomware that appends the .SOLO extension and drops a ransom note named IHRE_DATEIEN_SIND_VERSCHLUESSELT.html. It is not the most sophisticated ransomware, as it encrypts its own note.

October 23rd 2018

Xorist continues with the long extensions

Michael Gillespie found another Xorist Ransomware variant that uses a crazy long extension.

Xorist Variant

HiddenBeer Ransomware discovered

GrujaRS discovered a new HiddenTear variant called HiddenBeer that appends the .beer extension to encrypted files.

HiddenBeer Ransomware

October 24th 2018

New .Vanss Dharma variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .vanss extension and drops ransom notes named Info.html and FILES ENCRYPTED.txt.

Dharma .vanss

October 25th 2018

Free Decrypter Available for the Latest GandCrab Ransomware Versions

A newly released decryptor allows for the free recovery of files encrypted by GandCrab versions 1, 4, and 5.

GandCrab Decryptor

New FilesLocker Ransomware Offered as a Ransomware as a Service

A new ransomware called FilesLocker is being distributed as a Ransomware as a Service, or RaaS, that targets Chinese- and English-speaking victims.


ESET releases new decryptor for Syrian victims of GandCrab ransomware

ESET experts have created a new decryption tool that can be used by Syrian victims of the GandCrab ransomware. It is based on a set of keys recently released by the malware operators.

New .Funny Dharma variant

Michael Gillespie found a new Dharma Ransomware variant that appends the .FUNNY extension to encrypted files.

New Everbe 2.0 variant

Michael Gillespie found a new variant of the Everbe 2.0 Ransomware that appends the .[[email protected]].EVEREST extension and drops ransom notes named EVEREST LOCKER .txt and 新建文本文档.txt.

ID Ransomware adds extortion scam detections

Michael Gillespie added detections for extortion scam emails.

October 26th 2018

GandCrab 5.0.5 released that breaks free decryption

Tamas Boczan discovered that GandCrab v5.0.5 was released, which breaks the free decryption through Bitdefender’s recently released decryptor.

New Ransomware

S!Ri discovered a new ransomware that appends the .docx extension to encrypted files.

.Docx ransomware

That’s it for this week! Hope everyone has a nice weekend!