This has been a slow week in terms of new variants, but we continue to see enterprise-targeting ransomware operators threatening to release data for non-paying victims.
With Coronavirus on everyone’s minds, malware developers have turned to COVID-19-themed phishing scams and malware to take advantage of the panic and anxiety induced by the outbreak.
Of particular interest are two ransomware infections, CoronaVirus Ransomware and CovidLock, that use the outbreak as their theme.
Stay safe out there!
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @BleepinComputer, @serghei, @FourOctets, @struppigel, @jorntvdw, @demonslay335, @DanielGallagher, @LawrenceAbrams, @Ionut_Ilascu, @malwrhunterteam, @Seifreed, @PolarToffee, @VK_Intel, @DomainTools, and @LastlineLabs.
March 7th 2020
Michael Gillespie found a new variant of the STOP Ransomware that appends the .lokd extension to encrypted files.
Ransomware Threatens to Reveal Company’s ‘Dirty’ Secrets
The operators of the Sodinokibi Ransomware are threatening to publicly share a company’s “dirty” financial secrets because the company refused to pay the demanded ransom.
March 8th 2020
Ryuk Ransomware Behind Durham, North Carolina Cyberattack
The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this weekend.
Michael Gillespie found a new variant of the STOP Ransomware that appends the .foop extension to encrypted files.
March 10th 2020
Paradise Ransomware Distributed via Uncommon Spam Attachment
Attackers have started to send Excel Web Query attachments in phishing campaigns to download and install the Paradise Ransomware on unsuspecting victims.
March 12th 2020
New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer
A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.
March 13th 2020
MalwareHunterTeam found that the Nemty Ransomware has rebranded as NEFILIM. It drops a ransom note named NEFILIM-DECRYPT.txt and appends the .NEFILIM extension to encrypted files.
CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware
In reality, the app is poisoned with ransomware. This Android ransomware application, previously unseen in the wild, has been titled “CovidLock” because of the malware’s capabilities and its background story. CovidLock uses techniques to deny the victim access to their phone by forcing a change in the password used to unlock the phone. This is also known as a screen-lock attack and has been seen before on Android ransomware.