MAFIA ransomware targeting users in Korea

A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language. Another interesting (and new to ...
RedEye ransomware: there's more than meets the eye

A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample. It turned out to be RedEye ransomware, a new strain or variant by the same creator of Annabelle ransomware, which I discovered in February earlier this year.

Analysis

This ransomware is named "RedEye" ...
PSCrypt ransomware: back in business

PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware. I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millennium's hacked website: Crystal Finance Millennium used to spread malware. In this ...
Vietnamese ransomware wants you to add credit to a mobile phone

In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone. Update 2018-05-06: scroll down for the update, added to the conclusion.

Analysis

This ransomware is named "BKRansomware" based on the file name and debug path. Properties:
MD5: 892da86e60236c5aaf26e5025af02513
SHA1: 6f36c02161a83a3683921fc73319474157f4fb92
SHA256: c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f
Compilation timestamp: 2018-05-03 ...
Ransomnix ransomware variant encrypts websites

Tags: Ransomnix, Ransomware
Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website. This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware. In this blog post, we'll discuss a ...
Satan ransomware adds EternalBlue exploit

Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware. Satan ransomware itself has been around since January 2017, as reported by Bleeping Computer. In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit ...
This is Spartacus: new ransomware on the block

In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.

Analysis

This instance of Spartacus ransomware has the following properties:
MD5: 25dee2e70c931f3fa832a5b189117ce8
SHA1: a01294ffd541229718948e17f791694efb596123
SHA256: ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3
Compilation timestamp: 2018-01-19 20:36:44
VirusTotal report: ef25bdbcf05fa478df3ddc5f4f717c070e443da04cfc590d44409c815f237cb3

Figure 1 - Spartacus ransomware message

The message reads: All your files have been encrypted due to a security problem with ...
CryptoWire ransomware not dead

Tags: .encrypted., cryptowire, Ransomware
CryptoWire is an "open-source" ransomware based on the AutoIt scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer: "Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families. I already encountered a CryptoWire variant last year, when it was used to target users ...
Maktub ransomware: possibly rebranded as Iron

Tags: DMA locker, satan, Satan ransomware, st_v2
In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker. hasherezade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you wish to learn ...
Fake Steam Desktop Authenticator steals account details

In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app". Lava from SteamRep brought to my attention a fake version of SDA floating around, which may be attempting to steal your Steam ...