There were not many new ransomware variants released this week, but there was some pretty interesting news about operations changing their tactics to remain profitable and to evade law enforcement.
Sodinokibi/REvil is phasing out support for Bitcoin ransom payments in favor of Monero to make it harder for law enforcement to trace them.
Finally, Nemty Ransomware is moving from a public ransomware-as-a-service to a private one to become more exclusive and entice more experienced affiliates to join their organization.
We also have Ragnar Locker getting a name for itself after it was discovered they encrypted Portugal’s Energias de Portugal (EDP) and allegedly stole 10TB of data.
Contributors and those who provided new ransomware information and stories this week include: @Ionut_Ilascu, @FourOctets, @demonslay335, @DanielGallagher, @malwrhunterteam, @struppigel, @BleepinComputer, @fwosar, @VK_Intel, @Seifreed, @serghei, @jorntvdw, @LawrenceAbrams, @malwareforme, @PolarToffee, @siri_urz, @fbgwls245, @emsisoft, @RedDrip7, @Jirehlov, @JakubKrouste, @Amigo_A_, and @GrujaRS.
April 11th 2020
Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
The Sodinokibi Ransomware has started to accept the Monero cryptocurrency to make it harder for law enforcement to track ransom payments, and plans to stop allowing Bitcoin payments in the future.
Reports Say Epiq Has Laid Off Some 200 Employees In Wake Of Ransomware Attack
The international e-discovery and managed services company Epiq Global has laid off some 200 employees, with more layoffs yet to come, according to several sources familiar with the situation.
April 12th 2020
New Wiper Malware impersonates security researchers as prank
A malware distributor has decided to play a nasty prank by locking victims' computers before they can start Windows and then blaming the infection on two well-known and respected security researchers.
Ransomware writer issues an apology
The author of the KokoCrypt ransomware issued an apology after ransomware he wrote was leaked into the wild.
New Golang Ransomware variant
Jirehlov and RedDrip found a new ransomware that appends the .bug extension and drops a ransom note named Read_Bug.html.
April 13th 2020
New ransomware hunt
Michael Gillespie found a new ransomware that appends the .SARS-CoV-2 extension and drops a ransom note named RECOVER MY ENCRYPTED FILES.TXT.
New DOP Dharma variant
dnwls0719 found a new variant of the Dharma Ransomware that appends the .dop extension to encrypted files.
April 14th 2020
RagnarLocker ransomware hits EDP energy giant, asks for €10M
Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M).
New Creepy Ransomware
S!Ri found a new ransomware called Creepy that appends the .creepy extension to encrypted files.
New Lalo STOP Ransomware variant
Michael Gillespie found a new variant of the STOP Ransomware that appends the .lalo extension to encrypted files.
Emsisoft’s Aurora decryptor updated
Emsisoft updated their Aurora decryptor to support the .bukyak and .serpom extensions.
Emsisoft releases KokoCrypt decryptor
Emsisoft has released a decryptor for the KokoCrypt ransomware.
April 15th 2020
Nemty Ransomware shuts down public RaaS operation, goes private
The Nemty Ransomware is shutting down its public Ransomware-as-a-Service (RaaS) operation and switching to an exclusive private operation where affiliates are hand-selected for their expertise.
New Nemty variant has messages for researchers
MalwareHunterTeam found a new Nemty 3.1 ransomware variant that has messages for Michael Gillespie, MalwareHunterTeam, and Amigo_A.
New DEC Dharma Ransomware variant
Jakub Kroustek found a new Dharma Ransomware variant that appends the .dec extension to encrypted files.
April 16th 2020
New Balaclava Ransomware variant
GrujaRS found a new variant of the Balaclava Ransomware that appends the .KEY0004 extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.
April 17th 2020
Leading accounting firm MNP hit with cyberattack
A leading accounting firm in Canada forced a company-wide shutdown of their systems after getting hit with a cyberattack last weekend, BleepingComputer has learned.
New Fidesz ransomware
MalwareHunterTeam found a new in-development ransomware from Hungary called Fidesz.