The Week in Ransomware – May 15th 2020 – REvil targets Trump – BleepingComputer

This week, we saw some interesting news about ransomware features being added and continued attackers against high profile victims.

The biggest news is REvil's continued threats againstGrubman Shire Meiselas & Sacks (GSMLaw) after demanding a $21 million ransom. They have now increased the ransom to $42 million and have begun releasing emails that they state are damaging to President Trump.

From what was shared with BleepingComputer, it appears that theransomware operators are bluffing.

On the feature side, Netwalker created a auto-publishing data leak blog to be used by affiliates. REvil also added new code that will automatically terminates processes keeping a file open that they are trying to encrypt.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @PolarToffee, @VK_Intel, @fwosar, @FourOctets, @demonslay335, @malwareforme, @Ionut_Ilascu, @DanielGallagher, @jorntvdw, @struppigel, @Seifreed, @malwrhunterteam, @LawrenceAbrams, @serghei, @GroupIB_GIB, @y_advintel, @IntelAdvanced, @Intel471Inc, @thyrex2002, @benkow_, @fbgwls245, @siri_urz, @PageSixEmily, and @Amigo_A_.

Alex Svirid released a decryptor for the CryLock (ex-Cryakl) 1.9.0.0 ransomware.

Benkw discovered that the GuLoader Trojan is distributing the HakBit ransomware.

MalwareHunterTeam found a new ransomware called Kupidon that appends the .kupidon extension to encrypted files and drops a ransom note named !KUPIDON_DECRYPT.txt.

The Sodinokibi (REvil) ransomware has added a new feature that allows it to encrypt more of a victim's files, even those that are opened and locked by another process.

Global business services company Pitney Bowes recently stopped an attack from Maze ransomware operators before the encryption routine could be deployed but the actor still managed to steal some data.

The Texas court system was hit by ransomware on Friday night, May 8th, which led to the branch network including websites and servers being disabled to block the malware from spreading to other systems.

Fortune 500 company Magellan Health Inc announced today that it was the victim of a ransomware attack on April 11, 2020, which led to the theft of personal information from one of its corporate servers.

MalwareHunterTeam found a new ransomware that is being spread with a COVID-19 lure. When encrypting files it appends the .dodged extension.

dnwls0719 found a new STOP Ransomware variant that appends the .mzlq extension to encrypted files.

A ransomware family has begun a new tactic of not only demanding a ransom for a decryptor but also demanding a second ransom not to publish files stolen in an attack.

S!Ri found a new ransomware called Blackmoon that appends the .cxk extension to encrypted files.

ProLock is a relatively new malware on the ransomware scene but has quickly attracted attention by targeting businesses and local governments and demanding huge ransoms for file decryption.

dnwls0719 found a new ransomware targets people in Turkey that appends the .zeronine extension.

The ransom demand for the secret files of a cyber-attacked lawyer to A-list stars has doubled to $42million as the hackers now threaten to reveal dirty laundry on President Donald Trump in just a week if they are not paid in full.

The Netwalker ransomware operation is recruiting potential affiliates with the possibility of million-dollar payouts and an auto-publishing data leak blog to help drive successful ransom payments.

See the original post here:
The Week in Ransomware - May 15th 2020 - REvil targets Trump - BleepingComputer