It has been a busy week in terms of ransomware, between a new variant of MegaCortex that performs something a bit different and MSP attacks against Everis in Spain.
This week a new MegaCortex variant was discovered that threatens to steal your data and publish it if you do not pay the ransom. In addition it states that your credentials have changed, which is not an idle threat as it does indeed change the victim's Windows password.
In addition, we had a major attack targeting Spain with victims including the MSP Everis and SER, Spain's largest radio station network. It is not known if Everis was infected first and used to infect other clients or if they are different attacks. Either way it was a big mess for all involved.
Other than that, we had new variants released as well as new distribution methods discovered.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @FourOctets, @BleepinComputer, @struppigel, @fwosar, @PolarToffee, @malwrhunterteam, @DanielGallagher, @Seifreed, @demonslay335, @LawrenceAbrams, @malwareforme, @ArnauEstebanell, @symantec, @VK_Intel, @Amigo_A_, @GrujaRS, @EC3Europol, @Tesorion_NL, @JakubKroustek, @fbgwls245, @ValthekOn, @coveware, @emsisoft, @raby_mr, and @thyrex2002.
November 3rd 2019

New Jamper Ransomware variant

Amigo-A found a new variant of the Jamper Ransomware that appends the .SONIC extension and drops a ransom note named ---README---.TXT ID: XXXXXXXXXX {10 char.}.

New VIRUS Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .VIRUS extension to encrypted files.
New Java-based Ransomware

dnwls0719 found a new ransomware coded in Java that appends the .encrypted extension and drops a ransom note named HOWTODECRYPT.txt.
November 4th 2019

Ransomware Attacks Hit Everis and Spain's Largest Radio Network

Everis, an NTT DATA company and one of Spain's largest managed service providers (MSP), had its computer systems encrypted today in a ransomware attack, just as it happened to Spain's largest radio station Cadena SER (Sociedad Española de Radiodifusión).
Nemty Ransomware Now Spreads via Trik Botnet

The operators of Nemty ransomware have found a new distributor for their file-encrypting malware, which now spreads via Trik, a botnet that pushes all sorts of threats.
Norsk Hydro Breach: Update on Insurance Coverage

So far, Norwegian aluminum company Norsk Hydro has received just $3.6 million from its cyber insurer to cover expenses related to the LockerGoga ransomware attack it suffered in March that led to losses of $50 million to $71 million, the company revealed in its third quarter report.
New Toec STOP Ransomware variant

Amigo-A found a new STOP DJvu Ransomware variant that appends the .toec extension to encrypted files.

GrujaRS found the new Cyborg Ransomware that appends the .petra extension and drops a ransom note named Cyborg_DECRYPT.txt.
New HakBit variant

GrujaRS found a new Hakbit Ransomware variant that uses the .crypted extension.
New Meka STOP Djvu Ransomware variant

Michael Gillespie found a new variant of the STOP Djvu Ransomware that appends .meka.
November 5th 2019

New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data

A new version of the MegaCortex Ransomware has been discovered that not only encrypts your files, but now changes the logged in user's password and threatens to publish the victim's files if they do not pay the ransom.

Brooklyn Hospital Loses Patient Data In Ransomware Attack

A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused permanent loss of some patients' data.
Tesorion added to the No More Ransom Project

Tesorion has been added as a contributing partner to the No More Ransom Project for their Nemty Ransomware decryptor.
Government of Nunavut returns to paper records and phone calls following ransomware attack

This past weekend’s ransomware attack on the Government of Nunavut has had far-reaching consequences, having frozen the government’s communications and operating systems and revived the use of telephone calls, paper record-taking and faxes for communication among the territory’s departments.
New Paradise Ransomware variant

GrujaRS found a new Paradise Ransomware variant that appends the .for extension and drops a ransom note named ---==%$$$OPEN_ME_UP$$$==---.txt.
New GodLock Ransomware

GrujaRS found a new FreeMe Ransomware variant that appends the .GodLock extension and drops a ransom note named .GodLock.README.TXT.

Buran Ransomware; the Evolution of VegaLocker

McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REVil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40%, numbers from notorious malware families like GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. They announced in their ads that all the affiliates will have a personal arrangement with them.
Ransomware Payments Rise as Public Sector is Targeted, New Variants Enter the Market

The total cost of a ransomware attack is a function of direct and indirect costs. Direct costs include the immediate remediation of the event, including the ransom if it must be paid. The indirect costs are the costs of business interruption associated with the attack. Business interruption costs are often 5-10x higher than direct costs. Lost revenue and long term brand damage are factors that weigh heavily on victims of ransomware who are not able to recover quickly.
November 6th 2019

New RSA Dharma Ransomware variant

Jakub Kroustek found a new variant of the Dharma Ransomware that appends the .rsa extension (lowercase variant) to encrypted files.
New MOSK STOP Djvu Ransomware variant

Michael Gillespie found a new STOP Ransomware variant that appends the .mosk extension to encrypted files.
Inside the FBI's quiet 'ransomware summit'

To help stem the tide of file-locking attacks, the FBI quietly convened the country’s top ransomware experts in an unprecedented, closed-door conference in September. The briefings, which occurred over two days, were a recognition by law enforcement officials that their ability to better investigate and prosecute ransomware cases hinges on the private sector sharing more data with them.
Seasonal ransomware highlights the need for better reporting and information sharing

It appears, however, that we may have been mistaken about the reason for the decrease. Data collected by the EPSRC EMPHASIS Ransomware project and shared with us by Professor David Wall of the University of Leeds shows mid-year spikes in previous years too.
November 7th 2019

New LOKF STOP Djvu Ransomware variant

Michael Gillespie found a new STOP Ransomware variant that appends the .lokf extension to encrypted files.
New Octopus Phobos Ransomware variant

Amigo-A found a new variant of the Phobos Ransomware that appendages (get it?) the .octopus extension to encrypted files and drops a ransom note named info.txt.

New Rooster Maoloa variant

Raby found a new variant of the Maoloa Ransomware that appends the .Rooster865qq extension and drops a ransom note named HOW TO BACK YOUR FILES.exe.
New Major Ransomware variant

GrujaRS found a new Major Ransomware variant that appends the .AIR extension and drops a ransom note named TRY_TO_READ.html.

November 8th 2019

QuikSilver and Billabong Affected by Ransomware Attack

Action sports giant Boardriders was hit by a ransomware attack that affected some of its subsidiaries, including QuikSilver and Billabong, and forced the company to shut down computing systems all over the world.
New WannaCash variant

Alex Svirid found a new variant of the WannaCash ransomware that changes the file name to ???? ?????????? [original_name].wannacash.zip.
That's it for this week! Hope everyone has a nice weekend!