The Week in Ransomware – July 3, 2020


Apple

Many macOS users, including my family and friends, have been under the impression that Macs are not affected by malware and therefore do not need security software. After this week, I hope the point is clear: that assumption is wrong, and Macs need antivirus software.

This week a new ransomware called ThiefQuest was discovered that was distributed via pirated software on Torrent sites. With numerous features, including a keylogger, reverse shell, and spyware capabilities, ThiefQuest hit macOS like a mallet.

Further investigation by BleepingComputer showed that this malware also steals numerous files, including certificates, documents, text files, source code, and cryptocurrency wallets. We also believe that the ransomware component is actually a wiper, as it provides no contact information for obtaining a decryptor and uses the same bitcoin address for all victims.

In the past, when we have seen a lack of contact information and a static bitcoin address, the ransomware was either still in development or intended as a wiper to cover other malicious activity.

In this case, the other malicious activity is stealing unencrypted files before encrypting them.

Other big news this week includes the massive WastedLocker campaigns targeting U.S. media and UCSF's announcement that it paid $1.14 million to Netwalker for a decryptor.

Contributors and those who provided new information and ransomware stories this week include: @VK_Intel, @struppigel, @jorntvdw, @malwareforme, @DanielGallagher, @BleepinComputer, @fwosar, @malwrhunterteam, @LawrenceAbrams, @onututu_, @onlarutoffee, @onutout Ionut_Ionut @serghei, @FourOctets, @demonslay335, @joetidy, @campuscodi, @dineshdina04, @patrickwardle, @thomasareed, @Malwarebytes, @objective_see, @threatintel, @MsftSecIntel, @0xDUDm, @0xDUD_ _aaaaaaaaaaa and @xiaopao80087499.

June 27, 2020

New variants of Dharma Ransomware

Jakub Kroustek has found two new variants of the Dharma ransomware that append the .lxhlp or .HOW extension to encrypted files.

June 29, 2020

UC San Francisco pays $1.14 million for ransomware decryptor

The University of California, San Francisco (UCSF) says it paid $1.14 million to the Netwalker ransomware operators who successfully breached the UCSF School of Medicine IT network, stealing data and encrypting systems.

How hackers extorted $1.14m from the University of California, San Francisco

A major medical research institution working on a cure for Covid-19 admitted that it paid hackers a ransom of $1.14 million (£910,000) after a covert negotiation witnessed by BBC News.

A gang of hackers is wiping Lenovo NAS devices and asking for ransoms

A group of hackers going by the name 'Cl0ud SecuritY' is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, deleting files, and leaving ransom notes asking owners to pay between $200 and $275 to get their data back.

New Zida STOP Ransomware variant

Michael Gillespie found a new variant of the STOP ransomware that appends the .zida extension to encrypted files.

New Lolkek Ransomware discovered

Xiaopao found the Lolkek ransomware, which appends the .lolkek extension to encrypted files. According to Amigo_A_, it may still be in development.

LOLKEK

June 30, 2020

Business giant Xerox reportedly suffers Maze ransomware attack

The Maze ransomware operators have added Xerox Corporation to their victim list. The encryption routine appears to have been completed on June 25.

ThiefQuest ransomware is a file-stealing Mac wiper in disguise

A new data wiper and information stealer called ThiefQuest is using ransomware as a decoy to steal files from macOS users. Victims become infected after downloading trojanized installers of popular applications shared on torrent trackers.

VinDizelPux MedusaLocker variant

Ravi found a variant of the MedusaLocker ransomware that appends the .VinDizelPux extension to encrypted files.

Rabbit Ransomware jumps onto the scene

dnwls0719 found the Rabbit ransomware, which appends the .RABBIT extension to encrypted files.

Rabbit Ransomware

July 1, 2020

Dozens of US news sites hacked in WastedLocker ransomware attacks

The Evil Corp gang hacked dozens of company-owned US newspaper websites to infect employees of more than 30 major private US companies, using bogus software update alerts displayed by the JavaScript-based SocGholish malicious framework.

July 2, 2020

Wave of MongoDB ransom attacks uses GDPR as extortion leverage

An avalanche of attacks is targeting unsecured MongoDB servers and wiping their databases. Notes are left demanding a ransom payment; otherwise, the attackers say, the data will be leaked and the owners reported for GDPR violations.

New variants of Dharma Ransomware

Jakub Kroustek has found two new variants of the Dharma ransomware that append the .NHLP or .gyga extension to encrypted files.

New Pojie Ransomware

S!Ri found the new Pojie ransomware, which appends the .52pojie extension to encrypted files.

Pojie

July 3, 2020

Try2Cry: Ransomware tries to worm

A big part of my job as a malware analyst at G Data is writing detection signatures for our product. One of those signatures looks for a USB worm component that I have seen in certain .NET-based RAT variants like njRAT and BlackNet RAT. When this worm signature hit an unidentified sample[1], I got curious. It was a .NET ransomware that seemed strangely familiar to me, but I still couldn't pin it down.

That’s it for this week! I hope everyone has a good weekend!