The Week in Ransomware – January 22nd 2021


Ransomware news is slow this week, with mostly small ransomware variants being released and a small number of attacks reported.

This week’s biggest news is threat actors hacking the IObit forums to host malware for an IObit phishing scam that infected numerous people with the DeroHE ransomware.

This week’s other interesting news is a new threat actor utilizing Windows BitLocker and Diskcryptor to encrypt organization’s file and backup servers. A known attack by this group encrypted 40 servers in an attack on the CHwapi Hospital in Belgium, which disrupted medical care.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @DanielGallagher, @LawrenceAbrams, @malwrhunterteam, @serghei, @struppigel, @demonslay335, @VK_Intel, @jorntvdw, @FourOctets, @fwosar, @PolarToffee, @Ionut_Ilascu, @malwareforme, @Seifreed, @GrujaRS, @JakubKroustek, @ffforward, @chum1ng0, @gcluley, @ValeryMarchive, @ExtendedRaavan, @0x4143, @siri_urz, and @Amigo_A_.

January 16th 2021

New FCorp Ransomware

GrujaRS found a new HiddenTear variant that appends the .fcorp extension and drops a ransom note named READ_IT.txt.


January 17th 2021

New DeroHE ransomware

A new ransomware was distributed via a IObit forums hack that appends the .DeroHE extension and drops a ransom note named READ_TO_DECRYPT.html.

DeroHE ransomware

New DIS Dharma ransomware variant

Jakub Kroustek found a new Dharma ransomware variant that appends the .dis extension to encrypted files.

January 18th 2021

IObit forums hacked to spread ransomware to its members

Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.

DeCovid19Bot ransomware discovered

S!ri found a new ransomware that appends the .locked extension and drops a ransom note named ATTENTION!!!!0.txt.

Swanky Wentworth golf club hacked, details of 4000 members stolen in ransomware attack

Members of one of England’s most exclusive golf clubs has warned its 4000 members that their personal details may have fallen into the hands of hackers following a ransomware attack.

The city of Angers in turn bears the brunt of a cyberattack by…


The Week in Ransomware – January 15th 2021


It has been another quiet week for ransomware, though we did have some interesting stories come out this week.

By far, the most interesting is the news about ChastityLocker – ransomware that exploits vulnerabilities in men’s chastity belts (not joking) so that they can’t unlock them.

Other interesting news is Intel’s announcement that their new vPro chips will have built-in hardware ransomware detection and BitDefender released a decryptor for the DarkSide ransomware.

Unfortunately, after the decryptor was released, the DarkSide operation announced that they fixed the weakness allowing the decryptor to work.

DarkSide message

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @Ionut_Ilascu, @VK_Intel, @BleepinComputer, @FourOctets, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @DanielGallagher, @fwosar, @malwareforme, @jorntvdw, @PolarToffee, @LawrenceAbrams, @Telekom_group, @LukasStefanko, @GrujaRS, @Bitdefender, @vxunderground, @JakubKroustek, @M_Shahpasandi, @Kangxiaopao, @ExtendedRaavan, and @Amigo_A_.

January 9th 2021

Hacker used ransomware to lock victims in their IoT chastity belt

The source code for the ChastityLock ransomware that targeted male users of a specific adult toy is now publicly available for research purposes.

January 10th 2021

Three new Dharma ransomware variants

Jakub Kroustek found three new Dharma ransomware variants that append the .hub, .aol, or .14x extension to encrypted files.

January 11th 2021

Intel adds hardware-based ransomware detection to 11th gen CPUs

Intel announced today at CES 2021 that they have added hardware-based ransomware detection to their newly announced 11th generation Core vPro business-class processors.

DarkSide ransomware decryptor recovers victims’ files for free

Romanian cybersecurity firm Bitdefender has released a free decryptor for the DarkSide ransomware to allow victims to recover their files without paying a ransom.

New STOP ransomware variant

Raavan Extended found a new STOP Ransomware variant that appends the .qlkm extension.

New STOP ransomware variant

Amigo-A found a new STOP Ransomware variant that appends the .coos extension.

New Flamingo ransomware…


Butler County Sheriff’s Office discovered malware activity on its emergency communications system a week ago

“Maybe a slight inconvenience, but not an operational failure.”

Dispatchers were using paper and looking at charts to know here to send emergency units.

“CAD is a computer system,” he said. “All computer systems can fail and we have a plan in place as back up. It is planned for. Now is it difficult, yes. Anytime we do a CAD update where there is a loss of functionality for a while and there is a plan to continue to function. Operations don’t just stop.”

The paper-and-maps system for dispatching brought back memories for Oxford Police Chief John Jones.

“I started as a dispatcher that’s how we stared we did things on paper cards,” he said. “It still works.

“Here at OPD, luckily we had some fall back because we used to be our own dispatch center. We still employ dispatch clerk. We were still able to access (a law enforcement information system) and run license plates and IDs when just had to switch to a different channel for the information.”

Jones said the department entered warrants and stolen car data for agencies and brought in extra personnel to help out.

The department uses the same reporting system as BCSO, so officers used printouts of forms to write report. They will be have to enter them into the system when it is fully functional.

“Fortunately, it is a slow time of year. I think we take for granted that infrastructure and how critical the security of it is,” Jones said. “Certainly impacted the agencies.”

Ross Twp. Police Chief Burt Roberts said his department has its own new record management system, so report taking and entering were not impacted. Roberts said there were other options they used to access law enforcement information systems.

“Law enforcement didn’t just shut down,” he said. “Believe it or not we actually did police work before computers came along.”

All along, law enforcement leaders stressed, the work was still being done.

“Technological issues are anticipate and we all have a back up plan,” said Fairfield Twp. Police Department Chief Robert Chabali. “The safety of the community and the officers remained intact.”


The Week in Ransomware – January 1st 2021


This holiday edition cover the latest ransomware news from the past two weeks, including known ransomware attacks and law enforcement takedowns.

Over the past two weeks, we have seen ransomware attacks on scent and flavor designed Symrise, FreePBX developer Sangoma, trucking giant Air Forward, and home appliance maker Whirlpool, 

Of particular interest is the Air Forward attack as it was done by the new Hades ransomware operation that began operating last month and has been busy racking up victims.

This week’s other big news is the law enforcement takedown of the Safe-Inet and Insorg VPN and proxy services known for catering to cybercriminal activity.

According to Europol, threat actors using these services included ransomware operations, skimming attacks, and more.

“Active for over a decade, Safe-Inet was being used by some of the world’s biggest cybercriminals, such as the ransomware operators responsible for ransomware, E-skimming breaches and other forms of serious cybercrime,” Europol stated in a press release about the operation.

Contributors and those who provided new ransomware information and stories this week include @FourOctets, @PolarToffee, @DanielGallagher, @malwrhunterteam, @LawrenceAbrams, @struppigel, @fwosar, @VK_Intel, @jorntvdw, @serghei, @demonslay335, @malwareforme, @Ionut_Ilascu, @Seifreed, @BleepinComputer, @AhnLab_SecuInfo, @chum1ng0, @siri_urz, @Kangxiaopao, @Jirehlov, @fbgwls245, @M_Shahpasandi, and @S2Wlab.

December 19th 2020

New ANCrypted Ransomware

M. Shahpasandi found a new ransomware called ANCrypted.


December 20th 2020

Flavors designer Symrise halts production after Clop ransomware attack

Flavor and fragrance developer Symrise has suffered a Clop ransomware attack where the attackers allegedly stole 500 GB of unencrypted files and encrypted close to 1,000 devices.

December 21st 2020

Trucking giant Forward Air hit by new Hades ransomware gang

Trucking and freight logistics company Forward Air has suffered a ransomware attack by a new ransomware gang that has impacted the company’s business operations.

The Institute for Security and Technology (IST) Launches Multi-Sector Ransomware Task Force (RTF)

The Institute for Security and…