Security researchers have discovered more ransomware under development, namely one paying homage to Voldemort and another featuring Donald Trump, as well as one variant currently targeting servers and yet a different ransomware hitting government agencies and education institutions.
Let’s start with the ransomware that has moved past development into actively locking up computers.
DXXD ransomware targeting servers
On the Bleeping Computer forums, there were reports of servers being hit with DXXD ransomware. After a file has been encrypted, “dxxd” is appended to the end of its filename, so myimportantfile.jpg becomes myimportantfile.jpgdxxd.
The vector of infection is currently unknown, but victims typically get the following ransom note via a ReadMe:
Dear owner, bad news!!!! Your SERVER [hacked], and file's [ENCRYPTED]!
Victims who want their files back, along with tips on how to protect their files and server in the future, are told to contact one of two secure, encrypted email addresses (at Tutanota and ProtonMail) or to reach out via Jabber.
A different victim of the DXXD ransomware reportedly saw the following message on the login screen: “Dear Administrator, YOUR server is attacked by hackers.”
Then there is the ransomware targeting local and state governments as well as K-12 educational institutions. It was dubbed MarsJoke by Proofpoint researchers after they found the string “HelloWorldItsJokeFromMars” in the code. Although they had seen MarsJoke back in August, they detected the first large-scale email MarsJoke campaign on September 22.
The researchers believe MarsJoke is being delivered via the Kelihos botnet. The malicious emails include stolen branding and are designed to look like they came from a “major national air carrier” or shipping company. If an unfortunate soul is fooled by the lure, then a file is downloaded that installs MarsJoke and encrypts files.
The victim’s desktop background changes to a ransom note, demanding 0.7 bitcoin before 96 hours are up or the files are deleted. At the time of publishing, 0.7 bitcoin was equal to $422.16.
Besides state and local government agencies and educational institutions, some organizations in the healthcare, telecommunications and insurance industries have also been hit, as the attackers are looking for “easy target” organizations that likely do not have strong defensive resources or robust backup procedures.
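The two active families above each leave an indicator a defender can sweep for: DXXD glues “dxxd” onto the end of encrypted filenames and drops a ReadMe note opening with “Dear owner, bad news!!!! Your SERVER [hacked]”, and MarsJoke samples carry the string “HelloWorldItsJokeFromMars”. The following script is an added example, not code from the article or from any of the researchers it cites; it walks a directory tree looking for those three indicators over a constructed sample tree (the directory and file names are invented for the demonstration). The only real values in it are the indicators quoted in the text.

```python
import tempfile
from pathlib import Path

# Indicators quoted in the article.
DXXD_SUFFIX = "dxxd"                          # myimportantfile.jpg -> myimportantfile.jpgdxxd
DXXD_NOTE_PHRASE = b"Your SERVER [hacked]"    # from the DXXD ReadMe ransom note
MARSJOKE_MARKER = b"HelloWorldItsJokeFromMars"  # string Proofpoint found in MarsJoke
MAX_SCAN_BYTES = 32 * 1024 * 1024             # cap per-file reads so huge files don't stall the sweep


def is_dxxd_name(name):
    """True when a filename ends in 'dxxd' glued onto an existing name (e.g. photo.jpgdxxd)."""
    lower = name.lower()
    return len(lower) > len(DXXD_SUFFIX) and lower.endswith(DXXD_SUFFIX)


def file_contains(path, needle):
    """Byte-substring check over the first MAX_SCAN_BYTES of a file."""
    with open(path, "rb") as fh:
        return needle in fh.read(MAX_SCAN_BYTES)


def scan_tree(root):
    """Walk root and collect relative paths matching each indicator."""
    root = Path(root)
    findings = {"dxxd_files": [], "ransom_notes": [], "marsjoke_files": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_dxxd_name(path.name):
            findings["dxxd_files"].append(rel)
        # Only flag ReadMe-style files that actually carry the ransom-note phrase,
        # so ordinary project READMEs are not reported.
        if path.name.lower().startswith("readme") and file_contains(path, DXXD_NOTE_PHRASE):
            findings["ransom_notes"].append(rel)
        if file_contains(path, MARSJOKE_MARKER):
            findings["marsjoke_files"].append(rel)
    return findings


def build_sample_tree(root):
    """Constructed sample data: two 'encrypted' files, a ransom note, a benign
    README, an untouched document and a dropper carrying the MarsJoke string."""
    root = Path(root)
    (root / "shares" / "finance").mkdir(parents=True)
    (root / "shares" / "finance" / "q3.xlsxdxxd").write_bytes(b"\x00" * 64)
    (root / "shares" / "photo.jpgdxxd").write_bytes(b"\x00" * 64)
    (root / "shares" / "ReadMe.txt").write_bytes(
        b"Dear owner, bad news!!!! Your SERVER [hacked], and file's [ENCRYPTED]!"
    )
    (root / "project").mkdir()
    (root / "project" / "README.md").write_bytes(b"# Build instructions\n")
    (root / "project" / "notes.docx").write_bytes(b"PK\x03\x04 untouched document")
    (root / "downloads").mkdir()
    (root / "downloads" / "invoice.exe").write_bytes(b"MZ...HelloWorldItsJokeFromMars...")
    return root


def demo():
    """Build the sample tree in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Point `scan_tree` at a file share or web root to get the same three lists for a real host; a non-empty `dxxd_files` list alongside a matching ReadMe note is the combination the DXXD victims described, while the MarsJoke marker is only useful on files you suspect of being the dropper, since a string in a binary is the weakest of the three signals.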
Donald Trump ransomware
Bleeping Computer’s Lawrence Abrams found Donald Trump ransomware that is currently under development but will likely never be actively distributed. The ransomware has functions to encrypt files using AES, but it doesn’t encrypt anything in its current form. Nevertheless, Abrams urged users to be very cautious about opening election news email attachments.
Ransomware named after Lord Voldemort’s pet snake
A malware author who is apparently also a fan of Harry Potter novels is developing ransomware that pays tribute to the villain Voldemort. The ransomware discovered by Michael Gillespie is named after Voldemort’s pet snake Nagini.
“What is interesting, is that instead of asking for a ransom payment in bitcoins, it is asking for users to enter a credit card number instead,” wrote Lawrence Abrams on Bleeping Computer.
Right now, the Nagini ransomware works only on a test system and targets only a handful of file extensions listed in folders of ransomware developer “Colosseum.”
Unlike with the Donald Trump ransomware, Abrams did not predict that development on the Nagini ransomware will stop, nor did he suggest it will not be distributed. With Halloween just around the corner, who knows if there will be an uptick of ransomware referencing scary or villainous pop culture icons on lock screens?