This was a pretty interesting week for ransomware. An attacker out of China managed to infect over 100,000 victims with a poorly-written ransomware that asked victims to pay the ransom via WeChat. Thankfully, the ransomware was easily decrypted by numerous companies and the developer was arrested a few days later.
Other big news is research from Check Point, which showed how a "Ransomware Decryption" company stated that it could decrypt numerous ransomware families, but just tacked on a fee and paid the ransomware developers instead.
Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @PolarToffee, @malwareforme, @LawrenceAbrams, @DanielGallagher, @FourOctets, @struppigel, @BleepinComputer, @malwrhunterteam, @demonslay335, @fwosar, @hexwaxwing, @Ionut_Ilascu, @Seifreed, @GrujaRS, @JakubKroustek, @MarceloRivero, @petrovic082, and @_CPResearch_.
December 3rd 2018

GandCrab v5.0.9 comes with a message

Marcelo Rivero noticed that the GandCrab developers released version 5.0.9, which simply contains a message stating that "We will become back very soon! ;)"
GandCrab 5.0.9
December 4th 2018

New RISK Dharma Variant

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .RISK extension to encrypted files.
New IsraBye version

GrujaRS found a new version of the IsraBye ransomware that appends the .israbye extension to encrypted files.

Dablio Ransomware discovered

Karsten Hahn found the new Dablio Ransomware that prepends "(encrypted)" to the beginning of encrypted files' names.

December 5th 2018

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Over 100,000 computers in China have been infected in just a few days with poorly-written ransomware named UNNAMED1989 that encrypts local files and steals credentials for multiple Chinese online services. This ransomware then asked victims to pay the developer via WeChat payments.

Company Pretends to Decrypt Ransomware But Just Pays Ransom

Security researchers from Check Point Research have found a company in Russia that guarantees decryption of files touched by the Dharma/Crisis ransomware strain, an operation known to be successful only by paying for the unlock key from the malware maker.
Atlanta U.S. Attorney Charges Iranian nationals for City Of Atlanta ransomware attack

A federal grand jury in Atlanta has returned an indictment charging Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri with committing a sophisticated ransomware attack on the City of Atlanta in March 2018 in violation of the Computer Fraud and Abuse Act.
New bkpx Dharma Ransomware variant

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .bkpx extension to encrypted files.
December 6th 2018

Chinese Police Arrest Dev Behind UNNAMED1989 WeChat Ransomware

Chinese law enforcement have arrested the developer of the UNNAMED1989 / WeChat Ransomware that recently took China by storm and infected over 100K users in a few days.
Abandoned GlobeImposter TOR Site Leaves Ransomware Victims Without Options

Recent victims of GlobeImposter 2.0 found themselves grasping for a means to decrypt data after the TOR site in their ransomware notice was abandoned by its creators. Without backups, these victims have no path to decrypt their data or contact the hackers. Recent examples of the ransom notice left on encrypted machines appear below, and direct the user to a broken TOR site.
December 7th 2018

HiddenTear variant discovered

MalwareHunterTeam found a HiddenTear variant that tries to implicate a YouTuber who said he didn't make it. See the Twitter thread for more info.
Gerber Ransomware 1.0

Petrovic discovered the Gerber Ransomware 1.0 that appends the .XY6LR extension to encrypted files' names.

Gerber Ransomware 3.0

Soon after, GrujaRS discovered the Gerber Ransomware 3.0.

New LOL Scarab Ransomware variant

Amigo-A found a new variant of the Scarab Ransomware that appends the .lol extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

Outsider Ransomware discovered

GrujaRS discovered a ransomware called Outsider that appends the .protected extension.

JungleSec Ransomware uses open source encryption tool

Michael Gillespie learned from a victim that the JungleSec ransomware is utilizing the http://ccrypt.sourceforge.net/ encryption program.
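Most of this week's entries are identified by nothing more than a file extension, a filename prefix or a ransom note name, and that is also how a responder first spots them on a file share. The script below is an added example (not BleepingComputer's or ID Ransomware's code) that collects those indicators from the entries above into a small triage pass over a file listing. The family labels, the `classify`/`triage` function names and the sample listing are all constructed for the example; it flags a family as corroborated only when both encrypted files and its ransom note are seen, because a short extension such as .lol is a weak signal on its own.

```python
"""Triage a file listing for the ransomware file-name artefacts named in this
week's roundup. Constructed example, not a BleepingComputer or ID Ransomware tool."""
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions taken from the entries above, compared case-insensitively.
SUFFIX_INDICATORS = {
    ".risk": "Dharma",
    ".bkpx": "Dharma",
    ".israbye": "IsraBye",
    ".xy6lr": "Gerber 1.0",
    ".lol": "Scarab",
    ".protected": "Outsider",
}
# Dablio prepends its marker to the file name instead of appending an extension.
PREFIX_INDICATORS = {"(encrypted)": "Dablio"}
# Ransom note file names from the roundup (only Scarab's note is named this week).
NOTE_NAMES = {"how to recover encrypted files.txt": "Scarab"}


def classify(path):
    """Return ('note'|'file', family) when a path matches an indicator, else None."""
    name = PurePosixPath(path).name.lower()
    if name in NOTE_NAMES:
        return "note", NOTE_NAMES[name]
    for prefix, family in PREFIX_INDICATORS.items():
        if name.startswith(prefix):
            return "file", family
    for suffix, family in SUFFIX_INDICATORS.items():
        if name.endswith(suffix):  # also matches Dharma's longer id/email suffix chain
            return "file", family
    return None


def triage(paths):
    """Group matches by family; a family is corroborated when both encrypted
    files and its ransom note were observed in the listing."""
    report = defaultdict(lambda: {"files": [], "notes": [], "corroborated": False})
    for path in paths:
        match = classify(path)
        if match is None:
            continue
        kind, family = match
        report[family]["files" if kind == "file" else "notes"].append(path)
    for entry in report.values():
        entry["corroborated"] = bool(entry["files"] and entry["notes"])
    return dict(report)


# Constructed sample listing (not taken from any real incident).
SAMPLE_LISTING = [
    "/srv/share/report.docx.id-1A2B3C4D.[mail@example.test].RISK",
    "/srv/share/budget.xlsx.bkpx",
    "/home/u/photos/holiday.jpg.israbye",
    "/home/u/docs/(encrypted)thesis.pdf",
    "/home/u/docs/notes.txt.XY6LR",
    "/var/www/index.html.lol",
    "/var/www/HOW TO RECOVER ENCRYPTED FILES.TXT",
    "/opt/data/db.sqlite.protected",
    "/home/u/docs/clean.txt",
    "/tmp/readme.protected.bak",
]

if __name__ == "__main__":
    for family, entry in sorted(triage(SAMPLE_LISTING).items()):
        flag = "corroborated" if entry["corroborated"] else "uncorroborated"
        print(f"{family:10} {flag:14} files={len(entry['files'])} notes={len(entry['notes'])}")
```

On a real share you would feed `triage` the output of a recursive directory walk and treat an uncorroborated single-extension hit as a prompt to look for the note and a sample to upload to ID Ransomware, not as an identification by itself.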
That's it for this week! Hope everyone has a nice weekend!