The Week in Ransomware – January 18th 2019


The ransomware developers must be back from vacation, as there were a lot of new releases this week. In addition to new variants of existing families such as Dharma, Scarab, Matrix, and more, we also had a few brand-new ransomware families pop up, including Anatova, Xcry, and TrumpHead.

As for news, we learned that BlackRouter is being sold as a RaaS, a ransom note that bundles a PayPal phishing page was discovered, and a new .tro variant of the STOP/Djvu ransomware is picking up steam.

Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @demonslay335, @malwareforme, @fwosar, @LawrenceAbrams, @malwrhunterteam, @jorntvdw, @BleepinComputer, @PolarToffee, @FourOctets, @struppigel, @arealshadow, @petrovic082, @GrujaRS, @leotpsc, @Amigo_A, @JakubKroustek, @ValthekOn, @Emm_ADC_Soft, and @coveware.

January 12th 2019

New Krab Scarab Ransomware variant

Amigo-A found a new variant of the Scarab Ransomware that appends the .Krab extension to encrypted files and drops a ransom note named !!! RETURN YOUR FILES !!!.TXT.

January 14th 2019

New .zzzzzzzz Scarab Ransomware variant

Emmanuel_ADC-Soft found a new sleepy variant of the Scarab Ransomware that appends the .zzzzzzzz extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

New PPAM GlobeImposter 2 variant

Petrovic found a new variant of GlobeImposter 2 that appends the .ppam extension to encrypted file names.

New ransomware appends mdk4y

Leo found a new ransomware that appends the .mdk4y extension to encrypted file names.

New French Jigsaw Ransomware variant

Michael Gillespie found a new French Jigsaw Ransomware variant that appends the .data extension.

New Matrix Ransomware variant

Michael Gillespie found a new Matrix Ransomware variant that appends the .GRHAN extension and drops a ransom note named !README_GRHAN!.rtf.

New TrumpHead Ransomware

MalwareHunterTeam found a new ransomware called TrumpHead that contains text that sounds like, well, Trump. 

January 15th 2019

Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles

In December 2018, a new ransomware called Djvu, which could be a variant of STOP, was released that has been heavily promoted through crack downloads and adware bundles. Originally, this ransomware would append a variation of the .djvu string as an extension to encrypted files, but a recent variant has switched to the .tro extension.

New Ransomware Bundles PayPal Phishing Into Its Ransom Note

A new in-development ransomware has been discovered that not only encrypts your files, but also tries to steal your credit card information with an included PayPal phishing page.

New IsraBye variant is repeating itself

MalwareHunterTeam found a new IsraBye variant that appears to repeat the appended extension.

New Paradise Ransomware variant

MalwareHunterTeam found a new Paradise ransomware variant that drops a ransom note named Instructions with your files.txt and uses the extension _%ID%_{[email protected]}.xyz.

New JobCrypter Ransomware variant

MalwareHunterTeam found a new JobCrypter variant.

Looking for the Obfuscated Ransomware

Michael Gillespie is looking for a new ransomware that appends the .obfuscated extension and drops a ransom note named Read Me.txt.

January 16th 2019

New Anatova ransomware discovered

Valthek discovered a new ransomware called Anatova that asks for a ransom payment in Dash.

New ransomware variant

Petrovic found a new ransomware variant that appends the [email protected]!! extension to encrypted files and drops a ransom note named Help to decrypt.txt.

January 17th 2019

BlackRouter Ransomware Promoted as a RaaS by Iranian Developer

A ransomware called BlackRouter has been discovered being promoted as a Ransomware-as-a-Service on Telegram by an Iranian developer. This same actor previously distributed another ransomware called Blackheart and promotes other infections, such as a RAT.

New 7Zip Ransomware variant

Amigo-A found a new variant of the 7Zip Ransomware that appends the .aes extension to encrypted files and drops a ransom note named INFORMATION.hta.

Xcry Ransomware discovered

MalwareHunterTeam discovered a new ransomware called Xcry that was programmed in Nim. Xcry Ransomware will append the .xcry7684 extension to encrypted files and drop a ransom note named HOW_TO_DECRYPT_FILES.html.

Oscar Venom Ransomware discovered

MalwareHunterTeam discovered a new Jigsaw Ransomware variant called Oscar Venom that appends the .venom extension to encrypted files.

Fake Jigsaw variants

MalwareHunterTeam discovered some new fake Jigsaw Ransomware variants that do not encrypt and have a password of “1212”. They then display the “RUSSIAN FEDERATION ATTACKING YOU!” message when closing the program.

Jigsaw Ransomware has a loooong extension

Michael Gillespie found a new Jigsaw Ransomware sample that uses a very looooong extension.

New GIF Dharma variant

Jakub Kroustek found a new Dharma variant that appends the .gif extension to encrypted files.

StopDecryptor updated to support offline Djvu variants

Michael Gillespie updated his StopDecryptor to support newer offline .djvu variants.

January 18th 2019

Fallout Exploit Kit is Back with New Vulnerabilities and Payloads

The Fallout exploit kit is back in business after a short downtime, with new tools under its belt such as a new Flash exploit, HTTPS support, a new landing page format, and the capability to deliver payloads using PowerShell. One of its payloads is GandCrab.

New BitPaymer variant

GrujaRS found a new variant of BitPaymer that appends the .locked extension and drops a per-file ransom note named [file_name].readme_txt.

RickRoll Locker discovered

MalwareHunterTeam discovered a new ransomware called RICKROLL LOCKER that appends the .cryptoid extension and drops ransom notes named CRYPTOID_BLOCKED.txt, CRYPTOID_HELP.txt, and CRYPTOID_MESSAGE.txt. It appears to be an offline variant of the Aurora ransomware.

New James Ransomware

Leo found a new ransomware that appends the .James extension to encrypted files.

FileCryptor Ransomware discovered

Michael Gillespie found a new ransomware that drops a ransom note named HOW TO DECRYPT FILES.txt.

New Phobos Dharma variant

Coveware found a new variant of the Dharma ransomware that appends the .phobos extension to encrypted files.

That’s it for this week! Hope everyone has a nice weekend!
