The ransomware developers must be back from vacation as there were a lot of new releases this week. In addition to new variants of existing ransomware such as Dharma, Scarab, Matrix, and more, we also had a few new variants pop up.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @demonslay335, @malwareforme, @fwosar, @LawrenceAbrams, @malwrhunterteam, @jorntvdw, @BleepinComputer, @PolarToffee, @FourOctets, @struppigel, @arealshadow, @petrovic082, @GrujaRS, @leotpsc, @Amigo_A, @JakubKroustek, @ValthekOn, @Emm_ADC_Soft, and @coveware.
January 12th 2019
Amigo-A found a new variant of the Scarab Ransomware that appends the .Krab extension to encrypted files and drops a ransom note named !!! RETURN YOUR FILES !!!.TXT.
January 14th 2019
Emmanuel_ADC-Soft found a new sleepy variant of the Scarab Ransomware that appends the .zzzzzzzz extension to encrypted files and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
Petrovic found a new variant of the GlobeImposter2 that appends the .ppam extension to encrypted file names.
Leo found a new ransomware that appends the .mdk4y extension to encrypted file names.
Michael Gillespie found a new French Jigsaw Ransomware variant that appends the .data extension.
Michael Gillespie found a new Matrix Ransomware variant that appends the .GRHAN extension and drops a ransom note named !README_GRHAN!.rtf.
MalwareHunterTeam found a new ransomware called TrumpHead that contains text that sounds like, well, Trump.
January 15th 2019
In December 2018, a new ransomware called Djvu, which could be a variant of STOP, was released that has been heavily promoted through crack downloads and adware bundles. Originally, this ransomware would append a variation of the .djvu string as an extension to encrypted files, but a recent variant has switched to the .tro extension.
A new in-development ransomware has been discovered that not only encrypts your files, but also tries to steal your credit card information with an included PayPal phishing page.
MalwareHunterTeam found a new IsraByte variant that seems to be repeating itself with the extension.
MalwareHunterTeam found a new JobCrypter variant.
Michael Gillespie is looking for a new ransomware that appends the .obfuscated extension and drops a ransom note named Read Me.txt.
January 16th 2019
Valthek discovered a new ransomware called Anatova that asks for a ransom payment in Dash.
January 17th 2019
A ransomware called BlackRouter has been discovered being promoted as a Ransomware-as-a-Service on Telegram by an Iranian developer. This same actor previously distributed another ransomware called Blackheart and promotes other infections such as a RAT.
Amigo-A found a new variant of the 7Zip Ransomware that appends the .aes extension to encrypted files and drops a ransom note named INFORMATION.hta.
MalwareHunterTeam discovered a new ransomware called Xcry that was programmed in Nim. Xcry Ransomware will append the .xcry7684 extension to encrypted files and drop a ransom note named HOW_TO_DECRYPT_FILES.html.
MalwareHunterTeam discovered a new Jigsaw Ransomware variant called Oscar Venom that appends the .venom extension to encrypted files.
MalwareHunterTeam discovered some new fake Jigsaw Ransomware variants that do not encrypt and have a password of “1212”. They then display the “RUSSIAN FEDERATION ATTACKING YOU!” message when closing the program.
Michael Gillespie found a new Jigsaw Ransomware sample that uses a very looooong extension.
Jakub Kroustek found a new Dharma variant that appends the .gif extension to encrypted files.
Michael Gillespie updated his StopDecryptor to support newer .djvu variants.
January 18th 2019
The Fallout exploit kit is back in business after a short downtime, with new tools under its belt such as a new Flash exploit, HTTPS support, a new landing page format and the capability to deliver payloads using PowerShell. One of its payloads is GandCrab.
GrujaRS found a new variant of BitPaymer that appends the .locked extension and drops a ransom note named [file_name].readme_txt.
MalwareHunterTeam discovered a new ransomware called RICKROLL LOCKER that appends the .cryptoid extension and drops ransom notes named CRYPTOID_BLOCKED.txt, CRYPTOID_HELP.txt, and CRYPTOID_MESSAGE.txt. It appears to be an Aurora offline variant.
Leo found a new ransomware that appends the .James extension to encrypted files.
Michael Gillespie found a new ransomware that drops a ransom note named HOW TO DECRYPT FILES.txt.
Coveware found a new variant of the Dharma ransomware that appends the .phobos extension to encrypted files.
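The extensions and ransom note names in this roundup are only useful if a defender can sweep a file share for them, and several of this week's extensions (.gif, .aes, .data, .locked) collide with ordinary file types. The following is an added example, not code from BleepingComputer or from any of the researchers credited above; it assumes the indicators exactly as listed in this post, treats BitPaymer's [file_name].readme_txt note as a .readme_txt suffix, and only flags an ambiguous extension when the file's original extension is still visible underneath it.

```python
import os
from collections import defaultdict

# Appended extensions reported this week, mapped to the family named in the post.
APPENDED_EXTENSIONS = {
    ".krab": "Scarab", ".zzzzzzzz": "Scarab", ".ppam": "GlobeImposter2",
    ".mdk4y": "unnamed", ".data": "Jigsaw", ".grhan": "Matrix", ".tro": "Djvu",
    ".obfuscated": "unnamed", ".aes": "7Zip", ".xcry7684": "Xcry",
    ".venom": "Jigsaw (Oscar Venom)", ".gif": "Dharma", ".locked": "BitPaymer",
    ".cryptoid": "RICKROLL LOCKER", ".james": "unnamed", ".phobos": "Dharma",
}
# Ransom note file names from the post, compared case-insensitively.
RANSOM_NOTES = {
    "!!! return your files !!!.txt": "Scarab",
    "how to recover encrypted files.txt": "Scarab",
    "!readme_grhan!.rtf": "Matrix", "read me.txt": "unnamed",
    "information.hta": "7Zip", "how_to_decrypt_files.html": "Xcry",
    "cryptoid_blocked.txt": "RICKROLL LOCKER", "cryptoid_help.txt": "RICKROLL LOCKER",
    "cryptoid_message.txt": "RICKROLL LOCKER", "how to decrypt files.txt": "unnamed",
}
# These extensions also belong to ordinary files, so alone they would flood the
# sweep with false positives. They count only when an original extension is still
# visible underneath (report.docx.locked, photo.jpg.gif), i.e. it was appended.
AMBIGUOUS = {".gif", ".aes", ".data", ".locked"}


def classify_name(filename):
    """Return the family a file name points to, or None if it looks ordinary."""
    name = filename.lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    if name.endswith(".readme_txt"):  # assumption: BitPaymer's [file_name].readme_txt note
        return "BitPaymer"
    stem, ext = os.path.splitext(name)
    family = APPENDED_EXTENSIONS.get(ext)
    if family and ext in AMBIGUOUS:
        inner = os.path.splitext(stem)[1]  # extension the file had before encryption
        if not (2 <= len(inner) <= 6 and inner[1:].isalnum()):
            return None
    return family


def sweep_names(filenames):
    """Group matching paths by family; the caller decides what counts as an alert."""
    hits = defaultdict(list)
    for path in filenames:
        family = classify_name(os.path.basename(path))
        if family:
            hits[family].append(path)
    return dict(hits)
```

To run it over a share, feed `sweep_names` the output of a walk, e.g. `sweep_names(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)`; a single ransom note hit is a stronger signal than one ambiguous extension.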