The Week in Ransomware – January 25th 2019

This week we see STOP Ransomware becoming the most widespread ransomware targeting consumers and the enterprise that we have seen in a long time. This is due to a constant stream of variants being released, with a large amount of victims being infected through adware bundles promoted through crack sites.

Otherwise, it’s your standard Dharma, Matrix, and in-development ransomware that will never be released.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwareforme, @Seifreed, @malwrhunterteam, @FourOctets, @demonslay335, @LawrenceAbrams, @fwosar, @PolarToffee, @BleepinComputer, @jorntvdw, @serghei, @dvk01uk, @ValthekOn, @McAfee_Labs, @JoshStein_, @jasonsaine, @JakubKroustek, @campuscodi, @coveware, @petrovic082, @Damian1338B, and @luc4m.

January 19th 2019

New AUF Dharma variant

Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .AUF extension to encrypted files. 

January 21st 2019

Ransomware Attacks May Soon Require Disclosure in North Carolina

North Carolina’s Attorney General Josh Stein and Rep. Jason Saine proposed legislation designed to strengthen the state’s identity theft protection law, targeting prevention and consumer protection boost in the face of breaches.

New Rumba STOP Ransomware Being Installed by Software Cracks

The STOP ransomware has seen very heavy distribution over the last month using adware installers disguised as cracks. This campaign continues with a new variant released over the past few days that appends the .rumba extension to the names of encrypted files. Michael Gillespie also reported finding a variant utilizing the .shadow extension.

Rumba Stop Ransomware

STOP Ransomware decryptor updated for offline DJVU variants

Michael Gillespie updated his STOP Decryptor to decrypt the offline versions of the DJVU variants.

STOP Decryptor

January 22nd 2019

New Dharma variants discovered

Jakub Kroustek discovered two more Dharma variants that utilize the .USA, .xwx, and .best extensions for encrypted files.

New variant of Ryuk using project name of Cryptor 2.0

MalwareHunterTeam found a new Ryuk variant that uses an internal project name of “Cryptor 2.0”.

New Matrix Ransomware variant

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .GMBN extension and drops a ransom note named !README_GMBN!.rtf. Michael found another variant that uses the .SPCT extension.

New .heets Dharma variant

Coveware found a new Dharma variant that is appending the .heets extension to encrypted files.

January 23rd 2019

New Anatova Ransomware Supports Modules for Extra Functionality

A new ransomware family called Anatova has popped on the radar of analysts, who see it as a serious threat created by skilled authors that can turn it into a multifunctional piece of malware.


STOP Ransomware variant uses .adobe

Michael Gillespie found a new variant of the STOP Ransomware that utilizes the .adobe extension. This extension was previously used by the Dharma ransomware.

New BSS Hidden Tear variant

MalwareHunterTeam found someone named Dennis playing with a Hidden Tear variant named “Ransomware by BSS”. 

New ransomware strain is locking up Bitcoin mining rigs in China

A new strain of ransomware has been observed targeting Bitcoin mining rigs. At the time of writing, most of the infections have been reported in China, the country where most of the world’s cryptocurrency mining farms are located.

New JSWorm Ransomware

MalwareHunterTeam found the JSWorm Ransomware that appends the .JSWORM extension and drops a ransom note named JSWORM-DECRYPT.html.


January 24th 2019

Beware of Exit Map Spam Pushing GandCrab v5.1 Ransomware

A new malspam campaign pretending to be the current emergency exit map for the recipient’s building is being used to install the GandCrab Ransomware. These spam emails contain malicious Word documents that download and install the infection from a remote computer.

New Xorist variant

Petrovic found a new Xorist variant that appends the .vaca extension to encrypted files.

January 25th 2019

New Cyspt ransomware

MalwareHunterTeam found the Cyspt ransomware that appends the .OOFNIK extension to encrypted files.


New Scarab Ransomware variant

found a new Scarab Ransomware variant that appends the .GEFEST extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.


GandCrab is not a RaaS

Damian has stated that according to a post at, the developers behind GandCrab have denied being part of a RaaS.

Forum Post


New ransomware variant

A new unknown ransomware was discovered by luc4m that appends the .locked extension and drops a ransom note named README-NOW.txt.

Unknown Ransomware
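As an added example (not code from BleepingComputer or any of the researchers credited above), a small triage script that maps the extensions and ransom-note names reported this week to the families they were attributed to, so a responder can tell which family hit a share. The sample paths are constructed, and extensions that more than one family uses are labelled as ambiguous rather than guessed.

```python
import os
from collections import Counter, defaultdict

# Indicators reported in this week's roundup, keyed to the family each was
# attributed to. Extensions are weak evidence (.adobe was Dharma before STOP
# picked it up; .locked is used by many families), so a ransom-note name is
# treated as the stronger signal and checked first.
EXTENSION_FAMILY = {
    ".auf": "Dharma", ".usa": "Dharma", ".xwx": "Dharma", ".best": "Dharma",
    ".heets": "Dharma", ".rumba": "STOP", ".shadow": "STOP",
    ".adobe": "STOP or Dharma (ambiguous)", ".gmbn": "Matrix", ".spct": "Matrix",
    ".jsworm": "JSWorm", ".vaca": "Xorist", ".oofnik": "Cyspt",
    ".gefest": "Scarab", ".locked": "unknown (generic extension)",
}
NOTE_FAMILY = {
    "!readme_gmbn!.rtf": "Matrix",
    "jsworm-decrypt.html": "JSWorm",
    "how to recover encrypted files.txt": "Scarab",
    "readme-now.txt": "unknown (.locked variant)",
}

# Constructed sample paths; Dharma names carry an id and e-mail before the extension.
SAMPLE_PATHS = [
    "/srv/share/report.docx.id-A1B2C3D4.[x@example.com].USA",
    "/srv/share/budget.xlsx.rumba",
    "/srv/share/photo.jpg.GMBN",
    "/srv/share/!README_GMBN!.rtf",
    "/srv/share/notes.txt.JSWORM",
    "/srv/share/JSWORM-DECRYPT.html",
    "/srv/share/clean.txt",
]

def classify_path(path):
    """Return ("note", family) or ("encrypted", family), or None if nothing matches."""
    name = os.path.basename(path).lower()
    if name in NOTE_FAMILY:
        return ("note", NOTE_FAMILY[name])
    ext = os.path.splitext(name)[1]  # only the final suffix is the ransomware's
    if ext in EXTENSION_FAMILY:
        return ("encrypted", EXTENSION_FAMILY[ext])
    return None

def triage(paths):
    """Count note and encrypted-file hits per family: {family: {kind: n}}."""
    summary = defaultdict(Counter)
    for p in paths:
        hit = classify_path(p)
        if hit:
            summary[hit[1]][hit[0]] += 1
    return {family: dict(counts) for family, counts in summary.items()}

def triage_tree(root):
    """Walk a directory tree (e.g. a restored share) and triage every file in it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
```

Run `triage_tree("/path/to/share")` against a suspect share; a family that shows up with notes but no encrypted files, or an ambiguous extension, still needs a look at the note contents before calling it.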

That’s it for this week! Hope everyone has a nice weekend!
