This week we see STOP Ransomware becoming the most widespread ransomware targeting consumers and the enterprise that we have seen in a long time. This is due to a constant stream of variants being released, with a large number of victims being infected through adware bundles promoted on crack sites.
Otherwise, it’s your standard Dharma, Matrix, and in-development ransomware that will never be released.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwareforme, @Seifreed, @malwrhunterteam, @FourOctets, @demonslay335, @LawrenceAbrams, @fwosar, @PolarToffee, @BleepinComputer, @jorntvdw, @serghei, @dvk01uk, @ValthekOn, @McAfee_Labs, @JoshStein_, @jasonsaine, @JakubKroustek, @campuscodi, @coveware, @petrovic082, @Damian1338B, and @luc4m.
January 19th 2019
Jakub Kroustek discovered a new Dharma Ransomware variant that appends the .AUF extension to encrypted files.
January 21st 2019
North Carolina’s Attorney General Josh Stein and Rep. Jason Saine proposed legislation designed to strengthen the state’s identity theft protection law, focusing on breach prevention and stronger consumer protections after a breach occurs.
The STOP ransomware has seen very heavy distribution over the last month using adware installers disguised as cracks. This campaign continues with a new variant released over the past few days that appends the .rumba extension to the names of encrypted files. Michael Gillespie also reported finding a variant utilizing the .shadow extension.
Michael Gillespie updated his STOP Decryptor to decrypt the offline versions of the DJVU variants.
January 22nd 2019
Jakub Kroustek discovered more Dharma variants that use the .USA, .xwx, and .best extensions for encrypted files.
MalwareHunterTeam found a new Ryuk variant that uses an internal project name of “Cryptor 2.0”.
Michael Gillespie found a new variant of the Matrix Ransomware that appends the .GMBN extension and drops a ransom note named !README_GMBN!.rtf. Michael found another variant that uses the .SPCT extension.
Coveware found a new Dharma variant that is appending the .heets extension to encrypted files.
January 23rd 2019
A new ransomware family called Anatova has popped up on the radar of analysts, who see it as a serious threat created by skilled authors who could turn it into a multifunctional piece of malware.
MalwareHunterTeam found someone named Dennis playing with a Hidden Tear variant named “Ransomware by BSS”.
A new strain of ransomware has been observed targeting Bitcoin mining rigs. At the time of writing, most of the infections have been reported in China, the country where most of the world’s cryptocurrency mining farms are located.
MalwareHunterTeam found the JSWorm Ransomware that appends the .JSWORM extension and drops a ransom note named JSWORM-DECRYPT.html.
January 24th 2019
A new malspam campaign pretending to be the current emergency exit map for the recipient’s building is being used to install the GandCrab Ransomware. These spam emails contain malicious Word documents that download and install the infection from a remote computer.
Petrovic found a new Xorist variant that appends the .vaca extension to encrypted files.
January 25th 2019
MalwareHunterTeam found the Cyspt ransomware that appends the .OOFNIK extension to encrypted files.
found a new Scarab Ransomware variant that appends the .GEFEST extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.
Damian has stated that according to a post at Exploit.in, the developers behind GandCrab have denied being part of a RaaS.
A new unknown ransomware was discovered by luc4m that appends the .locked extension and drops a ransom note named README-NOW.txt.