
May 25th 2019

May 31, 2019 - BleepingComputer

In addition to new variants of existing ransomware, we also had the Fallout exploit kit distributing a new ransomware payload and a spam campaign pushing ransomware in Germany.

The Maze Ransomware was discovered being distributed via the Fallout exploit kit and stating that it will charge a different ransom amount depending on the type of computer that is infected. We also saw the Sodinokibi Ransomware being distributed through spam pretending to be foreclosure notices.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @PolarToffee, @struppigel, @FourOctets, @jorntvdw, @malwrhunterteam, @LawrenceAbrams, @Seifreed, @DanielGallagher, @demonslay335, @BleepinComputer, @JakubKroustek, @datalossguru, @sculabs, @jeromesegura, @MarceloRivero, and @GrujaRS.

May 25th 2019

In-dev GottaCry Ransomware

MalwareHunterTeam found a new ransomware called GottaCry that is in-development.

SysFrog Ransomware discovered

Michael Gillespie spotted a ransomware that appends the .sysfrog extension to encrypted files and drops a ransom note named how_to_decrypt.txt.

New QBX Dharma Ransomware variant

Michael Gillespie spotted a new Dharma Ransomware variant that appends the .qbx extension to encrypted files.

May 27th 2019

New Mogera STOP Djvu variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .mogera extension to encrypted files.

May 28th 2019

New ZOH Dharma Ransomware variant

Michael Gillespie spotted a new Dharma Ransomware variant that appends the .zoh extension to encrypted files.

New BEETS Dharma Ransomware variant

Jakub Kroustek spotted a new Dharma Ransomware variant that appends the .beets extension to encrypted files.

New Rezuc STOP Djvu variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .rezuc extension to encrypted files.

New Eris Ransomware

Michael Gillespie spotted a new ransomware that appends the .ERIS extension and drops a ransom note named @ READ ME TO RECOVER FILES @.txt.

New GlobeImposter variant

GrujaRS found a new GlobeImposter variant that appends the .LotR extension and drops a ransom note named NEW_WAVE.html.

May 29th 2019

MBR-based NMoreira Boot Ransomware

Dave Logue found a variant of the NMoreira Ransomware that appears to be targeting the MBR.

May 30th 2019

Fake WannaCry Ransomware

MalwareHunterTeam found a fake WannaCry Ransomware that looks like it was made as a joke, school assignment, or for “fun”.

New Harma Dharma Ransomware variant

Michael Gillespie spotted a new Dharma Ransomware variant that appends the .harma extension to encrypted files.

STOP Ransomware Decryptor updated

Michael Gillespie updated his STOP Djvu Ransomware decryptor to support the offline keys for the .skymap, .mogera, and .rezuc variants.

New Buran Ransomware spotted

Michael Gillespie spotted a new ransomware on ID-Ransomware that utilizes what looks like a GUID for the extension. For example, .3674AD9F-5958-4F2A-5CB7-F0F56A8885EA. It also drops a ransom note named !!! YOUR FILES ARE ENCRYPTED !!!.TXT.

May 31st 2019

Sodinokibi Ransomware Pushed via Foreclosure Warning Spam

A malspam campaign targeting potential German victims is actively distributing Sodinokibi ransomware via spam emails with malicious attachments that pose as foreclosure notifications.

Maze Ransomware Says Computer Type Determines Ransom Amount

A variant of the Maze Ransomware, otherwise known as the ChaCha Ransomware, has been spotted being distributed by the Fallout exploit kit. An interesting feature of this ransomware is that it says the ransom amount will be different depending on whether the victim is a home computer, server, or workstation.

New Stone STOP Djvu variant

Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .stone extension to encrypted files.

New RotorCrypt Ransomware variant

Michael Gillespie found a new RotorCrypt Ransomware variant that appends the !__prontos@cumallover.me__.bak extension.

That’s it for this week! Hope everyone has a nice weekend!
