In addition to new variants of existing ransomware, we also had the Fallout exploit kit distributing a new ransomware payload and a spam campaign pushing ransomware in Germany.
The Maze Ransomware was discovered being distributed via the Fallout exploit kit, and it states that it will charge a different ransom amount depending on the type of computer that is infected. We also saw the Sodinokibi Ransomware being distributed through spam pretending to be foreclosure notices.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwareforme, @PolarToffee, @struppigel, @FourOctets, @jorntvdw, @malwrhunterteam, @LawrenceAbrams, @Seifreed, @DanielGallagher, @demonslay335, @BleepinComputer, @JakubKroustek, @datalossguru, @sculabs, @jeromesegura, @MarceloRivero, and @GrujaRS.
May 25th 2019
In-dev GottaCry Ransomware
MalwareHunterTeam found a new ransomware called GottaCry that is in-development.
SysFrog Ransomware discovered
Michael Gillespie spotted a ransomware that appends the .sysfrog extension to encrypted files and drops a ransom note named how_to_decrypt.txt.
New QBX Dharma Ransomware variant
Michael Gillespie spotted a new Dharma Ransomware variant that appends the .qbx extension to encrypted files.
May 27th 2019
New Mogera STOP Djvu variant
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .mogera extension to encrypted files.
May 28th 2019
New ZOH Dharma Ransomware variant
Michael Gillespie spotted a new Dharma Ransomware variant that appends the .zoh extension to encrypted files.
New BEETS Dharma Ransomware variant
Jakub Kroustek spotted a new Dharma Ransomware variant that appends the .beets extension to encrypted files.
New Rezuc STOP Djvu variant
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .rezuc extension to encrypted files.
New Eris Ransomware
Michael Gillespie spotted a new ransomware that appends the .ERIS extension and drops a ransom note named @ READ ME TO RECOVER FILES @.txt.
New GlobeImposter variant
GrujaRS found a new GlobeImposter variant that appends the .LotR extension and drops a ransom note named NEW_WAVE.html.
May 29th 2019
MBR-based NMoreira Boot Ransomware
Dave Logue found a variant of the NMoreira Ransomware that appears to be targeting the MBR.
May 30th 2019
Fake WannaCry Ransomware
MalwareHunterTeam found a fake WannaCry Ransomware that looks like it was made as a joke, school assignment, or for “fun”.
New Harma Dharma Ransomware variant
Michael Gillespie spotted a new Dharma Ransomware variant that appends the .harma extension to encrypted files.
STOP Ransomware Decryptor updated
Michael Gillespie updated his STOP Djvu Ransomware decryptor to support the offline keys for the .skymap, .mogera, and .rezuc variants.
New Buran Ransomware spotted
Michael Gillespie spotted a new ransomware on ID-Ransomware that utilizes what looks like a GUID for the extension. For example, .3674AD9F-5958-4F2A-5CB7-F0F56A8885EA. It also drops a ransom note named !!! YOUR FILES ARE ENCRYPTED !!!.TXT.
May 31st 2019
Sodinokibi Ransomware Pushed via Foreclosure Warning Spam
A malspam campaign targeting potential German victims is actively distributing Sodinokibi ransomware via spam emails with malicious attachments that pose as foreclosure notifications.
Maze Ransomware Says Computer Type Determines Ransom Amount
A variant of the Maze Ransomware, otherwise known as the ChaCha Ransomware, has been spotted being distributed by the Fallout exploit kit. An interesting feature of this ransomware is that it says the ransom amount will be different depending on whether the infected machine is a home computer, server, or workstation.
New Stone STOP Djvu variant
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .stone extension to encrypted files.
New RotorCrypt Ransomware variant
Michael Gillespie found a new RotorCrypt Ransomware variant that appends the !__prontos@cumallover.me__.bak extension.
That’s it for this week! Hope everyone has a nice weekend!