This week we saw quite a few campaigns with widespread distribution. These campaigns are being installed either over publicly accessible Remote Desktop Services or through malspam. The biggest news is a variant of the Hermes ransomware called Ryuk that has generated over $640,000 USD in Bitcoin for its developers.

Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @Seifreed, @malwrhunterteam, @jorntvdw, @struppigel, @fwosar, @demonslay335, @FourOctets, @BleepinComputer, @campuscodi, @LawrenceAbrams, @PolarToffee, @Amigo_A_, @vishuwerehere, @yvesago, @Jan0fficial, and @CheckPointSW.

August 18th 2018

AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys

Towards the end of July 2018, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.

August 20th 2018

Beware of Spam with Fake Invoices Pushing Hermes 2.1 Ransomware and AZORult

A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened they install the AZORult information stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.

New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles

A new variant of the Matrix Ransomware has been discovered that renames encrypted files and then appends the .FOX extension to the file name. Of particular interest, this variant may have the most exhaustive process yet of making sure every file is closed by other processes and therefore available for encryption. Thankfully, this also makes its encryption process very slow, which gives defenders a better chance of detecting it before it finishes.

New TorchWood Ransomware Variant

Amigo-A found a new variant of the Russian TorchWood ransomware that uses the .TRCHWD extension for encrypted files and is installed over RDP.

New NinjaLock Ransomware

MalwareHunterTeam found a new ransomware called NinjaLock. Jack shared the image and stated it does not encrypt.

New Creeper Ransomware variant

Amigo-A found a new variant of the Creeper Ransomware that appends the .crypton extension and drops a ransom note named DECRIPT_FILES.txt.

New Jigsaw variant with new background

Michael Gillespie found a new Jigsaw Ransomware variant that uses the .fun extension and sets a new desktop background image.

New Scarab Ransomware variant

Michael Gillespie found a new Scarab Ransomware variant that utilizes the .CYBERGOD extension and another that uses the .rent extension.

August 21st 2018

Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge

A new ransomware strain named Ryuk is making the rounds, and, according to current reports, the group behind it has already made over $640,000 worth of Bitcoin.

New RotorCrypt Ransomware

Michael Gillespie found a new RotorCrypt Ransomware variant that appends the !@#$_(decryp in the EMail)____nautilus369alarm@gmail.com____$#@..AlfaBlock extension to encrypted files.

New Rapid Ransomware v1 Variant

MalwareHunterTeam found a new Rapid v1 Ransomware variant that now uses the .no_more_ransom extension on encrypted files.

New Xorist variant discovered

Michael Gillespie found a new Xorist Ransomware variant that uses the extensions .PrOtOnIs and .PrOtOnIs.VaNdElIs.

New n1n1n1 ransomware variant

Michael Gillespie noticed a new n1n1n1 variant uploaded to ID Ransomware that uses the "jpa." prefix on files and drops a ransom note named why files renamed jpa..txt.

New Why Ransomware discovered

Michael Gillespie noticed a new ransomware variant uploaded to ID Ransomware that uses the .WHY extension and drops a ransom note named !!!WHY_MY_FILES_NOT_OPEN!!!.txt.

August 23rd 2018

New TotalWipeOut ransomware

MalwareHunterTeam found a new ransomware called TotalWipeOut.

New PyLocky variant

MalwareHunterTeam found a new PyLocky variant that appends the .lockedfile extension to encrypted files.

New Oni Ransomware variant

MalwareHunterTeam found a new Oni Ransomware variant that drops ransom notes named RESTORE_ONI_FILES.txt and renames encrypted files to the format "%original file name (including extension) converted to hex%.ONI", so the original name is still recoverable from the encrypted file's name.
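Because the Oni variant described above only hex-encodes the original name rather than discarding it, an incident responder can recover the original file names from a directory listing to assess impact without the decryption key. The following Python script does that. It is an added example, not code from the original article or from any of the researchers named here; it assumes the hex string is an ASCII/UTF-8 encoding of the whole original name (the report does not state the encoding), and the sample listing is constructed.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample directory listing (not from a real infection). The first two
# names follow the Oni format "hex(original name).ONI"; the rest should be ignored.
SAMPLE_LISTING: List[str] = [
    "7265706f72742e646f6378.ONI",   # hex of "report.docx"
    "626f6f6b732e786c7378.ONI",     # hex of "books.xlsx"
    "abc.ONI",                      # odd-length hex string: not a valid encoding
    "RESTORE_ONI_FILES.txt",        # the ransom note dropped by this variant
    "photo.jpg",                    # untouched file
]

# A renamed file is a run of hex digits followed by exactly ".ONI".
ONI_NAME_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\.ONI$")


def decode_oni_name(name: str) -> Optional[str]:
    """Return the original file name for an Oni-renamed file, or None if the
    name does not follow the hex-encoded-name + .ONI pattern.

    Assumption (not stated in the report): the original name was UTF-8 text.
    """
    match = ONI_NAME_RE.match(name)
    if not match:
        return None
    try:
        # bytes.fromhex raises ValueError on odd-length input; a decode failure
        # raises UnicodeDecodeError, which is a subclass of ValueError.
        return bytes.fromhex(match.group("hex")).decode("utf-8")
    except ValueError:
        return None


def map_listing(names: List[str]) -> Dict[str, str]:
    """Map each Oni-renamed file in a listing to its recovered original name.
    Files that do not match the pattern are left out of the result."""
    recovered: Dict[str, str] = {}
    for name in names:
        original = decode_oni_name(name)
        if original is not None:
            recovered[name] = original
    return recovered


def scan_directory(path: str) -> Dict[str, str]:
    """Walk a directory tree and recover original names for every .ONI file,
    keyed by the full path of the encrypted file."""
    recovered: Dict[str, str] = {}
    for root, _dirs, files in os.walk(path):
        for encrypted, original in map_listing(files).items():
            recovered[os.path.join(root, encrypted)] = original
    return recovered


if __name__ == "__main__":
    # Stand-alone run over the constructed listing; point scan_directory at a
    # copy of an affected share for real triage.
    for encrypted, original in map_listing(SAMPLE_LISTING).items():
        print(f"{encrypted} -> {original}")
```

Run over the constructed listing, the two well-formed names decode to report.docx and books.xlsx, while the odd-length hex string, the ransom note and the untouched file are skipped. Running the recovered name list through a file-type inventory gives a quick picture of which document types were hit before any decryption work starts.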

New Jigsaw Ransomware variant

Michael Gillespie found a new Polish Jigsaw Ransomware variant that appends the extension .#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#.

That's it for this week! Hope everyone has a nice weekend!