This week we have seen quite a few campaigns with widespread distribution. These campaigns are being delivered either through exposed Remote Desktop Services or through malspam. The biggest news is a variant of the Hermes ransomware called Ryuk that has generated over 600k USD for its developers.
Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @Seifreed, @malwrhunterteam, @jorntvdw, @struppigel, @fwosar, @demonslay335, @FourOctets, @BleepinComputer, @campuscodi, @LawrenceAbrams, @PolarToffee, @Amigo_A_, @malwareforme, @vishuwerehere, @yvesago, @Jan0fficial, and @CheckPointSW.
Towards the end of July 2018, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.
A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened they install the AZORult information stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.
A new variant of the Matrix Ransomware has been discovered that is renaming encrypted files and then appending the .FOX extension to the file name. Of particular interest, this ransomware could have the most exhaustive process of making sure each and every file is not opened and available for encrypting. Thankfully, this also makes its encryption process very slow so it could be easier to detect.
Michael Gillespie found a new Jigsaw Ransomware variant that uses the .fun extension and the following background image.
A new ransomware strain named Ryuk is making the rounds, and, according to current reports, the group behind it has already made over $640,000 worth of Bitcoin.
Michael Gillespie found a new RotorCrypt Ransomware variant that appends the !@#$_(decryp in the EMail)firstname.lastname@example.org____$#@..AlfaBlock extension to encrypted files.
MalwareHunterTeam found a new Rapid v1 Ransomware variant that now uses the .no_more_ransom extension on encrypted files.
Michael Gillespie found a new Xorist Ransomware variant that uses the extensions .PrOtOnIs and .PrOtOnIs.VaNdElIs.
MalwareHunterTeam found a new ransomware called TotalWipeOut.
MalwareHunterTeam found a new PyLocky variant that appends the .lockedfile extension to encrypted files.
MalwareHunterTeam found a new Oni Ransomware variant that drops ransom notes named RESTORE_ONI_FILES.txt and renames files to the "%original file name (incl. extension) converted to hex%.ONI" format.
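Because the Oni variant described above keeps the original file name (extension included) inside the new name, just hex-encoded, a responder can recover the original names from a directory listing without any key. The script below is an added example written for this summary, not code from the report or from the ransomware; it assumes the hex stem is the byte-for-byte encoding of the original name (decoded as UTF-8, with a latin-1 fallback), and the sample listing is constructed, not taken from a real infection.

```python
import os
import re

# Constructed sample directory listing for a dry run (not from a real infection).
SAMPLE_LISTING = [
    "4d6f6e74686c795f7265706f72742e786c7378.ONI",  # hex of "Monthly_report.xlsx"
    "696e766f6963652e706466.ONI",                  # hex of "invoice.pdf"
    "RESTORE_ONI_FILES.txt",                       # ransom note name from the report
    "notes.txt",                                   # untouched file
    "zz.ONI",                                      # .ONI extension but stem is not hex
]

# Matches the "<hex of original name>.ONI" format from the report.
ONI_PATTERN = re.compile(r"^([0-9a-fA-F]+)\.ONI$")
RANSOM_NOTE = "RESTORE_ONI_FILES.txt"


def decode_oni_name(filename):
    """Return the original file name if `filename` follows the Oni naming
    format, otherwise None.

    Assumption (not stated in the report): the stem is the hex encoding of
    the original name's raw bytes. UTF-8 is tried first, then latin-1 so an
    odd byte sequence never raises during triage.
    """
    match = ONI_PATTERN.match(filename)
    if not match:
        return None
    stem = match.group(1)
    if len(stem) % 2:  # hex must come in byte pairs
        return None
    raw = bytes.fromhex(stem)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def triage_listing(names):
    """Split a listing into encrypted files (mapped to their recovered
    original names), ransom notes, and everything else."""
    result = {"encrypted": {}, "ransom_notes": [], "other": []}
    for name in names:
        if name == RANSOM_NOTE:
            result["ransom_notes"].append(name)
            continue
        original = decode_oni_name(name)
        if original is not None:
            result["encrypted"][name] = original
        else:
            result["other"].append(name)
    return result


def triage_directory(path):
    """Run the same triage over a real directory on disk."""
    return triage_listing(os.listdir(path))


if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    for encrypted, original in report["encrypted"].items():
        print(f"{encrypted} -> {original}")
    print("ransom notes:", report["ransom_notes"])
    print("unaffected:", report["other"])
```

The recovered names are what you need to pull the right files back from backup, and the count of matches per directory gives a quick measure of how far the encryption got before it was stopped.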