
This week we saw victims continuing to use the legal system to target ransomware operators' assets and services as well as a new ransomware targeting vulnerabilities.
The most interesting news is how victims are utilizing the legal system to freeze or get injunctions against the assets and services used by ransomware operators. This was seen in the previous Southwire lawsuit against Maze and this week with a UK judge freezing the ransomware wallet for Bitpaymer.
Also of interest, we saw actors exploiting the Citrix ADC vulnerability to install the Ragnarok Ransomware on compromised networks.
Other than that, we continue to see new variants of existing ransomware such as Dharma, LockBit, and STOP.
Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @PolarToffee, @DanielGallagher, @demonslay335, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @struppigel, @jorntvdw, @FourOctets, @malwrhunterteam, @Seifreed, @malwareforme, @emsisoft, @campuscodi, @albertzsigovits, @VK_Intel, @Amigo_A_, @KPN, and @rikvduijn.
January 25th 2020
DoppelPaymer finally gets its own extension
MalwareHunterTeam noticed that DoppelPaymer has finally switched to its own extension, .doppled, and now ends its ransom note names with .how2decrypt.txt.
Strawberry Fields Crypto Locker discovered
MalwareHunterTeam discovered a new ransomware called "Strawberry Fields Crypto Locker" that does not actually encrypt files. It looks like a joke ransomware.

January 26th 2020
New CryptLive Dharma Ransomware variant
Amigo-A found a new Dharma Ransomware variant that appends the .LIVE extension and drops the ransom notes Info.hta and FILES ENCRYPTED.txt. It appears to call itself CryptLive.

January 27th 2020
New 2NEW Dharma Ransomware variant
Michael Gillespie found a new Dharma Ransomware variant that appends the .2NEW extension to encrypted files.
January 28th 2020
Ransomware Bitcoin Wallet Frozen by UK Court to Recover Ransom
A victim's insurance company convinced the UK courts to freeze a bitcoin wallet containing over $800K worth of a ransomware payment.
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781.
Maze Ransomware pokes at security researchers
Vitali Kremez has noticed that the Maze Ransomware operators are taunting and having some fun with security researchers.

Tracking REvil
After the message that GandCrab had quit, a hole was left in the scene. It was time for a new contender. In the last few months REvil/Sodinokibi seems to have filled that gap. There already have been multiple blogs describing the similarities between GandCrab and REvil affiliates. We'll stay clear of the similarities in this blog and focus on the usage statistics of the ransomware family by looking at samples, infection rates and ransom demands.
New CryptoPatronum Ransomware Discovered
Amigo_A found the new CryptoPatronum Ransomware that appends the .cryptopatronum@protonmail.com.enc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.txt.

January 29th 2020
New BTOS STOP Djvu Ransomware
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .btos extension to encrypted files.
New NPSG STOP Djvu Ransomware
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .npsg extension to encrypted files.
January 30th 2020
Ransomware predicted to target U.S. 2020 election – and local governments are not prepared
We now feel it necessary to issue a similar warning in relation to the threat ransomware presents to the 2020 election and again call on governments to act immediately to improve their security.
New LockBit variant
Albert Zsigovits found a new variant of the LockBit ransomware that appends the .lockbit extension.

January 31st 2020
New REPP STOP Djvu Ransomware
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .repp extension to encrypted files.
Ransomware hits TV & radio news monitoring service TVEyes
A ransomware infection has brought down TVEyes, a company that manages a popular platform for monitoring TV and radio news broadcasts, broadly used by newsrooms and PR agencies across the globe.
New ALKA STOP Djvu Ransomware
Michael Gillespie found a new STOP Djvu Ransomware variant that appends the .alka extension to encrypted files.
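The appended extensions and ransom note names reported in this week's entries are the kind of indicators a responder would check a file listing against to tell which family hit a host. The script below is an added example, not part of the original roundup: it collects only the values stated above, matches them as trailing suffixes (so the multi-dot, '@'-containing CryptoPatronum extension and the DoppelPaymer note suffix are handled), and any file paths passed to it are constructed for the demonstration.

```python
# Added example: triage a file listing against the indicators reported above.
# Indicator strings come from this week's entries; file names are constructed.

# Extensions reported as appended, matched as a trailing suffix because some
# contain several dots or an '@' and would defeat a plain splitext().
APPENDED_EXTENSIONS = {
    ".doppled": "DoppelPaymer",
    ".live": "Dharma (CryptLive)",
    ".2new": "Dharma",
    ".cryptopatronum@protonmail.com.enc": "CryptoPatronum",
    ".btos": "STOP Djvu",
    ".npsg": "STOP Djvu",
    ".repp": "STOP Djvu",
    ".alka": "STOP Djvu",
    ".lockbit": "LockBit",
}
# Ransom note names reported this week; DoppelPaymer's is known only by its
# trailing ".how2decrypt.txt", so it is matched as a suffix too.
RANSOM_NOTES = {
    "info.hta": "Dharma (CryptLive)",
    "files encrypted.txt": "Dharma (CryptLive)",
    "how to recover encrypted files.txt": "CryptoPatronum",
}
NOTE_SUFFIXES = {".how2decrypt.txt": "DoppelPaymer"}


def classify(path):
    """Return the family whose indicator a path carries, or None."""
    # Accept Windows or POSIX separators regardless of the host OS.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name]
    for suffix, family in NOTE_SUFFIXES.items():
        if name.endswith(suffix):
            return family
    # Longest suffix first so overlapping endings resolve to the most specific.
    for ext in sorted(APPENDED_EXTENSIONS, key=len, reverse=True):
        if name.endswith(ext) and len(name) > len(ext):
            return APPENDED_EXTENSIONS[ext]
    return None


def triage(paths):
    """Group the paths that carry an indicator by the family it points to."""
    hits = {}
    for p in paths:
        family = classify(p)
        if family:
            hits.setdefault(family, []).append(p)
    return hits
```

Feed it a directory walk or a backup catalogue listing; a file whose name is nothing but an indicator extension (for example a bare ".live") is deliberately not counted.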
Comments
Amigo-A - 3 days ago
This Week in Ransomware is #180!