This week we had some new variants of common ransomware infections such as Dharma and Matrix. Otherwise, it has predominantly been small variants that were either created as a test or have minimal distribution.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @LawrenceAbrams, @DanielGallagher, @hexwaxwing, @BleepinComputer, @fwosar, @FourOctets, @malwareforme, @PolarToffee, @struppigel, @jorntvdw, @demonslay335, @Seifreed, @davidmaciejak, @JakubKroustek, and @Amigo_A_.
 

November 10th 2018

XUY Ransomware discovered

MalwareHunterTeam found a new ransomware called XUY that appends the extension .xuy to encrypted files' names.

November 11th 2018

Argus Ransomware discovered

Amigo-A found a new ransomware called Argus that appends the .ARGUS extension and drops a ransom note named ARGUS-DECRYPT.html.

November 12th 2018

Dharma Ransomware: What It’s Teaching Us

David Maciejak and Kenny Yongjian Yang of FortiGuard Labs take a look at Dharma Ransomware:

FortiGuard Labs has been monitoring the Dharma (also named CrySiS) malware family for a few years. As we demonstrate below, even though the Dharma ransomware continues to be active, the attackers are not really updating their mode of operation, but continue to rely on a proven tactic to find and infect new victims, which is to leverage badly secured RDP services to gain access to the network.

010001 Ransomware discovered

Michael Gillespie noticed a new ransomware, with a sample discovered by Jakub Kroustek, that appends the extension .010001 to encrypted files and drops a ransom note named tmpsfn_as.txt.

November 13th 2018

HookAds Malvertising Installing Malware via the Fallout Exploit Kit

The HookAds malvertising campaign has been active lately and redirecting visitors to the Fallout Exploit Kit. Once the kit is activated, it will attempt to exploit known vulnerabilities in Windows to install different malware such as the DanaBot banking Trojan, the Nocturnal information stealer, and GlobeImposter ransomware.

Titan Cryptor Discovered

MalwareHunterTeam discovered a new variant of the Argus Ransomware called Titan Cryptor. This variant does not add an extension and drops a ransom note named Titan Instructions.html.

New SaveFiles Ransomware variant

MalwareHunterTeam found a new variant of the SaveFiles Ransomware called DataWait. This ransomware appends the .DATAWAIT extension and drops a ransom note named !readme.txt.

November 14th 2018

New Matrix variant

Michael Gillespie found a new variant of the Matrix Ransomware that appends the .FASTA extension and drops a ransom note named #README_FASTA#.rtf.

New .Back Dharma Ransomware variant

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .back extension to encrypted files.

BlackHat Ransomware discovered

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .BlackHat extension to encrypted files and drops a ransom note named ReadME-BlackHat.txt.

November 15th 2018

New .Bear Dharma Ransomware variant

Jakub Kroustek discovered a new Dharma variant that appends the .Bear extension to encrypted files.

November 16th 2018

C3YPT3OR Ransomware discovered

MalwareHunterTeam found a new ransomware called C3YPT3OR that impersonates WannaCry.

New Defray Ransomware variant

Michael Gillespie found a possible new Defray Ransomware variant targeting the MD industry. This ransomware is highly targeted, with mentions of the victim in the ransom note, and the extension and email address are tailored to the victim. The ransom note is !!!_Read_Me_How_To_DeCrypt_Files_!!!.tXt.
 

That's it for this week! Hope everyone has a nice weekend!
