It was a quiet week for new variants, but a bunch of long-running ransomware infections released new variants this week. We had a few from Scarab, a new Dharma variant, and a new Matrix ransomware variant.
While ransomware is slowing down, it is not going away. So stay vigilant, make sure you perform backups, and get remote desktop off of public IP addresses!
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @malwrhunterteam, @jorntvdw, @LawrenceAbrams, @hexwaxwing, @DanielGallagher, @malwareforme, @PolarToffee, @fwosar, @FourOctets, @BleepinComputer, @Seifreed, @demonslay335, @siri_urz, @Amigo_A_, @TeillardD, @kafeine, @JakubKroustek, and @GrujaRS.
Jakub Kroustek discovered a new variant of the Dharma ransomware that appends the .brrr extension and drops a ransom note named Info.hta.
Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.
Amigo-A found a new variant of the Scarab-DiskDoctor ransomware that uses the .mammon extension for encrypted files. Emmanuel_ADC-Soft shared the ransom note. Other new Scarab variants found this week append the extensions .omerta and .bomber.
An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, encrypting them, and then demanding a ransom in order to get the contents back.
Michael Gillespie found a new Matrix Ransomware variant that appends the .ITLOCK extension to encrypted files and drops a ransom note named !ITLOCK_README!.rtf.
Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.
The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.
Last week the Fallout Exploit kit was distributing the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles, for lack of a better name, through malvertising campaigns.
GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension.