It has been a quiet week, with just small releases and new variants of existing ransomware such as Matrix. As much as we would like to see ransomware die off altogether, it is here to stay.

Dharma is still going strong, targeting businesses via open Remote Desktop services. Therefore, make sure that any computers running Remote Desktop services are behind a firewall and only accessible via a VPN.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @FourOctets, @hexwaxwing, @campuscodi, @BleepinComputer, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @Seifreed, @malwareforme, @fwosar, @jorntvdw, @JakubKroustek, @dave_daves, @leotpsc, and @GrujaRS.

September 2nd 2018

Barack Obama's Blackmail Virus Ransomware Only Encrypts .EXE Files

Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

Locdoor Ransomware discovered

Leo discovered a new ransomware called Locdoor/DryCry. It may be buggy or in development, as it does not encrypt all files. When it does encrypt, it will append the .door[random number] extension to encrypted files.


New PyLocky variant

CyberSecurity found a new PyLocky variant that appends the .lockedfile and .lockymap extensions to encrypted files and drops a ransom note named LOCKY-README.txt.

September 3rd 2018

New Ransomware targeting servers

A new ransomware has been discovered by dave that appears to be targeting web servers. It is unknown what extension, if any, is appended to encrypted files.

September 4th 2018

New Matrix Ransomware variant

Michael Gillespie found a new Matrix Ransomware variant that appends the .FASTBOB extension and drops a ransom note named #_#FASTBOB_README#_#.rtf. Michael discovered another variant that appends the .NEWRAR extension and drops a note named #NEWRAR_README.rtf.

September 5th 2018

New Shiva Ransomware variant

MalwareHunterTeam found a new Shiva variant with active victims that appends the .good extension and drops a ransom note named HOW_TO_RECOVER_FILES.txt.

New CryptoJoker variant

Michael Gillespie found the decrypter for a new CryptoJoker variant that uses the .partially.cryptolocker and .fully.cryptolocker extensions.

YARA Rule created for Shrug2

Marc Rivero López created a new YARA rule that detects the Shrug2 ransomware based on an article from Quick Heal.

September 6th 2018

New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs

A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware downloading Trojans, and other potentially unwanted programs (PUPs). 

New yyy0 Ransomware

Michael Gillespie found a new ransomware that appends the extensio and drops a ransom note named help.txt.

New Bandarchor variant adds .pip

Jakub Kroustek found a new Bandarchor ransomware variant that appends the .id-%ID%-[].pip extension to encrypted files.

New Matrix Ransomware variant

Michael Gillespie saw a new Matrix Ransomware variant uploaded to ID Ransomware that uses the .KOK08 extension and the ransom note #KOK08_README#.rtf.

New EOEO AutoIt ransomware

MalwareHunterTeam has found the EOEO AutoIt ransomware that appends the .eoeo extension to encrypted files. 

September 7th 2018

New 5H311 1NJ3C706 Ransomware

Michael Gillespie found a new ransomware called 5H311 1NJ3C706 that acts more like a screenlocker. It does have encryption code that adds the extension .5H11 1NJ3C706, but it does not appear to be working. The password to the screenlocker is 666HackerThn.

New Suri Ransomware

MalwareHunterTeam found a new ransomware called Suri that appends the .SLAV extension. It is based on Stupid Ransomware.

That's it for this week! Hope everyone has a nice weekend!
