It has been a quiet week, with only small new ransomware families and new variants of existing ones such as Matrix. As much as we would like to see ransomware die off altogether, it is here to stay.
Dharma is still going strong, targeting businesses through Remote Desktop services exposed to the internet. Make sure that any computer running Remote Desktop Services sits behind a firewall and is reachable only over a VPN, never directly from the internet.
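As an added example (not code from the original article or from BleepingComputer), the following PowerShell pass audits which inbound firewall rules expose TCP 3389, restricts the built-in Remote Desktop rule group to the VPN client range, and turns on Network Level Authentication. The VPN pool 10.8.0.0/24 is a placeholder assumption; the cmdlets are the standard NetSecurity module ones and must be run in an elevated session.

```powershell
# Added example, not part of the original article: audit and restrict inbound RDP on a Windows host.
# Run in an elevated PowerShell session. The VPN client pool 10.8.0.0/24 is an assumption;
# substitute the range your VPN actually hands out.
$VpnSubnet = '10.8.0.0/24'

# 1. List every enabled inbound allow rule for port 3389 and the remote addresses it accepts.
#    A RemoteAddress of "Any" on an internet-facing host is the exposure Dharma operators scan for.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Restrict the built-in "Remote Desktop" rule group so only VPN clients can reach 3389.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet

# 3. Require Network Level Authentication so the client must authenticate before a session is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 4. Verify: the rule group should now list only the VPN subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

This is a host-level control and complements, rather than replaces, blocking 3389 at the perimeter firewall. NLA stops unauthenticated session setup but not password guessing over the VPN, so account lockout and strong credentials still matter.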
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @FourOctets, @hexwaxwing, @campuscodi, @BleepinComputer, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @Seifreed, @malwareforme, @fwosar, @jorntvdw, @JakubKroustek, @dave_daves, @leotpsc, and @GrujaRS.
Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.
Leo discovered a new ransomware called Locdoor/DryCry. It may be buggy or still in development, as it does not encrypt all files. When it does encrypt, it appends the .door[random number] extension to encrypted files.
CyberSecurity found a new PyLocky variant that appends the .lockedfile and .lockymap extensions to encrypted files and drops a ransom note named LOCKY-README.txt.
A new ransomware has been discovered by dave that appears to be targeting web servers. It is unknown what extension, if any, is appended to encrypted files.
Michael Gillespie found a new Matrix Ransomware variant that appends the .FASTBOB extension and drops a ransom note named #_#FASTBOB_README#_#.rtf. Michael discovered another variant that appends the .NEWRAR extension and drops a note named
MalwareHunterTeam found a new Shiva variant with active victims that appends the .good extension and drops a ransom note named HOW_TO_RECOVER_FILES.txt.
A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware-downloading Trojans, and other potentially unwanted programs (PUPs).
Michael Gillespie found a new ransomware that appends the .firstname.lastname@example.org extension and drops a ransom note named help.txt.
Jakub Kroustek found a new Bandarchor ransomware variant that appends the .id-%ID%-[email@example.com].pip extension to encrypted files.
MalwareHunterTeam has found the EOEO AutoIt ransomware that appends the .eoeo extension to encrypted files.
Michael Gillespie found a new ransomware called 5H311 1NJ3C706 that acts more like a screenlocker. It does contain encryption code that adds the extension .5H11 1NJ3C706, but that code does not appear to be working. The password to the screenlocker is 666HackerThn.
MalwareHunterTeam found a new ransomware called Suri that appends the .SLAV extension. It is based on Stupid Ransomware.