As far as ransomware goes, there are new types always popping up; however, some of the old variants are still going strong: Dharma, which targets businesses via open remote desktop services, is a nasty variant. Therefore, make sure that you have a firewall and VPN securing any devices that are accessible via remote desktop. In continuation to that, it appears that ransomware is here to stay:

  1. Locdoor Ransomware
  2. New Shiva Ransomware Variant
  3. New Matrix Ransomware Variant
  4. New CryptoJoker Variant
  5. YARA Rule Created for Shrug2
  6. New Fallout Exploit Kit Drops GandCab Ransomware or Redirects to PUPs
  7. New yyy0 Ransomware
  8. New PyLocky Variant
  9. New Variant Targeting Servers
  10. New Bandarchor Variant Adds .pip
  11. Barack Obama’s Blackmail Virus Ransomware (.exe Encryption)
  12. New Matrix Ransomware Variant
  13. New EOEO AutoIT Ransomware
  14. New Suri Ransomware
  15. New 5H311 1NJ3C706 Ransomware

Locdoor Ransomware:

A new ransomware called Locdoor/DryCry has been discovered. This may be buggy or still in development as it does not encrypt all files; however, when it does, it will append the .door[random number] extension to the encrypted files. There is no evidence that the files can be decrypted.



New Shiva Ransomware Variant:

A new Shiva variant has been discovered with active victims. This appends the .good extension and drops a ransom note entitled “HOW_TO_RECOVER_FILES” in a text document.


New Matrix Ransomware Variant:

A new Matrix variant was discovered that appends the .FASTBOB extension and drops a random note entitled “#_#FASTBOB_README#_#” in an rtf file. There is another variant that appends the .NEWRAR extension as well and drops a file named “#NEWRAR_README” in rtf format.

New CryptoJoker Variant:

A decrypter was found for the new CryptoJoker variant that uses the .partially.cryptolocker and .fully.cryptojoker. This was identified by security researcher Michael Gillespie.

YARA Rule Created for Shrug2:

Marc Rivero Lopez, a security researcher, created a new YARA rule that detects the Shrug2 ransomware based on an article from Quick Heal.

New Fallout Exploit Kit Drops GandCab Ransomware or Redirects to PUPs:

A new exploit kit called Fallout is now being used to distribute the GandCrab ransomware, which has been devastating so far. This also distributes malware downloading trojans, and other potentially unwanted and undesired programs (PUPs).

New yyy0 Ransomware:

Michael Gillespie, a security researcher, has found a new ransomware that appends the [email protected] extension and drops a ransom note simply entitled “help.txt”.

New PyLocky Variant:

A new PyLocky variant was discovered that appends the .lockedfile and .lockymap extension to encrypted files and drops a ransom note entitled “LOCKY-README” in a text document.

New Variant Targeting Servers:

A new ransomware has been discovered that is seemingly targeting web servers and app servers. The extension of this variant is currently unknown, if it has any, and is appended to encrypted files.

New Bandarchor Variant Adds .pip:

Jakub Kroustek, a security researcher, found a new Bandarchor ransomware variant that appears to append the .id-%ID%-[[email protected]].pip extension to any files it encrypts.

Barack Obama’s Blackmail Virus Ransomware (.exe Encryption):

This is a different type of malware and is seemingly new, but is apparently spreading rapidly. This ransomware only encrypts .exe files on a computer, and then displays a screen with a picture of President Obama that shows a tip for decrypting files. When it comes to ransomware, only encrypting .exe files is strange; however, most of a computer’s functionality is essentially eliminated once .exe files are blocked. This means your normal documents and spreadsheets would normally be safe; however, this does mean retrieving those could prove to be difficult as the Windows services that are used to extract data are blocked, since they run as executable files.

New Matrix Ransomware Variant:

Another new Matrix Ransomware variant was uploaded to ID Ransomware that uses the .KOKo8 extension and there is a ransom note left entitled “#KOK08_README#” in rtf format.

New EOEO AutoIT Ransomware:

The MalwareHunterTeam found the EOEO AutoIT ransomware that seems to append the .eoeo extension to any encrypted files.

New Suri Ransomware:

The MalwareHunterTeam also discovered a new ransomware called Siru. This variant appends the .SLAV extension, and seems to be based on Stupid Ransomware.

New 5H311 1NJ3C706 Ransomware:

Michael Gillespie, a security researcher, found a new ransomware called 5H311 1NJ3C706 that acts more like a screenlocker. This does, however, have encryption code and it does add the extension .5H311 1NJ3C706 to files. This does not appear to be working at this time, but could in the future. The password to the screenlocker is “666HackerThn”.


The majority of these are seemingly foreign variants. The best way to avoid ransomware is continual patching and upgrading, running anti-ransomware software, and maintaining proper firewall and VPN setups. Ransomware can be defeated, and it can be completely blocked out. It is not often advised to pay to decrypt files, unless a security company suggests otherwise. Please contact TriVault if you have any questions or concerns regarding ransomware.