This past week we saw a lot of new variants of the same existing ransomware out in the wild. While TriVault is able to prevent and mitigate ransomware, stopping it in its tracks isn’t always easy for other cyber security companies. With the number of variants out there still on a steady increase, this goes to show that there are still victims in troves.

New variants of STOP, Dharma, and Jigsaw ransomware were introduced this past week. According to, there was also a ransomware downloader created from “pixels of images and shady data recovery companies partnering with GandCrab to make extra profits.”

Credits to all those who contributed to the findings below include: @fwosar@malwrhunterteam@Seifreed@PolarToffee@demonslay335@struppigel@LawrenceAbrams@malwareforme@FourOctets@jorntvdw@BleepinComputer@disabdillah,@petrovic082@JakubKroustek@_CPResearch_@coveware@dvk01uk, and @bromium.

Credits to for the information below.

New PayDay Ransomware variant

MalwareHunterTeam found a new variant of the PayDay Ransomware that uses a ransom note named HOW_TO_DECRYPT_MY_FILES.txt.

PayDay Ransomware

New variant of the STOP Ransomware

dis found a new variant of the STOP Ransomware that uses the .blower extension.

New RotorCrypt variant

Michael Gillespie found a new variant of the RotorCrypt Ransomware that appends the “[email protected]” extension.

New Dharma variant 

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .888 extension.

New PennyWise Jigsaw Ransomware variant

MalwareHunterTeam found a new Jigsaw Ransomware that uses the .PennyWise extension for encrypted files.

PennyWise Jigsaw variant

Crypted Pony Ransomware found

Petrovic found a new ransomware that appends the .crypted_pony_test_build_xxx_xxx_xxx_xxx_xxx extension to encrypted files.

Cryptojacking Overtakes Ransomware, Malware-as-a-Service on the Rise

Cryptominers infected roughly ten times more organizations during 2018 than ransomware did, however only one in five security professionals knew that their company’s systems have been impacted by a malware attack as reported by Check Point Research.

GandCrab Ransomware Helps Shady Data Recovery Firms Hide Ransom Costs

The GandCrab ransomware TOR site allows shady data recovery companies to hide the actual ransom cost from victims and it is currently being disseminated through a large assortment of distribution channels according to a Coveware report.

Russian ransomware with a valid cert

MalwareHunterTeam found a Russian ransomware sample that drops a ransom note named Your files are now encrypted.txt but does not use an extension.  Uses a valid certificate.

Russian Ransomware

New Ransomware appends FileSlack

Michael Gillespie found a new Ransomware that appends the .FileSlack extension and drops a ransom note named Readme_Restore_Files.txt.

Looking for a sample of Pluto Ransomware

Michael Gillespie is looking for a ransomware sample that appends the .pluto extension and drops a ransom note named !!!READ_IT!!!.txt.

LOLSEC Jigsaw Ransomware variant

Michael Gillespie found a new Jigsaw Ransomware variant that appends .paycoin to encrypted files and uses the following background.


New Dharma variant found

Jakub Kroustek found new Dharma variants that appends the .amber or .frend extension.

Mail Attachment Builds Ransomware Downloader from Super Mario Image

A malicious spreadsheet has been discovered that builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command will download and install malware such as the GandCrab Ransomware and other malware.

New Clop Ransomware

Michael Gillespie found a new ransomware that appends the .Clop extension to encrypted file names and drops a ransom note named ClopReadMe.txt.

Gandcrab via fake invoice using password protected zip files

My Online Security reports:

It’s Friday afternoon at the end of a busy week for many people and we get yet another Gandcrab ransomware campaign. This campaign is slightly different to previous versions that I have seen. We generally see Gandcrab delivered via Office ( normally Word)  documents, either Macros or possibly Equation editor or other embedded ole object exploits. Today’s version is the first time that I have seen a js file inside a zip that was password protected as the initial vector. You need the password “invoice123” to be able to open the zip file.