This past week we saw a lot of new variants of existing ransomware families in the wild. While TriVault is able to prevent and mitigate ransomware, stopping it in its tracks isn’t always easy for other cyber security companies. With the number of variants still steadily increasing, there are clearly still victims in droves.
New variants of STOP, Dharma, and Jigsaw ransomware were introduced this past week. According to Bleepingcomputer.com, there was also a ransomware downloader created from “pixels of images and shady data recovery companies partnering with GandCrab to make extra profits.”
Credits to all those who contributed to the findings below: @fwosar, @malwrhunterteam, @Seifreed, @PolarToffee, @demonslay335, @struppigel, @LawrenceAbrams, @malwareforme, @FourOctets, @jorntvdw, @BleepinComputer, @disabdillah, @petrovic082, @JakubKroustek, @_CPResearch_, @coveware, @dvk01uk, and @bromium.
Credits to Bleepingcomputer.com for the information below.
MalwareHunterTeam found a new variant of the PayDay Ransomware that uses a ransom note named HOW_TO_DECRYPT_MY_FILES.txt.
dis found a new variant of the STOP Ransomware that uses the .blower extension.
Michael Gillespie found a new variant of the Dharma Ransomware that appends the .888 extension.
MalwareHunterTeam found a new Jigsaw Ransomware that uses the .PennyWise extension for encrypted files.
Petrovic found a new ransomware that appends the .crypted_pony_test_build_xxx_xxx_xxx_xxx_xxx extension to encrypted files.
Cryptominers infected roughly ten times more organizations during 2018 than ransomware did; however, only one in five security professionals knew that their company’s systems had been impacted by a malware attack, as reported by Check Point Research.
The GandCrab ransomware TOR site allows shady data recovery companies to hide the actual ransom cost from victims, and the ransomware is currently being disseminated through a large assortment of distribution channels, according to a Coveware report.
MalwareHunterTeam found a Russian ransomware sample that drops a ransom note named Your files are now encrypted.txt but does not add an extension to encrypted files. The sample is signed with a valid certificate.
Michael Gillespie found a new Ransomware that appends the .FileSlack extension and drops a ransom note named Readme_Restore_Files.txt.
Michael Gillespie is looking for a ransomware sample that appends the .pluto extension and drops a ransom note named !!!READ_IT!!!.txt.
Michael Gillespie found a new Jigsaw Ransomware variant that appends .paycoin to encrypted files and sets a custom background image (not reproduced here).
Jakub Kroustek found new Dharma variants that append the .amber or .frend extension.
A malicious spreadsheet has been discovered that builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command will download and install malware such as the GandCrab Ransomware and other malware.
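The pixel-to-command trick above is worth seeing in code. The following is an added example, not the malicious spreadsheet's code and not from Bleepingcomputer: it hides a payload in the least significant bit of each colour channel of a synthetic RGB image and recovers it again. The carrier image, the 2-byte length prefix, the one-bit-per-channel layout and the harmless placeholder command are all assumptions; the real sample's encoding is not described on the page. The point for defenders is that the carrier is visually unchanged (every channel moves by at most 1), so image-based detection has nothing to see and the decode loop in the document is the artefact to hunt for.

```python
"""Pixel-LSB steganography demo (added example, not the real sample's scheme).

Constructed inputs: a random RGB 'image' held as a list of (r, g, b) tuples, so
no image library is needed, and a harmless placeholder command as payload.
Assumed layout: 2-byte big-endian length prefix, then payload bytes, one bit
per colour channel, MSB first, written into each channel's least significant bit.
"""
import random
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]

# Harmless stand-in for the command a real loader would reconstruct.
PLACEHOLDER_COMMAND = b"Write-Output 'stego demo'"


def make_carrier(width: int, height: int, seed: int = 1) -> List[Pixel]:
    """Constructed carrier: deterministic random pixels standing in for a picture."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write length prefix + payload into the LSB of successive colour channels."""
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(pixels) * 3:
        raise ValueError("carrier too small for payload")
    channels = [c for px in pixels for c in px]
    for i, bit in enumerate(_bits(framed)):
        channels[i] = (channels[i] & ~1) | bit  # touch only the low bit
    return [(channels[i], channels[i + 1], channels[i + 2])
            for i in range(0, len(channels), 3)]


def extract(pixels: List[Pixel]) -> bytes:
    """Inverse of embed(): read the length prefix, then that many bytes."""
    channels = [c for px in pixels for c in px]

    def read(n_bytes: int, bit_offset: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (channels[bit_offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(2, 0), "big")
    return read(length, 16)


def max_channel_delta(before: List[Pixel], after: List[Pixel]) -> int:
    """How far any channel moved: the visual cost of the embedding."""
    return max(abs(a - b) for pa, pb in zip(before, after) for a, b in zip(pa, pb))


def demo() -> str:
    """Round-trip the placeholder command through a 16x16 carrier."""
    carrier = make_carrier(16, 16)
    stego = embed(carrier, PLACEHOLDER_COMMAND)
    assert max_channel_delta(carrier, stego) <= 1
    return extract(stego).decode()


if __name__ == "__main__":
    print(demo())
```

In a real loader the decode step is a few lines of script that read pixel values and assemble characters; that loop, rather than the image, is what a macro or script scanner should key on.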
Michael Gillespie found a new ransomware that appends the .Clop extension to encrypted file names and drops a ransom note named ClopReadMe.txt.
My Online Security reports:
It’s Friday afternoon at the end of a busy week for many people and we get yet another Gandcrab ransomware campaign. This campaign is slightly different to previous versions that I have seen. We generally see Gandcrab delivered via Office (normally Word) documents, either macros or possibly Equation Editor or other embedded OLE object exploits. Today’s version is the first time that I have seen a js file inside a zip that was password protected as the initial vector. You need the password “invoice123” to be able to open the zip file.
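A password-protected zip defeats content scanning at the gateway, but the archive's central directory is not encrypted: entry names and the encryption flag are readable without the password. The following added example (not My Online Security's code, and not based on the real sample) hand-assembles a minimal ZIP whose single entry is flagged as encrypted so it runs offline, then triages it on metadata alone. The entry name, the extension list and the severity labels are assumptions.

```python
"""Triage ZIP attachments on metadata only (added example, constructed input).

Constructed input: build_encrypted_zip() writes a minimal archive by hand with
the PKZIP encryption flag (general purpose bit 0) set. The 12-byte encryption
header is zero-filled, so the entry cannot really be decrypted; only the
central directory, which is what a scanner reads, is meaningful.
"""
import io
import struct
import zipfile
from typing import List

# Assumed list of extensions Windows will execute directly via wscript/cscript/cmd.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat")
ENCRYPTED_FLAG = 0x0001


def build_encrypted_zip(name: str, fake_body: bytes) -> bytes:
    """Minimal stored (method 0) ZIP with one encrypted entry; CRC left at 0."""
    fname = name.encode()
    data = b"\x00" * 12 + fake_body          # dummy PKZIP encryption header + body
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ENCRYPTED_FLAG, 0, 0, 0,
                        0, len(data), len(fake_body), len(fname), 0) + fname + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, ENCRYPTED_FLAG,
                          0, 0, 0, 0, len(data), len(fake_body), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_plain_zip(name: str, body: bytes) -> bytes:
    """Ordinary unencrypted archive, written with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def triage_archive(data: bytes) -> List[str]:
    """Return findings from the central directory; no password needed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            is_script = info.filename.lower().endswith(SCRIPT_EXTENSIONS)
            if encrypted and is_script:
                findings.append(f"high: encrypted script entry {info.filename}")
            elif is_script:
                findings.append(f"medium: script entry {info.filename}")
            elif encrypted:
                findings.append(f"low: encrypted entry {info.filename}")
    return findings


if __name__ == "__main__":
    sample = build_encrypted_zip("invoice.js", b"x" * 40)   # constructed, not real malware
    print(triage_archive(sample))
    print(triage_archive(build_plain_zip("notes.txt", b"hello")))
```

Because the body is unreadable, the decision has to be made on what the directory shows: an encrypted entry whose name ends in a script extension is enough to quarantine the message, and that check costs nothing and needs no password.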