It's been a pretty interesting week when it comes to ransomware. First, we had two Iranians who were indicted by the U.S. government for their involvement in the SamSam operation. Then, the U.S. government, for the first time, identified two Iran-based individuals for their involvement in converting ransomware payments to fiat currency on behalf of the SamSam group. As these individuals were added to the U.S. sanctions list, any company that makes a ransomware payment to them will essentially be violating sanctions.
In other news, we had a bunch of Scarab and Dharma Ransomware variants released as well as a variety of other smaller ransomware variants.
Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @PolarToffee, @jorntvdw, @demonslay335, @struppigel, @LawrenceAbrams, @malwareforme, @fwosar, @malwrhunterteam, @Seifreed, @hexwaxwing, @FourOctets, @BleepinComputer, @GrujaRS, @JakubKroustek, @Emm_ADC_Soft, @siri_urz, and @petrovic082.

November 25th 2018

EnyBeny Nuclear Ransomware discovered

@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that was meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed to do so due to a bug.

New myjob Dharma variant

Jakub Kroustek discovered a new Dharma variant that appends the .myjob extension to encrypted files.

November 26th 2018

Lucky Ransomware discovered

Michael Gillespie discovered a new ransomware that renamed encrypted files to "[[email]][original].[random].lucky" and drops a ransom note named _How_To_Decrypt_My_File_.txt.

New Scarab Ransomware variants discovered

Emmanuel_ADC-Soft found a new Scarab Ransomware variant that appends the .lolita extension and drops a ransom note named _How to restore files.TXT, and another variant that appends the .stevenseagal@airmail.cc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

November 27th 2018

New Dharma variant discovered

Emmanuel_ADC-Soft discovered a new Dharma variant that appends the .[cyberwars@qq.com].war extension and drops a ransom note named FILES ENCRYPTED.txt.

November 28th 2018

New Dharma variant

Michael Gillespie discovered a new Dharma variant that appends the .risk extension to encrypted files.

GarrantyDecrypt Discovered

MalwareHunterTeam found the GarrantyDecrypt Ransomware that appends the .decryptgarranty extension to encrypted files and drops a ransom note named #RECOVERY_FILES#.txt.

New Everbe Ransomware variant

Michael Gillespie found a new Everbe 2.0 Ransomware variant that appends the .[].lightning extension to encrypted files.

New Scarab Ransomware variant

Emmanuel_ADC-Soft discovered another Scarab Ransomware variant that appends the .online24files@airmail.cc extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES-online24files@airmail.cc.TXT.

November 29th 2018

DOJ Indicts Two Iranian Hackers for SamSam Ransomware Operation

The Department of Justice announced today that a grand jury has unsealed an indictment against two Iranian hackers for conducting the hacking and ransomware operation called SamSam.

New GusCryptor discovered

S!Ri found a new ransomware called GusCryptor that appends the .bip extension. Note, the bip extension was also used by a Dharma Ransomware variant.

November 30th 2018

Making a Ransomware Payment? It May Now Violate U.S. Sanctions

Thinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions.

cmdRansomware Discovered

Petrovic found a new ransomware called cmdRansomware that utilizes batch files and GPG to encrypt a computer. When encrypting, it will append the .ransomware extension to encrypted files and drop a ransom note named cmdRansomware.txt.

Stop Ransomware decryptor released

Michael Gillespie released a free decryptor for the STOP Ransomware, which works on the .puma, .pumas, and .pumax variants.

Moscow's New Cable Car System Infected with Ransomware the Day After it Opens

Moscow recently opened its first cable-car service and promised free rides for the first month. Unfortunately, only two days after the service was made available, attackers reportedly hacked into the cable car systems and infected them with ransomware.

That's it for this week! Hope everyone has a nice weekend!