This week was mostly filled with new variants of existing ransomware such as STOP, Dharma, and Jigsaw. We did, though, have some interesting news, such as a ransomware downloader being built from the pixels of an image, and shady data recovery companies partnering with GandCrab to make extra profits.
Contributors and those who provided new ransomware information and stories this week include: @fwosar, @malwrhunterteam, @Seifreed, @PolarToffee, @demonslay335, @struppigel, @LawrenceAbrams, @malwareforme, @FourOctets, @jorntvdw, @BleepinComputer, @disabdillah, @petrovic082, @JakubKroustek, @_CPResearch_, @coveware, @dvk01uk, and @bromium.
February 2nd 2019

New PayDay Ransomware variant

MalwareHunterTeam found a new variant of the PayDay Ransomware that uses a ransom note named HOW_TO_DECRYPT_MY_FILES.txt.

February 4th 2019

New variant of the STOP Ransomware

dis found a new variant of the STOP Ransomware that uses the .blower extension.
New RotorCrypt variant

Michael Gillespie found a new variant of the RotorCrypt Ransomware that appends the "!ymayka-email@yahoo.com.cryptotes" extension.
New Dharma variant

Michael Gillespie found a new variant of the Dharma Ransomware that appends the .888 extension.
New PennyWise Jigsaw Ransomware variant

MalwareHunterTeam found a new Jigsaw Ransomware variant that uses the .PennyWise extension for encrypted files.

February 5th 2019

Crypted Pony Ransomware found

Petrovic found a new ransomware that appends the .crypted_pony_test_build_xxx_xxx_xxx_xxx_xxx extension to encrypted files.
February 6th 2019

Cryptojacking Overtakes Ransomware, Malware-as-a-Service on the Rise

Cryptominers infected roughly ten times more organizations during 2018 than ransomware did; however, only one in five security professionals knew that their company's systems had been impacted by a malware attack, according to Check Point Research.
GandCrab Ransomware Helps Shady Data Recovery Firms Hide Ransom Costs

The GandCrab ransomware TOR site allows shady data recovery companies to hide the actual ransom cost from victims, and the ransomware is currently being disseminated through a large assortment of distribution channels, according to a Coveware report.
Russian ransomware with a valid cert

MalwareHunterTeam found a Russian ransomware sample that drops a ransom note named Your files are now encrypted.txt but does not append an extension to encrypted files. The sample is signed with a valid certificate.

February 7th 2019

New Ransomware appends FileSlack

Michael Gillespie found a new ransomware that appends the .FileSlack extension and drops a ransom note named Readme_Restore_Files.txt.
Looking for a sample of Pluto Ransomware

Michael Gillespie is looking for a ransomware sample that appends the .pluto extension and drops a ransom note named !!!READ_IT!!!.txt.
LOLSEC Jigsaw Ransomware variant

Michael Gillespie found a new Jigsaw Ransomware variant that appends .paycoin to encrypted files and uses the following background.

New Dharma variant found

Jakub Kroustek found new Dharma variants that append the .amber or .frend extension.
February 8th 2019

Mail Attachment Builds Ransomware Downloader from Super Mario Image

A malicious spreadsheet has been discovered that builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command will download and install malware such as the GandCrab Ransomware.
New Clop Ransomware

Michael Gillespie found a new ransomware that appends the .Clop extension to encrypted file names and drops a ransom note named ClopReadMe.txt.
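The extensions and ransom-note names reported this week are the kind of file-name indicators a responder can sweep a file listing for. The script below is an added example, not code from BleepingComputer or any of the researchers credited above; it encodes only the indicators named in this week's entries (RotorCrypt and Crypted Pony as patterns, because their extensions carry an e-mail address and variable build counters), runs them over a constructed file listing, and only raises a family when a ransom note is present or several files have been renamed, so one stray file name does not trigger an alert on its own.

```python
import re
from collections import defaultdict

# Extensions reported above; RotorCrypt and Crypted Pony need regexes (variable parts).
EXTENSION_PATTERNS = {
    "STOP": r"\.blower$",
    "RotorCrypt": r"![^!]+@[^@]+\.cryptotes$",
    "Dharma": r"\.(888|amber|frend)$",
    "Jigsaw": r"\.(PennyWise|paycoin)$",
    "Crypted Pony": r"\.crypted_pony_test_build(_[^_]+){5}$",
    "FileSlack": r"\.FileSlack$",
    "Pluto": r"\.pluto$",
    "Clop": r"\.Clop$",
}
# Ransom-note names reported above (the Russian sample drops a note but adds no extension).
RANSOM_NOTES = {
    "HOW_TO_DECRYPT_MY_FILES.txt": "PayDay",
    "Readme_Restore_Files.txt": "FileSlack",
    "!!!READ_IT!!!.txt": "Pluto",
    "ClopReadMe.txt": "Clop",
    "Your files are now encrypted.txt": "unnamed Russian ransomware",
}

def classify(path):
    """Return (family, kind) for one path, or (None, None) if nothing matches."""
    name = re.split(r"[\\/]", path)[-1]  # basename for both Windows and POSIX paths
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "note"
    for family, pattern in EXTENSION_PATTERNS.items():
        if re.search(pattern, name, re.IGNORECASE):
            return family, "encrypted"
    return None, None

def triage(paths, threshold=3):
    """Report a family on any ransom note, or on at least `threshold` renamed files."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": 0})
    for path in paths:
        family, kind = classify(path)
        if family:
            hits[family][kind] += 1
    return {f: c for f, c in hits.items() if c["note"] or c["encrypted"] >= threshold}

# Constructed file listing for demonstration; not taken from any real incident.
SAMPLE_LISTING = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.blower",
    "C:\\Users\\alice\\Documents\\notes.docx.blower",
    "C:\\Users\\alice\\Documents\\plan.pptx.blower",
    "C:\\Users\\alice\\Desktop\\ClopReadMe.txt",
    "C:\\Users\\alice\\Desktop\\report.pdf!ymayka-email@yahoo.com.cryptotes",
]
```

Running `triage(SAMPLE_LISTING)` on the constructed listing reports STOP (three renamed files) and Clop (its note), while the single RotorCrypt file stays below the threshold and is not reported.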
Gandcrab via fake invoice using password protected zip files

My Online Security reports:
It’s Friday afternoon at the end of a busy week for many people and we get yet another Gandcrab ransomware campaign. This campaign is slightly different to previous versions that I have seen. We generally see Gandcrab delivered via Office (normally Word) documents, either Macros or possibly Equation editor or other embedded ole object exploits. Today’s version is the first time that I have seen a js file inside a zip that was password protected as the initial vector. You need the password “invoice123” to be able to open the zip file.
That's it for this week! Hope everyone has a nice weekend!