STOP, Dharma, Phobos, and GlobeImposter 2.0 Ransomware Spread Further In Q2 And Q3 2019
- STOP ransomware accounted for 56 percent of all ransomware samples detected between April and September 2019.
- The Dharma ransomware variant that appends the .cezar extension to encrypted files grabbed 12 percent of all ransomware samples detected.
Ransomware attacks became more focused and sophisticated in Q2 and Q3 2019. While Ryuk played a dominant role in crippling dozens of public entities across the US, RaaS operations such as Sodinokibi and GandCrab enabled ransomware operators to generate millions.
However, four other major ransomware strains were also reported in attacks against government, education and healthcare entities.
STOP ransomware
STOP ransomware accounted for 56 percent of all ransomware samples detected between April and September 2019.
STOP was first spotted in late 2018 and has grown to include dozens of variants. Often distributed via torrent sites or bundled with cracked software, STOP primarily targets home users.
Once executed, the malware encrypts files with the AES-256 algorithm. It then instructs the victim to pay a ransom of $490 worth of Bitcoin in exchange for decryptor software. The ransom amount doubles after 72 hours.
Dharma ransomware (.cezar family)
The Dharma ransomware variant that appends the .cezar extension to encrypted files accounted for 12 percent of all ransomware samples detected.
The Dharma ransomware, which has been active in one form or another since 2016, primarily targets businesses. Unlike other ransomware, Dharma’s .cezar family does not specify a ransom amount. Instead, it instructs victims to contact the ransomware distributors via email to negotiate the ransom. The ransom amount tends to be higher for larger companies.
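The appended .cezar extension is the one on-disk indicator the article gives for this family, and it is the kind of detail a responder turns into a quick triage check. The following is an added example, not code from the article or from any vendor it cites: it walks a directory tree, tallies files by extension and reports any extension on a watchlist. The watchlist and the sample directory (normal documents next to a burst of .cezar-suffixed files) are constructed here for demonstration; the extension threshold is an assumption, not something the article states.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in the article as appended to encrypted files.
# Only ".cezar" appears on the page; treat this set as a constructed watchlist
# that a responder would extend with their own intelligence.
WATCHLIST = {".cezar"}


def extension_counts(root):
    """Count every file under `root` (recursively) by its final suffix, lower-cased."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            counts[Path(name).suffix.lower()] += 1
    return counts


def suspect_extensions(root, watchlist=WATCHLIST, min_hits=1):
    """Return {extension: count} for watchlisted extensions seen at least `min_hits` times.

    `min_hits` is an assumed tuning knob: a single stray hit may be a false positive,
    while dozens of renamed files in one tree point to an encryption run.
    """
    counts = extension_counts(root)
    return {ext: n for ext, n in counts.items() if ext in watchlist and n >= min_hits}


def build_sample_tree():
    """Constructed sample data: a temporary tree with ordinary documents plus
    several files carrying the .cezar suffix, standing in for encrypted output."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = Path(root) / "docs"
    docs.mkdir()
    for i in range(3):
        (docs / f"report{i}.docx").write_bytes(b"plain document")
    nested = docs / "finance"
    nested.mkdir()
    for i in range(5):
        # Ransomware typically keeps the original name and appends its own suffix.
        (nested / f"budget{i}.xlsx.cezar").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("per-extension counts:", dict(extension_counts(sample_root)))
    print("watchlist hits:", suspect_extensions(sample_root, min_hits=3))
```

Run against a real file share the same way, pointing `suspect_extensions` at the share root and raising `min_hits` to suit its size; a non-empty result is a prompt to isolate the host that wrote those files, not proof of which family is involved, since several families share extensions.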
Phobos ransomware
Phobos was responsible for 8.9 percent of ID Ransomware submissions between April and September 2019.
The malware closely resembles the Dharma ransomware family and first appeared in early 2019. It primarily spreads by exploiting open or poorly secured RDP ports. Just like Dharma, Phobos asks victims to email the attackers to discuss the price of decryption.
GlobeImposter 2.0 ransomware
GlobeImposter 2.0 accounted for 6.5 percent of ID Ransomware submissions during Q2 and Q3 2019. The ransomware uses the AES-256 algorithm to encrypt a victim’s files and demands a ransom that ranges between one and 10 Bitcoin.