CradleCore, also known as Cradle Ransomware, is a Ransomware-as-a-Service (RaaS) kit currently being sold as source code on the Dark Web for a starting price of 0.35 Bitcoin. It is written in C++ and includes PHP server scripts and a payment panel.
Matrix, first discovered in March 2017, targets Windows OS and is distributed via the RIG EK by the EITest campaign. When a victim visits a compromised website that has had EITest scripts injected into the site's code, the EITest scripts load a RIG iframe that attempts to exploit vulnerable software on the victim's computer in order to install the Matrix ransomware variant.
PyCL targets Windows OS and is distributed via an EITest Flash-based redirection that leads to the RIG EK. The security researchers who discovered this variant observed that it was only distributed for one day and noted that it does not securely encrypt files, leading them to believe that this indicated a "test-run" conducted by the malware authors.
CryptON, also known as Nemesis or X3M, targets servers running Windows OS and is distributed and executed manually via Remote Desktop Protocol (RDP) brute force attacks. CryptON does not contain a file extension list, so it encrypts every file type it finds on the infected server.
Unlock26 targets Windows OS and is distributed through a Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware. The portal contains a basic command-line interface (CLI) builder that helps users create a custom binary to infect victims.
Filecoder.E targets macOS, is written in the Swift programming language, and is distributed via BitTorrent through a file named “Patcher,” masquerading as a software pirating application. Once opened, the torrent contains an application bundle for the victim to install.
Hermes targets Windows OS and its method of distribution is currently unknown. Once a system is infected, Hermes copies itself to C:\Users\Public\Reload.exe, executes, and then launches system_.bat to delete the original installation file.
DynA-Crypt targets Windows OS and its method of distribution is currently unknown. This variant was developed using the Dynamite Malware Creation Kit and contains a number of individual executables and PowerShell scripts used to steal, delete, and encrypt data.
Erebus targets Windows OS and its method of distribution is currently unknown. Once a system is infected, the Erebus installer utilizes a User Account Control (UAC) bypass method to prevent the system from displaying a prompt asking for elevated privileges. It then modifies the Windows registry and changes the .msc file association to launch the Erebus executable.
Ranion targets Windows OS and is distributed through the Ransomware-as-a-Service (RaaS) business model. Although its developer claims that Ranion exists only “for educational purposes,” it is still being sold at a profit: anyone can buy into this distribution network at the cost of 0.95 Bitcoin per year or 0.6 Bitcoin every six months.
Zyka targets Windows OS and its method of distribution is currently unknown. Zyka encrypts files using AES and appends .lock to their names.
Netix, also identified as RANSOM_NETIX.A, targets Windows 7 and Windows 10 and masquerades as applications designed to access hacked Netflix accounts. One of these applications, Netflix Login Generator v1.1.exe, when launched, displays a pop-up window with a “Generate Login” button and, if clicked, displays what appears to be a username and password combination.