This is a good read from DarkReading. In summary, Shamoon was Sha-sleep for quite Shum time (You see what I did there, right?) but returned last year to harass some folks in the Middle East. It is typically deployed as data wiping malware, but it seems as if the developer realized that there can be money in adding a ransomware feature in version 2. While it’s not in the wild yet, it’s a lesson that malware devs are starting to see the value in coding a ransomware option in to what they are already distributing.
Also, StoneDrill is injecting itself into the memory process of the user’s browser and doing a good job of ducking under sandbox radars. It appears to share code with NewsBeef and/or Charming Kitten APTs which are generally affiliated with Iranian State-Sanctioned options. Currently these are still focused on the Middle East, but it appears at least one European org has been infected with it.