
Heimdall Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 4
First Seen: November 10, 2016
Last Seen: March 30, 2020
OS(es) Affected: Windows

The Heimdall Ransomware is an open source ransomware Trojan designed to target Web servers. It was released publicly, is written in PHP, and lets attackers encrypt data on a Web server they have already gained access to. The code was uploaded to GitHub by a Brazilian developer and later taken down, but the amateur con artists who tend to rely on open source ransomware Trojans are likely to find copies of it regardless.

How the Heimdall Ransomware is Being Described

The Heimdall Ransomware's creator describes the Heimdall Ransomware on GitHub as follows:

'Heimdall is ransomware written in PHP that runs on web services. Heimdall encrypts all files with a registered password and only decrypts files with this password.'

To clear up why the Heimdall Ransomware was released, the Heimdall Ransomware's creator writes the following:

'This project is only a proof of concept and a case study. The idea is to show everyone the great extent of PHP and its utilities, including viruses and malicious code. Use in real life is probably a matter for the police in your country. It is recommended to use it in a controlled environment, with backed-up files.'

The Norse God that will Set Off Your Security Alarms

The Heimdall Ransomware was first released on October 26, 2016, and consists of 482 lines of PHP code. An attack is carried out by uploading the malicious PHP file to an already compromised server and then opening it through its URL. Like many other attacks on Web servers, this one depends on the attacker having enough access to write a file into the server's web root, usually because the server uses weak credentials or lacks other basic security controls; the script itself provides no way in. Once running, the Heimdall Ransomware encrypts files on the server and appends the marker 'Heimdall---' to each encrypted file so that encrypted files can be told apart from untouched ones. The attacker operates it through a Web GUI.
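The attack sequence above leaves two things a responder can look for: files carrying the 'Heimdall---' marker, and a PHP file that was dropped into the web root and then requested over HTTP. The following triage script is an added example written for this page; it is not code from the Heimdall project and it contains no encryption logic. It assumes that the marker may appear either in the file name or at the start or end of the file's bytes (the page does not say which, so both are checked), that PHP files should never live in directories such as uploads/, media/ or cache/ (a constructed assumption; adjust NO_PHP_DIRS for your site), and it builds its own constructed sample web root in a temporary directory so that it runs offline.

```python
"""
Triage a web root after a suspected Heimdall-style PHP ransomware run.

Added example for this page, not code from the Heimdall project. Assumptions:
the 'Heimdall---' marker may be attached to the file name or to either end of
the file content; PHP files should not appear in the data directories listed in
NO_PHP_DIRS; the sample tree built by build_sample_tree() is constructed here.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field

MARKER = "Heimdall---"
MARKER_BYTES = MARKER.encode()

# Directories that should hold only data, never executable PHP (assumption;
# tailor this tuple to the real layout of the site being examined).
NO_PHP_DIRS = ("uploads", "media", "cache")
PHP_SUFFIXES = (".php", ".phtml", ".php5")


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)       # files carrying the marker
    suspicious_php: list = field(default_factory=list)  # PHP found in data-only dirs
    recent_php: list = field(default_factory=list)      # PHP modified inside the window


def _carries_marker(path: str) -> bool:
    """True if the marker is in the file name or at the start/end of the bytes."""
    if MARKER in os.path.basename(path):
        return True
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            if fh.read(len(MARKER_BYTES)) == MARKER_BYTES:
                return True
            if size >= len(MARKER_BYTES):
                fh.seek(size - len(MARKER_BYTES))
                return fh.read() == MARKER_BYTES
    except OSError:
        pass
    return False


def triage_webroot(root: str, recent_seconds: int = 24 * 3600) -> TriageReport:
    """Walk the web root once and collect the three indicators."""
    report = TriageReport()
    cutoff = time.time() - recent_seconds
    for dirpath, _dirs, files in os.walk(root):
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            if _carries_marker(path):
                report.encrypted.append(path)
            if name.lower().endswith(PHP_SUFFIXES):
                if any(part in NO_PHP_DIRS for part in rel_parts):
                    report.suspicious_php.append(path)
                if os.path.getmtime(path) >= cutoff:
                    report.recent_php.append(path)
    return report


def build_sample_tree(base: str) -> str:
    """Constructed sample web root: one old legitimate include, two 'encrypted'
    files (marker in name, marker prefixed to content) and one dropped PHP file."""
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "include"))
    legit = os.path.join(root, "include", "db.php")
    with open(legit, "w") as fh:
        fh.write("<?php // legitimate include ?>")
    old = time.time() - 30 * 24 * 3600
    os.utime(legit, (old, old))  # modified a month ago, outside the window
    with open(os.path.join(root, "index.html" + MARKER), "wb") as fh:
        fh.write(b"\x00\x11\x22 constructed ciphertext")
    with open(os.path.join(root, "uploads", "photo.jpg"), "wb") as fh:
        fh.write(MARKER_BYTES + b"\x99\x88 constructed ciphertext")
    with open(os.path.join(root, "uploads", "panel.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for a dropped file ?>")
    return root


def run_demo() -> TriageReport:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_webroot(build_sample_tree(tmp))


if __name__ == "__main__":
    rep = run_demo()
    for label, items in (("marker files", rep.encrypted),
                         ("php in data dirs", rep.suspicious_php),
                         ("recently changed php", rep.recent_php)):
        print(f"{label}: {len(items)}")
        for p in items:
            print("   ", p)
```

On a real server, run triage_webroot() against the document root and then pivot from any hit in recent_php or suspicious_php to the access log: the request that first fetched that file by URL is the start of the attack, and the source address and user agent on that request are what to block and hunt for elsewhere.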

Unfortunately, the Heimdall Ransomware works exactly as uploaded to GitHub, with no modification required. This is not the first time threatening ransomware has been published openly: Hidden Tear and EDA2, both released as educational projects on GitHub, became the base for countless ransomware Trojans targeting Windows. The stated purpose of uploading the Heimdall Ransomware to GitHub was to show how this PHP approach could be used to carry out attacks. To justify releasing such a threatening resource in public, the author wrote the following (note that English is not his first language):

'I decided to open source it for the sake of study; offensive security is an important subject to study. I wrote that using Heimdall can cause many problems. And it shows many possibilities of PHP. I have always said that we need to understand how bad code works in order to create a better defence or better code. How can we defend against something we do not know?!
No, I did not receive criticism about the ransomware; maybe people have not seen much of it, but only haters of other languages questioned the power of the tool.'

How Threatening is the Heimdall Ransomware?

Unfortunately, the Heimdall Ransomware is quite harmful, especially now that it is publicly available. Things never truly disappear from the Internet, and it is highly likely that con artists already have the code. PC security analysts are concerned that the PHP approach it showcases will be reused in future attacks on servers around the world. Fortunately, server administrators tend to have better protections against ransomware than individual users, and regular backups are common practice, which lets administrators recover from an attack quickly, whereas individual users are often more careless. This is why ransomware attacks on servers have proved largely ineffective compared with those against individual computer users. The best protection against the Heimdall Ransomware is to harden the Web server so that an attacker cannot write files into it in the first place, and to keep tested backups that are stored separately from the server, since a backup sitting on the same host would be encrypted along with everything else.
