
iRansom Ransomware

By CagedTech in Ransomware

The iRansom Ransomware is an intelligent encryption Trojan that is distributed to Windows users through spam emails. Security analysts speculate that the authors of the iRansom Ransomware may be fans of Apple products and note that the iRansom Ransomware is directed at the Windows OS exclusively. Initial threat assessment suggests that the iRansom Ransomware may be a version of Crowti and depends on Microsoft's .NET Framework 4.5 being installed on the compromised computer. In many cases, the iRansom Ransomware is introduced to systems as 'iRansom.exe,' which may be signed with a fake digital signature. Computer users should avoid spam that looks like it was sent from social media services like Twitter, Instagram and Facebook. Threat actors prefer to use logos from trusted companies when they send out spam email to potential victims.

Spam Email is Your Number 1 Suspect When the iRansom Ransomware Enters Your PC

The iRansom Ransomware is programmed to check if the PC has the .NET Framework 4.5 or a newer version installed before proceeding to build an index of the targeted files. Trojans like iRansom and the FuckSociety Ransomware are designed to encode data that is stored in the default user library and to scan for information stored on local drives and removable media as well. The iRansom Ransomware might interrupt the functions of database operators since it is known to encode configuration files along with video, audio, images, text, presentations and spreadsheets. The author of the iRansom Ransomware provides the ransom note as an HTA application that is loaded on the desktop of the victim. The CTB-Faker Ransomware was one of the first to implement an HTA-based message in its functionality. The notification by the iRansom Ransomware reads as follows:

'Your files have been locked by iRansom!
**Shutting Down or Attempting to stop this, will render your files useless forever!**
[random number] total files have been encrypted using
the strongest encryption And a unique key, generated for this computer.
The private key to unlock your files is stored on a hidden Internet database, and nothing can decrypt your files until you pay and obtain the private key.
Your private key will be destroyed in: [countdown timer beginning from 48 hours]
To unlock your precious files, you must pay a [0.15] bitcoin fee (90$) to the address below!
Wallet ID: [random characters] Copy
Dont know how to get bitcoin or set up a wallet?
https://supoort.coinbase.com
Sent the Transaction? Email us with your BTC wallet ID: GALAXYHIREN@SIGAINT.ORG Copy'

The iRansom Ransomware Favors the '.locked' Marker

Computer users that experienced an attack with the iRansom Ransomware will find that their data features the '.locked' suffix. For example, 'Golden_Retriever.png' will be transcoded to 'Golden_Retriever.png.locked' and Windows may flag the file as corrupted. Needless to say, the manager of the iRansom Trojan welcomes users to make a payment of 90 USD to his wallet address and to write an email to galaxyhiren@sigaint.org. Sigaint.org provides anonymous email services on the Dark Web and is associated with threats like the Flyper Ransomware and the N1n1n1 Ransomware. Unfortunately, there isn't a free decryptor on the Internet, and you will need to deal with the iRansom Ransomware by yourself. Researchers may be able to create a decryptor in the future if there are vulnerabilities in the code of iRansom. We do not recommend that users contact galaxyhiren@sigaint.org or pay the ransom. A better alternative is to use backups and archives to rebuild your data structure after you have cleaned your PC with a credible anti-malware suite. AV vendors might alert users to the presence of the iRansom Ransomware by using notifications that mention:

  • Ransom_ILOCKED.A
  • Ransomer.MHR
  • Win32.Trojan-Ransom.Filecoder.P@gen
  • trojan.win32.skeeyah.a!rfn
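
The following Python script is an added example, not part of the original article or of any vendor tool. It inventories files that carry the '.locked' marker described above so that the scope of a restore from backup can be estimated. The function names, the rule that a marked file must keep an inner extension (as in 'Golden_Retriever.png.locked'), and the check for a surviving unmarked copy are assumptions of this example.

```python
import os
import sys
from collections import Counter
from pathlib import Path

MARKER = ".locked"  # suffix the article says iRansom appends to encoded files


def find_locked(root):
    """Yield (marked_path, original_name) for names like photo.png.locked."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            original = name[:-len(MARKER)]
            # Assumption: require an inner extension. 'session.locked' alone may
            # be a legitimate lock file; 'notes.txt.locked' fits the pattern.
            if Path(original).suffix:
                yield Path(dirpath) / name, original


def triage(root):
    """Summarise marked files per directory and per original extension, and
    list originals that still exist unmarked beside the marked copy."""
    per_dir, per_ext, intact = Counter(), Counter(), []
    for marked, original in find_locked(root):
        per_dir[str(marked.parent)] += 1
        per_ext[Path(original).suffix.lower()] += 1
        if (marked.parent / original).exists():
            intact.append(marked.parent / original)
    return {
        "total": sum(per_dir.values()),
        "per_dir": per_dir,
        "per_ext": per_ext,
        "intact_originals": sorted(intact),
    }


if __name__ == "__main__":
    # Usage: python triage_locked.py <folder>  (script name is hypothetical)
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{report['total']} file(s) carry the {MARKER} marker")
    for folder, count in report["per_dir"].most_common(10):
        print(f"  {count:6d}  {folder}")
    for ext, count in report["per_ext"].most_common():
        print(f"  {ext}: {count}")
```

The script only reads directory listings, so it can be run against a mounted copy of the affected drive before any cleanup or restore begins.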
