
Korean Ransomware

By GoldSparrow in Ransomware

The Korean Ransomware is a variant of the HiddenTear encryption ransomware. Its ransom note is written in Korean, and it seems to have been designed to target computer users in Korea. However, Korean Ransomware infections are not confined to that region, and there is nothing to stop it from infecting computers in other parts of the world. The Korean Ransomware appends an extension containing Korean (Hangul) characters to each file it encrypts; together with the ransom note, this makes an infection relatively simple to identify.

How the Korean Ransomware Infection can Spread

It is possible that the Korean Ransomware is being distributed through targeted attacks, such as phishing email messages or direct compromise of victims' computers. It is also possible that it is being distributed through corrupted attachments in spam email messages, or through compromised websites and malicious advertising. As with most threats, caution online goes a long way toward preventing a Korean Ransomware infection.

The Korean Ransomware is a variant of HiddenTear, a well-known ransomware family. The Korean Ransomware was first discovered in mid-August of 2016, although it is possible that it had already been active for some time. Apart from its specifically Korean characteristics, the Korean Ransomware carries out a fairly typical ransomware attack. It may arrive on the victim's computer disguised as a different file. When the Korean Ransomware file is executed, it encrypts the victim's files using a strong encryption algorithm (the HiddenTear code it derives from uses AES). The Korean Ransomware makes the following change to the Windows Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This allows the Korean Ransomware to maintain persistence: values under the HKCU Run key are launched automatically whenever the victim logs in to Windows, without administrative rights being needed to write them. After encrypting the victim's files and sending the decryption key (which is itself encrypted) to its Command and Control server, the Korean Ransomware creates a file named 'ReadMe.txt' with a ransom note that is written entirely in Korean. A rough translation of the contents of this message would be 'Your files have been encrypted.' The Korean Ransomware also changes the affected computer's Desktop wallpaper image into a version of its ransom note. This ransom note, also written in Korean, would translate into the following:

Your files have been encrypted.
Download and install https://www.torproject.org/projects/torbrowser.html.en
and enter your ID-code.
[Website and code given] Follow the instructions on the site.

The website included in this ransom note belongs to a known ransomware threat, CrypMIC. Since this website has been continuously active for months, it is likely that the con artists responsible for the Korean Ransomware and its variants have made substantial profits from these attacks. However, it is still unknown whether the people responsible for the Korean Ransomware are the same as those responsible for CrypMIC, or a different group that is affiliated or associated with them in some way.

The Korean Ransomware will encrypt the following file types:

.png, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .psd, .svg, .bak, .db, .txt, .rar, .zip, .jpeg, .jpg, .pdf, .sql
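Because the Korean Ransomware marks each file it encrypts with a Hangul extension and drops a ReadMe.txt, a responder can inventory an infected machine from a plain directory listing: find the renamed files, recover each original name, check the original type against the list above, and produce the list of paths to pull from backup. The script below is an added example written for this page, not code from the page, the malware or any vendor tool. The directory listing is constructed, and the appended extension '.암호화됨' ("encrypted") is an assumed placeholder, since the page does not give the real extension; the check keys on any Hangul character in the last suffix, so it does not depend on that guess.

```python
"""Triage a directory listing for files renamed by a ransomware that
appends a Hangul extension (Korean Ransomware / HiddenTear variant).

Added example for this page, not the malware's or a vendor's code.
The listing and the '.암호화됨' extension are constructed for illustration.
"""
import unicodedata
from pathlib import PureWindowsPath

# File types the page lists as targeted by the Korean Ransomware.
TARGETED_EXTENSIONS = {
    ".png", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".psd", ".svg",
    ".bak", ".db", ".txt", ".rar", ".zip", ".jpeg", ".jpg", ".pdf", ".sql",
}
RANSOM_NOTE_NAME = "ReadMe.txt"

# Constructed listing. The last entry's original type (.7z) is deliberately
# not on the page's list, to show how the on_target_list flag behaves.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.암호화됨",
    r"C:\Users\alice\Documents\thesis.docx.암호화됨",
    r"C:\Users\alice\Pictures\holiday.jpg.암호화됨",
    r"C:\Users\alice\Documents\ReadMe.txt",
    r"C:\Users\alice\Desktop\ReadMe.txt",
    r"C:\Users\alice\Documents\notes.md",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Documents\archive.7z.암호화됨",
]


def contains_hangul(text: str) -> bool:
    """True if any character is a Hangul syllable or jamo (Unicode name check)."""
    return any("HANGUL" in unicodedata.name(ch, "") for ch in text)


def split_appended_extension(name: str):
    """Return (original_name, appended_ext) when the last suffix contains
    Hangul, otherwise (name, None)."""
    p = PureWindowsPath(name)
    suffix = p.suffix
    if suffix and contains_hangul(suffix):
        return p.name[: -len(suffix)], suffix
    return p.name, None


def triage(listing):
    """Classify every path as encrypted, ransom note, or untouched."""
    result = {"encrypted": [], "ransom_notes": [], "untouched": []}
    for raw in listing:
        path = PureWindowsPath(raw)
        original, appended = split_appended_extension(path.name)
        if appended:
            orig_ext = PureWindowsPath(original).suffix.lower()
            result["encrypted"].append({
                "path": str(path),
                "original_name": original,
                "original_ext": orig_ext,
                "on_target_list": orig_ext in TARGETED_EXTENSIONS,
            })
        elif path.name.lower() == RANSOM_NOTE_NAME.lower():
            result["ransom_notes"].append(str(path))
        else:
            result["untouched"].append(str(path))
    return result


def backup_restore_list(result):
    """Original paths to pull from backup, derived from the encrypted entries."""
    return sorted(
        str(PureWindowsPath(e["path"]).with_name(e["original_name"]))
        for e in result["encrypted"]
    )


if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    print(f"{len(r['encrypted'])} encrypted, {len(r['ransom_notes'])} ransom notes")
    for p in backup_restore_list(r):
        print("restore from backup:", p)
```

On a live system, feed `triage` the output of a recursive directory walk of the user profile and any mapped drives; entries whose original extension is not on the list are still encrypted files and belong in the restore list, the flag only records whether the observed behaviour matches what this page documents.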

Ways of Dealing with the Korean Ransomware

If your machine is infected with the Korean Ransomware, malware analysts recommend that you restore your files from a backup. The best way to limit the damage of a ransomware attack is to ensure that all of your files are properly backed up, with copies kept offline or otherwise out of reach of the infected machine, since connected drives and network shares can be encrypted along with local files. If computer users could always restore their files from a backup, the con artists behind these attacks would have no leverage to demand ransoms. Unfortunately, this is not always the case. If you do not have backups of your files, PC security analysts still advise against paying the Korean Ransomware's ransom. In the best case, paying funds the creators of the Korean Ransomware to continue developing and improving their threats. In the worst case, the people responsible will simply ask for more money or ignore your payment altogether. Prevention is key when dealing with threats like the Korean Ransomware.
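Before restoring anything, a responder also wants to confirm that the Run key persistence described earlier has been found and removed, otherwise the restored files are encrypted again at the next logon. The script below is an added example for this page, not code from the page or any vendor: it parses a `.reg` export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags values that launch a program from a user-writable location, which is where a non-admin infection has to live. The export text is constructed, the "Updater" entry is a made-up suspicious value rather than an indicator from the page, and the allowlist entry for OneDrive is an assumption about a common legitimate per-user autostart.

```python
"""Audit the HKCU Run key export for autostart entries launching from
user-writable paths (the persistence a HiddenTear variant such as the
Korean Ransomware sets up).

Added example for this page; not the malware's or a vendor's code.
SAMPLE_REG_EXPORT is constructed; "Updater" is a made-up suspicious entry.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what 'reg export' writes for the Run key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\updater.exe"
"Vendor Tray"="\"C:\\Program Files\\Vendor\\tray.exe\" --minimized"
'''

# Directory fragments a non-admin user can write to. A Run entry launching
# from one of these is a triage signal, not a verdict: legitimate per-user
# installs (OneDrive, chat clients) live under AppData\Local as well.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\",
    "\\desktop\\", "\\documents\\", "\\users\\public\\",
)

# Known-good per-user autostarts, matched as lowercase path substrings (assumed).
DEFAULT_ALLOWLIST = ("\\appdata\\local\\microsoft\\onedrive\\",)


def _unescape_reg_string(data: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", data)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for REG_SZ values.

    Non-string values (dword:, hex:, hex(2): ...) are skipped; a Run entry
    stored as REG_EXPAND_SZ would need separate decoding.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name_end = line.index('"', 1)
            name = line[1:name_end]
            data = line[name_end + 1:]
            if data.startswith('="') and data.endswith('"'):
                keys[current][name] = _unescape_reg_string(data[2:-1])
    return keys


def extract_executable(command: str) -> str:
    """Pull the program path out of a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    # Bare form: an unquoted path with spaces would be cut at the first
    # space, so such entries deserve a manual look.
    return command.split()[0] if command else ""


def audit_run_key(reg_text: str, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return findings for Run values that launch from user-writable paths."""
    findings = []
    for name, command in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        exe = extract_executable(command)
        exe_lc = exe.lower()
        if any(ok in exe_lc for ok in allowlist):
            continue
        hits = [m.strip("\\") for m in USER_WRITABLE_MARKERS if m in exe_lc]
        if hits:
            findings.append({"name": name, "command": command, "exe": exe,
                             "reason": "launches from user-writable path: " + ", ".join(hits)})
    return findings


if __name__ == "__main__":
    # Live host: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
    # then open("run.reg", encoding="utf-16") and pass the text in.
    for f in audit_run_key(SAMPLE_REG_EXPORT):
        print(f"[!] {f['name']}: {f['exe']} ({f['reason']})")
```

reg.exe writes its export as UTF-16, so read the file with `encoding="utf-16"`. Flagged entries should be checked against the executable on disk (hash, signature, creation time near the ReadMe.txt drop) before being deleted, and the same audit is worth repeating for the HKLM Run key and the user's Startup folder.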
