Lina Ransomware
The Lina Ransomwarebelongs to the rather prolific and ever-expanding family of ransomware threats that are based on the Dharma Ransomware. Users infected by the Lina Ransomware will have the files stored on their computers encrypted with a combination of cryptographic algorithms, which will render them unusable. The name of each encrypted file will be changed drastically by having an alphanumeric string representing the victim's unique ID, followed by an email address belonging to the hackers, and finally '.lina' appended to the original filename. The customary note with instructions left by nearly all ransomware threats will be displayed in a pop-up window. In addition, a text file named 'FILES ENCRYPTED.txt' will be created in all folders with locked data.
The two versions of the note differ significantly to the text file containing little more than just the two email addresses used to initiate contact with the cybercriminals - 'linajamser@aol.com' or 'spare322@protonmail.ch.' The text displayed in the pop-up window contains far more details. It specifies that the second email should be used if the Lina Ransomware victims do not receive any response for 12 hours after using the primary address. No specific sum for the decryption key is mentioned. Users are not offered to send any files to be decrypted for free, which makes the proposition of sending money and hoping that the hackers will be able to restore the files even riskier.
Instead, affected users should first clean the computer compromised by Lina Ransomware with a reputable anti-malware program to avoid any further encryption of files. Only after that, if such a suitable backup is available, should they try to restore the encrypted data.
The text found in the pop-up window states:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email linajamser@aol.com YOUR ID -
If you have not been answered via the link within 12 hours, write to us by e-mail:spare322@protonmail.ch
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The text in the 'FILES ENCRYPTED.txt' files is:
'all your data has been locked us
You want to return?
write email linajamser@aol.com or spare322@protonmail.ch'
As soon as Lina gets a foothold on a computer system, it gets to work on several malicious operations. The first thing the ransomware does is corrupt system processes to avoid discovery by antivirus programs. It then infects the system registry to establish persistence, so it always starts when Windows does. It’s because of this that cleaning the registry is an integral part of removing Lina from your computer.
The primary purpose of the Lina ransomware is to encrypt personal files on the computer. The cyberthreat uses a robust AES cryptographic algorithm to do this. The virus contains a cipher module that scans the hard drive for specific file types, targeting files like audio, video, documents, and images, files used for personal information. The files are encrypted and become inaccessible to victims.
