
Monument Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 10,828
Threat Level: 80 % (High)
Infected Computers: 432
First Seen: March 28, 2017
Last Seen: August 10, 2023
OS(es) Affected: Windows

The Monument Ransomware is a ransomware Trojan that is also known as DarkLocker. There are two versions of the Monument Ransomware: one locks the victim's screen, and the other encrypts the victim's files to demand the payment of a ransom. Although one is significantly more difficult to deal with than the other, both versions pose a significant threat to computer users. The Monument Ransomware is delivered to victims' computers through corrupted spam email attachments, or it is installed directly on the victim's computer through a RAT (Remote Access Trojan) or by taking advantage of poor security measures.

How the Monument Ransomware Encrypts the Victims’ Computers

The Monument Ransomware uses a combination of RSA-2048 and AES-256 encryption to make the victim's files unreadable and inaccessible. The Monument Ransomware targets a wide variety of file types in its attack, including image, media, and other files. Files encrypted by the Monument Ransomware are easy to recognize because the ransom message is appended to each file's name as a very long extension: '.To unlock your files send 0.15 Bitcoins to [RANDOM CHARACTERS] within 24 hours 0.20 after 24 hours.' The Monument Ransomware also displays a ransom note in a program window. This ransom note contains the following text:

'YOUR COMPUTER HAS BEEN HACKED
YOU MUST PRY .25 BITCOINS WITHIN 24 HOURS OR _35 AFTER 24 HOURS TO GET YOUR FLES BACK
AFTER 48 HOUR YOUR COMPUTER WILL BE DESTROYED IF YOU HAVE NOT PAID
HACKED
YOUR BITCOIN PAYMENT ADDRESS ADDRESS IS:
[RANDOM CHARACTERS]
IF YOU DO NOT HAVE BITCOINS BUY THEM AT WWW.LOCAL BITCOINS.COM
OR FIND A BITCOIN ATM NEAR YOU AT WWWW.COINATMRADAR.COM
View Encrypted Files
Send $200 USD (.15 BTC)within 24 hrs this Address:
[RANDOM CHARACTERS]
Click here to verify your payment and unlock your files!'
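The appended extension described above is a reliable triage marker during incident response. The following Python sketch is an added example, not code from the original article or from any vendor tool: it scans a file listing for the marker, recovers each original file name, and counts affected files per directory. The file paths and the token EXAMPLEADDR123 are constructed placeholders, and treating '[RANDOM CHARACTERS]' as a single run of letters and digits is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Marker text as quoted on this page. Assumption: "[RANDOM CHARACTERS]" is one
# run of letters and digits; the trailing period is optional because Windows
# tooling often drops a trailing dot from file names.
MARKER = re.compile(
    r"^(?P<original>.+?)\.To unlock your files send 0\.15 Bitcoins to "
    r"(?P<token>[A-Za-z0-9]+) within 24 hours 0\.20 after 24 hours\.?$",
    re.IGNORECASE,
)

def parse_renamed(path):
    """Return (original_name, token) if the file name carries the marker, else None."""
    m = MARKER.match(PureWindowsPath(path).name)
    return (m.group("original"), m.group("token")) if m else None

def triage(paths):
    """Map renamed paths to their original paths; count hits per directory and per token."""
    affected, by_dir, tokens = {}, Counter(), Counter()
    for p in paths:
        parsed = parse_renamed(p)
        if parsed is None:
            continue
        original, token = parsed
        win = PureWindowsPath(p)
        affected[p] = str(win.with_name(original))
        by_dir[str(win.parent)] += 1
        tokens[token] += 1
    return affected, by_dir, tokens

# Constructed sample listing (not from a real incident).
SUFFIX = (".To unlock your files send 0.15 Bitcoins to EXAMPLEADDR123 "
          "within 24 hours 0.20 after 24 hours.")
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx" + SUFFIX,
    r"C:\Users\alice\Documents\budget.xlsx" + SUFFIX,
    r"C:\Users\alice\Pictures\cat.jpg" + SUFFIX.rstrip("."),  # trailing dot lost
    r"C:\Users\alice\Documents\notes.txt",                    # untouched file
    r"C:\Users\alice\Desktop\To unlock your files.txt",       # similar words, no marker
]

if __name__ == "__main__":
    affected, by_dir, tokens = triage(SAMPLE)
    for renamed, original in affected.items():
        print("affected:", original)
    print(dict(by_dir), dict(tokens))
```

The recovered names only identify which files were renamed; the file contents remain encrypted until they are restored from backup or decrypted.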

A Simplified Version of the Monument Ransomware Locks Its Victim’s Screen

A variant of the Monument Ransomware simply locks the victim's screen rather than encrypting the victim's files. The ransom note includes an image of a naked woman, and this variant also disables system tools like the Registry Editor and the Task Manager to prevent computer users from accessing their data or bypassing the Monument Ransomware lock screen. The following is the message included in the Monument Ransomware's lock screen:

'STOP WATCHING PORN! YOUR FILES ARE ENCRYPTED! READ THE INSTRUCTIONS.
[NSFW IMAGE]
Your Files Have Been Encrypted and Your Computer Has Been Locked. You must pay .15 Bitcoins within 24 hours or .20 Bitcoins after 24 hours.
Your Bitcoin Payment address is: 1 P67AghL2mNLbgxLM 19oJYXgsJxyLfcYiz
After 48 hours all the files and the operating system on your computer will be erased if you have not paid.
Once the payment is received your files will be unlocked and everything will return to normal. The virus will delete itself and not return.
The computer will recognize the payment within 10 minutes and unlock your files or you can click the unlock button to do it faster.
The virus will delete 1 to 5 files at random every hour until you pay or it will delete everything in 48 hours.
If you do not have Bitcoins visit www.LocalBitcoins.com or find a Bitcoin ATM at www.CoinAtmRadar.com
If you use local Bitcoins you can find local Bitcoin sellers that will meet you or offer bank deposit payments.
If there are no local sellers search for Western Union and MoneyGram sellers.
Place the offer to put your coins in Escrow and follow their payment instructions.
Once they receive payment they will release the coins to you.
Then send the coins to your payment address:
1P67AghL2mNLbgxLM 19oJYXgsJxyLfcYiz
so your computer and files can be unlocked.
You have not paid. Your computer and files will remain locked. You send payment to the address above'

Dealing with the Monument Ransomware

It is clear that both versions of the Monument Ransomware (also released under the pseudonym 'DarkLocker') are part of the same attack. Computer users should back up all files and have a reliable security program. Since the Monument Ransomware seems to be based on Jigsaw (which has been cracked by PC security researchers), it is possible that decryption utilities released for the Jigsaw variants will help computer users recover their files after a Monument Ransomware attack.
