
TROJ_RANSOM.DDR

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 3
First Seen: November 26, 2012
Last Seen: July 3, 2021
OS(es) Affected: Windows

TROJ_RANSOM.DDR is a ransomware Trojan that has caught the attention of PC security researchers because it makes use of fake digital certificates in its attack. ESG malware analysts have been concerned about the rising number of attacks involving ransomware Trojans. These attacks display threatening ransom messages that impersonate law enforcement agencies in order to scam inexperienced computer users. TROJ_RANSOM.DDR in particular displays fake messages from the FBI or from one of many national police agencies, depending on the infected computer's geographical location. ESG malware researchers have observed that police ransomware Trojans have started including more advanced features, such as prerecorded threatening audio messages. TROJ_RANSOM.DDR represents another of these advances: the inclusion of fake digital certificates in order to bypass security checks.

TROJ_RANSOM.DDR Uses Fake Digital Certificates to Fool Security Software

ESG security researchers have observed that several versions of this ransomware attack carry the TROJ_RANSOM.DDR fake digital certificates. Since these certificates are issued by suspicious sources rather than by a trusted certificate authority, they appear to be designed mainly to let TROJ_RANSOM.DDR pass the digital signature checks carried out by security software or by components on the victim's computer. Digital signatures are a way for software vendors to help computer users verify that a program is legitimate; that assurance only holds, however, when the checker validates the whole certificate chain back to a trusted issuer and the certificate's validity period, rather than merely confirming that a signature is present and mathematically correct. Expired or bogus digital certificates (like those carried by TROJ_RANSOM.DDR) can therefore trick computer users and outdated security software. ESG security researchers have observed other malware infections using fake or misused digital certificates, particularly high-profile attacks like Flame, which was signed with a forged certificate chaining to a Microsoft certificate authority, and some Trojans signed with expired Adobe digital certificates. TROJ_RANSOM.DDR represents one of the first cases of a ransomware Trojan incorporating bogus digital certificates into its attack.
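The distinction drawn above, between a signature that verifies and a signer that is actually trusted, is easiest to see in code. The following is an added example written for this page, not code from the page's author or anything recovered from the Trojan. It uses Go's standard crypto/x509 package to generate, on the spot, a trusted vendor CA and three code-signing certificates (every name, such as "Example Vendor Code Signing CA" and "Totally Legit Certificate Authority", is made up for the example), then shows that a certificate from an unknown issuer and an expired certificate both carry mathematically valid signatures yet fail full chain validation against an explicit trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict separates the two questions a scanner must ask about a signed file:
// "does the signature verify?" and "is the signer actually trusted right now?".
type Verdict struct {
	SignatureValid bool   // leaf signature verifies with the issuer certificate it ships with
	Trusted        bool   // chain reaches a trusted root, is unexpired, and permits code signing
	Reason         string // why Trusted is false (empty when trusted)
}

// makeCert issues a code-signing certificate for cn; self-signed (a root CA) when
// parent is nil, otherwise signed by parentKey. Panics on failure, acceptable in a demo.
func makeCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// Classify runs both checks at time now. A scanner that stops after SignatureValid is
// exactly what a well-formed but bogus certificate is built to satisfy.
func Classify(leaf, issuer *x509.Certificate, roots *x509.CertPool, now time.Time) Verdict {
	v := Verdict{SignatureValid: leaf.CheckSignatureFrom(issuer) == nil}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	var unknownCA, invalid = x509.UnknownAuthorityError{}, x509.CertificateInvalidError{}
	switch {
	case err == nil:
		v.Trusted = true
	case errors.As(err, &unknownCA):
		v.Reason = "issuer is not in the trust store"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		v.Reason = "certificate is outside its validity period"
	default:
		v.Reason = err.Error()
	}
	return v
}

// Demo builds a trust store holding one legitimate vendor CA and evaluates three signers
// against it. Every certificate is generated here for the example; none is real.
func Demo() map[string]Verdict {
	now := time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC) // evaluation time chosen for the example
	year := 365 * 24 * time.Hour
	vendorCA, vendorKey := makeCert("Example Vendor Code Signing CA", true, now.Add(-5*year), now.Add(5*year), nil, nil)
	bogusCA, bogusKey := makeCert("Totally Legit Certificate Authority", true, now.Add(-year), now.Add(year), nil, nil)
	legit, _ := makeCert("Example Vendor Installer", false, now.Add(-year), now.Add(year), vendorCA, vendorKey)
	bogus, _ := makeCert("Example Vendor Installer", false, now.Add(-year), now.Add(year), bogusCA, bogusKey)
	expired, _ := makeCert("Example Vendor Installer (2010 build)", false, now.Add(-3*year), now.Add(-year), vendorCA, vendorKey)
	roots := x509.NewCertPool()
	roots.AddCert(vendorCA) // the only issuer this scanner trusts
	return map[string]Verdict{
		"legitimate":       Classify(legit, vendorCA, roots, now),   // issued by the trusted CA
		"untrusted-issuer": Classify(bogus, bogusCA, roots, now),    // signature fine, issuer unknown
		"expired":          Classify(expired, vendorCA, roots, now), // trusted CA, lapsed validity
	}
}

func main() {
	for name, v := range Demo() {
		fmt.Printf("%-17s signature_ok=%-5t trusted=%-5t %s\n", name, v.SignatureValid, v.Trusted, v.Reason)
	}
}
```

Running it prints one line per case. CheckSignatureFrom only proves that the certificate was signed by whichever issuer certificate accompanies it, and the attacker controls that issuer, so the bogus chain passes it just as the legitimate one does. Verify with an explicit trust store, an evaluation time and the code-signing extended key usage is the check a bogus or expired certificate cannot satisfy. On Windows the equivalent check on a real binary is PowerShell's Get-AuthenticodeSignature, whose Status of NotTrusted corresponds to the untrusted-issuer verdict here.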

Like most police ransomware Trojans, TROJ_RANSOM.DDR takes over the victim's computer and holds it hostage until the victim pays a ransom. These ransomware attacks use a warning message that tricks the victim into thinking that the message actually comes from their country's police force. These kinds of attacks were first observed in Eastern Europe and Russia, dating back to 2005. Since then, ransomware Trojans have quickly spread throughout most of Europe and, since 2011, to parts of North America. TROJ_RANSOM.DDR and its variants commonly display different messages depending on the infected computer's location (derived from the infected computer's public IP address). A computer located in the United States will receive a ransom message written in English and claiming to have been sent by the FBI, while a computer in the United Kingdom will receive a different message, claiming to have been sent by the UK Police Cyber-Crimes Unit.
