
WinRarer Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 23
First Seen: November 4, 2016
Last Seen: October 31, 2021
OS(es) Affected: Windows

First observed in November 2016, the WinRarer Ransomware is a ransomware Trojan. Although it claims to be a file encryptor, the WinRarer Ransomware uses an uncommon method to take the victim's files hostage and does not function in the same way as most of the ransomware Trojans active today. The most similar ransomware Trojan observed before the WinRarer Ransomware appeared was the Bart Ransomware. Rather than encrypting files individually, the WinRarer Ransomware moves the targeted files into a single archive file, which is itself password protected. The WinRarer Ransomware targets the following file types in its attack:

.123 | .3dm | .3ds | .3g2 | .3gp | .602 | .aes | .ARC | .asc | .asf | .asm | .asp | .avi | .bak | .bat | .bmp | .brd | .cgm | .cmd | .cpp | .crt | .csr | .CSV | .dbf | .dch | .dif | .dip | .djv | .djvu | .DOC | .docb | .docm | .docx | .DOT | .dotm | .dotx | .fla | .flv | .frm | .gif | .gpg | .hwp | .ibd | .jar | .java | .jpeg | .jpg | .key | .lay | .lay6 | .ldf | .m3u | .m4u | .max | .mdb | .mdf | .mid | .mkv | .mov | .mp3 | .mp4 | .mpeg | .mpg | .ms11 | .MYD | .MYI | .NEF | .odb | .odg | .odp | .ods | .odt | .otg | .otp | .ots | .ott | .p12 | .PAQ | .pas | .pdf | .pem | .php | .png | .pot | .potm | .potx | .ppam | .pps | .ppsm | .ppsx | .PPT | .pptm | .pptx | .psd | .rar | .raw | .RTF | .sch | .sldm | .sldx | .slk | .stc | .std | .sti | .stw | .svg | .swf | .sxc | .sxd | .sxi | .sxm | .sxw | .tar | .tbk | .tgz | .tif | .tiff | .txt | .uop | .uot | .vbs | .vdi | .vmdk | .vmx | .vob | .wav | .wb2 | .wk1 | .wks | .wma | .wmv | .xlc | .xlm | .XLS | .xlsb | .xlsm | .xlsx | .xlt | .xltm | .xltx | .xlw | .zip.

How the WinRarer Ransomware Attack Works

The WinRarer Ransomware's attack method is simple compared to more sophisticated attacks. Files with the extensions listed above are moved into a password-protected archive named 'YourFilesHere-0penWithWinrar.ace' (note the digit zero in place of the 'O' in 'Open'), which is created on whichever drive connected to the affected computer has the most free space. The archive uses the ACE format, whose compression tends to be more memory-intensive than ZIP or RAR, so the WinRarer Ransomware's archiving operation will cause noticeable system performance issues while it runs in the background. For its encryption, the WinRarer Ransomware uses an asymmetric Blowfish-based scheme with a personalized 448-bit key, so brute-force attacks are unlikely to yield results against this threat.

The WinRarer Ransomware and Its Ransom Note

The WinRarer Ransomware may be distributed through corrupted spam email attachments. These may take the form of corrupted PDF or Microsoft Office files that exploit vulnerabilities in the macro features of the Windows software. The WinRarer Ransomware delivers its ransom note in an HTA dialog and in an image file that replaces the victim's Desktop wallpaper. The ransom note files are named 'RECOVERYOURFILES.HTA' and 'RecoverYourFiles.jpg'. The WinRarer Ransomware ransom note contains the text below:

'Attention : YOUR FILES were LOCKED
What happened ?
Your important files were LOCKED with Winrar so its now unusable and unreadable,
The only way to get your files back is to pay us.
Otherwise, your files will be useless
How can I get my files back?
The only way to restore them to a normal condition is to use our site to decrypt your key to get the password follow the flowing steps to enter our site :
1. Download and install tor-browser: [link to the TOR Browser project]
2. After a successful installation, run the browser and wait for initialization.
3. Go to this site ( paste it in the url address ) : [personal payment portal on an .onion domain]
4. Copy your id from the bottom of the page to paste in the site.
your id is : [18 random characters]
done'
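A defender-side triage script for the artifacts named above (the archive name, the two ransom-note files, and the drive-with-most-free-space behaviour), added here as an example and not part of the original write-up or any vendor tool. It assumes the ACE signature check via the '**ACE**' marker at byte offset 7 of the archive header, and the sample tree it builds is constructed for the demonstration.

```python
import os
import shutil
import tempfile

# Artifact names taken from the write-up, matched case-insensitively.
ARTIFACT_NAMES = {
    "yourfileshere-0penwithwinrar.ace": "password-protected ACE archive holding the victim's files",
    "recoveryourfiles.hta": "HTA ransom note",
    "recoveryourfiles.jpg": "ransom-note image used as the Desktop wallpaper",
}
ACE_MAGIC, ACE_MAGIC_OFFSET = b"**ACE**", 7  # ACE header signature sits at byte 7

def is_ace_archive(path):
    """True if the file carries the ACE signature, whatever its extension says."""
    with open(path, "rb") as fh:
        return fh.read(ACE_MAGIC_OFFSET + len(ACE_MAGIC))[ACE_MAGIC_OFFSET:] == ACE_MAGIC

def most_free_volume(mount_points):
    """The archive is written to the drive with the most free space, so check it first."""
    return max(mount_points, key=lambda m: shutil.disk_usage(m).free)

def triage(root):
    """Walk root and return (path, description) for every WinRarer artifact found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            desc = ARTIFACT_NAMES.get(name.lower())
            if desc:
                hits.append((full, desc))
            elif name.lower().endswith(".ace") and is_ace_archive(full):
                hits.append((full, "ACE archive under a non-standard name"))
    return hits

def build_sample(base=None):
    """Constructed sample tree (hypothetical): a fake ACE header plus the two note files."""
    base = base or tempfile.mkdtemp()
    desktop = os.path.join(base, "Users", "victim", "Desktop")
    os.makedirs(desktop, exist_ok=True)
    with open(os.path.join(base, "YourFilesHere-0penWithWinrar.ace"), "wb") as fh:
        fh.write(b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16)  # placeholder CRC/size fields
    for note in ("RECOVERYOURFILES.HTA", "RecoverYourFiles.jpg"):
        with open(os.path.join(desktop, note), "wb") as fh:
            fh.write(b"placeholder ransom note")
    return base

if __name__ == "__main__":
    for path, desc in triage(build_sample()):
        print(f"{desc}: {path}")
```

On a live host, pass the real drive roots to `triage` and start with the one `most_free_volume` returns; the signature check also catches the archive if it has been renamed.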
