16x Ransomware

The 16x Ransomware is a file-locker Trojan independent of families such as Hidden Tear, the Xorist Ransomware or Ransomware-as-a-Service offerings. The 16x Ransomware blocks the user's files with encryption, appends its extension to their names, and creates a pop-up text message with ransom demands. Users should recover from backups whenever possible and use appropriate security solutions for deleting the 16x Ransomware.

Some Oldschool Charm in New-Faced Trojans

Although ransom notes are far from the most critical part of any file-locking Trojan, they do provide useful information that's viscerally memorable for their readers. Sometimes, the contents of these ransoming instructions also provide details, accidentally or deliberately, about how the Trojan's campaign functions. The 16x Ransomware does both and informs the PC community while also providing an almost charming 'face' for its extortion.

The 16x Ransomware's broad characteristics aren't unusual. The 16x Ransomware targets Windows systems' media files, such as documents, and blocks them by encrypting them (the security of which is awaiting analysis by malware researchers). The Trojan adds extensions ('16x') at the ends of these files' names and creates a pop-up window that walks the victim through the ransoming instructions for recovering their files.

The 16x Ransomware's pop-up design is heavily retro and imitates a Command Prompt, complete with a sword and skull in ASCII art. This throwback graphical style isn't typical of most file-locker Trojans. However, malware experts see text art in occasional samples – mostly 'one-off' campaigns, a la the R00t Ransomware, the ShutUpAndDance Ransomware, etc.

The 16x Ransomware also specifies an unusual demographic through one of its target media formats: programming source files. This assertion could be due to the campaign's compromising software development companies through brute-force or similar means, or to brute-force attacks against vulnerable Web servers.

Beware that Windows OS Component

Early leads in samples for the 16x Ransomware show that the Trojan pretends that it's a Windows component, svchost, which is a disguise that similar threats freely use. Since svchost.exe is omnipresent in Windows environments, a 'stray' one gives little alarm to users who stumble across the file. However, malware experts see no advanced programming or financial resources in this campaign, such as signed digital certificates or supply-chain compromises.
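The two traits the article describes, a stray svchost.exe and the '16x' extension on locked files, can be checked together during triage. The following is an added example, not code from the Trojan or from this article's researchers; the record fields, the sample paths, the '.16x' spelling with a leading dot, and the threshold of three files are assumptions made for illustration.

```python
import ntpath
from collections import Counter

# Default locations of the genuine svchost.exe image on Windows.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOCKED_EXT = ".16x"  # extension the article says is appended (dot assumed)


def svchost_findings(processes):
    """Return (pid, reason) for svchost.exe processes that look out of place."""
    findings = []
    for proc in processes:
        image = ntpath.normpath(proc["image"]).lower()  # collapses '..' segments
        directory, name = ntpath.split(image)
        if name != "svchost.exe":
            continue
        if directory not in LEGIT_DIRS:
            findings.append((proc["pid"], "runs from " + directory))
        elif proc["parent"].lower() != "services.exe":
            # Genuine instances are started by the Service Control Manager.
            findings.append((proc["pid"], "parent is " + proc["parent"]))
    return findings


def locked_dirs(paths, threshold=3):
    """Directories holding at least `threshold` files ending in .16x."""
    counts = Counter(
        ntpath.dirname(p).lower() for p in paths if p.lower().endswith(LOCKED_EXT)
    )
    return {d: n for d, n in counts.items() if n >= threshold}


# Constructed sample inventory (not taken from a real 16x sample).
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 4120, "image": r"C:\Users\dev\AppData\Roaming\svchost.exe", "parent": "explorer.exe"},
    {"pid": 4388, "image": r"C:\Windows\System32\..\Temp\svchost.exe", "parent": "cmd.exe"},
    {"pid": 5016, "image": r"C:\Windows\System32\svchost.exe", "parent": "winword.exe"},
]
SAMPLE_FILES = [
    r"C:\src\app\main.c.16x", r"C:\src\app\util.py.16x", r"C:\src\app\build.sh.16x",
    r"C:\src\app\README.md", r"C:\Users\dev\Documents\notes.docx.16x",
]

if __name__ == "__main__":
    for pid, reason in svchost_findings(SAMPLE_PROCESSES):
        print(f"suspicious svchost.exe pid={pid}: {reason}")
    for directory, n in locked_dirs(SAMPLE_FILES).items():
        print(f"{n} files ending in {LOCKED_EXT} under {directory}")
```

In practice the process and file records would come from an EDR export or a scheduled inventory job rather than the inline samples.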

The 16x Ransomware might target programmers, but encryption is a general-purpose feature that can harm users' files at home or work. Malware experts can't confirm any advanced file-deletion features in the 16x Ransomware's payload, but, regardless, users already should have protected backups for restoring any data. Backups on removable devices, cloud storage, and similar alternatives are notably safer than local ones, like the Restore Points.

Two-thirds of all AV vendors will flag this Trojan under behavior-based flags for file-locking Trojans and similar threats. Windows users with appropriate security software should delete the 16x Ransomware without difficulties during a system-wide scan.

The 16x Ransomware's travel mechanisms require further exploration, but its motives are plain as day. While a text skull is more amusing than most mascots, it brings nothing but bad news to the ill-prepared.
