Arena Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 3 |
| First Seen: | August 25, 2017 |
| Last Seen: | February 11, 2019 |
| OS(es) Affected: | Windows |
The Arena Ransomware is an encryption ransomware Trojan. Like other threats that carry out the same tactic, the Arena Ransomware is designed to take over a victim's computer by encrypting the victim's files. The Arena Ransomware demands payment of a ransom in exchange for the decryption key necessary to recover the affected files once the victim's files have been encrypted with a strong encryption algorithm. Ransomware Trojans like the Arena Ransomware are designed to take the victim's computer hostage until the victim pays a ransom to recover access to the infected computer.
Table of Contents
The Arena Ransomware may Enter a Computer Via Email Attachments
The Arena Ransomware seems to be a variant in the Dharma Ransomware family, which has numerous variants that carry out very similar attacks. The Arena Ransomware itself was first seen in the last week of August 2017 and is very similar to various other Dharma variants. The Arena Ransomware is sent to the victims in the form of spam email attachments, which may be Microsoft Word documents that have corrupted macro scripts enabled. These documents will use social engineering techniques to trick the computer users into believing that a reputable sender, tricking the victim into opening the attachment or clicking on an embedded link, sent the document. The Arena Ransomware will be downloaded and installed onto the victim's computer by email attachments that will use corrupted scripts after the victim opens the attached file.
How the Arena Ransomware Carries out Its Attack on the Victim’s PC
Once the Arena Ransomware is installed on the victim's PC, it connects to its Command and Control server and delivers information about the infected computer, as well as receives the data necessary to carry out its encryption attack. The Arena Ransomware will encrypt the victim's files using a strong encryption algorithm. The Arena Ransomware uses a combination of the AES and RSA encryptions, which was observed in many other encryption ransomware Trojans. Once the Arena Ransomware encrypts the files, it will no longer be possible to recover the affected files without the decryption key and the decryption software (both of which the con artists hold in their possession). The files encrypted by the Arena Ransomware attack are marked with the file extension '[sindragosa@bigmir.net].arena,' which is added to the end of each affected file's name. In its attack, the Arena Ransomware targets commonly used file extensions, specifically attempting to encrypt the victims' photos, music, videos, texts, databases, spreadsheets, configuration files, archives, and numerous other file types.
The Arena Ransomware’s Ransom Note
After the Arena Ransomware has encrypted the victim's files, the Arena Ransomware will deliver a ransom note. This ransom note is contained in a text file named 'FILES ENCRYPTED.txt,' which is dropped on the victim's desktop. The Arena Ransomware ransom note reads as follows:
'all your data has been locked us
You want to return?
write email sindragosa@bigmir.net'
The Arena Ransomware also will target other alternate recovery methods, such as the Shadow Volume Copies and the System Recovery, apart from encrypting the victim's files. However, malware researchers advise computer users to avoid contacting the con artists at their email address since it is very unlikely that it will result in the return of the affected files and may lead to further tactics.
Protecting Your Data from Threats Like the Arena Ransomware
The best protection against threats like the Arena Ransomware is to have file backups. If you have backup copies of your files on an external memory device, then the people responsible for the Arena Ransomware have no leverage to demand a ransom payment since you can simply restore the affected files from the file backups rather than having to resort to contacting the con artists. Besides using file backups, computer users also should use a reliable security program that is fully up-to-date to detect and remove the Arena Ransomware and other threats before they manage to cause damage to files on their computers. A combination of file backups and security software can stop the Arena Ransomware and most ransomware Trojans.
