Arena Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 3
First Seen: August 25, 2017
Last Seen: February 11, 2019
OS(es) Affected: Windows

The Arena Ransomware is an encryption ransomware Trojan. Like other threats that carry out the same tactic, the Arena Ransomware is designed to take over a victim's computer by encrypting the victim's files. The Arena Ransomware demands payment of a ransom in exchange for the decryption key necessary to recover the affected files once the victim's files have been encrypted with a strong encryption algorithm. Ransomware Trojans like the Arena Ransomware are designed to take the victim's computer hostage until the victim pays a ransom to recover access to the infected computer.

The Arena Ransomware may Enter a Computer Via Email Attachments

The Arena Ransomware seems to be a variant in the Dharma Ransomware family, which has numerous variants that carry out very similar attacks. The Arena Ransomware itself was first seen in the last week of August 2017 and is very similar to various other Dharma variants. The Arena Ransomware is sent to the victims in the form of spam email attachments, which may be Microsoft Word documents that have corrupted macro scripts enabled. These documents will use social engineering techniques to trick the computer users into believing that a reputable sender, tricking the victim into opening the attachment or clicking on an embedded link, sent the document. The Arena Ransomware will be downloaded and installed onto the victim's computer by email attachments that will use corrupted scripts after the victim opens the attached file.

How the Arena Ransomware Carries out Its Attack on the Victim’s PC

Once the Arena Ransomware is installed on the victim's PC, it connects to its Command and Control server and delivers information about the infected computer, as well as receives the data necessary to carry out its encryption attack. The Arena Ransomware will encrypt the victim's files using a strong encryption algorithm. The Arena Ransomware uses a combination of the AES and RSA encryptions, which was observed in many other encryption ransomware Trojans. Once the Arena Ransomware encrypts the files, it will no longer be possible to recover the affected files without the decryption key and the decryption software (both of which the con artists hold in their possession). The files encrypted by the Arena Ransomware attack are marked with the file extension '[].arena,' which is added to the end of each affected file's name. In its attack, the Arena Ransomware targets commonly used file extensions, specifically attempting to encrypt the victims' photos, music, videos, texts, databases, spreadsheets, configuration files, archives, and numerous other file types.

The Arena Ransomware’s Ransom Note

After the Arena Ransomware has encrypted the victim's files, the Arena Ransomware will deliver a ransom note. This ransom note is contained in a text file named 'FILES ENCRYPTED.txt,' which is dropped on the victim's desktop. The Arena Ransomware ransom note reads as follows:

'all your data has been locked us
You want to return?
write email'

The Arena Ransomware also will target other alternate recovery methods, such as the Shadow Volume Copies and the System Recovery, apart from encrypting the victim's files. However, malware researchers advise computer users to avoid contacting the con artists at their email address since it is very unlikely that it will result in the return of the affected files and may lead to further tactics.

Protecting Your Data from Threats Like the Arena Ransomware

The best protection against threats like the Arena Ransomware is to have file backups. If you have backup copies of your files on an external memory device, then the people responsible for the Arena Ransomware have no leverage to demand a ransom payment since you can simply restore the affected files from the file backups rather than having to resort to contacting the con artists. Besides using file backups, computer users also should use a reliable security program that is fully up-to-date to detect and remove the Arena Ransomware and other threats before they manage to cause damage to files on their computers. A combination of file backups and security software can stop the Arena Ransomware and most ransomware Trojans.


I removed Arena Ransomware from my PC , but still my files are encrypted , what can I do? where can I find decoder for my 2 very important file?

please i have an arena attacked and i have some files that are encrypted,
please can any one advise if there is a way to recover the data again because i donthave backup
please advise!!!!!

Related Posts


Most Viewed