Assembly Ransomware

By GoldSparrow in Ransomware

The Assembly Ransomware is an encryption ransomware Trojan that is a variant of HiddenTear, an open source ransomware Trojan that has spawned countless variants since it was first released in 2015. The most common way of distributing the Assembly Ransomware is through corrupted spam email attachments, which use malicious embedded macro scripts to download and install the Assembly Ransomware onto the victim's computer. The Assembly Ransomware carries out a typical encryption ransomware attack, using a strong encryption algorithm to make the victim's files inaccessible and then demanding the payment of a ransom to restore the affected files.

The Assembly Ransomware Dismantles Access to the Encrypted Files

The Assembly Ransomware runs as 'assembly.exe' on the affected computers. The Assembly Ransomware will use a strong encryption algorithm to make the user-generated files present on the infected computer inaccessible. The Assembly Ransomware targets a wide variety of file types, including text documents, databases, music files, videos and numerous others. The file types that ransomware Trojans like the Assembly Ransomware will target in their attacks include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The Assembly Ransomware also will delete the Shadow Volume Copies, the System Restore points and other mechanisms that Windows uses to help computer users recover lost files, so that the victim cannot simply roll back to a pre-infection state.

The Assembly Ransomware's Ransom Demand

The Assembly Ransomware drops a file named 'READ_ME.txt' in the Documents and Desktop directories of the victim's computer. This text file contains the Assembly Ransomware's ransom note, which reads as follows:

'All files have been encrypted
Send 1000 $ in BTC to
1NRtwvG6hvmpm4qv7ChoFGxNNsLaU8A5B9
and send your computername to
ransomrust@protonmail.com
in order to decrypt the files.'

The Bitcoin wallet address associated with the Assembly Ransomware has indeed received payments, but none of these are in the realm of 1000 USD, meaning that this wallet may be associated with other threats, or that the con artists accept negotiation with their victims. Regardless of this, PC security researchers strongly advise computer users to refrain from contacting these crooks or cooperating with the people responsible for these attacks.

Protecting Your Data from Attacks Like the Assembly Ransomware

Unfortunately, the encryption type used by threats like the Assembly Ransomware makes it very difficult, or almost impossible, to recover the files encrypted by the Assembly Ransomware attack. Because of this, prevention is key when dealing with these threats. Malware experts advise computer users to use a reliable backup system, such as cloud services or an external memory device, to store backup copies of all files. Having backup copies of your files is the most effective method of halting the spread of ransomware Trojans like the Assembly Ransomware since it eliminates any leverage the extortionists have over their victims. Apart from having file backups, computer users should use a security product that is fully up-to-date to protect their data from these threats. Furthermore, since the Assembly Ransomware and similar threats spread using spam email attachments, it is important to take steps to protect your computer from these unwanted messages.
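As an added triage example, not code from this write-up or from any vendor, the script below checks a directory tree for the two on-disk signs described above: a 'READ_ME.txt' carrying the quoted ransom-note text, and files of the targeted types whose contents look like ciphertext (measured by byte entropy). The function names, the entropy threshold and the reduced extension set are assumptions of this example; only the note name, note markers and extensions come from the page.

```python
import math
import os
from collections import Counter

# Indicators from the write-up; names, threshold and helpers are assumptions.
NOTE_NAME = "READ_ME.txt"
NOTE_MARKERS = ("All files have been encrypted",
                "1NRtwvG6hvmpm4qv7ChoFGxNNsLaU8A5B9",
                "ransomrust@protonmail.com")
# Subset of the targeted extensions listed above; extend with the full list.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
               ".mp3", ".mp4", ".sql", ".db", ".zip", ".txt", ".py", ".c"}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits/byte; ciphertext sits near 8.0

def note_markers_found(text: str) -> list:
    """Return the ransom-note markers present in a text file's contents."""
    return [m for m in NOTE_MARKERS if m in text]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """True when a targeted-type file has ciphertext-like entropy. Compressed
    formats (.zip, .jpg, .mp3) are high entropy by nature, so treat this as
    a triage signal and pair it with note detection."""
    ext = os.path.splitext(name)[1].lower()
    return (ext in TARGET_EXTS and len(data) >= 256
            and shannon_entropy(data) > ENTROPY_THRESHOLD)

def scan_tree(root: str) -> dict:
    """Walk root, collecting ransom notes and high-entropy targeted files."""
    hits = {"notes": [], "encrypted": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if fn == NOTE_NAME and note_markers_found(data.decode("utf-8", "ignore")):
                hits["notes"].append(path)
            elif looks_encrypted(fn, data):
                hits["encrypted"].append(path)
    return hits
```

Run `scan_tree` against the Documents and Desktop folders the write-up names (or a whole user profile) from a clean system over a mounted image; a non-empty "notes" list is a strong indicator, while the "encrypted" list needs a human look because archives and media files are high entropy even when untouched.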
