
Black Worm Ransomware

By GoldSparrow in Ransomware

The Black Worm Ransomware is a file-encrypting Trojan that computer security researchers first noticed on December 14th, 2018. It caught their attention when PC users reported encrypted data after downloading a file from what appeared to be Discord's content delivery platform. Discord is a social service aimed primarily at gamers. The service is very popular, and one of its core features is easy file sharing: users can drag and drop files into the Discord window and add comments. Shared files are reachable over the Internet and can be downloaded on demand. Discord serves the shared data over HTTPS from a dedicated domain.

The correct Discord URL looks like this:

https://media.discordapp.net/attachments/[18-digit number]/[18-digit number]/[original file name].[original file extension]

However, the links used to distribute the Black Worm Ransomware look like this:

http://cdn.discordapp.com/attachments/[18-digit number]/[18-digit number]/[payload.exe]

The host name and the scheme differ from the pattern above (plain http:// rather than https://), but these are small differences that many users will not notice. The threat actors were observed serving their malware from the IP address 104.16.9.231 under a variety of file names; that address lies inside Cloudflare's published ranges, so it identifies the CDN front rather than the attackers' own server and is of little use as a blocking indicator. Researchers warn that the Black Worm Ransomware may be packed into programs posing as cheats for games like Roblox, cracked copies of Adobe Photoshop and Windows OS activators. Users typically run such programs with their anti-virus solution switched off so that it does not interfere, which is exactly when the payload is free to execute. Once loaded, the Black Worm Ransomware scans the local drives for targeted data and encrypts the files it finds quickly. It appends the '.bworm' extension to the file names, so a file like 'Johns Hopkins Glacier.jpeg' is renamed to 'Johns Hopkins Glacier.jpeg.bworm'. The threat then drops a short ransom note named 'READ_IT.txt' on the desktop. The enclosed message reads:
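The two URL shapes above can be checked mechanically. The following Python snippet is an added example, not code from the original write-up or from Discord: it parses a link and reports every way it deviates from the genuine media.discordapp.net attachment pattern (scheme, host, the two 18-digit path components), and additionally flags attachments whose extension is executable, since a lure like the one described here ends in .exe. The list of executable extensions and the sample links with placeholder 18-digit numbers are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Genuine attachment shape, as given in the write-up above:
# https://media.discordapp.net/attachments/<18 digits>/<18 digits>/<name>.<ext>
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "media.discordapp.net"
ATTACHMENT_PATH = re.compile(r"^/attachments/\d{18}/\d{18}/([^/]+)$")

# Extensions that execute when double-clicked. This list is our own assumption
# for the example; the write-up only mentions a '.exe' payload.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".ps1"}


def classify_discord_link(url: str) -> list[str]:
    """Return the reasons a link deviates from the expected attachment pattern.

    An empty list means the link matches the genuine shape exactly and does
    not point at an executable file.
    """
    parts = urlsplit(url)
    reasons = []

    if parts.scheme.lower() != EXPECTED_SCHEME:
        reasons.append(f"scheme is {parts.scheme!r}, expected {EXPECTED_SCHEME!r}")

    host = parts.hostname or ""
    if host.lower() != EXPECTED_HOST:
        reasons.append(f"host is {host!r}, expected {EXPECTED_HOST!r}")

    match = ATTACHMENT_PATH.match(parts.path)
    if not match:
        reasons.append("path does not match /attachments/<18 digits>/<18 digits>/<file>")
        return reasons

    filename = match.group(1)
    pieces = filename.lower().rsplit(".", 1)
    if len(pieces) == 2 and "." + pieces[1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"attachment {filename!r} is an executable")

    return reasons


# Constructed sample links; the 18-digit IDs are placeholders, not real attachments.
SAMPLE_LINKS = [
    "https://media.discordapp.net/attachments/123456789012345678/123456789012345678/screenshot.png",
    "http://cdn.discordapp.com/attachments/123456789012345678/123456789012345678/RobloxCheat.exe",
    "https://media.discordapp.net/attachments/123456789012345678/123456789012345678/Photoshop_crack.exe",
]


def triage(links: list[str]) -> dict[str, list[str]]:
    """Classify every link and return {url: [reasons]} for reporting."""
    return {url: classify_discord_link(url) for url in links}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LINKS).items():
        verdict = "suspicious" if reasons else "matches expected pattern"
        print(f"{verdict}: {url}")
        for reason in reasons:
            print(f"    - {reason}")
```

The third sample shows why the extension check matters: a link can sit on the right host over HTTPS and still deliver a trojanised installer, so host and scheme mismatches are useful signals but not the only ones to act on.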

'[ WARNING ]
Your files has been encrypted with Black Worm RansomWare
Send 200$ of bitcoins to my Bitcoin Address
Bitcoin Address:
[34 characters long string]'

Unfortunately, no working decryptor is available for the Black Worm Ransomware, and the only decryption route on offer is the one the attackers sell. Paying is not advised, since you may lose your money and receive nothing in return. Instead, rebuild your data from backups, mailbox copies and file-hosting services. Most AV engines carry detection rules for the Black Worm Ransomware, so do not turn off your virus protection when handling software of doubtful origin. Several of the detection names below (MSIL, YakbeexMSIL, Bladabindi) indicate that the binary is a .NET executable. Detection names for the Black Worm Ransomware include:
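Before restoring from backups, a responder needs a list of what was hit. The following Python script is an added example, not code from the original write-up: it sweeps a directory tree for the two artifacts described above, files carrying the '.bworm' suffix and 'READ_IT.txt' notes containing the "Black Worm RansomWare" string, recovers the pre-encryption file names for a restore list, and pulls any Bitcoin-address-shaped string out of the note as an indicator to report. The sample tree it builds, including the placeholder address in the note, is constructed for the example and is not victim data; the address regex is purely syntactic (it does not verify the Base58Check checksum).

```python
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".bworm"          # extension appended to encrypted files
NOTE_NAME = "READ_IT.txt"            # ransom note dropped on the desktop
NOTE_MARKER = "Black Worm RansomWare"  # phrase from the note shown above

# Syntactic match for a legacy Bitcoin address (Base58, starts with 1 or 3,
# 26-35 characters). Syntax only; no checksum verification is done.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def sweep(root: Path) -> dict:
    """Walk root and collect encrypted files, ransom notes and note indicators."""
    findings = {
        "encrypted": [],        # paths of files with the .bworm suffix
        "original_names": [],   # the same files with the suffix removed
        "notes": [],            # paths of READ_IT.txt files that match the marker
        "btc_addresses": [],    # address-shaped strings found in the notes
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                findings["encrypted"].append(path)
                findings["original_names"].append(name[: -len(ENCRYPTED_SUFFIX)])
            elif name == NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable note; skip rather than abort the sweep
                if NOTE_MARKER in text:
                    findings["notes"].append(path)
                    findings["btc_addresses"].extend(BTC_ADDRESS.findall(text))
    return findings


def build_sample_tree() -> Path:
    """Create a constructed sample tree (not real victim data) under a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="bworm_sample_"))
    (root / "Pictures").mkdir()
    (root / "Pictures" / "Johns Hopkins Glacier.jpeg.bworm").write_bytes(b"\x00" * 16)
    (root / "report.docx.bworm").write_bytes(b"\x00" * 16)
    (root / "unaffected.txt").write_text("plain file, not encrypted")
    (root / "Desktop").mkdir()
    # Placeholder address below is made up for the example and is not a real wallet.
    (root / "Desktop" / NOTE_NAME).write_text(
        "[ WARNING ]\n"
        "Your files has been encrypted with Black Worm RansomWare\n"
        "Send 200$ of bitcoins to my Bitcoin Address\n"
        "Bitcoin Address:\n"
        "1ExampAddressNotRea1BtcPayToXYZ789\n"
    )
    return root


def sweep_sample() -> dict:
    """Build the sample tree and sweep it; returns the findings dict."""
    return sweep(build_sample_tree())


if __name__ == "__main__":
    result = sweep_sample()
    print(f"encrypted files: {len(result['encrypted'])}")
    for original in sorted(result["original_names"]):
        print(f"  restore needed: {original}")
    print(f"ransom notes: {len(result['notes'])}")
    for address in result["btc_addresses"]:
        print(f"  address in note: {address}")
```

Run against a real host, the original_names list is what you hand to whoever owns the backups, and the addresses go into the incident record; the sweep deliberately never touches the encrypted files themselves.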

Backdoor.MSIL.Bladabindi.AG@7q5fmv
BehavesLike.Win32.PUPXAA.qm
Gen:Heur.Ransom.REntS.Gen.1
MSIL:Agent-CIB [Trj]
Ransom.Ryzerlo!8.782 (CLOUD)
Ransom.Win32.BLACKWORM.THABAGAH
Trojan ( 0044fb7e1 )
Trojan.Win32.S.Agent.52736.BBV
Trojan.YakbeexMSIL.ZZ4
Trojan/RL.Generic.R243108
Unsafe.AI_Score_88%
malicious_confidence_100% (W)
