
Bonsoir Ransomware

The Bonsoir Ransomware is a file-locking Trojan that is not part of a known family or Ransomware-as-a-Service. It endangers users' access to their media files, such as documents, by encrypting them and demands a ransom through a TOR website for decrypting them. Adequate backup precautions may nullify most infection effects, and well-maintained security products should remove the Bonsoir Ransomware on sight.

A Not-Too-Good Evening Encountering Trojans

An independent file-locker Trojan that appears ready to compete with the large Ransomware-as-a-Service families has surfaced in the wild, with victims submitting samples as of early January. The Bonsoir Ransomware shares many of the behavioral norms and infrastructure choices that malware experts associate with well-maintained RaaS businesses. It shows that polish is an appreciable quality in extortion, even when the Trojan delivering it is brand-new.

The Bonsoir Ransomware is a Windows threat that uses AES-256, one of the most popular encryption algorithms among Trojans, to block files. Malware analysts place most digital media formats at risk from this locking routine, including documents, images, spreadsheets and music. The Trojan also adds a 'bonsoir' extension to their names, 'bonsoir' being French for 'good evening.'
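The combination of a tell-tale extension and AES-256 output gives a responder two cheap indicators to triage a suspected infection: the renamed files, and the fact that their contents now look like random bytes rather than documents. The script below is an added example written for this page, not code from the page or from any vendor product. It assumes the Trojan appends `.bonsoir` after the original extension (the page only says the extension is added to the name), uses `os.urandom` as a stand-in for ciphertext in a constructed sample tree, and picks a 7.0 bits/byte entropy threshold; all three are assumptions for illustration.

```python
"""Triage helper: find files carrying the 'bonsoir' extension and confirm
they look encrypted by measuring the Shannon entropy of their first bytes.
Example code for this page; the extension layout and threshold are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".bonsoir"      # extension the page reports; appended form is assumed
ENTROPY_THRESHOLD = 7.0      # bits/byte; documents sit well below, AES output ~7.9+


def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_bonsoir_victim(path: Path, sample_size: int = 4096) -> bool:
    """True if the file carries the bonsoir extension AND its header looks encrypted.

    The extension alone is not proof: a decoy or a half-written file would match
    by name only, so the content check guards against false positives."""
    if path.suffix != RANSOM_EXT:
        return False
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: Path) -> dict:
    """Walk a tree and report encrypted files with the names they had before renaming."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and is_bonsoir_victim(p):
            original = p.with_suffix("")  # strip the appended '.bonsoir' only
            hits.append({
                "encrypted": str(p),
                "original_name": original.name,
                "original_ext": original.suffix,
            })
    by_ext = Counter(h["original_ext"] for h in hits)
    return {"count": len(hits), "files": hits, "by_extension": dict(by_ext)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not a real infection): one 'encrypted' file,
    one untouched text file, and one decoy that has the extension but plain contents."""
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.bonsoir").write_bytes(os.urandom(8192))   # stands in for AES ciphertext
    (docs / "notes.txt").write_text("quarterly numbers\n" * 200)     # never touched
    (docs / "decoy.txt.bonsoir").write_text("not really encrypted\n" * 200)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['count']} encrypted file(s); by original extension: {report['by_extension']}")
    for hit in report["files"]:
        print(f"  {hit['encrypted']}  <-  {hit['original_name']}")
```

On the constructed tree the report counts exactly one victim (`report.docx`), because the decoy is rejected by the entropy check despite its extension. Reading only the first 4 KiB keeps the scan fast on large shares; raise `sample_size` if the Trojan turns out to leave a plaintext header, which would drop the measured entropy.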

However, the Bonsoir Ransomware's ransom note, a TXT file, is in English. It directs victims to an anonymous TOR website, which gives further instructions on the ransom. The demand is in line with other Trojans of the day, at $1,790 in Bitcoin, a sum pitched at home users or smaller businesses. Although the threat actor claims that delivery of the decryptor is automated, malware experts have yet to verify this assertion and, as always, recommend against paying.

An 'Au Revoir' Appropriate to File-Molesting Trojans

That the Bonsoir Ransomware's payload differs so little from similar threats is both a showing of the seemingly-infinite potency of encryption as a data-blocking tool and an indicator that users are taking their security for granted. Windows users who back their files up onto other devices can guarantee a recovery without paying the ransom or attempting to crack a possibly-unbreakable encryption routine. Threat actors suffer zero risk from withholding their help, thanks to the limited refund options with cryptocurrencies like the Bonsoir Ransomware's stated Bitcoin preference.

Although the Bonsoir Ransomware's campaign is live, malware researchers can't yet verify its current infection methods. Users might be at risk from vulnerabilities in outdated software (see Microsoft Office's CVE-2017-11882 for an example) that are preventable with appropriate patches. There is also a strong chance of attackers brute-forcing their way into servers with weak passwords, seeding torrents, or sending disguised e-mail attachments to workers.

Backups are useful for recovery, if not necessarily for preventing infections. For the latter, users should install a proven brand of cyber-security solution for detecting and removing the Bonsoir Ransomware, ideally before its encryption starts.

The Bonsoir Ransomware's business hallmarks are not very different from those of the NEFILIM Ransomware, the AES-Matrix Ransomware, or a 'public' Ransomware-as-a-Service. With one more data-blocking source entering the threat landscape, Windows users have one more hazard than yesterday worth sidestepping.
