
DarkWorld Ransomware

The DarkWorld Ransomware is a combination of a file-locker Trojan and spyware that blocks data while also collecting text files. Its ransom note doesn't indicate the theft and, as usual, asks for a Bitcoin ransom for unlocking the files. Users should ignore ransom demands if possible and recover from backups once an appropriate anti-malware tool uninstalls the DarkWorld Ransomware.

What Victims can't See in a Trojan's World of Darkness

Although file-locker Trojans remain insistent on raking in Bitcoins through turning files into hostages, more threat actors are seeking other ways of maximizing their profits. A trend malware experts took note of previously in campaigns like the Hidden Tear spin-off of the Blackheel Ransomware and the NEFILIM Ransomware family is the use of extra, data-collecting leverage. Now, the DarkWorld Ransomware continues it, showing the world that its victims can't fix every problem, even with a backup.

The DarkWorld Ransomware has no distinctive connections to past Trojans but operates similarly to them. It blocks the user's files – including not just media, but other formats, such as program EXEs (executables) – with Rijndael or AES encryption. The key for securing this data-locking feature includes random components, such as system time, which generates a different pattern for each attack scenario. These now non-opening files also receive 'dark' extensions.

The above is typical of file-locker Trojans, but malware analysts also catch more in the DarkWorld Ransomware's payload. The Trojan includes a built-in spyware-like feature that also uploads some files during the encryption routine. Currently, it targets Notepad TXT or text files of less than two megabytes in size. The threat actor, accordingly, has easy access to any data within them, such as passwords.

The DarkWorld Ransomware ransom note doesn't mention this attack and doesn't pressure the victim with the possibility of leaking data to the public. Instead, the attacker banks on profiting twice, without the target's awareness of the thievery.

Catching the DarkWorld Ransomware in a Revealing Spotlight

The DarkWorld Ransomware's wallet has no transactions, although its 300 USD ransom is affordable for many victims, including home users and some smaller businesses. Malware experts naturally recommend against making payments, since they fund further campaigns and Trojan development. Paying also doesn't undo the theft of the uploaded files, even setting aside the risk that the attacker never provides a decryptor for the locked ones.

The DarkWorld Ransomware's ransom note is in English, although that language is a typical choice for Trojans worldwide. For now, malware researchers point to fake software download tactics as the DarkWorld Ransomware's infection vectors of choice. The Trojan carries a falsified name and icon and may circulate through torrents or corrupted websites. Avoiding illicit and unofficial downloads, as usual, is ideal for any Web surfer's safety.

Most anti-malware products should detect and block the DarkWorld Ransomware, although some services identify it as a variant of the relatively less harmful Hidden Tear program. Victims should default to using accomplished security services for uninstalling the DarkWorld Ransomware and check their accounts for unauthorized activity related to any stolen text-based information.
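As an added example that is not part of the original article, the Python triage helper below walks a recovered directory tree and separates the files carrying the 'dark' extension from the text files under the two-megabyte cutoff that the Trojan uploads, giving the owner a list of which files' contents (passwords included) to treat as compromised. The '.dark' suffix spelling, the use of a locked file's size as a proxy for its original size, and the sample tree are assumptions or constructed data.

```python
import os
import tempfile
from pathlib import Path

MAX_EXFIL_BYTES = 2 * 1024 * 1024  # stated cutoff: text files under two megabytes are uploaded
LOCKED_SUFFIX = ".dark"            # extension given to locked files; exact form is an assumption

def classify(rel_path, size):
    """Return (is_locked, original_name, exfil_candidate) for one file by name and size."""
    original = rel_path[:-len(LOCKED_SUFFIX)] if rel_path.lower().endswith(LOCKED_SUFFIX) else rel_path
    is_locked = original != rel_path
    # AES ciphertext is at most one block longer than plaintext, so a locked file's size is a
    # close proxy for the original size against the 2 MB cutoff. Untouched .txt files are
    # flagged too: an interrupted run gives no proof a file was skipped (conservative choice).
    exfil_candidate = original.lower().endswith(".txt") and size < MAX_EXFIL_BYTES
    return is_locked, original, exfil_candidate

def triage_tree(root):
    """Walk a recovered directory tree; list locked files and likely-stolen text files."""
    root = Path(root)
    report = {"locked": [], "exfil_candidates": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            is_locked, original, exfil = classify(rel, p.stat().st_size)
            if is_locked:
                report["locked"].append(rel)
            if exfil:
                report["exfil_candidates"].append(original)
    return {k: sorted(v) for k, v in report.items()}

def build_sample_tree():
    """Constructed sample tree (not real victim data) for running the triage offline."""
    root = tempfile.mkdtemp(prefix="darkworld_triage_")
    samples = {
        "docs/passwords.txt.dark": 512,        # small TXT, locked: assume it was uploaded
        "docs/report.docx.dark": 4096,         # locked, but not a text file
        "logs/big.txt.dark": 3 * 1024 * 1024,  # TXT above the 2 MB cutoff: not uploaded
        "tools/setup.exe.dark": 8192,          # executables are locked as well
        "notes/todo.txt": 100,                 # untouched TXT, flagged conservatively
    }
    for rel, size in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    return root

if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Point `triage_tree` at a mounted copy of the affected drive; the `exfil_candidates` list is the set of files whose stored credentials should be rotated.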

PC owners might remember that locking files isn't the objective of a Trojan at the end of the day. The DarkWorld Ransomware exists to make money and will add on more attacks until it accomplishes that goal, with or without the victim's help.
