
Divsouth Ransomware

The Divsouth Ransomware is a file-locking Trojan that's part of the relatively small family of the MedusaLocker Ransomware. The Divsouth Ransomware can delete backups, block the user's files with encryption, and include a ransom note Web page promoting its TOR website. Users should ignore ransom-based services from criminals and use other data recovery options after removing the Divsouth Ransomware with a dependable anti-malware service.

The Next Set of Fangs from the MedusaLocker Ransomware

Only a short while after the first confirmation of an annual update for the snake-headed MedusaLocker Ransomware family (see: the Deathfiles Ransomware), malware researchers point to yet more samples of this family out in the wild. The second Trojan of the group for 2021, the Divsouth Ransomware, differs from its relatives in details such as the ransom-related contact e-mail addresses. However, its ransom note and data-destroying attacks are all characteristic of its ancestry.

Examples of the Divsouth Ransomware's family and its encryption attacks go back to 2019, through cases such as the Decrypme Ransomware, the Deadfiles Ransomware and the Support Ransomware. It targets media formats rather than system-critical files and blocks most of the user's documents, images, audio, movies and similar data by encrypting them. This secure encryption routine stops each file from opening, and the Trojan additionally marks the file with a campaign extension such as 'divsouth'.

Like most of the file-locking Trojans of this day and age, the Divsouth Ransomware includes a comprehensive Shadow Volume Copy-deleting feature. This attack stops victims from recovering through their Restore Points. The files' practical hostage situation becomes leverage for the threat actor's ransom demands, which they provide through an HTML note – and an accompanying, anonymous, TOR browser website.

Heading Back North after a Trip to Digital Extortion

The Divsouth Ransomware poses the same dangers to users without secure backups as most file-locking Trojans, regardless of their families. Users can protect themselves by saving their files to other devices, whether those locations are fully detachable storage or simply password-protected. Malware experts encourage this step for Windows users especially, since they are the demographic most often targeted (though by no means exclusively) by file-locking Trojans.

Current samples of the Divsouth Ransomware pose as the Windows component 'svchost' under the misspelled name 'svhost.' This disguise has little bearing on whatever distribution or installation exploits its campaign might misuse. Users should watch for tactics through torrents, e-mail attachments, and fake media player updates as probable infection sources.
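Two of the observable traits described above, the look-alike 'svhost' process name and the appended 'divsouth' extension, can be turned into a simple host triage check. The following Python is an added example written for this entry, not code from the threat database or from the malware itself; the allowlist of legitimate process names, the leading dot on the extension, and the sample process and file listings are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Short, assumed allowlist of legitimate Windows process names that a
# look-alike might imitate (not an exhaustive list).
LEGIT_WINDOWS_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe",
                           "winlogon.exe", "explorer.exe"}
# Campaign extension named in the entry; the leading dot is assumed.
RANSOM_EXTENSION = ".divsouth"

# Constructed sample telemetry, not captured from a real infection.
SAMPLE_PROCESSES = ["svchost.exe", "svhost.exe", "explorer.exe", "chrome.exe"]
SAMPLE_FILES = [
    "C:/Users/alice/Documents/budget.xlsx.divsouth",
    "C:/Users/alice/Pictures/holiday.jpg.divsouth",
    "C:/Users/alice/Music/track01.mp3",
    "C:/Windows/System32/kernel32.dll",
]


def imitated_process(name, legit=LEGIT_WINDOWS_PROCESSES, threshold=0.85):
    """Return the legitimate process name that `name` closely resembles
    without matching it exactly, or None. 'svhost.exe' against
    'svchost.exe' scores about 0.95, so a one-character typo is caught
    while unrelated names such as 'chrome.exe' stay below the threshold."""
    name = name.lower()
    if name in legit:
        return None
    best = max(legit, key=lambda l: SequenceMatcher(None, name, l).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def locked_files(paths, ext=RANSOM_EXTENSION):
    """Paths carrying the campaign extension appended after the original one."""
    return [p for p in paths if p.lower().endswith(ext)]


def triage(processes, paths):
    """Combine both signals into one report a responder can act on."""
    lookalikes = [(p, imitated_process(p)) for p in processes if imitated_process(p)]
    locked = locked_files(paths)
    return {
        "lookalike_processes": lookalikes,
        "locked_files": locked,
        "suspect": bool(lookalikes) and bool(locked),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PROCESSES, SAMPLE_FILES))
```

The process check only flags near-misses of a known name, so it complements rather than replaces a scan of the file system for the extension.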

Without a readily-available reversal method for the Divsouth Ransomware's encryption, users also depend on preventing attacks more than curing them. Most anti-malware applications will flag this threat and remove the Divsouth Ransomware installations automatically.

Even users with intact backups aren't entirely immune to the Divsouth Ransomware. With data theft, resale and publication becoming part of these Trojans' business model, the best way to prevent any financial loss is to protect one's computers and servers ahead of time instead of rolling back the consequences afterward.
