
Domino Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 484
First Seen: August 29, 2016
Last Seen: December 9, 2020
OS(es) Affected: Windows

The Domino Ransomware is a ransomware Trojan used to extort money from inexperienced computer users. Discovered in the summer of 2016, the Domino Ransomware is based on Hidden Tear, an open-source ransomware project that was originally intended to help malware researchers but backfired, since it let con artists build ransomware more easily than before. Although there are numerous Hidden Tear variants, the Domino Ransomware is particularly interesting because it poses as a KMSpico Windows activation crack and does install KMSpico on the victim's computer. Apart from doing this, however, the Domino Ransomware also encrypts the victim's files. The Domino Ransomware is not the official KMSpico application, but simply an installer that has been modified by the people responsible for the Domino Ransomware attack.

How the Domino Ransomware Attack is Carried Out

When the modified KMSpico installer is executed on the targeted computer, it extracts a randomly named file into the %Temp% directory. This randomly named file is, in turn, executed and extracts another file, a password-protected ZIP archive named Help.zip. The password to this archive is abc123456. Inside, the ZIP archive contains two executable files: one named Help.exe and the other named HelloWorld.exe. The first of these two files is the Domino Ransomware's encryptor, designed to encrypt the victim's files using a strong encryption algorithm. The second displays the Domino Ransomware's ransom note, which alerts the victim to the attack in an unusual way and then demands that the victim contact the developers of the Domino Ransomware for further instructions.
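The drop pattern above (a password-protected archive carrying Help.exe and HelloWorld.exe) can be checked for without extracting anything, because the ZIP general-purpose bit flag records whether each member is encrypted. The following Python is an added example, not code from the original page or from any real tool: the `build_zip` fixture constructs a minimal ZIP in memory with the encryption flag set in its headers (member data is left unencrypted, since the detector never opens members), and `inspect_archive` reports the indicators.

```python
import io
import struct
import zipfile
import zlib

# Member names the page reports inside Help.zip (compared case-insensitively).
DOMINO_PAYLOADS = {"help.exe", "helloworld.exe"}
FLAG_ENCRYPTED = 0x1  # general-purpose bit 0: member is encrypted


def build_zip(members, flags):
    """Constructed test fixture: a minimal 'stored' ZIP built by hand.

    Only the headers carry `flags`; the data is not run through ZipCrypto,
    which is enough to exercise a detector that reads headers only."""
    out, central = b"", b""
    for name, data in members:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(out)
        # Local file header (30 bytes): date 18717 = 2016-08-29 in DOS format.
        out += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 18717,
                           crc, len(data), len(data), len(name), 0) + name + data
        # Central directory entry (46 bytes) pointing back at the local header.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 18717, crc, len(data), len(data),
                               len(name), 0, 0, 0, 0, 0, offset) + name
    # End of central directory record (22 bytes).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members),
                       len(members), len(central), len(out), 0)
    return out + central + eocd


def inspect_archive(data):
    """Return the Domino-style indicators present in a ZIP blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.infolist()  # central directory only; nothing is extracted
    names = {m.filename.rsplit("/", 1)[-1].lower() for m in info}
    encrypted = bool(info) and all(m.flag_bits & FLAG_ENCRYPTED for m in info)
    return {
        "password_protected": encrypted,
        "executables": sorted(n for n in names if n.endswith(".exe")),
        "domino_payloads": sorted(names & DOMINO_PAYLOADS),
        "matches_domino": encrypted and DOMINO_PAYLOADS <= names,
    }


# Constructed samples: the reported Help.zip layout, and a harmless archive.
DOMINO_SAMPLE = build_zip([(b"Help.exe", b"MZ stub encryptor"),
                           (b"HelloWorld.exe", b"MZ stub note")], FLAG_ENCRYPTED)
BENIGN_SAMPLE = build_zip([(b"readme.txt", b"nothing to see")], 0)

if __name__ == "__main__":
    print(inspect_archive(DOMINO_SAMPLE))
    print(inspect_archive(BENIGN_SAMPLE))
```

On a real host the same check would be run over ZIP files written under %Temp% by an installer process, since a password-protected archive that an installer unpacks for itself is a signal worth reviewing regardless of the member names.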

It is Very Easy to Uncover this Domino

The Domino Ransomware's ransom note contains instructions for the computer user. It tells the victim how to pay the ransom and instructs the victim to contact the Domino Ransomware's developers at the email address 61f1e8055af3f6a672959e6b0493a2@gmail.com. The ransom note contains two curious elements: the phrase 'Winter is Coming,' immortalized by the popular TV show Game of Thrones, and an ASCII picture of a cow. The Domino Ransomware is nearly identical to other ransomware Trojans, except for its distribution in a modified KMSpico installer and the curious pop-culture reference and picture of a cow contained in its ransom note.

The Domino Ransomware targets the following types of files on the victim's computer:

.3fr, .7z, .accdb, .ai, .apk, .arch00, .arw, .asp, .aspx, .asset, .avi, .bak, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bsa, .c, .cas, .cdr, .cer, .cfm, .cfr, .class, .cpp, .cr2, .crt, .crw, .cs, .csr, .css, .csv, .d3dbsp, .das, .DayZProfile, .dazip, .db0, .dba, .dbf, .dbfv, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dtd, .dwg, .dxg, .epk, .eps, .erf, .esm, .ff, .fla, .flv, .forge, .fos, .fpk, .fsh, .gdb, .gho, .h, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .java, .jpe, .jpeg, .jpg, .js, .jsp, .kdb, .kdc, .kf, .layout, .lbf, .litemod, .lrf, .ltx, .lua, .lvl, .m, .m2, .m3u, .m4a, .map, .mcgame, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp4, .mpqge, .mrwref, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkpass, .pl, .png, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rss, .rtf, .rw2, .rwl, .sav, .sb, .sc2save, .sh, .sid, .sidd, .sidn, .sie, .sis, .slm, .sln, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .swift, .syncdb, .t12, .t13, .tax, .tor, .txt, .unity3d, .upk, .vb, .vcf, .vcxproj, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wallet, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xcodeproj, .xf, .xhtml, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xxx, .zip, .ztmp.

Since the Domino Ransomware is based on Hidden Tear, a brute-force decryption key is currently available that can help victims of the Domino Ransomware recover their files without paying the ransom.
