
Evasive Ransomware

By GoldSparrow in Ransomware

The Evasive Ransomware is an encryption ransomware Trojan. Like most ransomware Trojans, the Evasive Ransomware is designed to take the victim's files hostage by making them inaccessible with an encryption algorithm. After the victim's files are encrypted, the victim can no longer open the affected files. The victim is then asked to pay a large ransom in exchange for the decryption key, necessary to restore the affected files.

There's No Evasiveness in the Evasive Ransomware Attack

The Evasive Ransomware was first observed carrying out attacks on November 10, 2017. It is a variant of HiddenTear, an open source ransomware engine that has been responsible for countless attacks since it first appeared in August 2015. There are countless variants of HiddenTear, with new ones appearing every day, because HiddenTear is freely available on underground forums and cybercrooks adapt it to their own needs. Unfortunately, the Evasive Ransomware and other HiddenTear variants use an encryption method that currently cannot be cracked without the decryption key, meaning that the victim's files will remain encrypted permanently once the Evasive Ransomware has encrypted them.

How the Evasive Ransomware Carries out Its Attack

Victims of the Evasive Ransomware may become infected by opening a corrupted email attachment, commonly delivered as a Microsoft Word file attached to a spam email message. A corrupted macro script downloads and installs the Evasive Ransomware on the victim's computer. Once installed, the Evasive Ransomware uses a powerful combination of AES and RSA encryption to make the victim's files inaccessible. It marks each file it encrypts by adding the file extension '.locked' to the end of the affected file's name. The Evasive Ransomware also deletes the backup versions of files that Windows sometimes saves to enable recovery and can interfere with other possible recovery methods. The Evasive Ransomware targets the following file types in its attack (substantially fewer than many other ransomware Trojans):

.aspx, .cpp, .csv, .doc, .docx, .h, .html, .jpg, .jsp, .lnk, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .pst, .rar, .sql, .txt, .xls, .xlsx, .xml, .zip.

How the Evasive Ransomware Demands Its Ransom Payment

The Evasive Ransomware delivers a ransom note asking the victims to pay a ransom if they want to get the decryption key necessary to restore the affected files. The Evasive Ransomware's ransom note is delivered in a file named 'READ_ME.txt' on the victim's computer. This ransom note contains the following text:

'Dear fellows, Attention please!
As you may noticed, all the data on your computer has been encrypted.
To decrypt the files, each of your computer need a privatekey which is held by us.
We guarantee that your files can be 100% restored only with our help.
Your leadership (anyone who's in charge) should email us at getkeys@tutanota.com within the next 12 hours.
Remember, you only have 48 hours to get the keys before your data lost forever.
Backup Email: weknownit@mail2tor.com'

It is recommended not to contact the people responsible for the Evasive Ransomware attack or attempt to pay the ransom. In most cases, these people will ignore payments, demand a higher payment amount, or target paying victims again in future infections (since they have already shown a willingness to pay the ransom).

Dealing with the Evasive Ransomware

Instead of paying the ransom amount, take preventive measures to ensure that your data is backed up. Having file backups is, by far, the best protection against ransomware Trojans like the Evasive Ransomware. Apart from file backups, you can prevent the Evasive Ransomware from gaining access to your computer with the help of an updated security program.
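
The indicators described above (the '.locked' extension appended to one of the targeted file types, and a note named 'READ_ME.txt') can be checked for when triaging a machine or a restored backup. The following Python sketch is an added example, not code from the original article or from the ransomware; the function names and the sample file tree are constructed for illustration.

```python
import os
import tempfile

# File types the article lists as targeted, plus the marker extension and note name.
TARGETED = {".aspx", ".cpp", ".csv", ".doc", ".docx", ".h", ".html", ".jpg", ".jsp",
            ".lnk", ".mdb", ".odt", ".pdf", ".php", ".png", ".ppt", ".pptx", ".psd",
            ".pst", ".rar", ".sql", ".txt", ".xls", ".xlsx", ".xml", ".zip"}
MARKER = ".locked"
NOTE_NAME = "read_me.txt"  # compared case-insensitively


def classify(filename):
    """Return 'note', 'locked', or None for a single file name."""
    lower = filename.lower()
    if lower == NOTE_NAME:
        return "note"
    if lower.endswith(MARKER):
        # The marker is appended, so the original extension sits just before it.
        inner_ext = os.path.splitext(lower[:-len(MARKER)])[1]
        if inner_ext in TARGETED:
            return "locked"
    return None


def scan(root):
    """Walk root and collect paths matching the article's indicators."""
    hits = {"note": [], "locked": [], "intact": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits[kind].append(os.path.join(dirpath, name))
            elif os.path.splitext(name.lower())[1] in TARGETED:
                hits["intact"] += 1  # targeted type that has not been renamed
    return hits


def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        for rel in ("docs/report.docx.locked", "docs/budget.xlsx.locked",
                    "docs/notes.txt", "docs/app.exe.locked", "READ_ME.txt"):
            open(os.path.join(root, rel), "w").close()
        return scan(root)


if __name__ == "__main__":
    r = demo()
    print(len(r["locked"]), "locked,", len(r["note"]), "note(s),", r["intact"], "intact")
```

A match is a lead for further investigation rather than proof of this particular Trojan, and the ratio of locked to intact files gives a rough idea of how far the encryption progressed.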
