Geminis Ransomware

By GoldSparrow in Ransomware

Malware experts spot new ransomware threats on a daily basis as the popularity of data-locking Trojans grows. One of the most recently spotted threats of this class is the Geminis Ransomware.

Propagation and Encryption

Numerous authors of ransomware threats opt to use fake emails as an infection vector for spreading data-locking Trojans. These usually consist of a bogus message and a corrupted attachment that users are urged to open on their systems. Other popular propagation methods include torrent trackers, fake application or update downloads, malvertising operations, bogus pirated copies of well-known software, etc. Many creators of file-encrypting Trojans use more than one infection vector to expand their reach. The Geminis Ransomware uses a secure encryption algorithm to lock the user’s files. It is likely to target all common file types - .doc, .docx, .jpg, .jpeg, .pdf, .png, .gif, .mp3, .mp4, .mov, .rar, .xls, .xlsx, .ppt, .pptx, etc. Once the Geminis Ransomware locks a file, it marks it by appending an additional extension to the filename - ‘.geminis3’. This means that a file you had named ‘red-soles.jpg’ will be renamed to ‘red-soles.jpg.geminis3’ upon completion of the encryption process.

What Does Geminis Do?
Like most ransomware, Geminis looks for images, documents, videos, and other important files and encrypts them with robust cryptography. Geminis also gives encrypted files a new file extension, ‘.geminis3’. This encryption makes the affected data and files inaccessible. The only way to regain access to your important files is by using the decryption tool kept by the attackers.

Geminis ransomware creates and drops a ransom note after encrypting data. This text file, called ‘README.txt’, is placed on the desktop. The note contains information about the situation and what users can do to remedy it. Victims must pay a ransom of 0.1 BTC in order to get their data back, which is approximately $914 at the time of writing.

The note signs off with a warning that trying to mess with infected files will cause the decryption key to be lost forever.
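The two host-side indicators the article gives for this threat are the appended ‘.geminis3’ extension and a ‘README.txt’ note dropped on the desktop. The following triage helper is an added example, not code from the article or from any vendor or analyst: it walks a directory tree, collects files carrying the marker extension, recovers the pre-encryption filename (useful when matching affected files against a backup set), and reports a ‘README.txt’ only where it sits beside marker files, since a bare README.txt is a weak signal on its own. The sample file tree, the `triage`/`original_name` function names and the co-occurrence heuristic are all constructed here for illustration.

```python
"""
Triage helper for a host suspected of a Geminis Ransomware infection.

Added example, not code from the original article. The only facts taken from
the article are the marker extension '.geminis3' and the ransom note name
'README.txt'; the sample tree and the heuristics below are constructed.
"""
from __future__ import annotations

import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import Path

MARKER_EXT = ".geminis3"   # extension appended to encrypted files (from the article)
NOTE_NAME = "README.txt"   # ransom note filename (from the article)


@dataclass
class TriageReport:
    encrypted: list[Path] = field(default_factory=list)       # files carrying the marker
    originals: dict[Path, str] = field(default_factory=dict)  # marker file -> original name
    ransom_notes: list[Path] = field(default_factory=list)    # README.txt next to marker files


def original_name(encrypted_name: str) -> str | None:
    """Strip the marker extension to recover the pre-encryption filename.

    Returns None when the name does not end with the marker, or when the
    marker is the whole name (nothing to recover)."""
    if encrypted_name.endswith(MARKER_EXT) and len(encrypted_name) > len(MARKER_EXT):
        return encrypted_name[: -len(MARKER_EXT)]
    return None


def triage(root: Path) -> TriageReport:
    """Walk `root`, collecting marker files and co-located ransom notes."""
    report = TriageReport()
    markers_per_dir: dict[str, int] = defaultdict(int)
    notes_per_dir: dict[str, list[Path]] = defaultdict(list)

    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            orig = original_name(name)
            if orig is not None:
                report.encrypted.append(path)
                report.originals[path] = orig
                markers_per_dir[dirpath] += 1
            elif name == NOTE_NAME:
                notes_per_dir[dirpath].append(path)

    # Heuristic (constructed): a README.txt is only flagged when the same
    # directory also holds encrypted files, to avoid flagging project readmes.
    for dirpath, notes in notes_per_dir.items():
        if markers_per_dir[dirpath] > 0:
            report.ransom_notes.extend(notes)
    return report


def build_demo_tree(base: Path) -> None:
    """Constructed sample tree: two 'encrypted' files, one untouched file,
    a note beside encrypted files and an unrelated project readme."""
    (base / "Desktop").mkdir(parents=True)
    (base / "Pictures").mkdir()
    (base / "project").mkdir()
    (base / "Pictures" / "red-soles.jpg.geminis3").write_bytes(b"\x00" * 16)
    (base / "Desktop" / "budget.xlsx.geminis3").write_bytes(b"\x00" * 16)
    (base / "Pictures" / "untouched.png").write_bytes(b"\x89PNG")
    (base / "Desktop" / NOTE_NAME).write_text("constructed stand-in for the ransom note")
    (base / "project" / NOTE_NAME).write_text("ordinary project readme, not a ransom note")


def run_demo() -> TriageReport:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return triage(base)


if __name__ == "__main__":
    r = run_demo()
    for p in r.encrypted:
        print(f"encrypted: {p.name} (original: {r.originals[p]})")
    for n in r.ransom_notes:
        print(f"ransom note: {n}")
```

Point `triage()` at a user profile or a mounted image of the affected disk; the `originals` map gives the filenames to pull from backup once the host has been cleaned, as the article advises later.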

Geminis Ransom Note

————- Geminis3’s(R) Ransominator(TM) v1.1 ————-
Your personal files have been encrypted with “military grade” encryption and that’s not a good thing (evil laughs in the bg)
In order to recover your files you MUST buy our “Gimme Ma Files Back (TM)” tool for just 0.1 BTC
————- File Recovery ————-
Since this is a demo for the MT guys the decription key is:
————- Warning ————-
Be aware that attempting to run this program again will overwrite this file thus causing decryption key to get lost

Should Victims Pay the Ransom?

It would appear that victims have no choice but to pay the ransom demand if they want to get their data back. However, security experts strongly recommend against doing that. There have been many cited examples of people not receiving the decryption tools and keys they paid for, leaving them victims of a scam as well as of data loss.

Paying the ransom will also galvanize the attackers. It will encourage them to keep infecting other people and cause even more damage in the long run. You should never trust a hacker and instead rely on data backups to restore your lost data. Don’t forget to remove the virus from your computer first, however, or you run the risk of having your backups encrypted too.

How Does Ransomware Get on Computers?

Ransomware has several potential infection vectors, just like any other kind of virus. The main techniques for spreading ransomware are spam campaigns, Trojan viruses, and illegal activation tools. Other common methods are fake software updates and untrustworthy download pages and websites.

Spam campaigns involve sending thousands of scam emails to as many people as possible. The emails have an infectious file or link attached to them. Once someone interacts with the compromised attachment, their computer is infected. The malicious file could be a document, a PDF file, an archive, an executable file, or any other kind of file. The point is that they contain code that triggers an infection when the file is activated. Trojan viruses are a kind of malware used to trigger chain infections and download other malware, such as the Zorgo ransomware.

Software pirates use illegal activation tools – also known as "cracks" – to activate pirated software. These tools also download and install malicious programs and viruses. A fake software update works on a similar principle: sometimes it exploits flaws in the application it claims to update, and sometimes it simply installs a virus instead of the update it promises.

It's possible for a person to unwittingly download malicious content through untrustworthy download resources like peer-to-peer networks, third-party websites, and unofficial free file-hosting websites.

How to Protect Against Ransomware

The first step to avoiding ransomware infection is to be more vigilant with emails. Don't open unsolicited and dubious emails, especially ones that have links and attachments. You should also avoid using illicit and unofficial download resources. Make sure to activate and update products using official tools from the developers. Third-party updates and illegal activation tools (known as cracking tools) are often used to spread malware.

Keep your device secure by installing and using antivirus software. This software often catches a virus before it can become an issue, and will help to remove viruses that make it through the cracks.
