
HC7 Planetary Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 8,526
Threat Level: 20 % (Normal)
Infected Computers: 19
First Seen: June 7, 2023
Last Seen: September 18, 2023
OS(es) Affected: Windows

New year, old tactics – less than two weeks into 2018 and all sorts of new threats without any particular innovation have already popped up. Amongst those, there's the topic of the day, the HC7 Planetary Ransomware. This is a variant of the HC7 Ransomware. Malware researchers gave it this name because of the extension it adds to an encrypted file, '.PLANETARY.'

The authors of the HC7 Planetary Ransomware have opted to skip the traditional methods used to distribute file-lockers – spam e-mails, fake downloads, exploit kits, etc. Instead, they rely on manually compromising the computer or network they've targeted, which usually happens by exploiting vulnerable Remote Desktop Protocol (RDP) software. If the attack is successful, they get the chance to execute the HC7 Planetary Ransomware and then manually erase all traces of its presence. While this attack method is inefficient in terms of automation and speed, it is certainly one of the top reasons why it is difficult to analyze the HC7 Planetary Ransomware properly. Furthermore, this nasty ransomware threat is able to infect all the systems connected to the same network and thus cause great damage.

The HC7 Planetary Ransomware will scan your PC to find the files it has been programmed to target upon infection. The list of the files that would be locked by the HC7 Planetary Ransomware is long and includes many of the popular audio, video, text and image file types. Interestingly, the HC7 Planetary Ransomware doesn't attempt to hide or remove the original extension of the files it encrypts; instead, it just adds '.PLANETARY,' which would cause a file that's named 'cats.mp4' prior to encryption to turn into 'cats.mp4.PLANETARY' after encryption.

When the HC7 Planetary Ransomware is done encrypting the targeted data, it will proceed to drop a ransom note on the desktop and in every folder that contains the affected files. The ransom note is in the shape of a text file named 'RECOVER.TXT.' The note itself serves as a guide to explain to the victim what has happened and how to pay the sum demanded by the cybercrooks. If the users have only one PC that is infected, the decryption key would cost them $700. However, if the victims' whole network were infected by the HC7 Planetary Ransomware, they'd have to pay $5000. As usual, the authors of the threat demand the sum in the shape of a cryptocurrency – Bitcoin, Ethereum or Monero. They proceed to give the addresses where the victims would have to deposit the money if the users choose to pay with Bitcoin or Monero. In case the victim wants to pay with Ethereum, the cybercrooks ask to be contacted via email first. The email address they provide is m4rk0v@tutanota.de. The attackers offer to provide proof that they are in possession of working decryption software. This is why they urge the victim to send at least one encrypted file and, in return, they'll get the decrypted version.
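The two file-system indicators described above (the appended '.PLANETARY' extension and the 'RECOVER.TXT' note dropped beside affected files) can be swept for during triage. The following Python sketch is an added example, not code from the original article; the function names, the severity labels and the sample tree of empty files are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".planetary"   # extension named on this page, matched case-insensitively
RANSOM_NOTE = "recover.txt"       # ransom note file name named on this page


def sweep(root):
    """Walk root; return {folder: {"encrypted": [(name, original_name)], "note": bool}}."""
    findings = defaultdict(lambda: {"encrypted": [], "note": False})
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX) and len(lower) > len(ENCRYPTED_SUFFIX):
                # The original extension is kept, so stripping the suffix recovers the old name.
                findings[folder]["encrypted"].append((name, name[: -len(ENCRYPTED_SUFFIX)]))
            elif lower == RANSOM_NOTE:
                findings[folder]["note"] = True
    return dict(findings)


def classify(entry):
    """Grade one folder: both indicators together are stronger than either alone."""
    if entry["encrypted"] and entry["note"]:
        return "high"      # renamed files next to the note, as the page describes
    if entry["encrypted"]:
        return "medium"    # renamed files, but the note is missing or was deleted
    return "low"           # note only (e.g. the desktop copy) or a benign file of that name


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "videos": ["cats.mp4.PLANETARY", "dogs.avi.planetary", "RECOVER.TXT"],
        "docs": ["report.docx.PLANETARY"],
        "desktop": ["recover.txt"],
        "clean": ["notes.txt", "planetary.png"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, entry in sorted(sweep(tmp).items()):
            print(classify(entry), os.path.relpath(folder, tmp), len(entry["encrypted"]))
```

Because the original file name survives inside the new one, the second element of each tuple gives the pre-encryption name, which helps when matching affected files against backups.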

At the end of the day, it's never a good idea to pay cybercrooks. Not only would your money go to fund further harmful activity, but there's also no guarantee that the crooks will hold up their end of the deal and provide you with any decryption key at all. It's advisable to seek the help of a reputable anti-malware suite to deal with a pest like the HC7 Planetary Ransomware.

URLs

HC7 Planetary Ransomware may call the following URLs:

justdating.top
