Herbst Ransomware
Threat Scorecard
| Threat Level: | 100 % (High) |
| Infected Computers: | 1 |
| First Seen: | June 7, 2016 |
| Last Seen: | June 28, 2019 |
| OS(es) Affected: | Windows |
The Herbst Ransomware is a ransomware Trojan designed to target computer users in Germany ('Herbst' is German for 'autumn'). It is designed to force computer users to pay money after encrypting their files. The ransom the Herbst Ransomware demands is significantly smaller than that of other, similar threats, but its attack is otherwise nearly identical to most mainstream ransomware Trojans currently active.
The Ransom Fee Demanded by the Herbst Ransomware
The Herbst Ransomware displays its ransom note in its own window, run from its own process, rather than dropping text or HTML files as other ransomware does. It demands payment of the ransom in Bitcoin and includes the address of a site where the victim can buy Bitcoin. The ransom demanded is 0.1 Bitcoin, approximately $53 USD at the current exchange rate. The Bitcoin address associated with the Herbst Ransomware is 18uM9JA1dZgvsgAaeeW2XZK13dTbk1jzWq.
To encrypt the victim's files, the Herbst Ransomware first prepares its encryption key. It chooses two random numbers from 0 to 99999999 as randomization seeds, inserts strings at random positions, hashes the result and uses the hash as the AES encryption key. Once the key is prepared, the Herbst Ransomware encrypts all files in the StartupPath, Desktop, MyPictures, MyMusic and Personal folders, searching for '*.*', which means every file contained in these directories is encrypted. It adds the extension '.the Herbst' to every file it encrypts.
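The folders listed above are the ones an incident responder needs to check first to scope an infection. The following triage script is an added example, not code from the original page or from the malware: it walks the user-profile folders that correspond to the .NET special-folder names the page gives (the mapping of those names to Windows profile subfolders, with Personal taken as Documents, is an assumption) and tallies files carrying the appended extension. The page writes the extension as '.the Herbst'; the script takes the extension as a parameter so it can be set to whatever string is actually observed on an affected host, and the sample profile it builds uses a constructed '.herbst' suffix.

```python
"""Added triage example (not from the original page): count files in the user
folders Herbst targets that carry its appended extension, to scope an incident.
The folder mapping below is an assumption about where the .NET special folders
StartupPath, Desktop, MyPictures, MyMusic and Personal live on a Windows profile."""
import os
import tempfile
from collections import Counter

# Assumed mapping of the .NET special-folder names named on the page to the
# subfolders of a Windows user profile (Personal is the Documents folder).
# StartupPath is the directory the executable ran from and is not a profile
# folder, so it must be supplied separately if known.
TARGET_FOLDERS = {
    "Desktop": "Desktop",
    "MyPictures": "Pictures",
    "MyMusic": "Music",
    "Personal": "Documents",
}


def profile_target_dirs(user_profile):
    """Resolve the page's folder names to directories under a user profile."""
    return [os.path.join(user_profile, sub) for sub in TARGET_FOLDERS.values()]


def scan_for_encrypted(root_dirs, ext, max_samples=5):
    """Walk each directory and tally files whose name ends in `ext`
    (case-insensitive). Returns (total, per_root_counts, sample_paths);
    roots that contain no matching files are absent from per_root_counts."""
    per_root = Counter()
    samples = []
    for root in root_dirs:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(ext.lower()):
                    per_root[root] += 1
                    if len(samples) < max_samples:
                        samples.append(os.path.join(dirpath, name))
    return sum(per_root.values()), dict(per_root), samples


def build_sample_profile():
    """Constructed sample: a throwaway profile with a mix of renamed and
    untouched files so the scan has something to report on."""
    base = tempfile.mkdtemp(prefix="herbst_triage_")
    layout = {
        "Desktop": ["notes.txt.herbst", "todo.txt"],
        "Pictures": ["a.jpg.herbst", "b.JPG.HERBST"],
        "Music": ["song.mp3"],
        "Documents": ["cv.docx.herbst"],
    }
    for sub, names in layout.items():
        folder = os.path.join(base, sub)
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "wb").close()
    return base


if __name__ == "__main__":
    profile = build_sample_profile()
    total, per_root, samples = scan_for_encrypted(profile_target_dirs(profile), ".herbst")
    print(f"{total} files carry the ransom extension")
    for root, count in sorted(per_root.items()):
        print(f"  {count:4d}  {root}")
    for path in samples:
        print(f"  sample: {path}")
```

On a real host, pass the actual profile path (for example the value of %USERPROFILE%) and append the startup directory of the dropped executable, if it is known, to the list of roots; the per-folder counts tell you how far the encryption got before the process was stopped.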
Using this key, the Herbst Ransomware encrypts the victim's files with AES-256. The Herbst Ransomware seems to be an unfinished piece of malware, chiefly because it includes several functions that are never called. For example, the 'Encrypt' function in its code, which is believed to be intended to encrypt the AES key prior to sending it to the Herbst Ransomware's Command and Control server, is never used. Fortunately, this means that it is still possible to recover the encrypted files using a decryption utility released by PC security researchers. The Herbst Ransomware also does not use its 'unlock' function to decrypt traffic from its Command and Control server and does not yet seem capable of communicating with that server effectively. Essentially, the Herbst Ransomware is unfinished: it can encrypt files and display a ransom note, but it does not send the key to its Command and Control server, verify any identifier number, or perform any decryption.
Then, Why Are the Con Artists Distributing the Herbst Ransomware?
Since PC security researchers believe that the Herbst Ransomware is unfinished, it may represent an early stage of what will soon become a ransomware campaign targeting computer users in Germany. The Herbst Ransomware may be a beta version that is still under development. Unfortunately, PC security researchers cannot learn anything about the Herbst Ransomware's Command and Control servers because this version still does not communicate with them. It is possible that this version is a test of how PC security analysts deal with these kinds of threats, or a test of some other aspect of the ransomware Trojan's attack and delivery system. PC security analysts will continue to monitor the Herbst Ransomware and any related threats aimed at German targets.
Protecting Your Computer from Threats Like the Herbst Ransomware
The best way to protect your computer from a threat like the Herbst Ransomware is to back up all files regularly. Backups allow computer users to recover from an attack by restoring the encrypted files from a copy the ransomware never touched. Using a security program that is fully up to date and following good email practices also can prevent threats like the Herbst Ransomware from entering your PC.