
Ior Ransomware

As ransomware attacks grow more sophisticated and destructive, protecting your devices from harmful threats has never been more crucial. These attacks can encrypt your data, disrupt business operations, and extort money from victims, often with no guarantee of data recovery. The recent discovery of the Ior Ransomware highlights the persistent threat that modern ransomware families pose. Understanding how the Ior Ransomware works and implementing strong security measures can significantly reduce the risk of falling victim to such attacks.

The Ior Ransomware: A New Threat in the Dharma Family

The Ior Ransomware belongs to the notorious Dharma Ransomware family, which has a reputation for targeting businesses and individuals alike. Once Ior infects a system, it quickly encrypts files and renames them using the format filename.id-[ID STRING].[attacker's email].ior. For example, 'document.pdf' would be renamed to 'document.pdf.id-9ECFA74E.[jasalivan@420blaze.it].ior,' locking the file and making it inaccessible to the user.
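The rename pattern above is the quickest way to scope an infection on a file server. The following PowerShell script is an added example, not code from the original article or from any vendor tool: it walks a share read-only, recognises names of the form name.id-[ID STRING].[email].ior, and reports the victim ID and contact address embedded in each one. The share path D:\shares and the hexadecimal ID format (taken from the sample 9ECFA74E) are assumptions.

```powershell
# Added example (not from the original article): find files renamed in the Ior/Dharma
# style  <name>.id-<ID>.[<email>].ior  and extract the ID and e-mail from each name.
# Read-only: it never renames, decrypts or deletes anything. PowerShell 5.1 or later.

function Test-IorEncryptedName {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed: the ID is hexadecimal (as in the article's sample 9ECFA74E) and the
    # attacker address sits in square brackets immediately before the .ior suffix.
    $pattern = '^(?<original>.+)\.id-(?<id>[0-9A-Fa-f]+)\.\[(?<email>[^\]]+)\]\.ior$'
    if ($Name -match $pattern) {
        [pscustomobject]@{
            EncryptedName = $Name
            OriginalName  = $Matches['original']
            VictimId      = $Matches['id']
            ContactEmail  = $Matches['email']
        }
    }
}

function Find-IorEncryptedFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.ior' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-IorEncryptedName -Name $_.Name } |
        Where-Object { $_ }   # drop nulls from .ior files that do not carry the full pattern
}

# Usage (the share path is constructed): count affected files per victim ID and address.
# More than one ID on a single share usually means more than one compromised host wrote to it.
Find-IorEncryptedFiles -Path 'D:\shares' |
    Group-Object VictimId, ContactEmail |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Feed the output to your incident record rather than acting on it automatically: a file named this way is evidence of encryption, but the original name captured in OriginalName is only reliable for restoring from backup, not for recovering the encrypted copy.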

The Ior ransomware leaves behind two types of ransom notes:

  • A pop-up window that immediately informs the victim of the attack.
  • A file named 'manual.txt,' which provides detailed instructions on how to restore the encrypted data.

These ransom notes direct the victim to contact the attackers via the provided email addresses—jasalivan@420blaze.it or ja.salivan@keemail.me—within 12 hours. The note also offers to decrypt up to three files (smaller than 3 MB) as proof that decryption is possible. However, the attackers warn against attempting to rename encrypted files or using third-party decryption tools, threatening permanent data loss or higher costs for decryption if these actions are taken.

The Attack Methods: How the Ior Ransomware Infects Systems

The Ior Ransomware is highly threatening not only because of its file encryption capabilities but also due to its aggressive approach to disabling security features and ensuring persistence. The malware:

  • Encrypts both local and network-shared files, affecting not just the infected computer but any connected storage devices or systems.
  • Disables the system firewall, making the device more vulnerable to further attacks.
  • Deletes the Shadow Volume Copies, which prevents users from recovering files using built-in Windows restore points.
  • Copies itself to the %LOCALAPPDATA% directory and registers with Windows Run keys, allowing it to restart automatically when the system reboots.

Additionally, the Ior ransomware is capable of collecting location data and excluding certain directories from encryption, suggesting a level of customization based on the attacker's strategy.
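The three host-level side effects described above (a copy under %LOCALAPPDATA% registered in a Run key, a disabled firewall, and missing Shadow Volume Copies) can each be checked with built-in cmdlets. The script below is an added example written for this page, not code from the original article; it is a read-only audit and assumes an elevated PowerShell 5.1 or later session for complete firewall and shadow-copy results.

```powershell
# Added example (not from the original article): audit a Windows host for the three
# side effects the article attributes to Ior. Nothing is changed; results are printed.

function Get-SuspiciousRunEntries {
    # Run keys consulted at logon for the current user and the machine. An entry that
    # points into %LOCALAPPDATA% is not proof of compromise, but it is exactly where
    # the article says Ior copies itself, so each one deserves a look.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $localAppData  = [Environment]::GetFolderPath('LocalApplicationData')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
            $cmd = [string]$p.Value
            if ($cmd -like "*$localAppData*" -or $cmd -match '%LOCALAPPDATA%') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Get-FirewallProfileState {
    # Ior is reported to disable the firewall; any profile showing Enabled = False needs explaining.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Get-ShadowCopyCount {
    # Win32_ShadowCopy lists existing VSS snapshots. Zero on a host that is known to
    # keep restore points matches the deletion behaviour described in the article.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

# Usage
$run = @(Get-SuspiciousRunEntries)
Write-Host "Run entries pointing into LOCALAPPDATA: $($run.Count)"
$run | Format-Table -AutoSize
Get-FirewallProfileState | Format-Table -AutoSize
Write-Host "Shadow copies present: $(Get-ShadowCopyCount)"
```

Run it from a known-good baseline first so you know which Run entries under %LOCALAPPDATA% are legitimate on your image; many updaters and chat clients install there, and the check is only useful when you can spot the newcomer.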

Infection Vectors: How the Ior Ransomware Is Delivered

Like many ransomware strains in the Dharma family, the Ior Ransomware is often delivered through vulnerable Remote Desktop Protocol (RDP) services. Cybercriminals exploit weak RDP configurations, using brute-force or dictionary attacks to crack poorly managed credentials. However, this is not the only way that Ior infects systems:

  • Corrupted email attachments or links: Phishing emails with harmful attachments or embedded links are a common delivery method for ransomware.
  • Exploited software vulnerabilities: Unpatched systems are prime targets for ransomware, as attackers can exploit known vulnerabilities in outdated software or operating systems.
  • Pirated software: Illegally downloaded software often hides malware, including ransomware, which is unknowingly executed by users.
  • Compromised websites: Users may be tricked into downloading malware through deceptive ads, fake downloads, or compromised websites.
  • Peer-to-Peer (P2P) networks and third-party downloaders: Unsafe files can easily spread through torrenting platforms or third-party download managers that lack security controls.

Best Security Practices to Defend against Ransomware

To protect yourself from Ior ransomware and other cyber threats, it's essential to follow best security practices. By being proactive and taking the right precautions, you can significantly reduce the risk of falling victim to these attacks. Here are the key steps to bolster your defense against ransomware:

  1. Regularly Back Up Your Data: Frequent backups are your strongest defense against ransomware. Ensure that all essential files are backed up to an independent storage device or cloud service that is disconnected from your main system. This way, if your data is encrypted, you can restore it without having to pay the ransom.
  2. Secure Remote Access: If you use RDP or other remote access services, make sure they are securely configured:
     • Disable RDP if it's not in use.
     • Use strong, unique passwords for accounts with remote access.
     • Enable multi-factor authentication (MFA) for added security.
     • Restrict RDP access to specific IP addresses through a firewall or VPN.
  3. Keep Systems and Software Updated: Outdated software is a frequent target for ransomware attacks. Ensure that your operating system, applications, and anti-malware software are updated with the latest security patches. Automate updates where possible to minimize the window of vulnerability.
  4. Deploy Anti-Ransomware Solutions: Invest in reputable anti-malware software that includes anti-ransomware protection. Many modern security suites can detect suspicious behavior, such as mass file encryption or unauthorized changes to system settings, and stop ransomware before it causes damage.
  5. Be Cautious with Emails: Phishing emails remain one of the most effective ways for attackers to deliver ransomware. Avoid opening unsolicited email attachments or links. Verify the legitimacy of unexpected emails, even if they appear to come from trusted sources.
  6. Use Strong, Unique Passwords: Weak passwords are a major vulnerability in ransomware attacks, particularly those involving brute-force tactics on RDP. Use strong, complex passwords and change them regularly. Consider using a password manager to store and generate unique passwords for different accounts.
  7. Disable Macros and Limit Script Execution: Many ransomware infections start through malicious macros in documents or by abusing scripting engines such as PowerShell. Disable macros by default and restrict script execution to minimize the risk of infection.
  8. Use a Firewall and Network Segmentation: A firewall can stop unauthorized access to your system, and network segmentation can reduce the spread of ransomware within an organization. By isolating critical systems and limiting network access, you can contain the damage from an attack.
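The remote-access hardening steps under "Secure Remote Access" map directly onto a few built-in settings. The script below is an added example, not part of the original article: it either turns RDP off entirely (when the service is not needed) or, when it must stay on, requires Network Level Authentication, narrows the inbound 3389 rule to an allowed source network, and enables account lockout so password guessing is slowed. The management subnet 10.0.10.0/24, the rule name, and the lockout values are assumptions to adapt; MFA is enforced by your identity provider or RD Gateway, not by a local setting, so it is noted but not configured here. Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original article): apply the article's RDP hardening steps.
# Usage:  .\Harden-Rdp.ps1                       # keep RDP on, but restrict and harden it
#         .\Harden-Rdp.ps1 -DisableRdp           # RDP is not needed: turn it off
param(
    [switch]$DisableRdp,                           # step 1: disable RDP when not in use
    [string[]]$AllowedSources = @('10.0.10.0/24')  # step 4: assumed management subnet
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if ($DisableRdp) {
    # fDenyTSConnections = 1 refuses all incoming Remote Desktop sessions.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled and its inbound firewall rule group turned off.'
    return
}

# Require Network Level Authentication: credentials are verified before a session is
# created, which removes the unauthenticated logon screen brute-force tools rely on.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# Replace the default "any source" Remote Desktop rules with one scoped to $AllowedSources.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
$ruleName = 'RDP - restricted sources (hardening example)'   # assumed name
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Domain, Private | Out-Null

# Step 2 support: lock accounts after repeated failed logons (5 failures, 15 minutes; assumed values).
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# Step 3 (MFA) lives in your identity provider or RD Gateway; verify the local settings here.
Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
```

Where a VPN fronts RDP, put the VPN's internal address range in AllowedSources and leave 3389 closed to everything else; the firewall rule then matches the article's advice to reach RDP only through the VPN.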

Conclusion: Stay Informed and Prepared

The Ior ransomware, like other members of the Dharma family, poses a serious threat to individuals and organizations alike. Its ability to encrypt data, disable security features, and propagate through compromised networks makes it a formidable adversary. However, by adopting the best practices outlined above—regular backups, software updates, robust remote access controls, and strong passwords—you can strengthen your defenses and minimize the impact of a ransomware attack. The key to staying safe is proactive vigilance and a commitment to cybersecurity best practices.

The ransom note that is shown by the Ior Ransomware as a pop-up window:

'All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: jasalivan@420blaze.it YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:ja.salivan@keemail.me
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

Message from the attackers delivered as a text file:

'You want to return?

write email jasalivan@420blaze.it or ja.salivan@keemail.me'
