KillSwitch Ransomware
Threat Scorecard
Threat Level: 100% (High)
Infected Computers: 34
First Seen: June 2, 2017
Last Seen: April 25, 2021
OS(es) Affected: Windows
The KillSwitch Ransomware is an encryption ransomware Trojan that uses AES encryption to make the victims' files inaccessible. However, it is clear to malware researchers that the KillSwitch Ransomware is still under development. The KillSwitch Ransomware was first observed on an online anti-virus scanner. Con artists frequently submit a threat that is under development to such scanners as a convenient way of testing whether it can bypass anti-malware measures. Monitoring these sources allows PC security researchers to catch threats like the KillSwitch Ransomware before they can become widespread.
This Kill Switch is not Activated Yet
The main reason to believe that the KillSwitch Ransomware is still under development is that it includes neither the capability to decrypt the affected data nor instructions on how to carry out a payment. Rather than carrying out a full ransomware attack (where the victim's files are encrypted and a ransom payment is then demanded), the KillSwitch Ransomware limits its encryption attack to a single test folder, found at the path C:\Users\%USERPROFILE%\Documents\test\. This means that a KillSwitch Ransomware infection in its current state will not encrypt any of the victim's data. For the people responsible for this attack, changing the path so that it targets the entirety of the victim's drives is a trivial change, meaning that the KillSwitch Ransomware could easily be updated to encrypt the entirety of the victim's files.
After encrypting the victim's files, the KillSwitch Ransomware is designed to add the file extension '.switch' to the end of each file's name. In its current state, the KillSwitch Ransomware will only encrypt a small number of file types, which include the following:
.crt, .csr, .csv, .doc, .key, .odt, .ott, .pdf, .pern, .ppt, .rtf, .stw, .sxw, .txt, .uot, .xls, .xml.
As with the path to the encrypted files, expanding the file types targeted in the KillSwitch Ransomware attack is also a trivial change that would only require a slight alteration to the KillSwitch Ransomware's code.
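The '.switch' marker and the file-type list described above are enough for a simple triage check after a suspected infection. The following is an added example, not code from the original page or from EnigmaSoft: the 7.0 bits-per-byte entropy threshold, the function names and the sample files are assumptions made for illustration, and the sample "encrypted" file is random data constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types this page lists for the current build (spelled as printed there).
TARGETED = {".crt", ".csr", ".csv", ".doc", ".key", ".odt", ".ott", ".pdf",
            ".pern", ".ppt", ".rtf", ".stw", ".sxw", ".txt", ".uot", ".xls", ".xml"}
MARKER = ".switch"          # extension appended after encryption, per the page
ENTROPY_THRESHOLD = 7.0     # assumption: bits per byte above which data looks encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for ciphertext or random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def triage(root):
    """Report every file under root whose name ends in the .switch marker."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != MARKER:
            continue
        original_ext = Path(path.stem).suffix.lower()   # "a.txt.switch" -> ".txt"
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(65536))    # first 64 KiB is enough
        findings.append({
            "path": str(path),
            "listed_type": original_ext in TARGETED,
            "entropy": round(entropy, 2),
            "looks_encrypted": entropy >= ENTROPY_THRESHOLD,
        })
    return findings

def build_sample_tree(root):
    # Constructed sample data: random bytes stand in for AES output.
    root = Path(root)
    (root / "report.txt.switch").write_bytes(os.urandom(4096))
    (root / "notes.txt").write_bytes(b"plain text " * 400)
    # Unrelated file that merely happens to use the same suffix.
    (root / "network.switch").write_bytes(b"hostname core-sw1\n" * 200)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage(build_sample_tree(tmp)):
            print(finding)
```

Checking both the original extension and the entropy keeps an unrelated file that only shares the '.switch' suffix from being reported as encrypted.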
How the KillSwitch Ransomware Demands a Ransom Payment from Its Victims
The KillSwitch Ransomware ransom notification takes the form of a program window with the name '{} KillSwitch.' This program window delivers a ransom message, informing the victim of the infection (but failing to ask for a ransom payment). The following is the full text of the message contained in the KillSwitch Ransomware ransom note:
'ATTENTION!
Your files has been encrypted by KillSwitch
KillSwitch is a new kind of cryptography malware, unlike the most of other ones utilizing encryption like ransomware...
All of your files are encrypted with AES-256 ciphers. Unlocking of your files is not possible because KillSwitch generates unique one-way encryption keys without keys used to decrypt.
Your only option would be to attempt to break the encryption, but this is very hard since AES256 is a strong cipher algorithm.'
Protecting Your Data from Threats Like the KillSwitch Ransomware
Although the KillSwitch Ransomware is in an unfinished state, it could easily be updated to carry out more effective attacks against various victims. The real danger of threats like the KillSwitch Ransomware is that even after the threat infection has been removed, the victim's files will remain encrypted and inaccessible. Because of this, the best protection against the KillSwitch Ransomware and similar encryption Trojans is the use of a reliable backup method. Backup copies of all files stored in a safe place are the best way to prevent these infections, allowing computer users to recover their files after an attack without having to pay any ransom. Having file backups is such an effective protection against the KillSwitch Ransomware and similar threats that if enough computer users do it, these infections will quickly become obsolete.