
LIZARD Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 12
First Seen: July 24, 2009
Last Seen: April 19, 2021
OS(es) Affected: Windows

The LIZARD Ransomware is a file-locking Trojan that's an update of the old LANDSLIDE Ransomware. The LIZARD Ransomware continues attacking the user's files by encrypting formats likely to be worth a ransom, such as documents, and creates text terminal-themed pop-up alerts. Refusing to pay the ransom and restoring from safe backups is the recommended course for most users, and most Windows cyber-security products should delete the LIZARD Ransomware appropriately.

Servers Contaminated by Skittering Software

After the recent unveiling of a LANDSLIDE Ransomware clone, the SUMMON Ransomware, it ought to surprise no one that another variant is in the threat landscape. The LIZARD Ransomware is a confirmed member of the now-apparent family, which uses typical encryption attacks for sabotaging victims' data. The most-identifying element, a text-based pop-up, remains a defining feature in the LIZARD Ransomware's payload.

The LIZARD Ransomware blocks users' media files (documents, spreadsheets, pictures, and other content) with a secure encryption routine for which no free unlocking application exists. The Trojan also makes extensive changes to the files' names that help victims identify the non-opening content: it adds a Yandex e-mail address, an ID and a 'LIZARD' extension. Notably, the LIZARD Ransomware's e-mail uses a Russian domain, which, more likely than not, continues the LANDSLIDE Ransomware's theme of targeting Russian users.

Although many file-locking Trojans use HTA-based pop-up windows, the style in favor here is memorable. Its pop-up uses red, green, and white text in a format similar to that of a pure text terminal UI and includes programming-like parentheses warnings. The message is mostly identical to that of previous LANDSLIDE Ransomware samples and retains a reference to Russian currency in its unlocker-selling offer.

Since criminals can take their payment without bothering with unlocking the victim's files, malware experts recommend against paying the Bitcoin ransom, if possible.

Another Reptile that can Go Extinct with the File-Ransoming Industry

Servers under attack by file-locking Trojans usually owe their infections to careless administrators. Software vulnerabilities in infrastructure like WordPress play significant roles in helping attackers hack into servers and run their Trojans manually. Besides patching software, admins also should look to their passwords and make sure that the credentials aren't so simple or common that a brute-force attack could 'guess' them.

There isn't free decryption or unlocking software for LANDSLIDE Ransomware. This unfortunate limitation applies just as well to variants like the LIZARD Ransomware and, possibly, SUMMON Ransomware. Windows users should protect their work by saving backups to areas that Trojans can't target, such as cloud services or detachable USB drives. Doing so eliminates any leverage from the LIZARD Ransomware attacks and lets victims focus on disinfection.

The only significant stealth feature that malware experts discern in this Trojan, so far, is UPX packing. This protection is inadequate against most PC security products, which remain preferable for deleting the LIZARD Ransomware and stopping installation exploits.

The LIZARD Ransomware may scurry into files without permission, but users enable it through poor perimeter security. Safety standards and data preservation habits come in handy against all file-locking Trojans, whether they're rip-offs of old ones or newfound threats.


4 security vendors flagged this file as malicious.

Anti-Virus Software    Detection
McAfee-GW-Edition      Trojan.Clicker.Delf.CT
Ikarus                 Trojan-Clicker.Delf.CT
AntiVir                TR/Clicker.Delf.CT
a-squared              Trojan-Clicker.Delf.CT!IK

File System Details

LIZARD Ransomware may create the following file(s):
#   File Name       MD5                               Detections
1.  diskperff.dll   0be52be18a8508b65f33e704b3e63242  0
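
A triage sweep built from the indicators this page lists (the 'LIZARD' extension on locked files, the diskperff.dll MD5, and UPX packing), given as an added example that is not code from the original page. The function names are hypothetical, and two matching rules are assumptions: that 'LIZARD' is the final file extension, and that the packer left its default section names beginning with "UPX".

```python
import hashlib
import os
import struct

# Indicators taken from this page; the matching rules are assumptions.
KNOWN_MD5 = {"0be52be18a8508b65f33e704b3e63242": "diskperff.dll"}
LOCKED_SUFFIX = ".lizard"  # assumed to be the final extension, any case


def upx_sections(data):
    """Return PE section names that start with 'UPX' (empty if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break  # truncated section table
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        if name.upper().startswith("UPX"):
            names.append(name)
    return names


def triage(root):
    """Walk root and report locked files, known-hash hits and UPX-packed PEs."""
    report = {"locked": [], "known_hash": [], "upx_packed": []}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            if fname.lower().endswith(LOCKED_SUFFIX):
                report["locked"].append(path)
                continue  # encrypted user data, nothing more to inspect
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if hashlib.md5(data).hexdigest() in KNOWN_MD5:
                report["known_hash"].append(path)
            if upx_sections(data):
                report["upx_packed"].append(path)
    return report
```

UPX is also used by legitimate software, so an "upx_packed" hit is a lead for review, not a verdict; the hash match and the locked-file count are the stronger signals.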
