
LordOfShadow Ransomware

The LordOfShadow Ransomware is an encryption ransomware Trojan that was released on October 20, 2017. The LordOfShadow Ransomware is one of the countless variants of HiddenTear, an open source ransomware engine that was released in August of 2015. Since the initial release of HiddenTear, countless ransomware variants have been released based on its code. This is because HiddenTear is easy for con artists to obtain and the attack it carries out is highly effective. Typically, the crooks will customize HiddenTear to suit their own purposes, and this is the case with the LordOfShadow Ransomware. The attack used by the LordOfShadow Ransomware is nearly identical to most other HiddenTear variants, differing in its own Command and Control servers, some different obfuscation options, and the use of a specific ransom note and specific strings in its attacks. The LordOfShadow Ransomware seems to be designed to target computer users in Portuguese-speaking locations, primarily victims located in Brazil, which in the last few decades has become an important target for developers of ransomware Trojans and banking Trojans in particular.

How a LordOfShadow Ransomware Infection Affects Your Files

The LordOfShadow Ransomware is nearly identical to many other HiddenTear variants that are being used to target computer users today. The LordOfShadow Ransomware will encrypt a wide variety of file types, which can include media files and various documents, as well as databases, configuration files and numerous other file types. The main purpose of the LordOfShadow Ransomware and similar threats is to encrypt as much of the victim's data as possible without stopping Windows from functioning, since a non-functioning Windows would mean that the victim could not see the ransom note or pay the ransom. To do this, the LordOfShadow Ransomware targets user-generated files while avoiding the Windows system folder and system files. The following are examples of the file types that may be encrypted in attacks similar to the LordOfShadow Ransomware:

.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg, .part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip.

The LordOfShadow Ransomware marks the files it encrypts with the file extension '.lordofshadow,' which is appended to each affected file's name. The LordOfShadow Ransomware uses a combination of AES and RSA encryption to put the victim's files out of reach. Once the LordOfShadow Ransomware has encrypted the files, they can no longer be accessed.

How the LordOfShadow Ransomware Demands Its Ransom Payment

After the LordOfShadow Ransomware encrypts the victim's files, the LordOfShadow Ransomware displays a ransom note in the form of a text file named 'LEIA_ME.txt' (Portuguese for 'Read Me'), which is dropped on the infected computer's desktop. The text contained in the LordOfShadow Ransomware's ransom note reads:

'Seus arquivos foram Sequestrados!
Entre em contato para recuperar seus arquivos
lordashadow@gmail.com'

The above message, translated into English, reads as follows:

'Your files have been hijacked!
Contact us to recover your files
lordashadow@gmail.com'
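The two artifacts described above, the '.lordofshadow' marker appended to encrypted files and the 'LEIA_ME.txt' note dropped on the desktop, are what a responder would look for first. The following triage script is an added example written for this entry; it is not code from the threat or from any vendor tool. It walks a directory tree, lists marked files, recovers each file's original extension and compares it against the extension list given above, locates copies of the ransom note, and flags any marked file inside a system directory (which the write-up says the Trojan avoids). All file names, paths and contents it creates are constructed sample data; the subset of targeted extensions and the system directory names are assumptions for the demonstration.

```python
"""Triage helper for a LordOfShadow-style infection (added example, not the
threat's own code). Walks a directory tree and reports the two artifacts the
write-up describes: files renamed with the '.lordofshadow' marker and the
'LEIA_ME.txt' ransom note. Sample paths, names and contents are constructed."""

import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker appended to encrypted files and the ransom note name, as described above.
MARKER_EXT = ".lordofshadow"
RANSOM_NOTE_NAME = "LEIA_ME.txt"

# Subset (assumption) of the extensions listed as typical targets of HiddenTear
# variants; used to recover and classify the original type of a marked file.
TARGETED_EXTS = {
    ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png", ".sql", ".zip",
    ".txt", ".mp3", ".mp4", ".cfg", ".csv",
}

# Directory names (assumption) the Trojan is described as leaving alone; marked
# files found here contradict the expected behaviour and deserve a closer look.
SYSTEM_DIRS = {"windows", "program files", "program files (x86)"}


def original_name(marked_name: str) -> str:
    """Strip the '.lordofshadow' marker to recover the pre-encryption filename."""
    if marked_name.lower().endswith(MARKER_EXT):
        return marked_name[: -len(MARKER_EXT)]
    return marked_name


def triage(root) -> dict:
    """Walk `root` and collect indicators of a LordOfShadow-style infection."""
    root = Path(root)
    encrypted = []   # files carrying the marker extension
    notes = []       # copies of the ransom note
    unexpected = []  # marked files inside system-like directories
    ext_counter = Counter()

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            if name == RANSOM_NOTE_NAME:
                notes.append(rel)
            elif name.lower().endswith(MARKER_EXT):
                encrypted.append(rel)
                ext_counter[os.path.splitext(original_name(name))[1].lower()] += 1
                if {p.lower() for p in rel.parts} & SYSTEM_DIRS:
                    unexpected.append(rel)

    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(p.as_posix() for p in encrypted),
        "by_original_ext": dict(ext_counter),
        "untargeted_exts": sorted(e for e in ext_counter if e not in TARGETED_EXTS),
        "ransom_notes": sorted(p.as_posix() for p in notes),
        "unexpected_system_hits": sorted(p.as_posix() for p in unexpected),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_tree() -> str:
    """Create a constructed directory layout mimicking a post-infection profile."""
    root = tempfile.mkdtemp(prefix="lordofshadow_triage_")
    layout = {  # constructed sample files; the ciphertext placeholders are not real
        "Desktop/LEIA_ME.txt": "Seus arquivos foram Sequestrados!\n",
        "Documents/relatorio.docx.lordofshadow": "<ciphertext>",
        "Documents/fotos/praia.jpg.lordofshadow": "<ciphertext>",
        "Documents/backup.sql.lordofshadow": "<ciphertext>",
        "Documents/notas.txt": "untouched file",
        "Windows/System32/kernel32.dll": "untouched system file",
    }
    for rel, content in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The report's 'by_original_ext' and 'untargeted_exts' fields give a quick sense of what the infection touched and whether it behaved like the documented variant; the 'unexpected_system_hits' field is the check that separates a typical HiddenTear run from something that also hit system files and may need a different recovery plan.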

Responding to a LordOfShadow Ransomware Infection

Computer users who avoid contacting the people at the provided email address are doing the right thing; those who do make contact will be asked to pay a large ransom in exchange for the decryption key. Instead, computer users should take steps to ensure that their data is protected from these attacks in the first place. Keeping backups in a safe location can ensure that you are well protected, since in the event of an attack the affected files can be restored from the backup copy.
