The Lucifer Ransomware is a file-locking Trojan that encrypts users' media files, such as documents, so that they can't be opened, and displays text and Web page ransom notes. Windows users at risk from its attacks should back their files up to other devices, so that recovery doesn't depend on 'unlocking' or decrypting them. For disinfection, effective security products should delete the Lucifer Ransomware without much issue.
A Fallen Angel Arises from Hell in Code Form
Although its genealogy is uncertain, malware experts confirm a new file-locking Trojan whose extortion scheme resembles that of older threats of the same type. The Lucifer Ransomware, unrelated to the Lucifer Malware (a DDoS worm) or the Lucifer Trojan (a Latin American banking Trojan), uses encryption as its main means of forcing victims into paying a ransom. It also includes components that reference the Anonymous hacktivist collective, apparently as a fear-mongering tactic.
The Lucifer Ransomware is, like many file-locker Trojans, Windows-only. Its encryption feature targets media such as PDF, TXT and DOC documents, JPG or BMP pictures, MP3 music and similar content. After encrypting each file so that it can't be opened, the Lucifer Ransomware appends a compound extension made up of a random-character ID and the 'lucifer' tag, an apparent reference to the Devil of Judeo-Christian theology.
Malware experts also point to some of its components downloading from Anonymous hacker-activist domains, suggesting that this is a deliberate theme for the payload. The Trojan's unlocking or decryption offer is unremarkable except for requesting Telegram-based communication, in the vein of the P4YME Screenlocker or some versions of the Black Claw Ransomware (as recent examples). Malware experts advise against paying: there's no way of knowing whether the threat actor's offer is sincere, and the text of the instructions is copy-pasted from previous Trojans' campaigns.
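The naming scheme above (original name, then a random ID segment, then the 'lucifer' tag) is what a responder has to go on when triaging a machine. The scanner below is an added example and not code from the article or from the threat itself; it assumes the renamed files look like `name.ext.<ID>.lucifer` with an alphanumeric ID, since the write-up does not give the exact format, and it assumes a 4 KB header sample and a 7.0 bits/byte entropy threshold as reasonable cut-offs. It lists matching files, collects the victim IDs seen, and separates files whose contents are genuinely scrambled from ones that were only renamed (a header check catches a decoy or a file the Trojan failed to encrypt). The sample directory it builds is constructed for the demonstration.

```python
"""Triage scanner for Lucifer Ransomware-style file renames (added example)."""
import math
import os
import re
import tempfile
from collections import Counter

# ASSUMPTION: encrypted files are named <stem>.<random alphanumeric ID>.lucifer.
# The ID alphabet and 4-32 character length are guesses, not from the article.
LUCIFER_NAME = re.compile(r"^(?P<stem>.+)\.(?P<id>[A-Za-z0-9]{4,32})\.lucifer$")

# Magic bytes of the document/media types the article says are targeted.
MAGIC = {
    "pdf": b"%PDF",
    "jpg": b"\xff\xd8\xff",
    "bmp": b"BM",
    "mp3": b"ID3",
    "doc": b"\xd0\xcf\x11\xe0",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8, plain text sits far lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, sample_size: int = 4096, threshold: float = 7.0) -> bool:
    """True if the header is neither a known media magic nor low-entropy content."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(m) for m in MAGIC.values()):
        return False
    return shannon_entropy(head) >= threshold


def scan(root: str) -> dict:
    """Walk `root`, match the Lucifer naming pattern, and classify each hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            m = LUCIFER_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            hits.append({
                "path": path,
                "original": m.group("stem"),   # name before the Trojan renamed it
                "id": m.group("id"),           # per-victim ID embedded in the extension
                "encrypted": looks_encrypted(path),
            })
    return {
        "count": len(hits),
        "ids": sorted({h["id"] for h in hits}),
        "encrypted": sorted(h["original"] for h in hits if h["encrypted"]),
        "renamed_only": sorted(h["original"] for h in hits if not h["encrypted"]),
    }


def build_sample_dir() -> str:
    """Constructed sample data: one scrambled document, one file that was only
    renamed (JPEG header intact), and one untouched text file."""
    root = tempfile.mkdtemp(prefix="lucifer_demo_")
    with open(os.path.join(root, "invoice.pdf.Ab12Cd34.lucifer"), "wb") as fh:
        fh.write(os.urandom(4096))                       # stands in for ciphertext
    with open(os.path.join(root, "photo.jpg.Ab12Cd34.lucifer"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)   # renamed, not encrypted
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, untouched\n" * 50)
    return root


if __name__ == "__main__":
    print(scan(build_sample_dir()))
```

Run it against a real volume by passing the drive root to `scan()`. The ID list is worth recording for the incident log, since the Trojan's ransom note ties the payment demand to that ID; the entropy check is a heuristic, so treat a low-entropy match as "inspect by hand" rather than "safe".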
Casting Demons Out of a Hard Drive
While verification of the Lucifer Ransomware's full origins awaits, malware researchers indicate that this threat has the traditional limitations and weaknesses of its classification. The Trojan extorts money from victims by depriving them of their files, but it can't block or delete content on other devices, which are ideal for backup purposes. There is also no indication that the Lucifer Ransomware deletes Restore Points, although depending on that recovery option alone is unwise: System Restore doesn't cover user documents, and many file-lockers erase shadow copies as a matter of course.
Users also can protect themselves by scanning downloads with appropriate security services, identifying threats like the Lucifer Ransomware before they can attack. Possible infection sources include disguised e-mail attachments like fake invoices, mislabeled 'freeware' such as torrents, and counterfeit updates from unofficial websites. Admins also should be attentive to password strength, since brute-forced remote-access credentials are a common entry point for file-lockers, and to the updates available for their server software.
A robust anti-malware product should delete the Lucifer Ransomware without much trouble once it's identified. The Trojan includes no exceptional code obfuscation or features for terminating security software.
If its boasts of AES and RSA encryption are accurate, the Lucifer Ransomware's file-locking function is likely immune to a reverse-engineered decryptor: in the usual hybrid arrangement, each file's AES key is itself encrypted with an RSA public key whose private half stays with the attacker, so the key can't be recovered from the Trojan alone. All the more reason for Windows users never to treat their files lightly and to take as good care of them as of any other possession.