
Math Ransomware

By GoldSparrow in Ransomware

The Math Ransomware is a newly spotted data-encrypting Trojan that targets users at random. Once it infects a PC, this nasty Trojan locks all the data present on the system. Ransomware is among the most damaging kinds of malware a user can face.

Propagation and Encryption

There are many popular propagation methods used by authors of ransomware threats, so it is difficult to pinpoint which infection vector the creators of the Math Ransomware are utilizing. Some creators of ransomware threats use various distribution techniques: mass spam email campaigns, fake application updates and downloads, malvertising, torrent trackers, etc.

Most ransomware threats are designed to target as many file types as possible to cause maximum damage to the targeted system. The more files a ransomware threat encrypts, the more likely it is that the victim will consider paying the fee demanded by the attackers. Upon compromising the user's system, the Math Ransomware scans the files present and triggers the encryption process, during which it uses an encryption algorithm to lock the targeted files. When the encryption process is completed, users are likely to notice that their files have been renamed: the authors of the Math Ransomware have opted to append '.math' as an extension to all the locked files. For example, a file previously named 'green-speaker.png' will be renamed to 'green-speaker.png.math'.

What Does Math Ransomware Do?

As mentioned above, Math ransomware infects computers and encrypts data and files. Once the infection is complete, the ransomware then displays a pop-up screen on the desktop. The text on the screen comprises the ransom note. It’s written in Italian, but when translated, it appears to inform victims of the encryption. The ransom note demands that users send 0.4 bitcoin to the hackers to receive a decryption key to get their data back.

The hackers claim to be able to delete data remotely in the event of non-payment. To prove this and create a sense of urgency, the attackers threaten to delete some files within 24 hours. The threats escalate, with warnings that hundreds of files will be lost on the second day and thousands on the third: the longer a victim goes without paying, the more data the hackers will delete.

The Ransom Note

Instead of dropping the ransom note in the shape of a document file, as the majority of ransomware threats do, the Math Ransomware spawns the attackers' message in a new window. The attackers use the image of the Anonymous group on a red background, while the text appears in green, gradually, on a black background. The creators of the Math Ransomware have also added a countdown, a classic social engineering trick designed to pressure users into complying with the attackers' demands. The note is written in Italian, so it is likely that the attackers are mainly targeting Italian users. The attackers demand 0.04 Bitcoin (approximately $250 at the time of typing this post) in exchange for the decryption key. The attackers claim that unless the victims pay up, they will be deleting files every hour. Furthermore, according to the attackers, users who try to reboot their system or close the ransom message window will have 1000 of their files deleted permanently as a punishment. The authors of the Math Ransomware do not provide an email address or any other means of reaching them.

The ransom note, translated from the Italian, reads as follows:

Good morning, I want to play a game with you, let me explain
Your files are about to be deleted: photos, videos, documents, etc...
But don't worry, it will only happen if the payment does not go through
In any case, I have already encrypted them so that you cannot access them
Every hour I will select some of them to delete permanently
And not even I will be able to access them anymore.
Are you familiar with the concept of exponential growth? Let me explain
I will start slowly and then delete them quickly
During the first 24 hours you will lose a few,
on the second day a few hundred, on the third a few thousand, and so on
If you turn off the computer or try to close me, I will come back
And I will delete 1000 files as punishment.
Yes, you understood correctly, I will come back; honestly, I am the only one
who is able to decrypt your files for you
Now, let's have fun together with this game
1 files will be deleted.
View the list of encrypted files
Please, send at least 0,04 worth of Bitcoin here:
32CCbV3wMs4kRo8vZ9GuusgzZh4D5GdkUo
I have made the payment, now give me back my files!

Can I Get My Data Back?

In general, it isn't possible to get data back without the assistance of the malware developers. It is possible, however, that the ransomware wasn't developed properly. In that case, security researchers may be able to exploit flaws in the program and create a free decryption tool. Check whether a decryption tool is available for the strain infecting your computer.

Even if you do pay the ransom, which is not recommended, there’s no guarantee that the hackers will hand over the decryption tool. Also, if they give you the tool, there’s no guarantee it will work. The only way to securely restore your data is through the use of a complete backup. Never communicate with the cybercriminals. You don’t want to be the victim of a scam, as well as the victim of ransomware.

The ransomware looks for files it can encrypt by searching for specific file extensions. The virus primarily targets productivity documents like Word documents and PDF files. Entertainment files such as photos and videos are also encrypted. The following is a list of the file extensions Math ransomware looks for:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
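As an added triage example (not code from this report, and not the ransomware's own code), the following Python script parses the extension list above, normalises the one entry that lacks a leading dot, and classifies a constructed directory listing: which files carry the '.math' marker, what their original extensions were, which encrypted files fall outside the published list (a hint that the sample or the list is incomplete), and which untouched files would be targets. The file names in the listing are constructed for illustration.

```python
from collections import Counter

# Extension list as published on this page (the bare 'wallet' entry is
# normalised to '.wallet' by parse_extensions).
TARGETED_RAW = """
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum,
.ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn,
.sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho,
.cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu,
.layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor,
.psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2,
.mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi,
.litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk,
.rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css,
.rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw,
.pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc,
.dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai,
.eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb,
.mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc,
.odb, .odc, .odm, .odp, .ods, .odt
"""

MARKER = ".math"  # extension the ransomware appends, per the report


def parse_extensions(raw: str) -> frozenset:
    """Turn the comma-separated list into lower-case extensions with a leading dot."""
    exts = set()
    for token in raw.replace("\n", " ").split(","):
        token = token.strip().lower()
        if not token:
            continue
        if not token.startswith("."):
            token = "." + token
        exts.add(token)
    return frozenset(exts)


TARGETED = parse_extensions(TARGETED_RAW)


def original_name(name: str):
    """Pre-encryption file name if `name` carries the marker, otherwise None."""
    if name.lower().endswith(MARKER) and len(name) > len(MARKER):
        return name[: -len(MARKER)]
    return None


def extension_of(name: str) -> str:
    """Last extension of a path (Windows or POSIX separators), lower-cased; '' if none."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base[1:]:  # a leading dot alone (dotfile) is not an extension
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def triage(names):
    """Classify file names from a suspect host.

    encrypted: {marked name: original name}
    by_ext:    Counter of original extensions among encrypted files
    unlisted:  original names whose extension is NOT in the published list
    at_risk:   untouched files whose extension IS in the published list
    """
    encrypted, unlisted, at_risk = {}, [], []
    by_ext = Counter()
    for name in names:
        orig = original_name(name)
        if orig is not None:
            encrypted[name] = orig
            ext = extension_of(orig)
            by_ext[ext] += 1
            if ext not in TARGETED:
                unlisted.append(orig)
        elif extension_of(name) in TARGETED:
            at_risk.append(name)
    return {"encrypted": encrypted, "by_ext": by_ext,
            "unlisted": unlisted, "at_risk": at_risk}


# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\green-speaker.png.math",
    r"C:\Users\alice\Documents\budget.xlsx.math",
    r"C:\Users\alice\Documents\notes.md.math",   # .md is not in the published list
    r"C:\Users\alice\Documents\report.docx",       # not yet touched, but a target
    r"C:\Windows\System32\kernel32.dll",           # not a target
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted, {len(result['at_risk'])} at risk, "
          f"{len(result['unlisted'])} encrypted with unlisted extensions")
    for ext, n in result["by_ext"].most_common():
        print(f"  {ext or '(none)'}: {n}")
```

Feeding the script a real listing (for example, the output of a recursive directory walk on an imaged drive) gives a quick count of what was hit and which remaining files should be backed up first before any cleanup is attempted.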

Math ransomware encrypts files and applies the ".math" file extension before creating a ransom note. The ransom note, called Unnamed.txt, is placed in infected folders and on the desktop of the computer.

The last thing the virus does is delete all of the Shadow Volume Copies it can find. Windows uses these copies to restore earlier versions of lost and deleted files, so removing them prevents users from restoring their data that way.

How Does Math Ransomware Infect Computers?

Math ransomware spreads mostly through spam emails. The emails contain an attachment that exploits vulnerabilities in installed software and Windows operating systems. The ransomware targets all versions of Windows from Windows 7 to Windows 10.

Cybercriminals behind Math ransomware send out spam emails with false header information. The information on the email tricks readers into thinking it comes from a delivery company such as FedEx. The email says that the company failed to deliver a package, and you need to open the attachment to find out more and reschedule the delivery. Once you open the attached file or click the included link, the ransomware infects your computer.

Math ransomware has also been seen attacking victims through exposed Remote Desktop Protocol (RDP) services. Attackers look for systems with RDP (TCP port 3389) reachable from the internet and break in by brute-forcing the password.
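As an added detection example serving both the shadow copy deletion described earlier and the RDP brute-forcing described here (not code from this report or from any product), the following Python runs two checks over constructed event records shaped like Sysmon process-creation events and Windows Security logon-failure events (event 4625, logon type 10 for RDP): a command-line match for the usual shadow copy removal tooling, and a sliding-window count of failed RDP logons per source address. The command lines, timestamps and IP addresses are constructed samples; the patterns reflect common administrative tooling and are an assumption, not command lines observed from the Math Ransomware itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the usual ways shadow copies are removed.
# Generic detection patterns (assumed tooling), not observed Math Ransomware command lines.
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def shadow_copy_deletions(events):
    """Return process-creation events whose command line removes shadow copies."""
    return [ev for ev in events
            if ev.get("event") == "process_create"
            and any(p.search(ev.get("cmdline", "")) for p in SHADOW_COPY_PATTERNS)]


def rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Map source IP -> largest number of failed RDP logons (event 4625,
    logon type 10) seen inside any `window`, for IPs at or above `threshold`."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon_failure" and ev.get("logon_type") == 10:
            failures[ev["src_ip"]].append(ev["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


T0 = datetime(2020, 1, 1, 9, 0, 0)  # constructed base timestamp


def _failures(ip, count, spacing_s):
    """Constructed 4625 / logon type 10 records from one source, evenly spaced."""
    return [{"event": "logon_failure", "logon_type": 10, "src_ip": ip,
             "time": T0 + timedelta(seconds=i * spacing_s)} for i in range(count)]


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = (
    [
        {"event": "process_create", "time": T0,
         "image": r"C:\Windows\System32\svchost.exe",
         "cmdline": "svchost.exe -k netsvcs"},
        {"event": "process_create", "time": T0 + timedelta(minutes=2),
         "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"event": "process_create", "time": T0 + timedelta(minutes=2, seconds=1),
         "image": r"C:\Windows\System32\wbem\WMIC.exe",
         "cmdline": "wmic shadowcopy delete"},
        {"event": "process_create", "time": T0 + timedelta(minutes=3),
         "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin list shadows"},  # benign admin query, must not match
    ]
    + _failures("203.0.113.7", 40, 3)    # 40 failures in two minutes: brute force
    + _failures("198.51.100.2", 3, 60)   # a user mistyping a password a few times
)

if __name__ == "__main__":
    for ev in shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"[shadow copies] {ev['time']:%H:%M:%S} {ev['image']} :: {ev['cmdline']}")
    for ip, n in rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"[rdp brute force] {ip}: {n} failed logons within 5 minutes")
```

The shadow copy check is worth alerting on its own: a non-administrative process spawning this tooling from a user's temp directory, as in the sample, is rarely legitimate. The RDP check is a rate-based rule, so the threshold and window should be tuned to the environment, and the cheaper fix is to keep port 3389 off the internet entirely.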

We strongly advise you to avoid interacting with cyber crooks. There is no point in paying the sum demanded, as they are not likely to provide the decryption tool you need to unlock your data. According to malware analysts, the Math Ransomware may be a variant of the JigSaw Ransomware, so users may be able to use the JigSaw decryption tool to recover their files. Consider investing in a reputable anti-malware application instead; such a utility will help you remove the Math Ransomware from your system for good.
