Monument Ransomware
Threat Scorecard
Ranking: 10,828
Threat Level: 80 % (High)
Infected Computers: 432
First Seen: March 28, 2017
Last Seen: August 10, 2023
OS(es) Affected: Windows
The Monument Ransomware is a ransomware Trojan that is also known as DarkLocker. There are two versions of the Monument Ransomware: one locks the victim's screen, and the other encrypts the victim's files to demand the payment of a ransom. Although one is significantly more difficult to deal with than the other, both versions pose a significant threat to computer users. The Monument Ransomware is delivered through corrupted spam email attachments, or is installed on the victim's computer directly through a RAT (Remote Access Trojan) or by taking advantage of poor security measures.
How the Monument Ransomware Encrypts the Victims’ Computers
The Monument Ransomware uses a combination of RSA-2048 and AES-256 encryption to make the victim's files unreadable. It targets a wide variety of file types in its attack, including image, media, and other files. Files encrypted by the Monument Ransomware can be recognized because the ransom message is appended to the end of the file's name: the Monument Ransomware adds the very long extension '.To unlock your files send 0.15 Bitcoins to [RANDOM CHARACTERS] within 24 hours 0.20 after 24 hours.' to each file's name. The Monument Ransomware also displays a ransom note in a program window. This ransom note contains the following text:
'YOUR COMPUTER HAS BEEN HACKED
YOU MUST PRY .25 BITCOINS WITHIN 24 HOURS OR _35 AFTER 24 HOURS TO GET YOUR FLES BACK
AFTER 48 HOUR YOUR COMPUTER WILL BE DESTROYED IF YOU HAVE NOT PAID
HACKED
YOUR BITCOIN PAYMENT ADDRESS ADDRESS IS:
[RANDOM CHARACTERS]
IF YOU DO NOT HAVE BITCOINS BUY THEM AT WWW.LOCAL BITCOINS.COM
OR FIND A BITCOIN ATM NEAR YOU AT WWWW.COINATMRADAR.COM
View Encrypted Files
Send $200 USD (.15 BTC)within 24 hrs this Address:
[RANDOM CHARACTERS]
Click here to verify your payment and unlock your files!'
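The appended ransom message described above is a usable triage indicator. The following is an added example, not part of the original article: a scanner that finds files carrying that suffix and recovers each file's original name. The sample file names and the `EXAMPLETOKEN123` token are constructed, and the amounts are matched loosely as an assumption because the notes quote different values.

```python
import os
import re
from collections import Counter

# Suffix quoted in the article:
# '.To unlock your files send 0.15 Bitcoins to [RANDOM CHARACTERS] within 24 hours 0.20 after 24 hours.'
# The final period is treated as optional in case a trailing dot does not survive on disk.
MARKER = re.compile(
    r"^(?P<original>.+?)\.To unlock your files send (?P<amount>\d*\.\d+) Bitcoins to "
    r"(?P<token>\S+) within 24 hours (?P<late>\d*\.\d+) after 24 hours\.?$",
    re.IGNORECASE,
)

def parse_name(filename):
    """Return details for a renamed file, or None if the name is unaffected."""
    m = MARKER.match(filename)
    if m is None:
        return None
    return {"original": m["original"], "token": m["token"],
            "amount": m["amount"], "late_amount": m["late"]}

def scan(root):
    """Walk a directory tree and collect every file carrying the ransom suffix."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = parse_name(name)
            if hit:
                hit["path"] = os.path.join(dirpath, name)
                findings.append(hit)
    return findings

def summarize(findings):
    """Condense scan results for an incident ticket."""
    return {
        "affected_files": len(findings),
        "directories": sorted({os.path.dirname(f["path"]) for f in findings}),
        "tokens": Counter(f["token"] for f in findings),
    }

if __name__ == "__main__":
    # Constructed sample names; EXAMPLETOKEN123 stands in for [RANDOM CHARACTERS].
    suffix = ".To unlock your files send 0.15 Bitcoins to EXAMPLETOKEN123 within 24 hours 0.20 after 24 hours."
    for sample in ["photo.jpg" + suffix, "notes.txt"]:
        print(sample[:30], "->", parse_name(sample))
```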
A Simplified Version of the Monument Ransomware Locks Its Victim’s Screen
A variant of the Monument Ransomware simply locks the victim's screen rather than encrypting the victim's files. Its ransom note includes an image of a naked woman, and the variant also disables system tools like the Registry Editor and the Task Manager to prevent computer users from accessing their data or bypassing the Monument Ransomware lock screen. The following is the message included in the Monument Ransomware's lock screen:
'STOP WATCHING PORN! YOUR FILES ARE ENCRYPTED! READ THE INSTRUCTIONS.
[NSFW IMAGE]
Your Files Have Been Encrypted and Your Computer Has Been Locked. You must pay .15 Bitcoins within 24 hours or .20 Bitcoins after 24 hours.
Your Bitcoin Payment address is: 1P67AghL2mNLbgxLM 19oJYXgsJxyLfcYiz
After 48 hours all the files and the operating system on your computer will be erased if you have not paid.
Once the payment is received your files will be unlocked and everything will return to normal. The virus will delete itself and not return.
The computer will recognize the payment within 10 minutes and unlock your files or you can click the unlock button to do it faster.
The virus will delete 1 to 5 files at random every hour until you pay or it will delete everything in 48 hours.
If you do not have Bitcoins visit www.LocalBitcoins.com or find a Bitcoin ATM at www.CoinAtmRadar.com
If you use local Bitcoins you can find local Bitcoin sellers that will meet you or offer bank deposit payments.
If there are no local sellers search for Western Union and MoneyGram sellers.
Place the offer to put your coins in Escrow and follow their payment instructions.
Once they receive payment they will release the coins to you.
Then send the coins to your payment address:
1P67AghL2mNLbgxLM 19oJYXgsJxyLfcYiz
so your computer and files can be unlocked.
You have not paid. Your computer and files will remain locked. You send payment to the address above'
Dealing with the Monument Ransomware
It is clear that both versions of the Monument Ransomware (also released under the pseudonym 'DarkLocker') are part of the same attack. Computer users should back up all files and have a reliable security program. Since the Monument Ransomware seems to be based on Jigsaw (which has been cracked by PC security researchers), it is possible that decryption utilities released for the Jigsaw variants will help computer users recover their files after a Monument Ransomware attack.