
Omfl Ransomware

The Omfl Ransomware is a file-locking Trojan built from the Xorist Ransomware kit. The Omfl Ransomware can block the user's media, such as documents, pictures, or compressed archives, by encrypting them with the XOR or TEA algorithms, and it generates a pop-up ransom note afterward. Users can preserve their files with appropriate backup security and let anti-malware products delete the Omfl Ransomware from infected PCs.

Coincidences in Naming Conventions with Mass-Produced Trojans

With thousands of file-locker Trojans pouring through freeware, independent sources, and Ransomware-as-a-Services, it's more surprising than not that most of them enjoy unique names for their campaigns. This pattern is periodically broken by Trojans that, either intentionally or accidentally, show symptoms almost identical to those of competing ones. This is the case with the latest version of the Omfl Ransomware, which malware experts place in the Xorist Ransomware family.

The Xorist Ransomware is a Trojan-building 'kit' that can generate file-locking Trojans with different extensions, format-targeting attacks, and cryptography algorithms (the means of locking the files). Variants that malware analysts can point out from the recent past include the EnCryp13d Ransomware, the Bl9c98vcvv Ransomware, the CryptPethya Ransomware, and the ZaToN Ransomware. The names derive from the extension that the Trojans add to any files they block: any text string that the threat actor prefers.

The Omfl Ransomware differs in that its apparently-random name is one that it shares with a variant of the STOP Ransomware, a Ransomware-as-a-Service whose members currently default to random, four-character titles. In both cases, these Trojans add their names to files as an extension, with no formatting differences between them. Malware experts point to the differences in ransom note formats as a direct way of telling these two threats apart: besides the different phrasing, the Omfl Ransomware's pop-up alert asks for an upfront ransom of 500 USD in Bitcoins. It also gives only five attempts for inputting the unlocker's password (a default feature in the Xorist Ransomware).

How to Handle a Begging Trojan

Because the Omfl Ransomware's primary feature is locking most of the user's popular digital media formats, Windows users without backups are at the most risk from this Trojan. There is a reasonable possibility that users can unlock or decrypt their files by using a Xorist Ransomware decryptor, which is free to download. However, this remedy doesn't apply to the vast majority of other file-locker Trojan families.
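Since the extension alone cannot separate a Xorist build from a STOP variant, but the free Xorist decryptor is only worth trying against the former, a responder needs to check the ransom note before deciding. The following triage script is an added example, not code from the article or from any security vendor: it inventories files carrying the shared extension and scores a captured note against the two indicators the article gives (500 USD, five password attempts). The directory snapshot, the note file name and the exact note wording are all constructed assumptions.

```python
"""Triage helper for a suspected Omfl/Xorist infection (added example).

Inventories files with the shared .omfl extension and classifies captured
ransom-note text by the indicators this write-up describes. Sample data is
constructed; note file names and phrasing are assumptions, not real IoCs.
"""
import re
from typing import Dict, List, Tuple

SUSPECT_EXT = ".omfl"

# Indicators from the article; the regex wording is an assumption.
XORIST_INDICATORS = [
    re.compile(r"\b500\s*usd\b", re.I),            # 500 USD ransom demand
    re.compile(r"\b(5|five)\s+attempts?\b", re.I),  # five password attempts
]

def find_locked_files(snapshot: Dict[str, str]) -> List[str]:
    """Return paths whose name ends with the suspect extension."""
    return sorted(p for p in snapshot if p.lower().endswith(SUSPECT_EXT))

def classify_note(text: str) -> Tuple[str, int]:
    """Count Xorist indicators; both present -> likely Xorist build."""
    hits = sum(1 for rx in XORIST_INDICATORS if rx.search(text))
    if hits == len(XORIST_INDICATORS):
        return "xorist_candidate", hits
    if hits:
        return "inconclusive", hits
    return "not_xorist_pattern", hits

def triage(snapshot: Dict[str, str], note_names: Tuple[str, ...]) -> dict:
    """Combine the file inventory with note classification into a verdict."""
    locked = find_locked_files(snapshot)
    notes = [p for p in snapshot if p.rsplit("/", 1)[-1].lower() in note_names]
    verdicts = {p: classify_note(snapshot[p]) for p in notes}
    families = {v[0] for v in verdicts.values()}
    return {
        "locked_count": len(locked),
        "notes": verdicts,
        # Only recommend the free Xorist decryptor when the note matches.
        "try_xorist_decryptor": "xorist_candidate" in families,
    }

# Constructed snapshot: path -> content (ciphertext stands in for real bytes).
SAMPLE_SNAPSHOT = {
    "C:/Users/alice/Documents/report.docx.omfl": "<ciphertext>",
    "C:/Users/alice/Pictures/trip.jpg.omfl": "<ciphertext>",
    "C:/Users/alice/Documents/todo.txt": "plain text, untouched",
    "C:/Users/alice/Desktop/ransom_note.txt":
        "Pay 500 USD in Bitcoin. You have 5 attempts to enter the password.",
}

if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT, ("ransom_note.txt",)))
```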

There are no ransom payments in the Omfl Ransomware's current wallet, and its campaign is still new as of February. Malware researchers recommend that users protect themselves with security-strengthening practices such as:

  • Using strong passwords (which prevent brute-force attacks)
  • Updating software (which removes exploitable vulnerabilities)
  • Disabling risky features, including Flash, Java, JavaScript, and document or spreadsheet macros
  • Avoiding traditional infection vectors, such as illegally-obtained media, torrents, unofficial software updates, and advertising-promoted downloads
  • Being particularly cautious around obfuscated Web links or e-mail attachments

Users who ignore the ransom requests do their part to stop this industry and prevent more iterations of the Xorist Ransomware from coming into being. Malware experts also note that most cyber-security products should detect and remove the Omfl Ransomware.

The Omfl Ransomware might cause a moment of confusion between itself and a familiar RaaS, but a name isn't the best identifier of a Trojan. Users can depend on their security products to classify the threat and limit its payload, which exists only to make money by harming others' files.
