
PC security analysts observed the Ransomware, an encryption ransomware Trojan, on June 11, 2018. The Ransomware appears to have been developed independently: it does not seem to be based on open source code or to be part of a Ransomware as a Service (RaaS) platform. Like most ransomware Trojans currently active, the Ransomware is distributed to victims through spam email messages carrying a document attachment whose embedded macro scripts download and install the Ransomware on the victim's computer. Once installed, the Ransomware takes the victim's files hostage by encrypting them with a robust encryption algorithm and then demands a ransom in exchange for the software needed to recover the affected files.

The Ransomware Infection Process

Once the Ransomware is installed, it scans the victim's computer for files matching certain file extensions. The Ransomware builds a list of the targeted files and generates the encryption and decryption keys; once the encryption process is complete, these keys are stored on its Command and Control server rather than on the infected machine, which prevents PC security researchers from obtaining them. The Ransomware also removes other possible file recovery options as part of its attack: for example, it deletes the Windows System Restore points and the Shadow Volume Copies of the victim's files. Some of the file types that threats like the Ransomware target in their attacks include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

Files encrypted by the Ransomware are easy to recognize because the Ransomware appends the string '!@#$%___________%$#@.mail' to their names, so Windows no longer recognizes their file type. The encrypted files show up with blank icons in Windows Explorer. They are no longer accessible and may be lost permanently, since current technology does not allow them to be decrypted without the decryption key. The Ransomware delivers its ransom note as a text file dropped onto the victim's desktop. This file is named 'DECRYPT FILES.txt'; it threatens the victims and tells them to email the criminals to receive the decryption software.
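The two file-name indicators described above (the appended marker string and the ransom note name) are enough to triage a directory listing during incident response. The following script is an added example, not code from the page or from any vendor tool; the sample paths are constructed, and the targeted-extension set is only a subset of the list above.

```python
import ntpath
from collections import Counter

# Indicators quoted in the write-up above
MARKER = "!@#$%___________%$#@.mail"
RANSOM_NOTE = "DECRYPT FILES.txt"

# Subset of the targeted extensions listed above (assumption: in practice the
# full list from the page would be loaded here)
TARGETED = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".zip", ".py", ".txt"}


def original_name(filename):
    """Strip the appended marker; return (original name, original extension).

    Returns None when the file does not carry the marker.
    """
    if not filename.endswith(MARKER):
        return None
    original = filename[: -len(MARKER)]
    return original, ntpath.splitext(original)[1].lower()


def triage(paths):
    """Classify Windows file paths into encrypted files and ransom notes.

    Returns the recovered original names, the notes found, and a per-directory
    count of encrypted files so a responder can see which folders were hit.
    """
    encrypted, notes = [], []
    per_dir = Counter()
    for path in paths:
        directory, name = ntpath.split(path)
        if name == RANSOM_NOTE:
            notes.append(path)
            continue
        hit = original_name(name)
        if hit is None:
            continue
        orig, ext = hit
        encrypted.append({"path": path, "original": ntpath.join(directory, orig),
                          "ext": ext, "targeted_type": ext in TARGETED})
        per_dir[directory] += 1
    return {"encrypted": encrypted, "notes": notes, "per_dir": dict(per_dir)}


# Constructed sample listing (not from the page) mimicking an infected profile
SAMPLE = [
    r"C:\Users\alice\Desktop\DECRYPT FILES.txt",
    r"C:\Users\alice\Documents\budget.xlsx!@#$%___________%$#@.mail",
    r"C:\Users\alice\Documents\thesis.docx!@#$%___________%$#@.mail",
    r"C:\Users\alice\Pictures\holiday.jpg!@#$%___________%$#@.mail",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"{len(report['encrypted'])} encrypted, {len(report['notes'])} note(s)")
    for folder, count in report["per_dir"].items():
        print(f"  {folder}: {count}")
```

Feeding it a real listing (for example the output of a recursive `dir`) gives a quick map of affected folders to compare against the backup set before restoring.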

Dealing with the Ransomware Infection

PC security researchers do not endorse contacting the criminals responsible for the Ransomware attack. Instead, computer users should restore their files from a backup copy. Keeping securely stored backups of their files is the best protection against threats like the Ransomware. In addition, a fully up-to-date security program capable of dealing with ransomware threats can stop threats like the Ransomware from being installed in the first place. Since spam email attachments are one of the most common ways the Ransomware reaches victims, learning to recognize spam email tactics and to handle potentially malicious email attachments is an essential part of preventing malware infections like the Ransomware. A combination of file backups, security software, and common sense is the best protection against these threats.
