Pennywise Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Ranking: 14,674
Threat Level: 10 % (Normal)
Infected Computers: 301
First Seen: November 3, 2017
Last Seen: September 15, 2023
OS(es) Affected: Windows
The Pennywise Ransomware is a data encryption Trojan that was reported for the first time on October 23rd, 2017. It appears to be a variant of another well-documented threat dubbed Jigsaw Ransomware, which emerged in April 2016. The Jigsaw family of Trojans has expanded since the original threat was discovered, and the Pennywise Ransomware is one of its latest iterations, alongside the HACKED Ransomware and the StrutterGear Ransomware. The new variant was found on an online security platform that malware researchers use to exchange samples and notes and to keep an eye on the latest trends in threat development. The samples of the Pennywise Ransomware available to researchers suggest that the Trojan is still under development and in its testing and debug phase. The creators of the Pennywise Ransomware continue to use the image of a scary clown to brand their products. Code analysis revealed that the Pennywise Ransomware creates a folder on the primary system disk, C:\FileSystemSimulation\, and loads from that location. Lab tests indicate that the threat uses the following files to facilitate its operations:
Setup.exe
EncryptedFileList.txt
NotTxtTest.nottxt
TxtTest.txt
TxtTest.txt.beep
The Trojan is known to display a program window that shows the compromised user the following message:
'Your personal files are being deleted. Your photos, videos, documents, etc...
But, don't worry! It will only happen if you don't comply.
However I've already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently, therefore I won't be able to access them, either.
If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you.
Meanwhile..... You want a balloon? Hahahahaha_'
At the time of research, the Pennywise Ransomware is known to target one hundred and twenty-seven file types for encryption. Researchers provided the following list of targeted data formats:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
As you can see, the Pennywise Ransomware is designed to encrypt standard data formats that regular PC users are likely to be familiar with. Encrypted files are marked with the '.beep' extension appended to their name. For example, 'Hawa Mahal - Palace of the Winds.jpeg' is renamed to 'Hawa Mahal - Palace of the Winds.jpeg.beep'. The threat tries to convince compromised users that the only way to recover such files is to pay the cybercrooks. It is true that the Pennywise Ransomware employs secure encryption mechanisms, but you can boot from a system recovery disk and restore your files from any available backup. It is a must to use a reputable anti-malware scanner that can purge the Pennywise Ransomware from your PC safely. AV companies identify the threat as:
- Generic.MSIL.Ransomware.Jigsaw.5123367C
- MSIL/Filecoder.JIGSAW!tr
- Ransom/W32.Jigsaw.672256
- Ransom_JIGSAW.WD
- TR/AD.JigsawLocker.adzox
- Trojan ( 004f21821 )
- Trojan.Win32.Ransom.672256
- Trojan/Win32.Ransom.C2210683
- malicious (moderate confidence)
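A defender-side triage helper, as an added example that is not part of the EnigmaSoft report: it matches file paths against the indicators the report gives above (the C:\FileSystemSimulation\ folder, the helper files listed there, and the '.beep' marker on files whose original extension is in the targeted list) and recovers the original file name from a renamed file. The sample paths are constructed, and the function and variable names are my own, not taken from the threat or from any vendor tool.

```python
r"""Triage helper for the Pennywise Ransomware indicators described in the
report above.  Added example, not part of the original page; the sample
paths at the bottom are constructed input."""
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Optional

# Targeted extensions copied from the report's list (duplicates collapse).
TARGETED_EXTENSIONS = frozenset("""
.3dm .3g2 .3gp .7zip .aaf .accdb .aep .aepx .aet .ai .aif .as .as3 .asf .asp
.asx .avi .bmp .c .class .cpp .cs .csv .dat .db .dbf .doc .docb .docm .docx
.dot .dotm .dotx .dwg .dxf .efx .eps .fla .flv .gif .h .idml .iff .indb .indd
.indl .indt .inx .jar .java .jpeg .jpg .js .m3u .m3u8 .m4u .max .mdb .mid .mkv
.mov .mp3 .mp4 .mpa .mpeg .mpg .msg .pdb .pdf .php .plb .pmd .png .pot .potm
.potx .ppam .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .py
.ra .rar .raw .rb .rtf .sdf .ses .sldm .sldx .sql .svg .swf .tif .txt .vcf
.vob .wav .wma .wmv .wpd .wps .xla .xlam .xll .xlm .xls .xlsb .xlsm .xlsx .xlt
.xltm .xltx .xlw .xml .xqx .zip
""".split())

# Staging folder and helper files named in the report (compared case-insensitively).
STAGING_DIR = r"c:\filesystemsimulation"
STAGING_FILES = frozenset({
    "setup.exe", "encryptedfilelist.txt", "nottxttest.nottxt",
    "txttest.txt", "txttest.txt.beep",
})
MARKER = ".beep"  # appended to encrypted files


class Finding(NamedTuple):
    path: str
    reason: str
    original_name: Optional[str]  # name before the marker was appended, if any


def classify(path: str) -> Optional[Finding]:
    """Return a Finding for a path that matches a Pennywise indicator, else None."""
    p = PureWindowsPath(path)
    lower_path = str(p).lower()
    name_lower = p.name.lower()

    # 1. Anything inside the staging folder is suspicious; the named helper
    #    files are a direct match on the report's indicators.
    if lower_path.startswith(STAGING_DIR + "\\"):
        if name_lower in STAGING_FILES:
            return Finding(str(p), "known Pennywise helper file in staging folder", None)
        return Finding(str(p), "file inside Pennywise staging folder", None)

    # 2. A '.beep' marker on a file whose real extension is in the target list
    #    is the renaming pattern the report describes for encrypted victim files.
    if name_lower.endswith(MARKER):
        original = p.name[: -len(MARKER)]
        orig_ext = PureWindowsPath(original).suffix.lower()
        if orig_ext in TARGETED_EXTENSIONS:
            return Finding(str(p), f"'.beep' marker on targeted {orig_ext} file", original)
        return Finding(str(p), "'.beep' marker on non-targeted file", original)

    return None


def triage(paths: List[str]) -> List[Finding]:
    """Run classify() over a path listing and keep only the hits."""
    return [f for f in map(classify, paths) if f is not None]


# Constructed sample listing (not real telemetry): three staging-folder entries,
# three '.beep' renames, two benign files.
SAMPLE_PATHS = [
    r"C:\FileSystemSimulation\Setup.exe",
    r"C:\FileSystemSimulation\EncryptedFileList.txt",
    r"C:\FileSystemSimulation\scratch.tmp",
    r"C:\Users\alice\Pictures\Hawa Mahal - Palace of the Winds.jpeg.beep",
    r"C:\Users\alice\Documents\budget.xlsx.beep",
    r"C:\Users\alice\Downloads\archive.tar.gz.beep",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS):
        restore = f" (original name: {finding.original_name})" if finding.original_name else ""
        print(f"{finding.reason}: {finding.path}{restore}")
```

The staging-folder check runs first so that the report's own 'TxtTest.txt.beep' helper file is reported as an indicator rather than as an encrypted victim file. The recovered original name is what a restore-from-backup job would look for when rebuilding the file structure after the infection has been removed.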