EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 100% (High)
First Seen: August 14, 2018
Last Seen: August 29, 2018
The PooleZoor Ransomware is an encryption ransomware Trojan that was first observed by malware analysts in the second week of August 2018. It was first observed through a Blogspot website associated with this threat, which Google removed after PC security researchers observed its activities. Malware analysts who studied the PooleZoor Ransomware observed that the first samples seem to originate from an Iranian IP address and that the code contains comments in Persian, making it likely that the PooleZoor Ransomware hails from this part of the world. The PooleZoor Ransomware is nearly identical to most encryption ransomware Trojans, so the same precautions that protect data from those threats protect it from this one as well.
How the PooleZoor Ransomware Attacks a Computer
The PooleZoor Ransomware attacks seem to target large organizations and Web servers rather than individual computer users. The PooleZoor Ransomware is a variant of HiddenTear, an open source ransomware platform first released in 2015 that has been the basis for countless variants of this malware tactic. The PooleZoor Ransomware uses AES encryption to make the victim's files inaccessible and adds the file extension '.poolezoor' to each file affected by the attack. Unfortunately, HiddenTear variants use a strong encryption method that cannot be cracked without the decryption key, which the criminals hold in their possession. Malware analysts advise computer users to keep their files backed up so that, in case of an attack, they can recover their data.
Other Actions Executed by the PooleZoor Ransomware
The PooleZoor Ransomware targets user-generated files while avoiding the Windows system files. This ensures that the victim can still read the ransom note and pay the ransom, which would not be possible if the victim's computer stopped working altogether. The PooleZoor Ransomware targets files with the following extensions in its attacks:
.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.
The PooleZoor Ransomware uses a strong encryption algorithm to take over the victim's files and then drops a ransom note onto the victim's computer. This ransom note is a text file named 'READ_me_for_encrypted_files.txt' and delivers the following message, written in Persian (rendered here in English):
'Files has been encrypted with PooleZoor
Pay 10,000,000 Riyal, return your files
This money will go to a good deed.'
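The two sections above describe the artifacts a PooleZoor infection leaves behind: files renamed with the '.poolezoor' extension (with the original extension still visible in front of it), the list of extensions the Trojan goes after, and the 'READ_me_for_encrypted_files.txt' ransom note. The triage script below is an added example written for this page, not EnigmaSoft's or SpyHunter's code: it walks a directory tree, counts encrypted files by their original extension, locates ransom notes, and flags any '.poolezoor' file whose original extension is not on the page's target list (a hint that the sample differs from the one described). The directory layout and file names it builds in a temporary folder are constructed sample data, not artifacts from a real infection.

```python
"""Offline triage of a PooleZoor-style infection (added example, not vendor code)."""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

POOLEZOOR_EXT = ".poolezoor"                      # extension appended to each encrypted file
RANSOM_NOTE = "READ_me_for_encrypted_files.txt"   # ransom note file name from the article

# Extension list reported in the article as PooleZoor's targets.
TARGETED_EXTS = frozenset("""
.ebd .jbc .pst .ost .tib .tbk .bak .bac .abk .as4 .asd .ashbak .backup .bck .bdb .bk1
.bkc .bkf .bkp .boe .bpa .bpd .bup .cmb .fbf .fbw .fh .ful .gho .ipd .nb7 .nba .nbd
.nbf .nbi .nbu .nco .oeb .old .qic .sn1 .sn2 .sna .spi .stg .uci .win .xbk .iso .htm
.html .mht .p7 .p7c .pem .sgn .sec .cer .csr .djvu .der .stl .crt .p7b .pfx .fb .fb2
.tif .tiff .pdf .doc .docx .docm .rtf .xls .xlsx .xlsm .ppt .pptx .ppsx .txt .cdr .jpe
.jpg .jpeg .png .bmp .jiff .jpf .ply .pov .raw .cf .cfn .tbn .xcf .xof .key .eml .tbb
.dwf .egg .fc2 .fcz .fg .fp3 .pab .oab .psd .psb .pcx .dwg .dws .dxe .zip .zipx .7z
.rar .rev .afp .bfa .bpk .bsk .enc .rzk .rzx .sef .shy .snk .accdb .ldf .accdc .adp
.dbc .dbx .dbf .dbt .dxl .edb .eql .mdb .mxl .mdf .sql .sqlite .sqlite3 .sqlitedb .kdb
.kdbx .1cd .dt .erf .lgp .md .epf .efb .eis .efn .emd .emr .end .eog .erb .ebn .ebb
.prefab .jif .wor .csv .msg .msf .kwm .pwm .ai .eps .abd .repx .oxps .dot
""".split())


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)        # every *.poolezoor path found
    ransom_notes: list = field(default_factory=list)     # every ransom note path found
    by_original_ext: Counter = field(default_factory=Counter)  # counts per pre-attack extension
    unexpected: list = field(default_factory=list)       # encrypted files outside the target list


def original_extension(name):
    """Return the extension a file had before '.poolezoor' was appended, or None."""
    if not name.lower().endswith(POOLEZOOR_EXT):
        return None
    stem = name[:-len(POOLEZOOR_EXT)]           # strip the appended marker
    return os.path.splitext(stem)[1].lower()    # '' when nothing is left in front


def triage(root):
    """Walk `root` and collect infection indicators into a TriageReport."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                report.ransom_notes.append(full)
            elif fname.lower().endswith(POOLEZOOR_EXT):
                report.encrypted.append(full)
                ext = original_extension(fname)
                report.by_original_ext[ext] += 1
                if ext not in TARGETED_EXTS:
                    report.unexpected.append(full)
    return report


def build_sample_tree(root):
    """Constructed sample layout mimicking a post-attack disk; contents are dummy bytes."""
    samples = {
        "Documents/report.docx.poolezoor": b"\x00" * 32,
        "Documents/budget.xlsx.poolezoor": b"\x00" * 32,
        "Documents/notes.xyz.poolezoor": b"\x00" * 32,      # extension not on the page's list
        "Backups/db.bak.poolezoor": b"\x00" * 32,
        "Pictures/holiday.jpg.poolezoor": b"\x00" * 32,
        "Windows/System32/example.dll": b"MZ",              # system file left alone, as described
        "Documents/" + RANSOM_NOTE: b"ransom note placeholder",
        "Backups/" + RANSOM_NOTE: b"ransom note placeholder",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.encrypted)} encrypted files, {len(r.ransom_notes)} ransom notes")
    print("by original extension:", dict(r.by_original_ext))
    print("outside the known target list:", [os.path.basename(p) for p in r.unexpected])
```

Pointing `triage()` at a mounted image of an affected host gives a quick inventory for an incident report: which data categories were hit, where the ransom notes were dropped, and whether the sample's targeting matches the list published here. The `unexpected` list is the check worth watching; a non-empty result means the extension set differs from the one described above and the sample deserves its own analysis before any published decryptor is tried.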
Dealing with the PooleZoor Ransomware
The ransom demanded by the PooleZoor Ransomware is nearly three million US dollars! This may indicate that the PooleZoor Ransomware is still unfinished, or that the criminals have no intention of demanding a ransom from their victims. In any case, it is not recommended that computer users contact the criminals or attempt to make any payment. Instead, computer users can use backup copies of their files or system images to restore any content encrypted by the PooleZoor Ransomware.