
PooleZoor Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: August 14, 2018
Last Seen: August 29, 2018
OS(es) Affected: Windows

The PooleZoor Ransomware is an encryption ransomware Trojan that was first observed by malware analysts in the second week of August 2018. It was first noticed through a Blogspot website associated with the threat, which Google removed after PC security researchers observed its activities. Malware analysts who studied the PooleZoor Ransomware found that the first samples seem to originate from an Iranian IP address and that the code contains comments in Persian, making it likely that the threat hails from this part of the world. The PooleZoor Ransomware is nearly identical to most encryption ransomware Trojans, so taking the right precautions will ensure that your data is well protected from this and similar threats.

How the PooleZoor Ransomware Attacks a Computer

The PooleZoor Ransomware attacks seem to target large organizations and Web servers rather than individual computer users. The PooleZoor Ransomware is a variant of HiddenTear, an open source ransomware platform first released in 2015 that has served as the basis for countless variants. The PooleZoor Ransomware uses AES encryption to make the victim's files inaccessible and adds the file extension '.poolezoor' to each file affected by the attack. Unfortunately, HiddenTear variants use a strong encryption method that cannot be cracked without the decryption key, which the criminals hold in their possession. Malware analysts advise computer users to keep their files backed up so that, in case of an attack, they can recover their data.

Other Actions Executed by the PooleZoor Ransomware

The PooleZoor Ransomware targets user-generated files while avoiding the Windows system files. This ensures that the victim can still read the ransom note and pay the ransom, which would not be possible if the victim's computer stopped working altogether. The PooleZoor Ransomware targets files with the following extensions in its attacks:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The PooleZoor Ransomware uses a strong encryption algorithm to take over the victim's files and then drops a ransom note onto the victim's computer. This ransom note is a text file named 'READ_me_for_encrypted_files.txt' and delivers the following message, written in Persian (shown here in English translation):

'Files has been encrypted with PooleZoor
Pay 10,000,000 Riyal, return your files
This money will go to a good deed.'
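Because the write-up gives two concrete on-disk indicators (the '.poolezoor' extension appended to encrypted files and the 'READ_me_for_encrypted_files.txt' ransom note), an incident responder can triage an affected share by walking it and counting which original file types were hit, which scopes the restore from backup. The script below is an added example written for this page, not code from the threat or from any vendor tool; the directory tree it scans is constructed in a temporary folder purely for the dry run.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up: appended extension and ransom note file name.
POOLEZOOR_EXT = ".poolezoor"
RANSOM_NOTE = "READ_me_for_encrypted_files.txt"


def triage_tree(root):
    """Walk `root` and report PooleZoor indicators.

    Returns a dict with the ransom-note paths, the encrypted-file paths, and a
    Counter of the original extensions (the one that preceded '.poolezoor'),
    which tells the responder which file types need restoring from backup.
    """
    notes, encrypted, original_exts = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(str(path))
            elif name.lower().endswith(POOLEZOOR_EXT):
                encrypted.append(str(path))
                # 'report.docx.poolezoor' -> '.docx'; a file with no prior extension counts as ''
                original_exts[Path(name[: -len(POOLEZOOR_EXT)]).suffix.lower()] += 1
    return {"notes": notes, "encrypted": encrypted, "original_exts": original_exts}


def build_sample_tree():
    """Constructed sample tree (not real malware output) used for the dry run."""
    root = Path(tempfile.mkdtemp(prefix="poolezoor_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.poolezoor").write_bytes(b"\x00" * 16)
    (root / "docs" / "budget.xlsx.poolezoor").write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt").write_text("untouched file")
    (root / "docs" / RANSOM_NOTE).write_text("constructed note text")
    (root / RANSOM_NOTE).write_text("constructed note text")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"ransom notes: {len(result['notes'])}, encrypted files: {len(result['encrypted'])}")
    for ext, count in result["original_exts"].most_common():
        print(f"  {ext or '(none)'}: {count}")
```

On a real incident, point `triage_tree` at the affected volume's mount point; untouched files such as 'notes.txt' are ignored, so the encrypted count is the restore scope.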

Dealing with the PooleZoor Ransomware

The ransom demanded by the PooleZoor Ransomware is nearly three million US dollars! This may indicate that the PooleZoor Ransomware is still unfinished, or that the criminals have no intention of demanding a ransom from their victims. In any case, it is not recommended that computer users contact the criminals or attempt to make any payment. Instead, computer users can use backup copies of their files or system images to restore any content encrypted by the PooleZoor Ransomware.
