
Ranssiria Ransomware

By GoldSparrow in Ransomware

PC security researchers first observed the Ranssiria Ransomware, an encryption ransomware Trojan, on April 20, 2018. The Ranssiria Ransomware spreads mainly through corrupted spam email messages, social engineering and online tactics. It is delivered as an executable file named 'RsSIRIA.exe' together with several DLL files. Once installed, the Ranssiria Ransomware carries out a typical ransomware attack.

How the Ranssiria Ransomware Attack Works

The Ranssiria Ransomware, like most other encryption ransomware Trojans, uses a strong encryption algorithm to make the victim's files inaccessible. This allows the Ranssiria Ransomware to take the victim's files hostage and then demand the payment of a ransom in exchange for the software needed to recover the affected files. The Ranssiria Ransomware targets user-generated files, which may include video, audio and numerous other file types. The following are examples of the files that are typically targeted in attacks like the Ranssiria Ransomware:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The Ranssiria Ransomware uses AES encryption to make the victim's files inaccessible. Once the Ranssiria Ransomware corrupts a file, the file will not be recognized by the victim's operating system or applications, and its contents will not be accessible. The Ranssiria Ransomware, unlike many other encryption ransomware Trojans, does not rename the files encrypted by the attack.

The Ranssiria Ransomware's Ransom Note

The Ranssiria Ransomware imitates the ransom note delivered by WannaCry and variants of this threat, using a program window with a predominantly red color scheme. The Ranssiria Ransomware uses photos of the destruction in Syria to claim that it is asking for 'donations' to help victims of the war violence. It is very unlikely that the people responsible for the Ranssiria Ransomware attack are trying to help the people in Syria. Such appeals have been observed in ransomware attacks before, and are often a shameless cash grab with nothing to differentiate them from more common ransomware attacks. The Ranssiria Ransomware demands the payment of a ransom of 77.7 Litecoin, which is nearly 12,000 USD at the current exchange rate. The Ranssiria Ransomware delivers a ransom note in Portuguese, which contains the following text (translated here into English):

'Sorry, your files have been locked
Please introduce us as Anonymous, and Anonymous only.
We are an idea. An idea that can not be contained, pursued or imprisoned.
Thousands of human beings are now ruled, wounded, hungry and suffering …
All as victims of a war that is not even theirs !!!
But unfortunately, only words will not change the situation of these human beings …
We DO NOT want your files, or you harm them … we only want a small contribution …
Remember .. by contributing, you will not only be recovering your files …
… but helping to restore the dignity of these victims …
Contribute your contribution from only: Litecoins to wallet/address below.'

There is no assurance that the corrupted files will be recovered if an infected user agrees to pay the Ranssiria Ransomware ransom. Instead of paying the Ranssiria Ransomware ransom, malware analysts strongly advise computer users to use backup copies to restore affected files.

