
Russenger Ransomware

By GoldSparrow in Ransomware

The Russenger Ransomware is an encryption ransomware Trojan that was first observed on February 19, 2018. The Russenger Ransomware is distributed to victims mainly through phishing email messages. These emails contain a corrupted file attachment that invites the victim to run an embedded macro script. Allowing this macro script to run installs the Russenger Ransomware on the victim's computer and loads it into the affected computer's memory. The Russenger Ransomware will then carry out its attack.

Symptoms of a Russenger Ransomware Attack

The Russenger Ransomware carries out a fairly typical ransomware attack. The Russenger Ransomware scans the victim's computer for certain file types, mainly user-generated files such as videos, audio, images, documents, databases, and numerous other file types. The Russenger Ransomware will then use a strong encryption algorithm to make those files inaccessible, essentially taking the victim's files hostage. The Russenger Ransomware does this to demand a ransom payment in exchange for the decryption key. The following are some of the file types that are commonly affected by these attacks:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

Once installed, some versions of the Russenger Ransomware will run as '1cv8s32-n.exe' on the victim's computer. The Russenger Ransomware will add the file extension '.messenger-[random characters]' to the end of each affected file's name, making it relatively simple to know which files have been encrypted by the Russenger Ransomware attack.

How the Russenger Ransomware Demands Its Ransom Payment

The Russenger Ransomware will deliver a ransom note named 'Инструкция по дешифровке.txt' (Decryption instructions.txt). The Russenger Ransomware delivers its ransom note in Russian and seems to be targeted towards Russian speakers, although there is nothing preventing the Russenger Ransomware attack from spreading to other victims. The following is the full text of the Russenger Ransomware ransom note:

'Вся ваша информация на этом компьютере была зашифрована.
Зашифрованные документы имеют расширение .messenger-******
Для получения инструкций по дешифровке напишите письмо на адрес:
messenger@riseup.net
В теме письма укажите ваш код для разшифровки:
***
Если вам приходит ответ, что почтовый адрес не существует:
1. Попробуйте написать нам с других емеил, mail.ru, yandex.ru;
2. Попробуйте написать через время.'

The following is a translation of the text of the Russenger Ransomware's ransom note:

'All your information on this computer has been encrypted.
Encrypted documents have the extension .messenger-******
For instructions on decryption write a letter to:
messenger@riseup.net
In the subject line write your code for decryption:
***
If you receive an answer that the mailing address does not exist:
1. Try to write to us from other email, mail.ru, yandex.ru;
2. Try to write after some time.'

PC security researchers strongly advise against contacting the people responsible for the Russenger Ransomware or paying the Russenger Ransomware ransom. Instead, it is important to take preventive steps to ensure that your data is safe from the Russenger Ransomware and other encryption ransomware Trojans. The most effective protection against these threats is to have reliable backup copies of your files on an external memory device, coupled with a reliable security program that is fully up-to-date.
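
The indicators named in this article (the '.messenger-[random characters]' extension, the ransom note file name and the '1cv8s32-n.exe' process name) can be used to scope which files were affected before restoring from backup. The following is an added example, not code from the article's author: the function names, the sample paths and the assumption that the random suffix is any run of characters without a dot are illustrative.

```python
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the article. The suffix character set and length are
# not documented there, so any run of non-dot characters is accepted (assumption).
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.messenger-(?P<suffix>[^.\\/]+)$", re.IGNORECASE)
NOTE_NAME = "Инструкция по дешифровке.txt"
PROCESS_NAME = "1cv8s32-n.exe"


def triage(paths):
    """Classify file paths against the Russenger indicators described above."""
    report = {"encrypted": [], "notes": [], "binaries": [],
              "suffixes": Counter(), "original_types": Counter()}
    for raw in paths:
        name = PureWindowsPath(raw).name  # accepts both \ and / separators
        match = ENCRYPTED_RE.match(name)
        if match:
            report["encrypted"].append(raw)
            report["suffixes"][match.group("suffix")] += 1
            # The extension is appended, so the original type is still visible.
            ext = PureWindowsPath(match.group("original")).suffix.lower() or "(none)"
            report["original_types"][ext] += 1
        elif name.casefold() == NOTE_NAME.casefold():
            report["notes"].append(raw)
        elif name.casefold() == PROCESS_NAME.casefold():
            report["binaries"].append(raw)
    return report


def scan_tree(root):
    """Walk a directory tree and triage every file path under it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample listing (not real victim data; locations are illustrative).
SAMPLE = [
    r"C:\Users\anna\Documents\budget.xlsx.messenger-a1B2c3",
    r"C:\Users\anna\Documents\report.docx.messenger-a1B2c3",
    r"C:\Users\anna\Pictures\cat.jpg",
    r"C:\Users\anna\Desktop\Инструкция по дешифровке.txt",
    r"C:\Users\anna\Downloads\1cv8s32-n.exe",
    r"C:\Users\anna\notes.messenger",  # no "-suffix" part, so not counted
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(len(result["encrypted"]), "encrypted;", dict(result["original_types"]))
```

Running `scan_tree` against a mounted copy of the affected disk, rather than the live system, gives a list of encrypted files grouped by original type that can be compared against what the backups contain.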
