
TerrorWare Ransomware

The TerrorWare Ransomware is a file-locking Trojan that blocks the user's media, such as documents or movies, with data encryption. It also changes the desktop wallpaper and creates text ransom notes. Users should protect themselves by backing up any important files to other devices and letting a trusted anti-malware service remove the TerrorWare Ransomware.

The Difference That a Few Letters Make in a Website's Address

File-locker Trojans traditionally prefer upfront extortion: they demand money for restoring the files that they damage and give the victims a contact channel, such as an e-mail address or a TOR website service. Malware researchers may find an exception to the rule in the TerrorWare Ransomware, which some security researchers point to as a probable variant of the Hidden Tear project. The TerrorWare Ransomware has what resembles a backhanded means of profiteering: infecting users with more Trojans after the first success.

The TerrorWare Ransomware targets Windows-based systems and encrypts (or locks) media files; examples that malware analysts confirm at this time include BMP pictures, AVI movies, and TXT text files, among others. The Trojan adds 'terror' extensions onto the names, but doesn't remove any previous extensions. This data sabotage is entirely traditional for file-locker Trojans.

The TerrorWare Ransomware's ransom note is more unusual. The Notepad file promotes a Swedish gaming channel ('Grabbarna', translating to 'The Boys') for contacting the threat actor, and includes a link to a website for downloading what it claims is the decryption tool's executable file. The URL also implies that the site is an official Discord domain, but it's an unrelated website that threat actors use for hosting various Trojans and spyware, such as password collectors. It seems likely that the attackers are using the decryption link as a tactic for tricking users into infecting their devices with more severe threats.
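The check below is an added example, not code from the original report: it classifies a link by its actual hostname, which is how a defender would vet a 'decryptor' URL that merely implies a Discord origin. The domain allowlist, the digit-substitution table, and every sample URL are assumptions constructed for illustration; the URL from the ransom note is not reproduced here.

```python
from urllib.parse import urlsplit

# Assumption: domains operated by Discord; maintain your own vetted allowlist.
OFFICIAL_DOMAINS = {"discord.com", "discordapp.com", "discord.gg",
                    "discordapp.net", "discord.media"}
BRAND = "discord"
# Undo common digit-for-letter swaps before looking for the brand name.
LEET = str.maketrans("0135", "oies")


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'other' for a URL found in a note."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url                      # let urlsplit see a netloc
    try:
        parts = urlsplit(url)
    except ValueError:                        # malformed netloc, e.g. bad brackets
        return "other"
    # .hostname excludes userinfo and port and is already lower-cased.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "other"
    # Official only if the host IS an allowlisted domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Brand name elsewhere: wrong suffix, extra labels, leetspeak, or userinfo.
    userinfo = (parts.username or "").lower()
    if BRAND in host.translate(LEET).replace("-", "") or BRAND in userinfo:
        return "lookalike"
    return "other"


# Constructed sample URLs (not taken from the ransom note).
SAMPLES = [
    "https://cdn.discordapp.com/attachments/1/2/file.bin",
    "https://discordapp.com.downloads.example/decryptor.exe",
    "https://discord.com@files.example/decryptor.exe",
    "http://disc0rd-files.example/decryptor.exe",
    "https://example.org/discord/decryptor.exe",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify_link(u):9}  {u}")
```

An 'official' result only identifies who operates the host; a file served from it still needs scanning before anyone opens it.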

Calming the Fear of Terrorizing Software

The TerrorWare Ransomware's note is an example of why malware experts suggest that users not take Trojans' ransom notes at their word or ignore the context of their presence. It is also a useful lesson on the dangers of cheating in online games or downloading illegal software. Many of the Trojans on the faux-Discord website use names referring to Counter-Strike cheats, key generators, premium account cracks and similar tools.

Users can improve their Web-browsing safety by disabling features like Flash and JavaScript, and avoiding websites or torrents that traffic in illicit resources. Secondarily, creating a backup in a secure location is an excellent means of keeping file-locker Trojans from having any leverage over restoring media like documents. Malware experts can't confirm any possible relationship with Hidden Tear, but users may test the appropriate (and free) decryptors with spare copies of their files.

Many anti-malware services flag this threat and should prevent its installation. For their device's safety, users should depend on these dedicated security products for removing TerrorWare Ransomware infections.

The TerrorWare Ransomware has more scares up its sleeve than someone might expect, but that's not odd with Trojans. 'What you see is what you get' doesn't apply to Black Hat programming.
