TrumpHead Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 4 |
| First Seen: | January 21, 2019 |
| Last Seen: | August 28, 2020 |
| OS(es) Affected: | Windows |
The TrumpHead Ransomware is an encryption ransomware Trojan based on HiddenTear, an open source ransomware platform. The TrumpHead Ransomware was released on January 14, 2019. The TrumpHead Ransomware carries out a typical version of the encryption ransomware tactic, which is to take the victims' files hostage and then demand a ransom payment in exchange for their return.
How the TrumpHead Ransomware Carries Out Its Attack
The TrumpHead Ransomware uses AES encryption to make the victim's files inaccessible, targeting the user-generated files such as the following file types:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .r.
The TrumpHead Ransomware will change the infected computer's desktop image into an image that is comprised of a black screen with a white text overlaid on top after the victim's files have been encrypted. The text contains the following ransom demand for the victim:
'I'm sorry, you're computer has been
compromised by us. All your files are
encrypted now!
Look for the READ_THIS.html file on
your computer (it's everywhere) and
read all the instructions to decrypt
your files again.
Be sure not to RENAME or DELETE'
The TrumpHead Ransomware's ransom note also is contained in a text file named 'READ_THIS.txt,' which contains the following message for the victim:
'Hey there,
Were sorry to tell you that we•ve encrypted ALL your data and there is no other way to get it hack without paying us:
0.8 in BITCOINS to this address: [random characters]
Pay up before it's too late!
You've got IS hours to pay. If you have any questions, Just contact us on this email address: wegotyoudata@protonmail.com
To speed IS the process: Just send us the following computer id [random characters] send us your btc
payment, transaction ID a. we will send you all instruction how to get your data back.
We are serious people and will always deliver after payment. Be sure NOT to rename
or delete your files, shutdown your commuter or contact the law, otherwise it's gone forever!
We're the best. No one has ever seen such a hacker group as we are.'
Dealing with the TrumpHead Ransomware
Unfortunately, the TrumpHead Ransomware enciphers the files in a way that they cannot be recovered. Computer users shouldn't pay the TrumpHead Ransomware's ransom demand, which amounts to 3,000 USD approximately at the current Bitcoin exchange rate. Instead, it is important to have backup copies of all data. Having file backups ensures that the victims of the TrumpHead Ransomware attack can restore any files lost by replacing them with the backup copy after removing the TrumpHead Ransomware threat itself with the help of a security program that is fully up-to-date.
