Tsar Ransomware

Tsar Ransomware Description

The Tsar ransomware is a form of malware that aims to extort money from victims by encrypting all of their documents, music, pictures, videos, and databases. Victims are told they have to pay up in order to have their information restored.

Tsar was spotted and brought into the spotlight by security researcher dnwls0719, who posted about the threat on Twitter. The ransomware changes the file extension of encrypted files to .Tsar and places a ransom note, a ReadMe text file, in infected folders. The virus also puts up a pop-up to further scare users. The pop-up claims that the files have been encrypted using the AES, RSA, and ChaCha20 encryption algorithms and that the only way users can get their files back is to pay the ransom ($1,000 in cryptocurrency).

The attackers claim that if they don’t receive the ransom within five days, the decryption key needed to unlock the files will be destroyed. Whether this is really the case is unknown, but security experts always recommend against paying the ransom. There is never any guarantee that the hackers will even hand over the decryption key, let alone leave you and your computer alone afterwards.

How Does Tsar Ransomware Infect Computers?

Malware and ransomware like this generally spread through spam campaigns, trojan viruses, fake updates, and "cracking" tools. They are also distributed through malicious file hosting websites and suspicious downloads. Trojans are a kind of malicious program that is able to download extra malware for a coordinated attack, making them even more dangerous. Spam campaigns send out thousands of emails and adopt a "spray and pray" approach. The aim is to send out as many emails as possible so that even if just 1% of people open them and fall for them, the campaign is a success. The virus is attached to the email in the form of an archive file, executable file, Word document, or any other file type.

Cracking tools work by activating the malware instead of the product a user thinks they are installing. Malicious software updates follow a similar pattern, installing malware instead of the intended update. Downloading from malicious websites and P2P sharing websites always comes with the risk of being infected by ransomware, which is why users should avoid them – or at least protect themselves when using them.

What Does Tsar Ransomware Do?

Tsar comes from the BlackHeart family of malware, which first came to the public eye back in April of 2018. BlackHeart isn’t exactly prevalent, but a number of different versions of it have been released. Some of the more notable versions are BlackRouter and Prodecrypter. While the ransomware isn’t prevalent and hasn’t infected a lot of people, it does cause severe damage to the people it does infect. The encryption algorithm employed is very secure and there are currently no known decryption tools.

The Tsar virus targets Windows in particular, and it infects computers through a few different means. One of the most common infection methods is the use of spam email campaigns. Attackers send out thousands of spam messages to as many people as possible in the hope that some of them click on the malicious link or download the infected attachment. Other exploits such as cracks and fake updates are used too.

Tsar ransomware does more than just lock up files and prevent them from being accessed. It also removes any Shadow Volume Copies on the computer to make recovery even more difficult. It makes changes to the Windows Registry to prevent removal and drops other malicious files onto the computer.
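The three observable traces described above (the .Tsar extension on encrypted files, the ReadMe ransom note, and the deletion of Shadow Volume Copies) are what an incident responder would look for first. The following triage script is an added example written for this page, not code from the original write-up or from any vendor; it walks a directory tree for the file-system indicators and scans process-creation log lines for shadow copy deletion. The directory layout, file names and log lines are constructed for the demonstration (the Sysmon-style "Image=... CommandLine=..." layout is an assumption about how your logs are exported), and the wmic shadowcopy delete pattern is a second common form of the same technique that the article does not mention.

```python
"""Ransomware triage: file-system indicators plus shadow copy deletion in logs."""
import os
import re
import shutil
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".tsar"            # extension Tsar appends to encrypted files
NOTE_NAME = "readme"               # ransom note base name (case-insensitive)
NOTE_MARKERS = ("you are crypted", "decrypt", "chacha20")  # phrases from the note

# Constructed process-creation log lines (assumed Sysmon-like layout).
SAMPLE_PROCESS_LOG = [
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete",
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows",
    "Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]

# Command lines that remove Shadow Volume Copies; "list shadows" is benign and not matched.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def looks_like_ransom_note(path):
    """True if the first 4 KiB of the file contains any known ransom-note phrase."""
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read(4096).lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan_tree(root):
    """Collect encrypted files, ransom notes and an extension histogram under root."""
    summary = {"encrypted_files": [], "ransom_notes": [], "ext_counts": Counter()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            summary["ext_counts"][ext.lower()] += 1
            if ext.lower() == ENCRYPTED_EXT:
                summary["encrypted_files"].append(path)
            elif stem.lower() == NOTE_NAME and looks_like_ransom_note(path):
                summary["ransom_notes"].append(path)
    return summary


def shadow_copy_deletions(log_lines):
    """Return the log lines whose command line deletes Shadow Volume Copies."""
    return [line for line in log_lines
            if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


def assess(root, log_lines):
    """Combine both indicator sources into one verdict dictionary."""
    fs = scan_tree(root)
    verdict = {
        "encrypted_count": len(fs["encrypted_files"]),
        "note_count": len(fs["ransom_notes"]),
        "shadow_deletions": shadow_copy_deletions(log_lines),
    }
    # Extension plus note together are the Tsar signature; shadow deletion alone is
    # generic ransomware behaviour and is reported separately.
    verdict["likely_tsar"] = verdict["encrypted_count"] > 0 and verdict["note_count"] > 0
    return verdict


def build_sample_tree():
    """Create a constructed victim directory: two .Tsar files, one untouched file, a note."""
    root = tempfile.mkdtemp(prefix="tsar_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.Tsar", "thesis.docx.Tsar", "photo.jpg"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(docs, "ReadMe.txt"), "w") as fh:
        fh.write("You Are Crypted!\nYour important files are encrypted.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        print(assess(sample_root, SAMPLE_PROCESS_LOG))
    finally:
        shutil.rmtree(sample_root)
```

Point scan_tree at a user profile or file share and feed shadow_copy_deletions with exported process-creation events; on a real host the extension histogram in ext_counts is also useful, because a sudden spike of one unfamiliar extension across many folders is the earliest sign of encryption in progress.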

It will generally encrypt the most common file types, including documents, pictures, and videos. It doesn’t lock up any important system files though, as even the virus needs these to work properly. Once the information has been locked up, the virus displays a pop-up message that reads:

You Are Crypted!
What's Happened to my computer?
You Are Crypted By RSA And AES And ChaCha20 Encryption And Not Recovered!
Your important files are encrypted.
Many of your documents,photo,video,database,project
and other files are no longer accessible because they have
been encrypted. maybe you are busy looking for a way to
recover your files, but do not waste your time. nobody can
recover your files without our decryption service. For Decrypting Email Me On ==>MR_Liosion@protonmail.com
For Decrypt pay
1000 $
Step 2: Complete form for get Decryption tools
My Email==>MR_Liosion@protonmail.com
mail Target
Write Your Email:
Request Decrypt
1000 $ Time Left ( Payment Will be raised to 2x )

It’s unknown if the hackers will actually deliver the decryption tool they promise. Even if the tool were delivered, though, it’s always recommended that you never give in to ransom demands. There’s no telling if the hackers will leave you alone after you pay up. There’s also the risk that they would demand more money or just delete your files anyway. It’s better to remove Tsar ransomware and any other malicious programs.