Tyrant Ransomware

By GoldSparrow in Ransomware

The Tyrant Ransomware is an encryption ransomware Trojan that was first observed on October 16, 2017. The Tyrant Ransomware, like most encryption ransomware Trojans, is designed to encrypt the victim's data, taking it hostage. Once the Tyrant Ransomware has finished encrypting the victim's data, it demands a ransom payment in exchange for the decryption key that is needed to restore the affected data. The Tyrant Ransomware's ransom note is written in Farsi, so it is very likely that the Tyrant Ransomware targets computer users in a specific, small geographical region, mainly limited to Iran, Iraq and the United Arab Emirates. Geographically limited attacks like these are not uncommon. However, there is nothing limiting the Tyrant Ransomware from spreading beyond this region.

Is a Tyrant Ruling Your Files?

The main way in which the Tyrant Ransomware is distributed is through spam email messages. These messages will often include corrupted file attachments, which take the form of a DOCX, PDF, or ZIP file, often accompanied by some social engineering tactic designed to trick the victim into downloading the attached file. For example, the file may be disguised as an invoice or another important document. The Tyrant Ransomware seems to be related to the DUMB Ransomware, a threat released previously, which targeted computer users in Turkey, and still seems to run as 'DUMB.exe,' meaning that it is likely that con artists have simply adapted the Tyrant Ransomware to target computer users in a different country. It is, therefore, not unlikely that new variants of the Tyrant Ransomware may appear in new languages and target new groups of people.

How the Tyrant Ransomware Carries out Its Attack

The Tyrant Ransomware will scan the victim's computer, searching for files with specific file extensions. Threats like the Tyrant Ransomware generally target the user-generated files, which can range from documents and configuration files to media such as video, audio and images. The Tyrant Ransomware creates a list of the files that it will target and then uses a pair of strong encryption algorithms to encrypt the files in a way that makes them inaccessible to the victim. The Tyrant Ransomware will search for files with the following extensions on the victim's computer:

.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg, .part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip.

The Tyrant Ransomware will display a pop-up program window titled 'Crypto Tyrant' with the ransom demand after encrypting the victim's files (here translated into English):

'Your files are encrypted. You have 24 hours to pay the ransom of $15 dollars. The amount may increase further if 24 hours have elapsed... The file decryptor will be sent to you after receiving the payment. If you have any questions, please contact us by email, we will answer you...
Praise be to Allah in the heaven'

Apart from the message, the Tyrant Ransomware ransom note includes a countdown timer, which implies that the victim has 24 hours to pay to avoid losing the affected data permanently. PC security researchers strongly advise computer users to avoid following the Tyrant Ransomware's instructions.

Dealing with a Tyrant Ransomware Infection

Instead of paying the Tyrant Ransomware ransom, it is important to take precautions to ensure that the compromised data can be restored easily. The best prevention is to have file backups on external memory devices. Having backups means that the victims of the Tyrant Ransomware attack can recover their files without having to pay the Tyrant Ransomware ransom. This is especially necessary because the con artists will almost never deliver the affected files after payment is carried out.
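
The extension list and the backup advice above can be combined into a backup coverage check. The following Python code is an added example, not part of the original article or of any vendor tool: it walks a folder, selects the files whose names end in one of the listed extensions, and reports those that have no copy, or only an older copy, under a backup folder. It assumes the backup mirrors the source folder's layout; the folder names and sample files in demo() are constructed for illustration.

```python
import os
import tempfile

# Extensions the article lists as Tyrant's targets (copied from the page).
TARGETED = tuple("""
.aif .apk .arj .asp .bat .bin .cab .cda .cer .cfg .cfm .cpl .css .csv .cur
.dat .deb .dmg .dmp .doc .docx .drv .gif .htm .html .icns .iso .jar .jpeg
.jpg .jsp .log .mid .mp3 .mp4 .mpa .odp .ods .odt .ogg .part .pdf .php .pkg
.png .ppt .pptx .psd .rar .rpm .rss .rtf .sql .svg .tar.gz .tex .tif .tiff
.toast .txt .vcd .wav .wks .wma .wpd .wpl .wps .wsf .xlr .xls .xlsx .zip
""".split())

def is_targeted(name):
    """Suffix match, so the two-part '.tar.gz' entry is handled correctly."""
    return name.lower().endswith(TARGETED)

def audit(source_root, backup_root):
    """Return (missing, stale): targeted files with no copy under backup_root,
    and targeted files modified after their backup copy was written."""
    missing, stale = [], []
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            if not is_targeted(name):
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(backup_root, rel)
            if not os.path.isfile(dst):
                missing.append(rel)
            elif os.path.getmtime(src) > os.path.getmtime(dst):
                stale.append(rel)
    return sorted(missing), sorted(stale)

def demo():
    """Constructed sample tree: (name, source mtime, backup mtime or None)."""
    sample = [("report.docx", 1000, 2000), ("notes.txt", 3000, 2000),
              ("site.tar.gz", 1000, None), ("tool.exe", 1000, None)]
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, d) for d in ("docs", "backup")]
        for root in roots:
            os.mkdir(root)
        for name, *mtimes in sample:
            for root, mtime in zip(roots, mtimes):
                if mtime is not None:
                    path = os.path.join(root, name)
                    open(path, "w").close()
                    os.utime(path, (mtime, mtime))
        return audit(*roots)
```

Calling audit() with a real documents folder and the mount point of an external backup drive returns the two lists of relative paths; any file in either list would not be fully recoverable from that backup.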
