URSA Ransomware

The URSA Ransomware is a file-locking Trojan that blocks the user's media, such as pictures or documents and takes them hostage for a ransom. Its ransom notes have strong similarities to those of the CryptoWall Ransomware, of which it may be an update. Preferably, Windows users have backups for recovering their work and anti-malware solutions for removing the URSA Ransomware comprehensively.

A Bear Tearing through Files

With a dignified Latin name, but rather undignified, mercenary attacks, another file-locker Trojan with strong resemblances to old ones appears in January. The ursine-referencing the URSA Ransomware targets Windows users and employs many of the well-thought-out, semi-automated data-extortion service hallmarks. Coincidentally or not, the program also includes components calling back to the CryptoWall Ransomware family.

While the CryptoWall Ransomware family's reputation includes infection vectors such as e-mail tactics and hacked website-running Exploit Kits, the URSA Ransomware's distribution techniques aren't yet knowable to malware researchers. The Trojan's payload is, however, and centers around a typical, data-encrypting attack that 'locks' most media files of value to users. Unlike most file-locker Trojans, the URSA Ransomware doesn't mark the non-opening files with extensions or other name-based identifiers.

Although the URSA Ransomware bears little resemblance to the older versions of CryptoWall Ransomware's family, it drops TXT and HTML ransom notes similar to the current templates. It uses English instructions to direct users to its TOR website and inform them on paying the ransom for the file-unlocking service (AKA, the decryptor). Malware analysts detect no ransom-related activity to its wallet and note that its current fee is small and most appropriate for home user-based victims.

The Best Repellent for a Toothy File Predator

The URSA Ransomware pretends that it's a part of the Windows OS, 'WinInit,' (a background application launcher) while on infected systems. While unlikely to relate to any installation tactics, this disguise suffices for protecting the Trojan while it runs its encryption routine. After that, victims have limited recovery avenues, although any Windows users with backups on other devices, naturally, can restore their data effortlessly.

For the time being, malware experts recommend guarding against all of the traditional infection vectors, but ones previously associated with the CryptoWall Ransomware family especially. E-mail tactics may disguise attachments or linked downloads as work documents, news articles, or invoices, and abuse features like embedded macros or 'advanced content.' Users also could run into the URSA Ransomware's installers on websites that use passive vulnerabilities and JavaScript or Flash against visitors. Establishing safe Web-browsing settings and behavior is crucial.

Of course, most security products disregard the falsified copyright information and name of the URSA Ransomware's EXE. Users with this protection can delete the URSA Ransomware automatically and preempt the attacked attack.

The URSA Ransomware wouldn't be the first Trojan collecting another's ransom note but has equal chances of being a proper successor to CryptoWall Ransomware. The question isn't always relevant to users without backups, who experience locked files, either way.