Werd Ransomware

Most cyber crooks are not as highly-skilled as they are often portrayed. Most shady individuals who decide to try their luck in the world of cybercrime are not very proficient or experienced. In the case of ransomware threats, such actors would opt to borrow the readily available code of well-established file-encrypting Trojans and only slightly tweak it to fit their needs. This is the case with the Werd Ransomware.

Propagation and Encryption

Once spotted and dissected, it became evident that the Werd Ransomware is in fact a variant of the notorious STOP Ransomware. Despite malware researchers being unable to determine the infection vectors used in the spreading of the Werd Ransomware, the most popular ransomware propagation methods have been speculated as potential culprits. This includes fake pirated copies of legitimate applications, fraudulent software updates and spam emails that contain macro-laced attachments. The Werd Ransomware targets a very long list of popular filetypes, which every regular user is sure to have on their system - .jpeg, .mp3, .mov, .docx, .mp4, .png, .rar, etc. Once the Werd Ransomware has located the files of interest, it will lose no time and begin locking them using a complex encryption algorithm immediately. The Werd Ransomware adds a new extension to the locked files – ‘.werd.’ This means that a file that was called ‘golden-spinner.jpeg’ previously, will have its name changed to ‘golden-spinner.jpeg.werd’ when the encryption process is through.

The Ransom Note

As with more ransomware threats, when the encryption process is completed, the file-locking Trojan will drop its ransom note on the victim’s desktop. The name of the Werd Ransomware’s note is ‘_readme.txt.’ The message of the note states that the ransom fee is $980, but for users who contact the authors of the Werd Ransomware within 72 hours successfully, the price will be dropped by 50% to $490. The attackers offer to unlock one file for free. This is a common tactic and serves to convince the victim that the authors of the malware are capable of decrypting the locked data. There are two email addresses that are given out as a means of contacting the attackers – ‘gorentos@bitmessage.ch’ and ‘gerentosrestore@firemail.cc.’

It is always best to stay clear from cyber crooks. Users who attempt to negotiate or bargain are often left empty-handed even if they pay the ransom fee as there is no guarantee that the attackers will provide you with the decryption key they promise. It is far safer to utilize the help of an anti-virus tool, which will aid you in wiping off the Werd Ransomware from your PC.