WinRarer Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 80% (High)
Infected Computers: 23
First Seen: November 4, 2016
Last Seen: October 31, 2021
OS(es) Affected: Windows
First observed in November 2016, the WinRarer Ransomware is a ransomware Trojan that takes the victim's files hostage by an uncommon method. Although its ransom note presents the attack as file encryption, the WinRarer Ransomware does not work the way most ransomware Trojans active today do: rather than encrypting each file individually in place, it moves the targeted files into a single archive file that is itself password protected. The closest precedent observed before the WinRarer Ransomware appeared is the Bart Ransomware, which also locked victims' files inside password-protected archives. The WinRarer Ransomware targets the following file types in its attack:
.123 | .3dm | .3ds | .3g2 | .3gp | .602 | .aes | .ARC | .asc | .asf | .asm | .asp | .avi | .bak | .bat | .bmp | .brd | .cgm | .cmd | .cpp | .crt | .csr | .CSV | .dbf | .dch | .dif | .dip | .djv | .djvu | .DOC | .docb | .docm | .docx | .DOT | .dotm | .dotx | .fla | .flv | .frm | .gif | .gpg | .hwp | .ibd | .jar | .java | .jpeg | .jpg | .key | .lay | .lay6 | .ldf | .m3u | .m4u | .max | .mdb | .mdf | .mid | .mkv | .mov | .mp3 | .mp4 | .mpeg | .mpg | .ms11 | .MYD | .MYI | .NEF | .odb | .odg | .odp | .ods | .odt | .otg | .otp | .ots | .ott | .p12 | .PAQ | .pas | .pdf | .pem | .php | .png | .pot | .potm | .potx | .ppam | .pps | .ppsm | .ppsx | .PPT | .pptm | .pptx | .psd | .rar | .raw | .RTF | .sch | .sldm | .sldx | .slk | .stc | .std | .sti | .stw | .svg | .swf | .sxc | .sxd | .sxi | .sxm | .sxw | .tar | .tbk | .tgz | .tif | .tiff | .txt | .uop | .uot | .vbs | .vdi | .vmdk | .vmx | .vob | .wav | .wb2 | .wk1 | .wks | .wma | .wmv | .xlc | .xlm | .XLS | .xlsb | .xlsm | .xlsx | .xlt | .xltm | .xltx | .xlw | .zip.
How the WinRarer Ransomware Attack Works
The WinRarer Ransomware attack method is simple compared to more sophisticated attacks. Files with the extensions listed above are moved into a password-protected archive named 'YourFilesHere-0penWithWinrar.ace' (note the digit zero in place of the letter 'O' in '0pen', which matters when hunting for the file by name). The archive is created on whichever hard drive attached to the affected computer has the most free space. It uses the ACE format, whose compression is more memory-intensive than ZIP or RAR, so the archiving operation causes noticeable system slowdown while it runs in the background. The archive's password protection is based on Blowfish, a symmetric block cipher, with a 448-bit key; because the same key both locks and unlocks the archive, the 'decryption key' the attackers sell is simply the archive password. Brute-force attacks on a key of that length are not a realistic recovery route; whether the files can be recovered without paying depends only on whether the archive password was chosen weakly and on whether copies of the originals survive in backups.
The WinRarer Ransomware and Its Ransom Note
The WinRarer Ransomware may be distributed through spam email attachments. These may take the form of malicious PDF or Microsoft Office documents that run the installer through Office macros or a document exploit. The WinRarer Ransomware delivers its ransom note in an HTA dialog and in an image file that replaces the victim's Desktop wallpaper. The ransom note files are named 'RECOVERYOURFILES.HTA' and 'RecoverYourFiles.jpg'. The WinRarer Ransomware ransom note contains the text below:
'Attention : YOUR FILES were LOCKED
What happened ?
Your important files were LOCKED with Winrar so its now unusable and unreadable,
The only way to get your files back is to pay us.
Otherwise, your files will be useless
How can I get my files back?
The only way to restore them to a normal condition is to use our site to decrypt your key to get the password follow the flowing steps to enter our site :
1. Download and install tor-browser: [link to the TOR Browser project]
2. After a successful installation, run the browser and wait for initialization.
3. Go to this site ( paste it in the url address ) : [personal payment portal on an .onion domain]
4. Copy your id from the bottom of the page to paste in the site.
your id is : [18 random characters]
done'
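The archive-based locking described in the two sections above (the named .ace archive, the two ransom note files, and the removal of the original documents as they are moved into the archive) maps directly onto file-system telemetry. The following Python is an added example, not code from the original report or from EnigmaSoft: it runs three detections over a few constructed Sysmon-style FileCreate (event 11) and FileDelete (event 23) records. The 'ts|event|pid|image|path' line format, the process names, the extension subset and the five-deletes-in-sixty-seconds threshold are assumptions made for the example; the artifact names and targeted extensions come from the report. The behavioural rule deliberately generalises beyond the specific archive name, so a variant that renamed the archive would still be caught by the pattern of one process writing an archive and then removing many targeted originals.

```python
"""Detection logic for archive-based file locking of the WinRarer kind.

Added example, not code from the original page or from EnigmaSoft. Runs over
constructed event records modelled loosely on Sysmon FileCreate (11) and
FileDelete (23) telemetry; the line format, process names and thresholds are
assumptions, the artifact names and extensions come from the report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Artifact names from the report text (compared case-insensitively; note the
# digit zero in '0pen').
RANSOM_ARCHIVE = "yourfileshere-0penwithwinrar.ace"
RANSOM_NOTES = {"recoveryourfiles.hta", "recoveryourfiles.jpg"}

# Subset of the extensions the report lists as targeted; extend with the full list.
TARGETED_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                ".txt", ".zip", ".rar", ".vmdk", ".mdb", ".psd"}
# Container formats a locker of this family could write to (assumption: not
# only .ace, so a renamed variant is still caught by the behavioural rule).
ARCHIVE_EXT = {".ace", ".zip", ".rar", ".7z"}

DELETE_THRESHOLD = 5            # assumed tuning: this many targeted originals...
WINDOW = timedelta(seconds=60)  # ...removed within this window by one process


def parse_event(line):
    """Parse one constructed event line of the form 'ts|event|pid|image|path'."""
    ts, event, pid, image, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "pid": int(pid), "image": image, "path": path}


def _name_and_ext(path):
    """Lower-cased file name and extension (with dot) of a Windows path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return name, ext


def _finding(reason, ev):
    return {"reason": reason, "pid": ev["pid"], "image": ev["image"], "path": ev["path"]}


def detect(lines):
    """Return findings as dicts with keys reason, pid, image, path.

    Rule 1: the known archive name.  Rule 2: the known ransom note names.
    Rule 3 (behavioural): one process has created an archive file and then
    removed DELETE_THRESHOLD targeted originals within WINDOW.
    """
    findings = []
    wrote_archive = set()                 # pids that created an archive file
    recent_deletes = defaultdict(deque)   # pid -> timestamps of targeted deletes
    flagged = set()                       # pids already reported under rule 3

    for ev in (parse_event(line) for line in lines):
        name, ext = _name_and_ext(ev["path"])

        if ev["event"] == "FileCreate":
            if name == RANSOM_ARCHIVE:
                findings.append(_finding("ransom_archive_name", ev))
            elif name in RANSOM_NOTES:
                findings.append(_finding("ransom_note_dropped", ev))
            if ext in ARCHIVE_EXT:
                wrote_archive.add(ev["pid"])

        elif ev["event"] == "FileDelete" and ext in TARGETED_EXT:
            window = recent_deletes[ev["pid"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:   # slide the window
                window.popleft()
            if (ev["pid"] in wrote_archive and ev["pid"] not in flagged
                    and len(window) >= DELETE_THRESHOLD):
                flagged.add(ev["pid"])
                findings.append(_finding("archive_lock_behaviour", ev))
    return findings


# Constructed sample telemetry: one infected process (pid 4412) that archives
# to the drive with the most free space (D:) and one benign Explorer session.
_MAL = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"
_EXP = r"C:\Windows\explorer.exe"
SAMPLE_LOG = [
    rf"2016-11-04T10:00:01|FileCreate|4412|{_MAL}|D:\YourFilesHere-0penWithWinrar.ace",
    rf"2016-11-04T10:00:02|FileDelete|4412|{_MAL}|C:\Users\alice\Documents\budget.xlsx",
    rf"2016-11-04T10:00:03|FileDelete|4412|{_MAL}|C:\Users\alice\Documents\contract.docx",
    rf"2016-11-04T10:00:04|FileDelete|4412|{_MAL}|C:\Users\alice\Pictures\holiday.jpg",
    rf"2016-11-04T10:00:05|FileDelete|4412|{_MAL}|C:\Users\alice\Documents\notes.txt",
    rf"2016-11-04T10:00:06|FileDelete|4412|{_MAL}|C:\Users\alice\Documents\scan.pdf",
    rf"2016-11-04T10:00:09|FileCreate|4412|{_MAL}|C:\Users\alice\Desktop\RECOVERYOURFILES.HTA",
    rf"2016-11-04T10:00:09|FileCreate|4412|{_MAL}|C:\Users\alice\Desktop\RecoverYourFiles.jpg",
    rf"2016-11-04T10:05:00|FileCreate|1200|{_EXP}|C:\Users\alice\Desktop\photos.zip",
    rf"2016-11-04T10:05:30|FileDelete|1200|{_EXP}|C:\Users\alice\Downloads\old.pdf",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['reason']:24} pid={f['pid']} {f['path']}")
```

The name-based rules are cheap and exact but brittle; the behavioural rule is what survives a rename, and its threshold should be tuned against a baseline of legitimate archiving tools on the estate, since a user zipping and deleting a folder with Explorer will produce the same shape of events at a smaller scale.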