YourRansom Ransomware
Threat Scorecard
Threat Level: 50 % (Medium)
Infected Computers: 3
First Seen: February 6, 2017
Last Seen: October 21, 2022
OS(es) Affected: Windows
The YourRansom Ransomware is one of many prank and 'educational' ransomware infections currently being used to attack computer users. These attacks don't cause permanent damage to the victim's computer but are, rather, an attempt to 'educate' computer users about ransomware and other forms of threats. The YourRansom Ransomware, discovered in February 2017, is based on an open source ransomware engine.
The YourRansom Ransomware – Prank or Unfinished Threat?
A ransomware Trojan named the YourRansom Ransomware already existed previously. A Chinese programmer coded it using Go and released it on GitHub. This open-source ransomware Trojan was used to develop this latest, 'educational' iteration of the YourRansom Ransomware. PC security analysts suspect that the YourRansom Ransomware was intended for private use, since there does not seem to be evidence that it is being used in mass attacks or distributed widely. The YourRansom Ransomware campaign may have started as a way for the threat's author to prank friends or colleagues. However, there is the possibility that the YourRansom Ransomware is only an early version of what may later become a fully implemented threat.
How the YourRansom Ransomware Carries out Its Attack
Various modifications have been made to the open source basis for the YourRansom Ransomware attack, meaning that many of its behaviors are different. As soon as the YourRansom Ransomware enters a computer, it searches the victim's hard drives for files of the following types, encrypting them in the process:
.txt, .zip, .rar, .7z, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .jpg, .gif, .jpeg, .png, .mpg, .mov, .mp4, .avi, .mp3.
During its attacks, the YourRansom Ransomware will skip the following directories (or directories that contain these strings in their names):
- windows
- program
- appdata
- system
The files that have been encrypted by the YourRansom Ransomware will have the extension '.youransom' added to the end of their names. Once the YourRansom Ransomware has finished encrypting the victim's files, it will drop the following files on the victim's computer:
- README.txt
- YourRansom.key
The 'YourRansom.key' file contains the encryption key. This is different from the open source version, which also displays the 'YourRansom.dkey' file, which contains the decryption key. Because of this, it seems that the YourRansom Ransomware does not send the decryption key to a Command and Control server or save it anywhere. According to the open source version's instructions, running the YourRansom Ransomware with the flag '-d' should supposedly make it decrypt the files, but this does not happen with the YourRansom Ransomware.
The YourRansom Ransomware's 'Ransom Note'
The YourRansom Ransomware's ransom note, contained in the 'README.txt' file, displays the following message (which has made malware analysts suspect that the YourRansom Ransomware may be nothing more than an elaborate joke):
Hey gay, welcome to use the YourRansom. Do you like this joke? Contact me to decrypt your files, it's free! Email: i@bobiji.com
After contacting the YourRansom Ransomware's author, the following message was received:
'Send me the YourRansom.key file. I'll return you a YourRansom.dkey file. Put it in the directory of the YourRansom binary file and rerun it. Your file will be unlocked.'
Unfortunately, the effects of a YourRansom Ransomware infection can be permanent, especially if the victims of the YourRansom Ransomware attack delete the 'YourRansom.key' file, believing it to be part of the Trojan. While other ransomware Trojans that do not include the risk of file loss are being distributed, it seems an unnecessary risk to allow the YourRansom Ransomware to continue to be circulated. Hopefully, the YourRansom Ransomware attack has been limited to only a few friends of the threat's author. Unfortunately, these threats have a way of getting disseminated and attacking innocent computer users. More worryingly, it may not be difficult to adapt these threats so as to create traditional ransomware attacks that prey on computer users. For example, in this case, all it would take is to deprive the victim of the 'YourRansom.dkey' file.
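The host artifacts described above (the '.youransom' extension, the targeted file types, the skipped directory strings, 'README.txt' and 'YourRansom.key') can be checked with a read-only triage scan. The Python below is an added example, not code from this page's authors or from the ransomware project; the function names, report buckets and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicators below are taken from the write-up; everything else is assumed.
MARKER_EXT = ".youransom"
KEY_NAME, NOTE_NAME, NOTE_MARKER = "yourransom.key", "readme.txt", b"yourransom"
TARGET_EXTS = {".txt", ".zip", ".rar", ".7z", ".doc", ".docx", ".ppt", ".pptx",
               ".xls", ".xlsx", ".jpg", ".gif", ".jpeg", ".png", ".mpg", ".mov",
               ".mp4", ".avi", ".mp3"}
SKIPPED_DIR_STRINGS = ("windows", "program", "appdata", "system")


def triage(root):
    """Walk root read-only and sort artifacts into report buckets."""
    report = {"encrypted": [], "inconsistent": [], "key_files": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        # Only path components below root are matched against the skip list.
        rel_dir = os.path.relpath(dirpath, root).lower()
        in_skipped = any(s in rel_dir for s in SKIPPED_DIR_STRINGS)
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower == KEY_NAME:
                report["key_files"].append(path)  # preserve, never delete
            elif lower == NOTE_NAME:
                # README.txt is a common name, so confirm by content.
                with open(path, "rb") as fh:
                    head = fh.read(4096).lower()
                if NOTE_MARKER in head:
                    report["notes"].append(path)
            elif lower.endswith(MARKER_EXT):
                inner_ext = os.path.splitext(lower[:-len(MARKER_EXT)])[1]
                expected = inner_ext in TARGET_EXTS and not in_skipped
                report["encrypted" if expected else "inconsistent"].append(path)
    return report


def demo():
    """Build a constructed sample tree and return (root, triage report)."""
    sample = {  # constructed paths and contents, not real samples
        "docs/report.docx.youransom": b"\x00",
        "docs/notes.txt": b"untouched",
        "docs/README.txt": b"ordinary project readme",
        "appdata/cache.jpg.youransom": b"\x00",
        "tool.exe.youransom": b"\x00",
        "README.txt": b"welcome to use the YourRansom",
        "YourRansom.key": b"constructed placeholder",
    }
    root = tempfile.mkdtemp(prefix="triage_")
    for rel, data in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root, triage(root)
```

Files in the "inconsistent" bucket carry the marker extension but do not match the described targeting (an untargeted file type or a skipped directory), which suggests a different variant or an unrelated rename. Any path in "key_files" should be backed up before cleanup.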