Threat Database Ransomware YourRansom Ransomware

YourRansom Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 50 % (Medium)
Infected Computers: 3
First Seen: February 6, 2017
Last Seen: October 21, 2022
OS(es) Affected: Windows

The YourRansom Ransomware is one of many pranks and educational ransomware infections that are being used to attack computer users currently. These attacks don't cause permanent damage to the victim's computer but are, rather, an attempt to 'educate' computer users about ransomware and other forms of threats. The YourRansom Ransomware, discovered in February 2017, is based on an open source ransomware engine and is being used to attack computer users currently.

The YourRansom Ransomware – Prank or Unfinished Threat?

A ransomware Trojan named the YourRansom Ransomware already existed previously. A Chinese programmer coded it using Go and released on GitHub. This open-source ransomware Trojan was used to develop this latest, 'educational' iteration of the YourRansom Ransomware. PC security analysts suspect that the YourRansom Ransomware was intended for private use since there does not seem to be evidence that the YourRansom Ransomware is being used in mass attacks or distributed widely. The YourRansom Ransomware campaign may have started as a way for the threat's author to prank friends or colleagues. However, there is the possibility that the YourRansom Ransomware is only an early version of what may later become a fully implemented threat attack.

How the YourRansom Ransomware Carries out Its Attack

Various modifications have been made to the open source basis for the YourRansom Ransomware attack, meaning that many of its behaviors are different. As soon as the YourRansom Ransomware enters a computer, the YourRansom Ransomware searches the victim's hard drives for files of the following types, encrypting them in the process:

.txt, .zip, .rar, .7z, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .jpg, .gif, .jpeg, .png, .mpg, .mov, .mp4, .avi, .mp3.

During its attacks, the YourRansom Ransomware will skip the following directories (or directories that contain these strings in their names):

  • windows
  • program
  • appdata
  • system

The files that have been encrypted by the YourRansom Ransomware will have the extension '.youransom' added to the end of their names. Once the YourRansom Ransomware has finished encrypting the victim's files, it will drop the following files on the victim's computer:

  • README.txt
  • YourRansom.key

The 'YourRansom.key' contains the encryption key. This is different from the open source version, which also displays the 'YourRansom.dkey' which contains the decryption key. Because of this, it seems that the YourRansom Ransomware does not send the decryption key to a Command and Control server or save it anywhere. According to the open source version's instructions, running the YourRansom Ransomware with the flag '-d' should supposedly make it decrypt the files, but this is not happening with the YourRansom Ransomware.

The YourRansom Ransomware's 'Ransom Note'

The YourRansom Ransomware's ransom note, contained in the 'README.txt' file, displays the following message (which has made malware analysts suspect that the YourRansom Ransomware may be nothing more than an elaborate joke):

Hey gay, welcome to use the YourRansom. Do you like this joke? Contact me to decrypt your files, it's free! Email:

After contacting the YourRansom Ransomware's author, the following message was received:

'Send me the YourRansom.key file. I'll return you a ourRansom.dkey file. Put it in the directory of the YourRansom binary file and rerun it. Your file will be unlocked.'

Unfortunately, the effects of a YourRansom Ransomware infection can be permanent, especially if the victims of the YourRansom Ransomware attack delete the 'YourRansom.key' file, believing it to be part of the Trojan. While other ransomware Trojans that do not include the risk of file loss are being distributed, it seems an unnecessary risk to allow the YourRansom Ransomware to continue to be circulated. Hopefully, the YourRansom Ransomware attack has been limited to only a few friends of the threat's author. Unfortunately, these threats have a way of getting disseminated and attacking innocent computer users. More worryingly, it may not be difficult to adapt these threats so as to create traditional ransomware attacks that prey on computer users. For example, in this case, all it would take is to deprive the victim of the 'YourRansom.dkey' file.


Most Viewed